Chris (stof) Langton
@0x73746f66.bsky.social
Co-founder & CTO of Vulnetix
Bits of Cyber @ Substack
NVD declaring bankruptcy, and the perverse incentives of CVE quickly making it the least useful and smallest collection of numbered vulnerabilities despite over 30% growth, means someone in the private sector has to solve the problem

When you learn log4shell was found 2 years before it had a CVE...
April 12, 2025 at 5:03 AM
So I recently became a customer of #exetel / #superloop
They don't like good #passwords
First #cybersecurity FAIL was sending passwords in cleartext over email
Second FAIL is forcing customers to reduce password length or use simple characters that are easy to crack

Oh wait, I forgot
We have that AAA bill here!
April 2, 2025 at 9:45 PM
I'm keen to catch up with any of you at Australian Information Security Association (AISA) #cybercon

let's go!
March 17, 2025 at 10:27 PM
Works with Vulnetix
#Secrets scanners
#SAST
Linters
#Code test coverage
#IaC
#Containers
Compilers
#DAST
#AttackSurface

+ Anything else that exports #CycloneDX, #SPDX, or #SARIF

Vendor Support for CycloneDX here: cyclonedx.org/about/suppor...

Or SPDX here: spdx.dev/use/spdx-too...

Let's chat
March 8, 2025 at 11:36 PM
Did you know your security metrics need context?
📈
New #PCI DSS requirement in May: Risk-based approach to security control implementation

Because not all risks are created equal! #RiskManagement
February 22, 2025 at 4:15 AM
Identity crisis? PCI DSS now requires unique IDs for everyone. No more sharing credentials like they're Netflix passwords!
February 21, 2025 at 11:47 PM
"Why are there so many logs?" Because PCI DSS 4.0.1 treats your system like a crime scene - everything needs to be documented
February 21, 2025 at 11:44 PM
When we teach new developers to bypass security checks, we're setting them up for a career of poor security practices

The industry's casual approach to security bypasses is creating a generation of developers who don't understand what they're bypassing

#AppSec #fail #SCA
February 15, 2025 at 11:13 PM
Package managers should make security bypasses harder, not provide convenient flags to disable them

The problem with security in modern development isn't that it's broken - it's that we've normalised breaking it

Golang and JavaScript are the worst offenders

#AppSec #fail #SCA
February 15, 2025 at 11:12 PM
The industry's approach to hash verification is like having a smoke alarm that everyone's learned to take the batteries out of
#AppSec #fail
February 15, 2025 at 11:10 PM
Hash verification isn't a development inconvenience - it's your last line of defence against compromised dependencies

Stack Overflow's highest-voted answers for hash mismatch issues are often the most security-unconscious solutions

Junior Devs love them

#AppSec #DevSecOps #SCA #Dev
February 15, 2025 at 11:10 PM
Want to hire senior Devs better?

The difference between a junior and senior developer often lies in how they handle security warnings - one bypasses, the other investigates

If you have a senior who doesn't investigate a hash mismatch, they're still very junior and lack the curiosity to level up #AppSec
February 15, 2025 at 11:08 PM
The most dangerous thing about security bypasses isn't the bypass itself - it's how quickly they become standard practice.
Documentation or CLI output that suggests bypassing security checks without explanation is essentially teaching developers bad habits
#AppSec #DevSecOps #SCA #Software
February 15, 2025 at 11:06 PM
Software supply chain attacks succeed not because of sophisticated techniques, but because we've trained developers to ignore warning signs
Hash mismatch?
Let me fix that, putting the new hash in my manifest.
Done
All fixed, build passing
#AppSec #SCA #SupplyChain #Security #devsecops
February 15, 2025 at 11:05 PM
If you're routinely clearing your package cache to resolve hash mismatches, you're probably doing security wrong
#AppSec #supplychain #sca
February 15, 2025 at 11:03 PM
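The thread above argues that a hash mismatch should stop the build and start an investigation, not trigger a manifest edit or a cache purge. The script below is an added example written for this page (it is not one of the posts, and not Vulnetix code) that shows both behaviours side by side: a fail-closed verifier for pip-style `--hash=` pins and npm-style SRI `integrity` strings, next to the "just update the hash" anti-pattern. The package name, manifest and artifact bytes are constructed inline so it runs offline; `examplepkg` and the wheel contents are invented for the demonstration.

```python
"""Fail-closed dependency hash verification.

Added example, not from the original post. Manifest lines follow the
pip requirements format (name==ver --hash=sha256:<hex>); npm lockfile
'integrity' values (sha512-<base64>) are accepted via sri_to_pin().
All inputs below are constructed for the example.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

_PIP_HASH = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
_SRI = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$")


@dataclass(frozen=True)
class Pin:
    name: str
    algo: str
    digest_hex: str


def parse_pins(manifest: str) -> dict[str, list[Pin]]:
    """Parse pip-style pinned requirements; one package may list several hashes."""
    pins: dict[str, list[Pin]] = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split("==", 1)[0].strip()
        for algo, hexdigest in _PIP_HASH.findall(line):
            pins.setdefault(name, []).append(Pin(name, algo, hexdigest.lower()))
    return pins


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """Build an npm-style Subresource Integrity string for known-good bytes."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def sri_to_pin(name: str, sri: str) -> Pin:
    """Convert an npm lockfile 'integrity' value to a Pin (hex digest)."""
    m = _SRI.match(sri)
    if not m:
        raise ValueError(f"not an SRI string: {sri!r}")
    algo, b64 = m.groups()
    return Pin(name, algo, base64.b64decode(b64).hex())


def verify_artifact(name: str, data: bytes, pins: dict[str, list[Pin]]) -> dict:
    """Fail closed: a missing pin and a mismatching digest both block the install."""
    expected = pins.get(name)
    if not expected:
        return {"ok": False, "reason": "no pinned hash for package", "name": name}
    for pin in expected:
        if hashlib.new(pin.algo, data).hexdigest() == pin.digest_hex:
            return {"ok": True, "name": name, "algo": pin.algo}
    # Report both sides so the investigation starts from evidence, not a guess
    return {
        "ok": False, "reason": "hash mismatch", "name": name,
        "expected": [f"{p.algo}:{p.digest_hex}" for p in expected],
        "actual": hashlib.new(expected[0].algo, data).hexdigest(),
    }


def the_wrong_fix(manifest: str, name: str, data: bytes) -> str:
    """The anti-pattern from the thread: overwrite the pin with whatever the
    new file hashes to. Verification now 'passes' and nothing was investigated."""
    new_digest = hashlib.sha256(data).hexdigest()
    return re.sub(rf"({re.escape(name)}==\S+ --hash=sha256:)[0-9a-f]+",
                  rf"\g<1>{new_digest}", manifest)


# Constructed sample artifacts; in practice these are downloaded wheels/tarballs
GOOD_WHEEL = b"PK\x03\x04 fake wheel contents v1.2.3"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# extra payload"

MANIFEST = "\n".join([
    "# requirements.txt with pinned hashes (constructed for the example)",
    f"examplepkg==1.2.3 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}",
])

if __name__ == "__main__":
    pins = parse_pins(MANIFEST)
    print(verify_artifact("examplepkg", GOOD_WHEEL, pins))      # ok
    print(verify_artifact("examplepkg", TAMPERED_WHEEL, pins))  # hash mismatch, build stops
    # Same tampered bytes after the "fix": passes, and the tampering is now trusted
    rewritten = parse_pins(the_wrong_fix(MANIFEST, "examplepkg", TAMPERED_WHEEL))
    print(verify_artifact("examplepkg", TAMPERED_WHEEL, rewritten))
```

The point of `verify_artifact` returning both digests is that a mismatch is evidence: compare the actual digest against the registry's published hash and against another machine's cache before deciding whether it is a re-upload, a mirror problem, or a compromised dependency. `the_wrong_fix` is the manual equivalent of deleting the cache and re-pinning, which discards that evidence.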
You don't understand #SoftwareSupplyChain

Cursor #AI is not competing with VS Code, it's built on it

Brave is not competing with chrome, it's built on it

Apple/Google are not competing with T-Mobile/Verizon

These are supply chains

It's like saying a #SaaS competes with the Internet

Absurd
January 18, 2025 at 2:16 AM
The best security tool in the world is useless against interdepartmental politics

There's always budget for another tool, but never for enough people to use them properly

#AppSec
January 12, 2025 at 2:17 PM
Corinium Australian Government Report 2023

Average MTTR of 89 days for government agencies
Agencies maintain 10-25 security tools
Maintenance window approvals are most time-consuming
Security leaders spend 80% time on administrative tasks

Administrative overhead is 100% in roles below leadership
January 12, 2025 at 2:16 PM
12% of "risk accepted" vulnerabilities are critical (Edgescan 2023)
January 12, 2025 at 2:12 PM
41% of enterprise vulnerabilities remain open after a year (Edgescan 2023)
January 12, 2025 at 2:11 PM
Think credential #breaches are about weak #passwords and #phishing?
Think again

While vendors push #MFA solutions and every report outright (or indirectly) blames users for poor password hygiene, the real problem lurks in our applications' blind trust of sessions and lack of proper access controls
January 3, 2025 at 12:38 PM
🤔 Uncomfortable Question Time

I've collected my most thought-provoking posts of 2024 that dared to ask:

Is #DevSecOps actually helping?
Can we admit #ZeroTrust doesn't exist?
Are we too dependent on scanning tools? #AppSec

The answers might surprise you (or make you angry - that's fine too!)
Top 5 Posts of 2024 That Actually Mattered (open.substack.com)
January 2, 2025 at 7:33 AM
bitsofcyber.substack.com
Artifacts (like SBOMs or signatures): the word doesn't imply they're old or for display purposes only 🦕🦖
#AppSec
January 1, 2025 at 11:53 AM
January 1, 2025 at 9:11 AM
🎉 New Year's Security Resolutions be like:

I resolve to count to 10 before screaming at security scanner alerts

Which security tool sparked joy via uninstallation for you this year? 😅

#AppSec #DevSecOps #SecurityLife
New Year's Resolutions from your work colleagues: Cybersecurity edition
As we enter 2025, let's take a moment to appreciate these heartfelt security-related New Year's resolutions from our esteemed colleagues and friends.
substack.com
December 31, 2024 at 12:10 AM