
Learn the foundations of web application assessments. Exploit common web vulnerabilities, learn how to exfiltrate sensitive data from target web applications, and earn your OffSec Web Assessor (OSWA) certification.

Snyk prices are getting very high. Has anyone moved away from them? Which alternative did you choose?
Found this interesting list: https://list.latio.tech/
On the open source side, there is https://www.dependencytrack.org/
Looking for a new training/certification. People who did OSWA (Web-200 by OffSec), how was it?
Cerbos Hub out of beta
If you're interested in a way to implement Zero Trust principles like least-privilege access or make your access policies more granular without creating code bloat this is something to check out.
Cerbos Hub externalizes application permissions (RBAC/ABAC) and makes it easier to write and maintain fine-grained access policies without falling into a slow doom spiral of spaghetti code.
You write your policies in a central repo, and deploy as many containerized policy decision points as you need alongside the relevant services in your application. Policy checks are an API call. No single point of failure or lag issues.
You can maintain and monitor distributed policy decision points from one place. Make changes in Hub once and the changes are deployed everywhere. It supports PDPs deployed in serverless environments, at the edge or on device. There's a collaborative policy playground to write and test your policies. It has a central audit log of all the policy decisions that take place.
Threat Modeling program milestones: A journey to scale
Recommended AppSec conferences in Europe?
cross-posted from: https://infosec.pub/post/8123190
Hello everyone,
I work in appsec, and my manager would like to send us to a conference this year. We are based in Europe, and the company would like to avoid intercontinental travel.
I have OWASP Global 2024 in Lisbon on my radar, as well as BlackHat EU in London. Is there any other conference you guys would recommend?
A database of cloud security incidents, campaigns, and techniques, Portswigger's labs on testing LLMs in web apps, using Azure logs for detection
A new script in the community-scripts repository enables the signing of outgoing requests with RSA keys, addressing the challenge of testing applications that require this functionality.
Stir Trek 2024 will take place at the AMC Easton Town Center 30 on Friday, May 3rd. We'll be at the same great location we have been for the past few ...
#213 - AWS Secure Defaults, Damn Vulnerable LLM Agent, cdk-goat
Useful secure defaults + SCPs for your AWS account, a chatbot LLM ReAct agent for prompt injection practice, vulnerable by design AWS Cloud Development Kit infrastructure
A review of application security happenings and industry news from Chris Romeo.
Trustwave Transfers ModSecurity Custodianship to OWASP on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
How many programmers does it take to filter out 36 characters? You may think this is an opening to a joke, but it's not.
It takes a special kind of person to name a company after their own body part. Fortunately the Microsoft Security Response Center doesn't seem to have inherited that kind of mentality, because when I reported not a bug but a feature as a vulnerability, they accepted it.
cross-posted from: https://infosec.pub/post/5707149
I talk about a report I've made to MSRC in the beginning of the year regarding vscode.
It's a bit different. There's no in depth technical stuff, because I basically just reported the feature, not a bug.
AI dev assistants can be convinced to spill secrets learned during training
It was the year of the Linux desktop 1978. Old yellowed computers were not yet old, nor yellowed. Digital Equipment Corporation released the first popular terminal to support a standardized in-band encoding for control functions, the VT100.
This is my first write-up, on a vulnerability I discovered in iTerm2 (RCE). Would love to hear opinions on this. I tried to make the writing engaging.
New OWASP Cheat Sheet on Mobile Security
Website with the collection of all the cheat sheets of the project.
Mobile application development presents certain security challenges that are unique compared to web applications and other forms of software. This cheat sheet provides guidance on security considerations for mobile app development. It is not a comprehensive guide by any means, but rather a starting point for developers to consider security in their mobile app development.
...
OWASP Top 10 for LLMs (v1.0)
Aims to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs)