I learned that the lack of proper input validation is where many vulnerabilities start.
I condensed these lessons into a 30-min course for C# developers.
Free with your Pluralsight subscription 👇
https://t.co/dPnCI0ytBy
#csharp #security #dotnet #appsec #securecode
You may have read @AnthropicAI Frontier Red Team's blog post about finding zero-day vulnerabilities at scale. I think it's more than that - LLM workflows greatly improve "negative-day" and "never-day" discovery. Here's the tool I built to do this.
https://t.co/2U5VHOiBBD
We just shipped automated security reviews in Claude Code. Catch vulnerabilities before they ship with two new features:
- /security-review slash command for ad-hoc security reviews
- GitHub Actions integration for automatic reviews on every PR
Wasting time fuzzing hardened code without hitting new vulnerabilities.
Legacy black-box fuzzers stall at validation checks, missing deeper bugs.
In Chapter 8 of my new book From Day Zero to Zero Day, you'll explore the advanced techniques behind coverage-guided fuzzing using AFL++, and how to remove fuzz blockers that halt progress.
Key lessons you’ll learn:
✅ Why code coverage feedback outperforms black-box fuzzing
✅ How to write your own fuzzing harness for optimized inputs
✅ Where AFL++ shines over older fuzzing tools
✅ What to patch in code to unlock deeper fuzzing
✅ How to use afl-cov and Fuzz Introspector for blind-spot analysis
Ready to level up your fuzzing stack? Grab your copy of From Day Zero to Zero Day today! (🔗 link in comments)
#BugBounty #Fuzzing #Cybersecurity #AFLplusplus #ApplicationSecurity
McDonald's uses an AI bot called "Olivia" for hiring. A pair of hackers found they could access every conversation job applicants had with it—including all the personal info they shared—by exploiting security flaws as basic as using the password "123456". https://t.co/55WueJz3Of
Oktajacking - Using Okta to keylog for initial access or as a sneaky form of SAMLjacking for lateral movement from a compromised SaaS app.
Massive shoutout to @_xpn_ as I used his great research for this, I just applied it to different kill chain phases.
https://t.co/7R5UzDbG6c
👔 Security Architect & Principal Security Engineer Interview Questions
A consolidated list of questions pulled from Glassdoor
From: Netflix, Morgan Stanley, Wiz, & more
* Technical
* Behavioral and Influential
* Frameworks/Design/Threat Modeling
https://t.co/gKg5ZpREXx
Just because you're using Okta doesn't mean you're using SSO.
I wrote a blog post covering:
• What is SWA and what are the risks?
• Extracting SWA passwords
• Bypassing password reveal restrictions
• Detection and response for Okta account breaches
https://t.co/gJuytf85Ql
🛠️ Building a free Burp Collaborator with Cloudflare Workers
How to use Cloudflare Workers to receive out-of-band connections during your web app testing (e.g. track when blind XSS triggers) and pipe the results to Discord
https://t.co/CJoB4P5IkV
After the success of our security research, we decided to invest a $120k bounty and share our story and tools with you.
Now, we are releasing an Automated Scans feature on VIDOC, allowing you to easily automate your #bugbounty hunting on a large scale!
https://t.co/Ue5JKrVrdL
😈 The Offensive ML Playbook
A database of offensive ML TTPs covering:
* Supply chain attacks
* Offensive ML techniques
* Adversarial ML
Examples:
* Poisoning an LLM’s ground truths
* How to put malware in a model and distribute it
By @WHITEHACKSEC
https://t.co/eszzIi1uGp
Just discovered a full account takeover on https://t.co/9dAKCEpkrV, https://t.co/3b6VWzGVsC and more using a new OAuth attack technique.
This is the last part of the OAuth trilogy; in total, we could take over 1+ BILLION accounts!
https://t.co/TRCljIp6iB
#OAuth #hacking
What are HAR files?
A HAR file is a recording of your current session & includes all web traffic including secrets & tokens.
Admins usually share these files with customer support when troubleshooting issues.
Here's a thread on how you can handle .har files safely.
🧵⬇️
🎓 Free Cybersecurity Course from Harvard
An introduction to #cybersecurity for technical and non-technical audiences
Self-paced, 2-6 hours/week over 5 weeks
https://t.co/vtLVtzlqho
Chalk is now officially open source. Total visibility of your software engineering lifecycle. Designed for platform and security teams. https://t.co/HBadM0RW7m