
Ronnie Flathers
@ropnop
Followers: 6K | Following: 4K | Media: 176 | Statuses: 2K
security engr, pentester, researcher. i sometimes blog and code based on motivation/caffeine levels. Principal Security Engineer @Marqeta
Chicago
Joined October 2013
RT @JerrinJacob26: Huge shoutout to @ropnop on this article of SOP, CORS and CSRF. I don't know how many times I ha….
blog.ropnop.com
RT @clintgibler: 🚧 AWS Perimeter Mod for @steampipeio. An AWS perimeter checking tool that can be used to look for resources that are: * Pu….
github.com
Is your AWS perimeter secure? Use Powerpipe and Steampipe to check your AWS accounts for public resources, resources shared with untrusted accounts, insecure network configurations and more. - tur...
Yes great talk!! Tons to unpack and think about how to “productive” security more.
RT @manicode: Brilliant talk from @coffeetocode on bonding security to developer productivity.
RT @manicode: When it literally rains on your parade at @LocoMocoSec with @ropnop @SammyHep @ndm @h4ck3rky13 and @coffeetocode #stillHaving….
Aloha @LocoMocoSec 😎 so excited to be here - have wanted to attend this con for a long time! Really looking forward to learning a lot, talking prodsec and meeting new friends. Anyone else gonna be here? And can’t wait to catch up @coffeetocode been too long!
RT @mubix: Finally decided to post 10+ years worth of notes on using ldapsearch - it references great work from @ropnop @agsolino @harmj0y….
malicious.link
ldapsearch is an extremely powerful tool, especially for Windows Active Directory enumeration. It’s one of my primary tools when performing pentesting or red teaming against an environment with Active...
RT @projectsigstore: 🥳🎉 We are happy to announce that sigstore is now an @theopenssf project! 🎉🥳.
Welp that wasn't too hard. Minisign's spec is pretty easy to implement. Can now minisign things with ed25519 keys stored in Vault (and eventually other kms's). Might open-source it if I can clean it up and generalize
Before I go coding something new, has anyone used @hashicorp Vault's transit engine with ed25519 keys to output minisign compatible signatures? Seems like a great plug-in or feature to have, but I’m pretty sure it wouldn’t be too difficult to wrap the vault api if I have to….
RT @dinodaizovi: It's great to see GCP include code examples for app-layer, client-side encryption for data stored in MySQL, including how….
cloud.google.com
My company is hiring for several security roles (appsec, privacy, cloudsec) if you’re looking for a change! Awesome team and culture, and remote friendly. Come help me solve some really cool and interesting problems! Lmk if you wanna chat DMs open
marqeta.com
Join Marqeta and empower innovation in fintech! Enjoy flexible work, top benefits, and a diverse, award-winning culture. Explore our career opportunities!
RT @dinodaizovi: This type of cross-tenant attack against Azure's Cosmos DB is a great example of why you should want client-side, app-laye….
wiz.io
As part of building a market-leading CNAPP, Wiz Research is constantly looking for new attack surfaces in the cloud. Two weeks ago we discovered an unprecedented breach that affects Azure’s flagship...