74 Photos and videos
JS sandboxes are broken for over a decade. vm2, node-sandbox, isolated-vm — the graveyard keeps growing. Yet somehow, in 2026, people are still wiring them up to AI agents and calling it secure-AI! #vibecoding #appsec #aisecurity
vm2 should not be relied upon as a sole security control.
We promised a write-up. Here it is.
Using the recent vm2 escape (CVE-2026-22709) as a case study, we ask:
Can a #JavaScript sandbox ever be treated as a security boundary?
Link below
#appsec #securecoding #security
56
Coming Tuesday! A celebration of 100th SecTalks in Sydney. A grass root community running since 2013! sectalks.org/about
We have officially reached our 100th SecTalks Sydney session. To celebrate this milestone, we are hosting a trivia night.
#cybersecurity #sydney #meetup #Trivia
Sign up here: events.humanitix.com/sectalk…
58
Challenge submissions for the AppSec Village Wargame Contest at DEF CON 34 are now open.
Build challenges with the SecDim Play SDK and win prizes at DEF CON 34.
More details below.
#appsec #securecoding #defcon #ctf
105
AI can verify what your software does.
It cannot verify what your software must never do.
That's not a tooling gap. That's Gödel.
🔗 in replies
#aisecurity #vibecoding #appsec
1
1
1
114
1
42
Outsourcing your software security to an AI vendor is a ponzi scheme. You're locked in, spending thousands, with no way to know if the problem is ever actually solved.
#aisecurity #appsec
59
1/Most developers don't think twice before asking their AI assistant to explain a public codebase.
That's exactly what attackers are counting on.
#aisecurity #aisafety
1
278
5/We built a hands-on lab around this exact attack in our Stay Safe with AI: A Developer's Guide course.
You run the attack. You see the override. You learn to defend it.
🔗 learn.secdim.com/course/stay…
45
Further to my post about Mythos hype. From the curl maintainer assessment: 4FP and 1 Low.
"It should be noted that the AI tools find the usual and established kind of errors we already know about. It just finds new instances of them."
daniel.haxx.se/blog/2026/05/…
Many devs ask me about Mythos finding vulns autonomously. My answer is always the same — the data doesn't back it up. 🧵
128
I said it was coming. It's here.
Vibe Coding Security is live — why AI produces vulnerable code, how to design securely before prompting, how to review output as an attacker, and how to catch what review misses.
👉 learn.secdim.com/course/vibe…
You vibe code an app. Your app works. Congratulations. So does the vulnerability inside it.
Vibe coding has a systemic security problem and AI can't fix it. Here's why 🧵
1
3
199
AI has 3 systemic reasons it can't secure your vibe coded app:
1/ Biased training — trained on public code, most of it insecure. It reproduces what's common, not what's correct.
2/ Insecure common patterns — popular libraries have insecure defaults. AI suggests them confidently.
1
43
We're releasing a new course on vibe coding security — built to give every vibe coder the skills to actually own their app's security.
Stay tuned 👀 @secdim #vibecoding #security
52
Recently Hacktron benchmark also backed this up. Finding two 0-days cost $200 in tokens and 1-2 days of expert time. Remove the human and the output is AI slop: hacktron.ai/blog/why-mythos-…
1
41