Security judgment for B2B SaaS teams. 6 years at Nike, ZeroFox, IDX — I know which controls actually matter for your stack. Delivered as code you keep.
Things I've found at companies that passed SOC 2:
• Containers running as root
• Action: *, Resource: * IAM policies
• GitHub Actions pinned to @main
• 387-day-old AWS access keys
• No network policies
The audit checked the box.
The infrastructure didn't care.
Nobody knew this was running.
pgAdmin on an EC2 box. Multiple major versions behind. CVSS 9.9. Remote code execution. Auth bypass. Public PoC exploits. Active exploitation in the wild.
Sitting there unpatched, unmonitored, invisible to every security review until a scanner caught it.
The scary stuff isn't zero-days. It's the forgotten admin tool that's been silently exposed for months because nobody inventoried what's actually running on their infrastructure.
Every company has some version of this. You just don't know about yours yet.
Most GitHub Actions workflows I audit use `actions/checkout@v4`.
That resolves to whatever `v4` points to TODAY. The maintainer can move that tag tomorrow.
Pin to the full SHA. It's the only immutable reference.
OAuth tokens with no expiration and overly broad scopes are just long-lived credentials wearing a trenchcoat.
If you're not auditing which third-party apps have consent grants in your IdP, you have shadow access you don't know about. Revoke what you don't recognize.
1,200+ malicious npm packages this month alone. Typosquatting is the new phishing — except it hits your build server, not your inbox. Run `npm audit` in CI and actually BLOCK on critical findings instead of logging and ignoring.
The Ollama supply chain attack is a perfect example of why you never pull unsigned container images — even from repos you trust.
Attackers pushed a poisoned Docker image that exfiltrated AWS creds and .env files 4.5K+ times before anyone noticed.
Sign your images. Verify digests. Isolate runtime credentials.
Most teams grant their CI runner admin-level repo tokens by default. `permissions: contents: read` at the workflow level cuts that blast radius dramatically. Your build step doesn't need write access to your repo.
Your IAM policy probably has `Resource: "*"` on at least one statement. That wildcard is doing more work than your entire security team. Scope it to specific ARNs — even partial wildcards like `arn:aws:s3:::logs-*` are a massive improvement.
Most GitHub Actions workflows I audit use `actions/checkout@v4` instead of pinning to a SHA.
That means a compromised tag update hits your pipeline automatically. No PR, no review, no alert.
Pin to the commit SHA. It takes 30 seconds and removes an entire attack vector.
I've been building ZeroCreds — security consulting that ships working remediation code instead of slide decks.
Offering 3 free security baseline audits for B2B SaaS startups. I'm building case studies and being transparent about it.
Details below.
Most teams set up IAM roles for their EKS pods and never revisit them. Six months later half those roles have permissions for services the app doesn't even call anymore. Audit your IRSA bindings quarterly or accept the blast radius.
Your first SOC 2 audit doesn't need a full-time security hire. It needs someone who's scoped one before. A fractional CISO for 3 months costs less than a bad first hire and gets you through Type I without building a team you can't sustain yet.
We're launching Claude Community Ambassadors. Lead local meetups, bring builders together, and partner with our team.
Open to any background, anywhere in the world.
Apply: https://t.co/DTQBAzgQug
If your GitHub Actions workflow uses `aws-actions/configure-aws-credentials` but you're still passing in a secret key, you're doing OIDC wrong. The `role-to-assume` param with `role-session-name` and NO access key inputs is the actual zero-credential setup.
Also — commit your lockfiles. If you're not committing them, dependency review can't diff what changed. It's the whole mechanism.
Full config walkthrough with production-ready examples here: https://t.co/cUk9ik67hp
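Added example, not from the original posts or the linked walkthrough: a small audit script that checks a GitHub Actions workflow for the three issues raised above (actions pinned to a tag or branch instead of a full SHA, no workflow-level `permissions:` block, and static AWS keys passed to `configure-aws-credentials` instead of OIDC `role-to-assume`). The two workflows, the SHAs and the role ARN are constructed placeholders.

```python
import re

# Constructed sample workflows for this example (not from the page); SHAs and ARN are placeholders.
WEAK_WORKFLOW = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/deploy-action@main
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

HARDENED_WORKFLOW = """\
on: [push]
permissions:
  contents: read      # build step only needs to read the repo
  id-token: write     # required for the OIDC token exchange
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: aws-actions/configure-aws-credentials@0b7a5f1d2e3c4d5e6f708192a3b4c5d6e7f80912
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
          role-session-name: gha-build
          aws-region: us-east-1
"""

USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s@#]+)@(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    findings = []
    # 1. Every third-party action must be pinned to a full commit SHA, not a tag or branch.
    for action, ref in USES_RE.findall(text):
        if not FULL_SHA_RE.match(ref):
            findings.append(f"mutable ref: {action}@{ref}")
    # 2. Without a workflow-level permissions block, GITHUB_TOKEN keeps its default (often write) scope.
    if not re.search(r"^permissions:", text, re.MULTILINE):
        findings.append("no workflow-level permissions block")
    # 3. Static access keys in configure-aws-credentials mean OIDC role assumption is not being used.
    if "aws-access-key-id" in text:
        findings.append("static AWS access key passed to configure-aws-credentials")
    return findings
```

Running `audit_workflow` on the weak workflow reports five findings; the hardened one reports none.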
One npm package added in a PR. 47 transitive dependencies pulled in. Three critical vulns. One license that quietly switched from MIT to AGPL.
Nobody caught it. Merged and shipped to production.
The move most teams miss: pair dependency review WITH Dependabot.
Dependency review catches bad deps coming in. Dependabot catches bad deps already there. Together they cover both directions.