It's official: PEP 675 has been accepted! Once you've got Python 3.11 and a type checker that supports it (Pyre already does), try using LiteralString to make your Python code safer by preventing SQLi and all other kinds of injection attacks:
https://t.co/5oDy3yCnH5
My team is hiring for a unique role, taking the static analysis tools we've developed for security use cases and applying them to solve some of our most pressing privacy needs:
https://t.co/mVmT2AwaVg
DMs are open if you want to learn more!
I'll be presenting "Teaching an old dog new tricks: Reusing security tools in novel domains" at #Enigma2022 in Santa Clara, February 1–3, 2022. It provides case studies of how security tools like Pysa have been used in non-security applications at Facebook https://t.co/xZF7TAVwmg
If you're curious about how it works, my co-author and I will be presenting about LiteralString (and other uses of typing for security) at this year's PyCon:
https://t.co/y80RWP9h2z
Late to the game on this one but I really loved Ryan Pickren's latest writeup on UXSS on Safari. I think he undersells the work involved to get there, but does an excellent job highlighting how far you can get by looking at old protocols, file types, etc: https://t.co/LF26R1yARI
We have a draft PEP up for adding a new Literal[str] type to #Python3:
https://t.co/BdAScqFBBq
When used correctly, this type can prevent all kinds of injection vulnerabilities. We've been experimenting with this at Meta for a while, and are excited to share it with the world.
But queries safely built from only string literals will be allowed:
user_id: str
limit: bool
query = f"SELECT * FROM data WHERE user_id = ?"
if limit:
    query += " LIMIT 1"
conn.execute(query, user_id)  # OK: every fragment is a literal, so query is a LiteralString
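The pattern the thread describes, as an added example that is not code from the PEP, from Pyre or from the author: a hypothetical `run_query` wrapper whose `sql` parameter is annotated `LiteralString`, a `fetch_user_rows` helper that builds its query only from literals (including the optional `LIMIT`) and passes the untrusted value as a bound parameter, and an `fetch_user_rows_unsafe` counterpart that interpolates the value into the query. The function names, the in-memory SQLite `data` table and its rows are all constructed for the demo, and the fallback to plain `str` on interpreters older than 3.11 is an assumption so the runtime part still executes; the type-level guarantee itself only materialises under a PEP 675-aware checker.

```python
"""Enforcing PEP 675's LiteralString at a SQL boundary (added example)."""
import sqlite3
from typing import Any

try:
    from typing import LiteralString  # Python 3.11+
except ImportError:  # assumption: older interpreter, keep the demo runnable
    LiteralString = str  # type: ignore[misc,assignment]


def run_query(
    conn: sqlite3.Connection, sql: LiteralString, params: tuple[Any, ...] = ()
) -> list[tuple]:
    """Accept only SQL a type checker can prove was built from literals.

    User-controlled values must travel in `params`, never in `sql`.
    """
    return conn.execute(sql, params).fetchall()


def fetch_user_rows(
    conn: sqlite3.Connection, user_id: str, limit: bool = False
) -> list[tuple]:
    # Every fragment is a literal, and `+=` with a literal keeps the type
    # LiteralString, so this call type-checks. The untrusted user_id is bound
    # as a parameter and can never change the query's structure.
    query = "SELECT id, payload FROM data WHERE user_id = ? ORDER BY id"
    if limit:
        query += " LIMIT 1"
    return run_query(conn, query, (user_id,))


def fetch_user_rows_unsafe(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    # Interpolating a plain `str` yields a `str`, not a LiteralString, so a
    # PEP 675-aware checker reports this call to run_query at analysis time.
    # Kept only to show the runtime contrast with the typed version above.
    query = f"SELECT id, payload FROM data WHERE user_id = '{user_id}'"
    return run_query(conn, query)  # type: ignore[arg-type]  # checker: str is not LiteralString


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE data (id INTEGER PRIMARY KEY, user_id TEXT, payload TEXT)"
    )
    conn.executemany(
        "INSERT INTO data (user_id, payload) VALUES (?, ?)",
        [("alice", "a1"), ("alice", "a2"), ("bob", "b1")],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(fetch_user_rows(db, "alice"))              # both of alice's rows
    print(fetch_user_rows(db, "alice", limit=True))  # just the first one
    # A hostile-looking value is just a value once it is a bound parameter.
    print(fetch_user_rows(db, "' OR '1'='1"))        # []
    print(fetch_user_rows_unsafe(db, "' OR '1'='1")) # every row leaks
```

The runtime check is the secondary point; the primary one is that the static layer rejects `fetch_user_rows_unsafe` before it ever runs, because the only way to produce a value of type `LiteralString` is to assemble it from literals, and the only way to get untrusted input into `run_query` is through `params`.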
We are looking for an experienced application security engineer to help build a world where everyone, everywhere has secure access to the world's financial system. We have the vibe of a FinTech startup with the perks of a big company. Apply here:
https://t.co/MSqFPwlYm1
Our #PyCon 2021 talk "Unexpected Execution: Wild Ways Code Execution can Occur in Python" is now on YouTube:
https://t.co/dtQHVO5x8J
I guarantee there will be at least one RCE vector in there that you weren't aware of. It also comes with demos:
https://t.co/mpQOCsGqXE
For those attending @pycon (it's too late to sign up!), check out the talk @the_st0rm and I are giving on the myriad of APIs that can enable remote code execution in Python: https://t.co/4MHuxktC12
These examples were originally compiled as a part of our work on Pysa.
To go with the #PyConUS2021 talk, we've also got a demo repo with examples of functions that enable code execution in Python: https://t.co/mpQOCsGqXE. There's a UI to test exploits against and a machine-readable dump of sinks to feed to your static analyzers (including Pysa)
The second round of our RFP is now published, with proposals being accepted until July 14!
"Towards Trustworthy Products in AR, VR, Smart Devices".
https://t.co/lTKlvardN8
Explain Like I'm 5
In just over a minute, Jessica (@hey_its_jlin) gives an overview of #Pysa, an #OpenSource Python static analysis tool used to detect and prevent security issues in #Python code.
Check it out here: https://t.co/ZMpffpCWSa
https://t.co/BYACUhsStv
A decade of Facebook bug bounty. 130,000 reports, 6,900 valid, 11.7 million paid out.
An incredible team of folks leads this program now - it started in a basement and with us taking weekly trips to Western Union to send money orders to fulfill bounties.