I assume 3rd party CNAs will continue to function? This is about to get messy either way, though...
BREAKING.
From a reliable source. MITRE support for the CVE program is due to expire tomorrow. The attached letter was sent out to CVE Board Members.
Happy friggin Tuesday
My team calls it "eating your vegetables" 🥦
I'm impressed that it changed the facial expression of the woman to match the context of her text
God forbid there be any more than three companies involved in cloud technologies. This is a win for Wiz, and a loss for its users.
www.theverge.com/goo...
My coworkers and I bring this one back up at least twice a year
I see. Another thing you could look into is Infisical, which is a pretty intuitive self-hosted secret manager. I just wrote a blog post for them that shows how to set it up and use their CLI for just-in-time ENV injection, which works if you're manually running commands.
infisical.com/blog/self-ho...
Not sure what you're working with, but most CI platforms are able to issue short lived JWTs to jobs that securely attest what the job is so you can federate access with OIDC. Might be worth looking into if you haven't already. Or it might not be possible as you said without platform support.
Have you tried using OIDC auth to access the vault with a machine identity? IMO that's the best solution to the "recursive secrets" problem
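As an added illustration of the OIDC federation idea in the two replies above (not code from the original posts, and not Vault's or any CI platform's own implementation): the CI side mints a short-lived RS256 JWT whose `sub` attests which repository and branch the job is running for, and the vault side verifies the signature against the platform's public key (in practice fetched from its JWKS endpoint), rejects expired tokens, and only then maps the token's bound claims to a role and its secret path. No long-lived secret ever lands in the pipeline. The claim names, issuer and audience strings, the `Role` shape and the hand-rolled JWT encoding are all assumptions made for the example; production code would use the platform's real claim schema and a maintained JWT library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of an OIDC ID token a CI platform would put in a job's
// short-lived JWT. Field names are assumptions modelled on common CI providers.
type Claims struct {
	Iss  string `json:"iss"`
	Sub  string `json:"sub"`
	Aud  string `json:"aud"`
	Exp  int64  `json:"exp"`
	Iat  int64  `json:"iat"`
	Repo string `json:"repository"`
	Ref  string `json:"ref"`
}

// Role is the vault-side binding (hypothetical shape): the claim values a token
// must carry exactly, and the secret path that match entitles the job to.
type Role struct {
	Name        string
	BoundIssuer string
	BoundAud    string
	BoundSub    string
	SecretPath  string
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintJWT plays the CI platform: it signs the job's claims with its private key (RS256).
func MintJWT(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAndAuthorize plays the vault's JWT auth method: pin the algorithm, verify the
// signature against the platform's public key, reject expired tokens, then require the
// role's bound claims to match exactly before handing back the permitted secret path.
func VerifyAndAuthorize(pub *rsa.PublicKey, token string, role Role, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return "", err
	}
	if hdr.Alg != "RS256" { // never let the token pick its own algorithm (alg:none, HS256 confusion)
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return "", err
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	if c.Iss != role.BoundIssuer || c.Aud != role.BoundAud || c.Sub != role.BoundSub {
		return "", fmt.Errorf("claims do not match role %s", role.Name)
	}
	return role.SecretPath, nil
}

func main() {
	// Constructed scenario: a deploy job on main asks for the prod KV path.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	role := Role{Name: "deploy", BoundIssuer: "https://ci.example.internal",
		BoundAud: "vault.example.internal", BoundSub: "repo:example/app:ref:refs/heads/main",
		SecretPath: "kv/prod/app"}
	claims := Claims{Iss: role.BoundIssuer, Sub: role.BoundSub, Aud: role.BoundAud,
		Iat: now.Unix(), Exp: now.Add(10 * time.Minute).Unix(), Repo: "example/app", Ref: "refs/heads/main"}
	tok, _ := MintJWT(key, claims)
	path, err := VerifyAndAuthorize(&key.PublicKey, tok, role, now)
	fmt.Println(path, err)
}
```

The `sub` binding is the part that matters: a job on a feature branch, or in a fork, gets a different `sub` from the same issuer and is refused the prod path even though its token is perfectly valid, so the trust decision lives in the vault's role mapping rather than in anything the job could forge.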
I've been adding muted words on this account to reduce the politics on my timeline (I have another account and news for that).
What words am I missing?
It's so easy to use, our high school intern with zero previous Linux experience has been able to use it in our lab to document what we detect and what our gaps are.
It's been a great project for him to learn about Linux and detection engineering.
Just saw an Elastic blog about detecting PANIX techniques, and wanted to give a big s/o to the tool.
github.com/Aegrah/PANIX
bsky.app/profile/lawn...
The hardest part of writing this blog post is to not sound like I'm vomiting buzzwords like an auditor who pretends to understand how security works
There are way too many acronyms and buzzwords in the identity security space...
I'm writing an article for a client that I could literally title:
"PKI, APIs, JWTs, and SSH: The IAM challenges of Zero Trust ILM for NHIs"
Accurate 😂 and optionally buy a domain
And lots of times things get re-invented
Nothing is "old school" if it still works 🤷
Really appreciate the content and tooling you contribute to the community. Congrats on 5 years!
I worry what it will do to entry level positions, which will in turn raise the bar for someone to get a job that can't be automated with AI agents. I agree that there will always need to be qualified human oversight, but how do those people get trained?
I think the difference between authn and authz in general is commonly misunderstood
"trust, but verify" 💯
#100DaysOfKQL
Day 24 - LOLDRIVERS Malicious Driver Observed or Loaded
Featuring the awesome LOLDrivers project from @magicswordio
Anything they release is amazing and worth integrating into your detection/threat hunting rules, check them out!
github.com/SecurityAura...
If you work at an organization where tighter security ALWAYS means more profit (security vendor, consultant, cyber education, standards research), understand that this is not the case for most companies.
How do we feel about MS's claim that Windows 11 is "Secure by default" lol
query.prod.cms.rt.microsoft.com/cms/api/am/b...
That darn #OST
Look mom I'm famous 😅