"Penetration Test" is a crazy overloaded term. Important to start w/ discussion of goals and tradeoffs between testers and client team.

Thanks for the #BSidesSF Semgrep workshop @enncoded @LewisArdern @onefiftyman . You packed a *ton* into 2 hours. Really appreciate the work that went into it.

What can we say, twitter-driven development sometimes works :) .. Ya'll are good folks. Keep it going!.

Expanded a bit on this over at

I love formal forecasting exercises (esp those run by @Magoo) because they really force you to slow down consider all the potentially relevant facts, and introspect your biases. FWIW I was 80% here, but I think I was undervaluing the "autopilot" nature of modern CI/CD.

Of the ~950 people I follow on twitter, some hacky profile scraping says that about 60 of those currently have a Mastodon link. So for me that's basically from ~0% to 15% exodus (or at least strongly hedging) in a *week*.

Hah, this makes me feel so much better about my small pile of aborted "I think I should write something about. " drafts.

RT @tqbf: I don’t think there’s a SOC2 rule against banking 50 pre-approved empty PRs for future use.

When looking at a big backlog of known work we want to drive, it's *so easy* to just group into themes and call it good. I can think of times I've done that which really, really would have benefitted from asking if the framing leads to an ability to confidently prioritize. 2/2.

Someone asked today "Is that list of 'goals' *really* a list of goals, or just a some themes of work?" . I *love* that question & the insight behind it. True "goals" help prioritize among possible work, themes really don't. 1/2.

RT @aboodman: Chrome was delivered without any sprints at all. The team came in at 9 and left at 5 (figuratively, people actually kept thei….

Congrats to @Resourcely! Clear, exciting product vision at that critical touchpoint of developer velocity, security, and cloud resources. Very pleased to have joined this round, and looking forward to seeing where @travismcpeak and @0xshellrider take this idea.

Strong recommend for anyone thinking about sustainability, culture, and ultimately the humans in a security organization. @astha_singhal knows what she's talking about and delivers it so well. 🙌.

Web timing attacks: super cool in principle, still super janky in practice. Seems like TimeTrial ( and Nanown ( still best tools, but really janky to get running & require a known-good case. Anyone got suggestions? Banging my head.

Strong recommend. Some great examples that improve both risk and user experience, and also give metrics that make the wins feel real.

RT @manicode: Brilliant talk from @coffeetocode on bonding security to developer productivity.

Slides from my #LocoMocoSec talk on "Productizing Security"

#locomocosec.

RT @manicode: When it literally rains on your parade at @LocoMocoSec with @ropnop @SammyHep @ndm @h4ck3rky13 and @coffeetocode #stillHaving….

Woo! @LocoMocoSec has been on my list since it started; I'm finally here and so excited! Looking forward to meeting folks. Just hanging out today/tomorrow if anyone else in early wants to meet up!.

Woot! Let's do this! I'm really looking forward to sharing this.