Tony Torralba
@_atorralba
Followers: 411 · Following: 870 · Media: 17 · Statuses: 338
Breaking builds and building breakages. He/him. ProdSec Engineer @okta. Opinions are my own. Mastodon: https://t.co/oFZdTxYDMJ
Barcelona
Joined December 2011
Last quarter I rolled out Microsoft Copilot to 4,000 employees. $30 per seat per month. $1.4 million annually. I called it "digital transformation." The board loved that phrase. They approved it in eleven minutes. No one asked what it would actually do. Including me. I
I remember being excited about AI. I remember 20 years ago, being excited about neuroevolutionary methods for learning adaptive behaviors in video games. And I remember three years ago, mouth watering at the thought of tasty experiments in putting language models inside
"Beyond the Surface: Exploring Attacker Persistence Strategies in Kubernetes" by @raesene. Live demos are always a sign of bravery, and I personally love talks where the narrative revolves around red team-style engagements and operational tricks. https://t.co/PgQyAugLtY
owasp2025globalappseceu.sched.com
View more about this event at OWASP 2025 Global AppSec EU
"Friend or foe? TypeScript security fallacies" by @liran_tal. Engaging talk about how TypeScript doesn't automatically prevent security issues, sometimes very counter-intuitively! Good memes as well :P https://t.co/ZEuHh2dQVl
owasp2025globalappseceu.sched.com
"Securing cross-platform mobile applications" by @Dauntless. Really well thought out and presented, with experiments comparing the output of the most popular cross-platform mobile app frameworks out there and common mobile vulnerabilities. https://t.co/cskKKM6vEC
owasp2025globalappseceu.sched.com
My highlights from yesterday's talks at @owasp AppSec Global Barcelona:
New blog post with @infosec_au: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here:
samcurry.net
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United...
Security in Action(s): extending CodeQL to detect Workflow vulnerabilities 🎤 Álvaro Muñoz. Protect your CI/CD pipelines with advanced vulnerability detection in GitHub Actions. --- Room A2 - Wednesday, November 13, 14:45 to 15:30 @ekoparty CEC Buenos Aires
As someone who has always toyed with the idea of learning more about low-level exploitation (but is currently very bad at it), I enjoyed this post a whole lot. Not only because of the insights about the whats and whys, but also because of the transversal look at the offsec industry.
So you want to make a career in low-level exploitation? Well, there is some bad news and some good news. Either way, here is some information to equip you on your way: "FAQ: The tragedy of low-level exploitation" https://t.co/R7pQjWXcaw
🚨 New Blog Alert! 🚨 Can an attacker execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities in Ruby can be exploited and how they can be detected with CodeQL. 🔗 Read the full post: https://t.co/tdumVwrfKC Stay safe and code responsibly! 🛡️💻
github.blog
Can an attacker execute arbitrary commands on a remote server just by sending JSON? Yes, if the running code contains unsafe deserialization vulnerabilities. But how is that possible? In this blog...
This is happening today at 1pm CET. Those of you attending, see you there!
Happy to share that @pwntester and I will be presenting our talk "Finding vulnerabilities at scale in Jenkins plugins with CodeQL" at @BarcelonaBsides, happening on May 29-30. Join us to learn about CodeQL, vulnerability research at scale, and the Jenkins plugin ecosystem!
GHSL-2024-013_GHSL-2024-014: SQL injection vulnerability in Meshery - CVE-2024-35181, CVE-2024-35182
securitylab.github.com
A SQL injection vulnerability in Meshery up to v0.7.22 allows a remote attacker to obtain sensitive information, alter database registries, or create arbitrary files via the order and sort parameters...
Happy to share that @pwntester and I will be presenting our talk "Finding vulnerabilities at scale in Jenkins plugins with CodeQL" at @BarcelonaBsides, happening on May 29-30. Join us to learn about CodeQL, vulnerability research at scale, and the Jenkins plugin ecosystem!
Learn to audit applications for vulnerabilities with CodeQL and find them in thousands of GitHub repositories at once. 🚀 My blog, CodeQL zero to hero part 3: Security research with CodeQL is out! https://t.co/Xt4xAJ5S8h
github.blog
Learn how to use CodeQL for security research and improve your security research workflow.
This is my favorite kind of talk: great storytelling, cool visuals, technically interesting scenarios, and inspiring discourse. Consider me impressed @curi0usJack :D https://t.co/yLQOMgk3lb
GHSL-2023-277: Arbitrary File Deletion (AFD) in Owncast - CVE-2024-31450
securitylab.github.com
Owncast in version 0.1.2 allows remote attackers with administrator privileges to delete arbitrary files by making a malicious POST request to /api/admin/emoji/delete.
Ever wondered how the @GHSecurityLab performs security research? Find out how they leverage code scanning, CodeQL, Codespaces and more🔒 ⬇️ https://t.co/nTxq1iLBMd
github.blog
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
Level up your security game on GitHub with seamless security research! Discover code scanning, CVE management, and more within GitHub's ecosystem. Check out this insightful blog post now! 🔒 #GitHub #SecurityResearch #CodeScanning #CVEManagement
https://t.co/XDXhepHZgX
github.blog