
mackowski
@kubamackowski
Followers: 188 · Following: 278 · Media: 1 · Statuses: 121
I help developers write secure code. | co-leader of OWASP Cheat Sheet Series project. | Application Security Engineer
Joined December 2019
OH: to SAST Tools. When dealing with "OWASP Top 10 A9 Using Components with Known Vulnerabilities" please, unless you have a POC, do not set the risk as an "absolute" value. 1/3
@WeldPond @manicode Reachability is not exploitability. And even if we consider technically reachable, exploitable data flows, the security impact is encoded in the threat model, not code (is it an internal tool? Is the functionality only exposed to admin roles? Would anyone benefit from exploiting?)
☕ Java XML security can be quite a mess. 🧘 Sit down with our security researchers Pieter and Vasilii as they untangle XML security options across different XML parsers. 📓
As AppSec testing capabilities mature in our industry, intricate details and capabilities of various AppSec tools matter. Like does your SCA tool understand if the lib is exploitable or not? And I find that pros out there that understand this level of detail are rare.
Let's get the many OWASP Top 10's going again! If you are interested in contributing to any of the various OWASP Top 10's or Proactive Controls, please RSVP to one of these: Option 1 https://t.co/y8uxN5UOxM Option 2 https://t.co/A7YDIkem4N Option 3
meetup.com
Let's kick off the Top 10 reboots - Mobile, Top 10, proactive Controls, data collection and more.
Excellent article with lots of OWASP Cheatsheet references! https://t.co/zPZTPVoSgr
developer.cyberark.com
Applications need secrets to connect to other machines and services – API keys, SSH keys, session tokens, database connection strings…the...
🤬 XML Security in Java. Turns out, it's crazy! Varying mitigations, security features that don't work as documented, and more. @0xDC0DE and @ermil0v give probably the most thorough treatment of Java XML security I've seen https://t.co/hMTBzrky5w
We're launching a new VRP for Google's open source software, specifically focused on supply chain issues and build compromises. https://t.co/1j8X5MrRyh (this time with a proper link!)
security.googleblog.com
Posted by Francis Perron, Open Source Security Technical Program Manager, and Krzysztof Kotowicz, Information Security Engineer Today, we a...
a 🧵 ⚠️Orgs with mature security programs⚠️ Want a masterclass in scoping/running a bug bounty program? Read more from a program owner, (former) bounty platform employee, and top bug hunter (me😂) 🚨 Retweet, follow, & like for more sec content! 🚨 1/x
Who would be interested in building and publishing git-secrets and TruffleHog rules based on #OWASP #WrongSecrets? (Asking for a volunteer)
Thank you @left4deaf for adding Relationship-Based Access Control (ReBAC) to the Authorization cheatsheet! https://t.co/2eT0zqRoCN
#AppSec #OWASP #owaspcheatsheetseries
@owasp @manicode
ZAP needs your help! https://t.co/2VJ7i64e9u
zaproxy.org
Has ZAP helped you? Now it is your turn to help ZAP.
(1/5) If you're using the log4j library, you should bump it as soon as possible to 2.15+. A dangerous RCE was spotted a few days ago and it can be used by literally ANY user just by logging incoming data in some way. You should probably notify people you know about it #Java
Sometimes you get to scratch an itch and take something off your backlog that's been bugging you! We're now using CSP nonces in an enforced policy over at @reporturi 😎
scotthelme.co.uk
Hurrah! Sometimes it takes a little while for projects to make it through your backlog and into production, but the nonce-based policy for CSP on Report URI can now be crossed off the list! Content...
I highly recommend checking out this new @owasp project https://t.co/b3QEaEVEsM Kudos to @bendehaan @commjoenie for creating this! #appsec #owasp
https://t.co/mKj5gxf55R looks like a solid list of breached passwords we plan to add as an open source reference to one of the ASVS sections. Are there other lists we should reference?
ncsc.gov.uk
The contents were out of date or replaced, but you can still access the information via The National Archives website. Details how to do this below.
It's been a year since @drdr_zz wrote a series of articles about #OAuth. We hope you still keep it secure 🛡 https://t.co/JE1V77lfxP
#ITSecurity #appsec
securing.pl
Previous parts of the series introduced the risks and described potential vulnerabilities in OAuth 2.0 implementation. This section is the crème de la crème as it is a checklist of secure OAuth 2.0.
I’m having difficulty making a call for a cheatsheet regarding guidance to HMAC a password before sending it over TLS. Please chime in here if interested and have expertise in this area https://t.co/dXVN4G5hsK.
github.com
What is the proposed Cheat Sheet about? HMAC can be used in a way that allows users to login with a password but never actually transmit the password to the server during login. When you consider t...
Bypass SSRF protection with different encodings. A thread. 🧵👇