25 Apr 2025
Thank you so much to our Ruby Friends of BSidesSF! @Coffeetocode - Enso-Remco - Enso-Edward - David Shipley - Adam Arellano - bykhee - frostbide - Dave Herrald - Chris Palmer WOW! Y'all are truly fantastic! bsidessf.org/friends #bsidessf #BSidesSF2025 #infosec
11 Jun 2024
Powering up for Day 2 of spatial omics hacking with our nice new @_VIB_AI coffee mugs #CoffeeToCode #SpatialOmics24 #FlandersAI
πŸš¨β˜•οΈ EMERGENCY COFFEE PLAN ACTIVATED! β˜•οΈπŸš¨ Our beloved coffee machine decided to take a break 😠 Going old school with a hot water pour-over method! πŸ”₯πŸ«– Stay calm, caffeine is on the way. πŸ’ͺ✨ #CoffeeCrisis #StayCalm #CaffeineFix #CoffeeToCode
Fun fact: Programmers have a secret power – they can turn coffee into code, fueling their tech superpowers! ☕🔋💻 #CoffeeToCode #TechFuel #100DaysOfCode #buildinpublic
Replying to @coffeetocode
They didn’t exit though. They are hedging bets. Most folks leave Mastodon when the network effect isn’t there. We have been through this cycle before.
hahahahha certainly wasn't thinking of twitter when writing that~ 😜
On secret/sensitive wrapper types: I’ve seen how difficult it is to keep secrets or sensitive data from entering various logging systems. When it gets in there your security team is now busy cleaning log data instead of doing what is most helpful to the org.
On uuids: this doesn’t prevent IDORs but does help make them more difficult to exploit. Additionally helps with reducing information leaks via competitive intelligence (“oh I'm user 173648” instead of <uuid here>)
Broadly speaking: * webauthn * CSP (well configured) * (maybe controversial?) design authn without cookies (use Authorization header - non-csrfable) * use ORMs * memory safe langs (🦀) * separate prod / dev envs * uuids over enumerable ids * secret / sensitive wrapper types
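The "secret / sensitive wrapper types" item above, and the logging problem described in the earlier reply, as an added Rust example that is not code from the thread: a `Secret<T>` whose `Debug` output is redacted, so a config struct that derives `Debug` and gets dumped into a log line at startup cannot leak the credential, while `expose_secret()` remains the single, grep-able way at the plaintext. `DbConfig`, `startup_log_line` and the sample values are constructed for this illustration.

```rust
use std::fmt;

/// Wrapper that keeps a sensitive value out of `Debug` output, so logging
/// macros and `{:?}` formatting see only a redaction marker. The plaintext
/// is reachable only through the explicit, easy-to-grep `expose_secret()`.
pub struct Secret<T>(T);

impl<T> Secret<T> {
    pub fn new(value: T) -> Self {
        Secret(value)
    }

    /// The only way to read the inner value; call sites stand out in review.
    pub fn expose_secret(&self) -> &T {
        &self.0
    }
}

impl<T> fmt::Debug for Secret<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

/// A config struct of the kind that gets dumped into a log line at startup.
/// Deriving `Debug` is safe because the secret field redacts itself; with a
/// bare `String` field the same derive would print the password.
#[derive(Debug)]
pub struct DbConfig {
    pub host: String,
    pub password: Secret<String>,
}

/// Simulates the "log the whole config" habit that leaks credentials.
pub fn startup_log_line(cfg: &DbConfig) -> String {
    format!("connecting with config: {:?}", cfg)
}

/// Constructed sample values for the demo (hypothetical, not from the thread).
pub fn sample_config() -> DbConfig {
    DbConfig {
        host: "db.internal".to_string(),
        password: Secret::new("hunter2".to_string()),
    }
}

fn main() {
    let cfg = sample_config();
    println!("{}", startup_log_line(&cfg));
}
```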
"giving up on sanitization or validation and just sandboxing the darn thing"
some case-specific examples: elimination of cryptographic agility (see: wireguard), logic-less templates
@travismcpeak's thread that @leifdreizler mentioned:

Crowdsourcing my work – I'm doing a conference talk about secure-by-default. Tell me about something cool I don't know and I'll give you a shoutout!
23 Sep 2022
Webauthn, memory safe languages, only role assumption on aws (no iam users), functions that only accept compile time constants as format strings, ORMs, csp, binary safelisting; off the top of my head 😃
We have a react link component that has an allowlist of schemes, mostly to stop js hrefs. We also have a test that uses "Jest spies" to try and catch when someone forgets an authZ when accessing a DB table
Replying to @bubblewire
I would also love to hear people's thoughts on this :D @leifdreizler, @shehackspurple, @manicode, @d0nutptr, @coffeetocode, @JacobSalassi, @frgx, @ramimacisabird, and others probably have some opinions ;)
Yep! I mean the best defense is to ensure you just don’t have XSS in the first place, but service workers can be a nice defense in depth approach to protect sensitive data