Career update: I’ve joined @OpenAI to lead Cyber with @michaelaiello. Why I joined, and what we’ll be building: It’s clear that AI is fundamentally changing how software is being written and secured. Coding agents are writing the majority of code for many developers, software is getting shipped more quickly, and vulnerabilities that were latent for 20 years are being discovered at a rapid pace. The time to bug discovery, and exploitation once discovered, are trending down (H/T @EppSecurity and @gadievron). I believe we have an unparalleled opportunity to fundamentally 𝘪𝘮𝘱𝘳𝘰𝘷𝘦 cybersecurity in ways that were previously impossible. (H/T @bubblewire’ BSidesSF keynote on reasons for optimism) Over 6 years at @Semgrep, I had the privilege of working with an amazing team building what has become the most popular open source security code scanning tool in the world, that many companies have built their application security program around. Now, at @OpenAI, I’m thrilled to be a part of a company helping shape how software is written, and how security work gets done. It is a massive opportunity, and responsibility, and I don’t take that lightly. Here are my current thoughts about where things are headed: 𝐑𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐭 𝐛𝐲 𝐝𝐞𝐬𝐢𝐠𝐧. Defenders are not going to win playing bug whack-a-mole. We need to systematically eliminate classes of vulnerabilities, via generating secure code and streamlining the detect → validate → fix process. 𝐀𝐮𝐠𝐦𝐞𝐧𝐭 𝐚𝐧𝐝 𝐞𝐦𝐩𝐨𝐰𝐞𝐫 𝐩𝐞𝐨𝐩𝐥𝐞. We should build models and tools that give defenders “superpowers,” enabling them to be more ambitious in the scope they tackle, shift from being reactive to proactive, and allow them to automate the drudgery so they can focus on the highest leverage work. 𝐒𝐞𝐜𝐮𝐫𝐞 𝐭𝐡𝐞 𝐜𝐨𝐦𝐦𝐨𝐧𝐬. The world runs on open source software. OpenAI has already spent $Ms finding and patching vulnerabilities in the most popular and widely run software, including browsers, operating systems, and core libraries. More on this soon. We’re also working on helping secure critical infrastructure. 𝐂𝐨𝐦𝐦𝐮𝐧𝐢𝐭𝐲 𝐚𝐧𝐝 𝐩𝐚𝐫𝐭𝐧𝐞𝐫𝐬. Securing the world is a community effort. I’m looking forward to partnering with cybersecurity vendors, researchers, practitioners, governments, and more to do together what we can’t do alone. 𝐓𝐢𝐦𝐞 𝐭𝐨 𝐛𝐮𝐢𝐥𝐝. Tactically, here are some domains I’m excited about: - Finding, validating, and reliably patching software vulnerabilities at scale. - Eliminating classes of vulnerabilities and making software resilient by design. - Giving broad access to the best cyber models to empower defenders, not just to a select few. - Creating and sharing Skills and playbooks that help in many security domains. - Building platforms that enable defenders to easily orchestrate security work. - Making enterprise agents safe and reliable. Time to build 😎 — What would help you most? What should we build? Let me know.

Early anthropic employees commuting to work post IPO

🛩️ This is so cool: A Redditor living under SFO's takeoff path built a ceiling projection that maps every plane flying over their house in real time, using ADS-B, the open radio signal aircraft broadcast on 1090 MHz. Same feed as FlightRadar24, picked up with a cheap SDR dongle and beamed onto the ceiling.

Holding cybersecurity vendors accountable for their claims is a critical part of improving security. I'm not a troll. I'm not lying. And I'm not harassing you. But since that's your response: Here we go again.

Launching oauthsentry.github.io Look up any OAuth app ID and find out what it actually is across thousands of legitimate, risky, and malicious apps (Entra, Google, GitHub). Multiple feeds, API, detection ideas and remediation guidance. Still improving the detections a bit 🦾

"I remind you that this present you're so concerned about losing, you hated it in the first place." @juanandres_gs on why security practitioners should stop clinging to the broken thing and start imagining what the fixed thing looks like. New episode is live 👇 open.spotify.com/episode/7K6…