Andrew Hoffman

@and1hof

Followers
165
Following
3
Media
5
Statuses
39

Software Engineer & Security Researcher. Author of Web Application Security: Exploitation and Countermeasures (O'Reilly, 2020).

Seattle, WA
Joined September 2015
@and1hof
Andrew Hoffman
3 years
I am separating my manual and automated tweets. Follow @and1hofbot for reminders whenever I upload a new YouTube video. Follow this account to hear my thoughts and ideas.
1
0
0
@and1hof
Andrew Hoffman
5 months
This morning I released a deep-dive and technical breakdown of a sophisticated XSS vulnerability that was exploited against 80+ govs last year. It uses an unusual & uncommon XSS sink. #appsec #infosec #CyberSecurity.
0
0
0
@and1hof
Andrew Hoffman
3 years
I just released an important blog post regarding a new and upcoming SCA feature that all next-gen platforms will have. #infosec #cybersecurity .
1
0
0
@and1hof
Andrew Hoffman
3 years
SCA tells you if a library is vulnerable, but does not tell you if you are making use of the library in a vulnerable way. Next-gen SCA will all support "reachability" combining SCA & SAST to close this gap. #infosec.
0
0
0
@and1hof
Andrew Hoffman
3 years
RT @echetus: If you use Wikipedia, you've seen pop-ups like this. If you're like me, you may have donated as a result. Wikipedia is an am….
0
8K
0
@and1hof
Andrew Hoffman
3 years
Decentralized apps don’t have to be built on blockchains. #programming.
0
2
3
@and1hof
Andrew Hoffman
3 years
Do note, "crypto" has referred to cryptographic algorithms for far longer than it has referred to cryptocurrency. #security.
0
1
1
@and1hof
Andrew Hoffman
3 years
Piggybacking on the previous data privacy tweet: remember not to roll your own crypto. NIST has good breakdowns of what crypto algorithms are secure in 2022 and beyond.
0
0
0
@and1hof
Andrew Hoffman
3 years
One often forgotten element of good security posture is data privacy. If companies would encrypt PII more often, then even in the case of a data breach the blast radius would be limited and the most valuable data would be un-useable by a hacker.
0
1
0
@and1hof
Andrew Hoffman
3 years
If a library has 200 separate functions and 1 of those functions is vulnerable it should not be an incident unless your code is invoking the vulnerable function. #security.
0
1
1
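The two tweets above (SCA plus reachability, and "not an incident unless your code invokes the vulnerable function") describe the same check. Here is a small added example of it, written for this page and not code from the author or any SCA product: it parses constructed project sources with Python's stdlib ast module, resolves import aliases, and reports only direct calls into the functions an advisory names. The package "imglib", its function "decode", and the file contents are assumptions made for the example.

```python
import ast
from typing import Dict, List, Set, Tuple

# Constructed advisory for a hypothetical package "imglib": of all its functions,
# only imglib.decode is affected. Package and function names are assumptions for
# the example, not a real advisory.
ADVISORY = {"package": "imglib", "functions": {"decode"}}

# Constructed project sources, keyed by path, standing in for a checked-out repo.
PROJECT = {
    "app/thumbs.py": (
        "import imglib\n"
        "def thumb(data):\n"
        "    return imglib.resize(data, 64)\n"   # uses an unaffected function only
    ),
    "app/upload.py": (
        "from imglib import decode as dec\n"
        "def handle(data):\n"
        "    return dec(data)\n"                   # vulnerable function via a from-import alias
    ),
    "app/legacy.py": (
        "import imglib as im\n"
        "def parse(data):\n"
        "    return im.decode(data)\n"             # vulnerable function via a module alias
    ),
}


class _CallFinder(ast.NodeVisitor):
    """Walk one module and record every call that resolves to an advisory function."""

    def __init__(self, package: str, functions: Set[str]) -> None:
        self.package = package
        self.functions = functions
        self.module_aliases: Dict[str, str] = {}  # local name -> imported package
        self.func_aliases: Dict[str, str] = {}    # local name -> imported function
        self.hits: List[Tuple[int, str]] = []     # (line number, qualified callee)

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:                  # import imglib / import imglib as im
            if alias.name == self.package:
                self.module_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == self.package:           # from imglib import decode as dec
            for alias in node.names:
                if alias.name in self.functions:
                    self.func_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        fn = node.func
        if isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name):
            # im.decode(...) where "im" is bound to the advisory package
            if fn.value.id in self.module_aliases and fn.attr in self.functions:
                self.hits.append((node.lineno, f"{self.package}.{fn.attr}"))
        elif isinstance(fn, ast.Name) and fn.id in self.func_aliases:
            # dec(...) where "dec" is bound to the advisory function
            self.hits.append((node.lineno, f"{self.package}.{self.func_aliases[fn.id]}"))
        self.generic_visit(node)


def find_reachable_calls(sources: Dict[str, str], advisory: dict) -> List[Tuple[str, int, str]]:
    """Return (path, line, callee) for every direct call into an advisory function."""
    hits: List[Tuple[str, int, str]] = []
    for path, src in sources.items():
        finder = _CallFinder(advisory["package"], set(advisory["functions"]))
        finder.visit(ast.parse(src, filename=path))
        hits.extend((path, line, callee) for line, callee in finder.hits)
    return sorted(hits)


def triage(sources: Dict[str, str], advisory: dict) -> str:
    """SCA alone says 'affected version present'; reachability decides whether that is an incident."""
    return "incident" if find_reachable_calls(sources, advisory) else "upgrade-when-convenient"


if __name__ == "__main__":
    for path, line, callee in find_reachable_calls(PROJECT, ADVISORY):
        print(f"{path}:{line}: calls {callee}")
    print("verdict:", triage(PROJECT, ADVISORY))
```

On the constructed project this flags app/upload.py and app/legacy.py and leaves app/thumbs.py alone, even though all three import the affected package. The deliberate limitation is that it only sees direct, statically resolvable calls: re-exports through another module, getattr, and calls made inside the dependency itself on your behalf are invisible here, which is why real reachability analysis builds a call graph across the dependency tree rather than scanning one file at a time.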
@and1hof
Andrew Hoffman
3 years
In any other industry suggesting “hash and salt” to a co-worker means you want to get brunch at the local diner. #CybersecurityAwarenessMonth.
0
0
0
@and1hof
Andrew Hoffman
3 years
Regression testing is essential for a good long term security posture. Fix the vulnerability once, write a test and then block merge if a developer ever reopens the bug. #CybersecurityAwarenessMonth2022.
1
0
1
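As an added example of the regression test described above (written for this page, not the author's code), take a path traversal bug in an upload handler: the pre-fix resolver joins and normalises but never checks containment, the fixed resolver rejects anything that leaves the upload root, and a replay of every payload from the original report becomes the merge gate. The upload root "/srv/uploads" and the payload list are constructed for the example.

```python
import posixpath
from typing import Callable, Dict, List

# Assumed upload root for the example; a constructed path, not from the original page.
UPLOAD_ROOT = "/srv/uploads"


def resolve_upload_path_before_fix(base: str, requested: str) -> str:
    """The bug as it was reported: join and normalise, but never check containment."""
    return posixpath.normpath(posixpath.join(base, requested))


def resolve_upload_path(base: str, requested: str) -> str:
    """The fix: resolve the candidate, then require that it stays inside base."""
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # commonpath, not startswith: "/srv/uploads2/x" must not pass for base "/srv/uploads"
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload root: {requested!r}")
    return candidate


# Constructed payloads standing in for the ones in the original bug report; each
# reached a file outside the upload root. Any bypass found later gets appended.
REGRESSION_PAYLOADS: List[str] = [
    "../../etc/passwd",
    "/etc/passwd",
    "docs/../../../etc/shadow",
    "..",
    "./../secrets.env",
]


def run_regression(resolver: Callable[[str, str], str]) -> Dict[str, List[str]]:
    """Replay every known payload; anything that still escapes fails the gate."""
    outcome: Dict[str, List[str]] = {"rejected": [], "contained": [], "escaped": []}
    for payload in REGRESSION_PAYLOADS:
        try:
            result = resolver(UPLOAD_ROOT, payload)
        except ValueError:
            outcome["rejected"].append(payload)
            continue
        if posixpath.commonpath([UPLOAD_ROOT, result]) == UPLOAD_ROOT:
            outcome["contained"].append(payload)   # resolved, but harmlessly inside root
        else:
            outcome["escaped"].append(payload)     # the bug is back: block the merge
    return outcome


def merge_allowed(resolver: Callable[[str, str], str]) -> bool:
    """CI gate: merge only if no historical payload escapes the root."""
    return not run_regression(resolver)["escaped"]


if __name__ == "__main__":
    print("before fix, escaped:", run_regression(resolve_upload_path_before_fix)["escaped"])
    print("after fix, escaped:", run_regression(resolve_upload_path)["escaped"])
    print("merge allowed:", merge_allowed(resolve_upload_path))
```

The point of keeping the pre-fix resolver in the example is to show the gate doing its job: all five payloads escape through it and merge_allowed returns False, while the fixed resolver rejects every one. In a real repo the payload list lives next to the fix in the test suite, so the day someone "simplifies" the containment check the same CI job that caught the original report turns red again. Note that this layer assumes the request path has already been percent-decoded; encoded traversal sequences are a separate test case at the decoding boundary.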
@and1hof
Andrew Hoffman
3 years
The goal of a threat model should be four-fold. a) identify threats, b) identify mitigations, c) identify delta between "a" and "b", and finally d) document knowledge #CybersecurityAwarenessMonth.
0
0
2
@and1hof
Andrew Hoffman
3 years
For cryptocurrency to succeed in the long run, it needs to deliver value by replacing or creating new financial tools. Coins solely used for price speculation and trading aren't worth considering as part of your long term strategy.
0
0
1
@and1hof
Andrew Hoffman
3 years
RT @ACouedelo: Great Explainer about Zero Trust Architecture by @and1hof . He made me realize that I had missed some elements in my researc….
0
1
0
@and1hof
Andrew Hoffman
3 years
Don’t forget to vote in the upcoming midterm elections. As a US citizen, these elections are your best voice into changing outdated laws, introducing new ones and of course preserving and improving our democracy! #Midterms2022.
0
0
0
@and1hof
Andrew Hoffman
3 years
RT @DanaEpp: I’m giving away the perfect API Hacker’s library to one of my readers - @hAPI_hacker’s “Hacking APIs”, @DafyddStuttard’s “The….
0
20
0
@and1hof
Andrew Hoffman
3 years
I am releasing a comprehensive video on #ZeroTrust architecture in 1 hour on my YouTube channel (and1hof). Head on over to YT and check it out #CybersecurityAwarenessMonth
0
0
1
@and1hof
Andrew Hoffman
3 years
RT @cianmaher0: "Graphics are the first thing finished in a video game" . Here's a Thunderjaw from an early build of Horizon: Zero Dawn htt….
0
4K
0
@and1hof
Andrew Hoffman
3 years
If you haven't already, check out my short documentary on hacking Pokémon games: #pokemon.
0
0
1
@and1hof
Andrew Hoffman
3 years
Yes, you too can design an app that is difficult to hack as long as your architects evaluate security cost-benefit trade-offs alongside functionality requests. It’s much harder to secure an app after it’s been built. #cybersecurity.
0
0
0