Build security @Fencer_Security

Joined September 2009
Tim Olshansky retweeted
Replying to @dok2001
@dok2001 I've noticed that SNI and host overrides are still in enterprise plan (developers.cloudflare.com/ru…) - any chance we can get that in other plans too given your very generous policy of everything in every plan (blog.cloudflare.com/enterpri…)? 🙏🙇☺️
Tim Olshansky retweeted
Make sure to always reuse your boto clients. Initializing a fresh one on each task has A LOT of overhead!
Tim Olshansky retweeted
Engineering capacity at a startup is finite. Security is one of the things asking for a piece of it. Here's Tim Olshansky on how to stop running security as a parallel program to product and start budgeting it as part of engineering capacity instead: fencer.dev/blog/security-as-…
Friends! I've built a cool little tool for reviewing security reports, starting with SOC 2 that I'm looking to recruit testers for. Comment in thread or DM and I'll share it with you - would love any/all feedback 🙏
Tim Olshansky retweeted
New: a field guide on running security at a startup, from someone who lived it. Our co-founder @timolsh was a CTO at a startup before he built Fencer. He built and ran the security program himself. Led the company through SOC 2 with no security team to hand it to. He wrote down what he wishes someone had handed him then.

Startup Security: A Field Guide for CTOs covers:
👉 When security stops being a "someday" problem
👉 Where your hours actually go when you're the one doing the work
👉 What to put in place first
👉 How to run security operations without burning out the team
👉 Considerations for startups in the AI era

Read it here: fencer.dev/startup-security-…
Tim Olshansky retweeted
Trust me, chat. Forget about Glasswing spamming 0days in your software, you're already cooked with current models. I've hacked hundreds of global orgs, including governments (legally) over the last 10 years, and the number of times I required a 0day to do so was exactly 0 times. Being worried about Glasswing is like living in Europe and being worried about Northrop Grumman having lethal space lasers while you're more likely to get stabbed by a crazy person walking through the streets.
Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing
Tim Olshansky retweeted
I know it's "another Tuesday" guys, but what(!) is happening in security right now
Trivy, LiteLLM, now Axios. Damn, malware is hitting hard and fast now. A few small shifts that close most of the security gap:
* Add a 3–7 day delay on new package versions with package cooldowns (minimumReleaseAge)
* Disable install scripts (--ignore-scripts)
* Only install from lockfiles (--frozen-lockfile)
* Upgrade on a schedule, not on deploy
Attackers rely on speed. You don't have to.
Tim Olshansky retweeted
With recent Python supply chain attacks (Trivy/LiteLLM), it's worth mentioning uv's `exclude-newer = "x days"` config. It forces uv to only install packages published more than x days ago, reducing risks since problematic packages should be yanked by then.
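The two posts above describe the same rule from two package managers: a version is only installable once it is older than some cutoff, either a sliding cooldown (the pnpm-style minimumReleaseAge) or a pinned point in time (the uv-style exclude-newer). The following is an added example, not code from either poster, pnpm, npm or uv. It implements that selection rule directly over registry metadata so you can see which version a cooldown actually picks, and what happens when every version is too new. The sample data (`NPM_TIME`, in the shape of the npm registry's per-package `time` map, and `PYPI_RELEASES`, in the shape of the PyPI JSON `releases` map) is constructed for the example, and every function name is the example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real registry data): the "time" map of an npm registry
# document, one ISO-8601 publish timestamp per version plus the "created" and
# "modified" bookkeeping keys that are not versions.
NPM_TIME = {
    "created": "2024-01-05T10:00:00.000Z",
    "modified": "2025-03-31T09:00:00.000Z",
    "1.6.0": "2024-01-05T10:00:00.000Z",
    "1.6.1": "2024-05-10T12:30:00.000Z",
    "1.7.0": "2025-03-31T09:00:00.000Z",  # published three hours before "now"
}

# Constructed sample: the "releases" map of a PyPI JSON document, which lists the
# uploaded files (each carrying upload_time_iso_8601) for every version.
PYPI_RELEASES = {
    "2.3.0": [{"upload_time_iso_8601": "2024-11-01T08:00:00.000000Z"}],
    "2.4.0": [{"upload_time_iso_8601": "2025-03-30T23:00:00.000000Z"}],
}


def parse_iso(ts: str) -> datetime:
    """Parse a registry timestamp ('...Z' suffix) into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def npm_publish_times(time_map: dict) -> dict:
    """Version -> publish time, dropping the non-version bookkeeping keys."""
    return {v: parse_iso(t) for v, t in time_map.items() if v not in ("created", "modified")}


def pypi_publish_times(releases: dict) -> dict:
    """Version -> publish time; a release is as old as its earliest uploaded file."""
    return {
        v: min(parse_iso(f["upload_time_iso_8601"]) for f in files)
        for v, files in releases.items()
        if files
    }


def version_key(v: str):
    """Numeric ordering for the plain dotted versions in the samples above.
    Simplified on purpose: not a full semver / PEP 440 comparator."""
    return tuple(int(p) for p in v.split("."))


def cooldown_cutoff(now: datetime, min_age_days: float) -> datetime:
    """Sliding cutoff: a version published after it has not finished its cooldown."""
    return now - timedelta(days=min_age_days)


def select_version(publish_times: dict, cutoff: datetime):
    """Highest version published at or before the cutoff, or None when every
    version is newer than the cutoff (a cooldown can legitimately select nothing).
    The cutoff may come from cooldown_cutoff() or be a pinned timestamp."""
    eligible = [v for v, t in publish_times.items() if t <= cutoff]
    return max(eligible, key=version_key) if eligible else None


if __name__ == "__main__":
    now = parse_iso("2025-03-31T12:00:00Z")
    cutoff = cooldown_cutoff(now, 3)
    # With a 3-day cooldown the just-published versions are skipped.
    print("npm :", select_version(npm_publish_times(NPM_TIME), cutoff))       # 1.6.1
    print("pypi:", select_version(pypi_publish_times(PYPI_RELEASES), cutoff))  # 2.3.0
    # A pinned cutoff older than every release selects nothing.
    print("pinned:", select_version(npm_publish_times(NPM_TIME), parse_iso("2023-12-31T00:00:00Z")))  # None
```

The practical caveat the example makes visible: a cooldown does not downgrade you to "safe", it downgrades you to "older", and when a package has only one version (or a compromised version has been sitting there longer than the window) the rule selects nothing or selects the bad one. That is why the first post pairs the cooldown with disabled install scripts and lockfile-only installs rather than relying on it alone.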
Tim Olshansky retweeted
If you were impacted by the recent Delve issues and want to harden your security posture, we (@fencer_security) will be happy to help you out. For anyone that signs up in the next two weeks, we will give you 15% off an annual subscription and provide white glove onboarding ourselves. This will include our full platform of code, infrastructure, runtime protection, static code analysis (SAST), dynamic application security testing (DAST), identity management and SIEM. We typically work with software companies between 20 and 500 employees. While we don't ourselves do the compliance part, we integrate with many of the large vendors in the industry (Vanta, Drata, etc.) Feel free to DM me or comment below.
Curious what the wider dev world is doing with policy agentic software development in teams? x.com/timolsh/status/2033581…
30 Jan 2024
Hey tweeps, been a while since I've been on here. For the devs that have been following me, check out my new project - Balustrade - balustrade.dev If this is something that you think would be helpful to you, please join the beta program so we can make it better together
Tim Olshansky retweeted
Huge milestone today for Zenput as we announce our Series C funding round! 🎉 We’re incredibly grateful to our customers who trust us to help them drive quality execution every day, in every store. Read more in our press release here: ow.ly/5SP950FzVhV
Tim Olshansky retweeted
6 Jun 2021
🔥Hot off the press: Issue #95 of Level Up, a curated newsletter for leaders in tech #cto #vpeng #engmanager #techlead w/content from @timolsh @Barryovereem @robverger @a_greenberg @ericfossas @spolsky @jchyip @poyark & more! See levelup.patkua.com/issues/le…
Tim Olshansky retweeted
28 May 2021
Tim Olshansky on Career Paths for Technologists who don’t want to Manage People bit.ly/3vuLJiw by Tim Olshansky
Tim Olshansky retweeted
20 Dec 2020
Bitcoin is the first time that digital scarcity has ever existed. It’s extremely easy to duplicate things in the digital realm, whether that’s a song, a video, or a meme. (2)
Tim Olshansky retweeted
We talked with @timolsh, EVP of Product and Engineering at @Zenput, about how remote work can make it harder for Engineers to advance in their careers. Olshansky offered 3 tips for Engineers to accelerate their professional growth during COVID: hubs.la/H0CMZPg0
Tim Olshansky retweeted
We recently talked again with @timolsh, EVP of Product and Engineering at @Zenput about the tools, including @Loom, @figmadesign, and @productboard, their Engineering and Product teams have adopted to boost collaboration during COVID: hubs.la/H0CCntD0