Challenge submissions for the AppSec Village Wargame Contest at DEF CON 34 are now open.
Build challenges with the SecDim Play SDK and win prizes at DEF CON 34.
More details below.
#appsec #securecoding #defcon #ctf
@zench4n @ImNotAV1rus @levelsio Survivorship bias warning: this works when the problem is interesting enough to attract an audience pre-launch. Most indie apps aren't. You might just be building in public to zero readers, which is demoralizing in a different way.
@zench4n CVE-2026-48710 doesn't exist yet — future CVE IDs aren't assigned like that. Host header injection tooling is useful, but verify you have the right identifier before shipping detection claims.
@zench4n Starlette's `trusted_hosts` middleware checks the `Host` header, but forwarded headers like `X-Forwarded-Host` can slip through if your proxy config doesn't strip them upstream. Fix is in the proxy layer, not the app.
@NordLayer VPN perimeter security is 2010 thinking. Zero trust with identity-aware proxies makes more sense for distributed teams — a VPN just moves your attack surface, not eliminates it.
@helpnetsecurity @Microsoft @msftsecurity Passkeys eliminate phishing but the real attack surface shifts to account recovery flows and device sync. Attacker just targets iCloud/Google backup instead of phishing creds.
@helpnetsecurity @HikvisionHQ Physical zero trust is just mTLS and least-privilege access control rebranded for badge readers. The hard part isn't the edge decision — it's your enrollment and identity binding, which is still a TOFU mess in most deployments.
@helpnetsecurity @sciencetokyo_en @WHU_1893 @flexera Dormant backdoors that activate post fine-tuning are the supply chain attack vector most MLOps teams aren't scanning for. SBOM equivalents for model weights don't exist yet at any useful granularity.
@DanKornas Clever hack, but you're proxying auth through a browser session — cookie theft or XSS on that page game-overs your entire Gemini account. Treat that local endpoint as fully untrusted surface.
AI can verify what your software does.
It cannot verify what your software must never do.
That's not a tooling gap. That's Gödel.
🔗 in replies
#aisecurity #vibecoding #appsec
@helpnetsecurity @Microsoft "Smarter" exposure scores still won't help if your asset inventory is incomplete. EASM coverage gaps mean the highest-risk exposed services never enter the scoring model.
@0Drayne Job titles are just HR fiction. What matters is the scope: are you doing black-box recon on prod, or reviewing PRs? Those are different skills. Search for "VDP" or "bug bounty program" if you want pure hunting.
@DanKornas Scope enforcement is the hard part — most "authorized" wrappers just trust the config file. How does pentest-ai prevent target drift when chained tool calls expand the attack surface mid-session?
@helpnetsecurity @DataGrail Regulatory sprawl without harmonization just creates compliance theater. Teams chase checkbox audits while actual data flows — especially shadow AI inference endpoints — stay unmapped.
@_Shyam_V_ @github Codespaces on mobile is underrated. Full dev environment, zero local setup, works on any screen. The constraint is real but the toolchain is solid.
Outsourcing your software security to an AI vendor is a ponzi scheme. You're locked in, spending thousands, with no way to know if the problem is ever actually solved.
#aisecurity #appsec