I have some extra time in the coming months and I'd like to use it to start a small research project: I want to make a catalog of the security / privacy clauses that large enterprises often require in their contracts.

RT @DecryptedTech: @ImposeCost @bettersafetynet Let's not forget the industry's short attention span and lack of long-term memory.

Bug Bounty submission status: pending. 😴😴.

RT @AccidentalCISO: If you don’t like working with people, managing relationships, brokering deals, and finding ways to build influence out….

RT @HackingLZ: Infosec has a short memory forgetting all the marketing around ML stuff that was pushed years ago. It was the magic fix to s….

RT @patio11: You’d be surprised of how much of management, consulting, teaching, senior ICing, etc is:. “I want to X.”.“Have you written do….

RT @LuckyMcGee: Found the forest where Home Depot gets their lumber.

RT @_workchronicles: Learn to say No

here's a hot take: I think false positives (in infosec) are overrated as an issue. Instead, what's more important is the time spent to chase down and confirm no-issue. If that was instantaneous, we wouldn't care much about potential false positives. *ducks*.

Am I looking at this wrong? (Asking for a friend 😇).

But it seems a bit depressing from the founder point of view: bigco seems to have an insurmountable advantage when the idea is to integrate with (or assimilate) other tooling. Whereas small teams can often create an advantage where they are "the best" in a niche thing.

Also notice the nugget on security tooling consolidation for the next few years. This seems to be the consensus around the industry (and understandably: defence has been drowning in tools and alerts for too long).

I always admire it when someone puts his thoughts into words, it takes much more thought and courage than a throwaway tweet storm. Here is @txs with his view on the next years in cybersecurity: Worth a read!.

Raise your hand if you've seen this situation before 🙋‍♂️. from @DanielMiessler's blog post (. Read the whole thing, it's worth it. One can only hope he's right about the SEC intention and industry maturing.

What is the way to have some kind of approval flow to request resources? Ie: dev requests a s3 bucket and manager approves. Something low friction?.

RT @paularambles: if you’re not in tech then all you need to know about the past weekend is that your tech friends went through like three….

RT @DanielMiessler: The first rule for implementing something with machine learning or blockchain…is to figure out if you can implement it….

RT @planetlevel: @ddccffvv Over 62% of open source libraries are completely inactive - never even load into memory. Of code that does run,….

However, if you tell me I can only pick one scenario, I'm going with B (shift left be damned!). I'm fixing actual issues late, instead of hoping I've fixed everything early. Not even hesitating.

@planetlevel Scenario B is then an opportunity to get to the root cause. The best goal here might not be a "quick time to fix", but answering the question: "why did we not catch this issue earlier?".