Is AI replacing technical writers and developer advocates? — I recently stumbled on a Twitter discussion debating whether the role of developer relations (DevRel) / developer advocates would become obsolete due to generative AI, such as GPT. DevRels are the people who create and maintain a community around a product. Their responsibilities include writing documentation and blog posts, producing…

Using ChatGPT to build a simple hacking recon tool — In Chapter 5 of Bug Bounty Bootcamp, I talked about how you can write a simple bash script to automate recon tasks before hacking and bug bounty hunting. Then just a year later, ChatGPT came around. I am still a huge proponent of learning to script so that you can…

AppSec engineer’s book club #001 — discussing Loren Kohnfelder’s book — Many of my followers have been asking me for book recommendations. After all, who doesn’t love a new tech book? Books are my favorite way to absorb new information, especially when learning something new. I’ve wanted to start a security engineer’s book club to share book recommendations, notes, and summaries…

And what subdomain takeovers mean for your SameSite cookies — I published an article a while ago about how Chrome is making SameSite the default behavior for cookies to prevent Cross-Site Request Forgery (CSRF) attacks. After that, jub0bs reached out to me about how the nuances of SameSite can leave websites vulnerable. Thanks for bringing this issue to my attention! …

Interview with Shinesa Cambric, Principal Product Manager at Microsoft — Our guest today, Shinesa Cambric, is an IT security professional who is passionate about designing roadmaps for identity and access management programs, and architecting security strategies for emerging technologies. In this episode of Sources and Sinks, Vickie Li, developer evangelist at ShiftLeft, interviews Shinesa about her research in identity and…

Launching your career in cybersecurity with self-study — Our guest today, Jasmine Jackson, is an experienced cybersecurity professional who got her start through self-teaching. Looking at Jasmine’s resume right now, it’s difficult to imagine that she was not able to find a job at all when she first started in the field! Jasmine has a technical background, but…

Spring unauthenticated RCE via classLoader manipulation — A critical zero-day vulnerability in the Spring framework was recently reported to Spring’s maintainer, VMWare. The vulnerability is an unauthenticated remote code execution vulnerability that affects Spring MVC and Spring WebFlux applications. You can find the CVE here: https://tanzu.vmware.com/security/cve-2022-22965. What is affected? The Spring4Shell RCE vulnerability allows attackers to execute code on applications…

The most common vulnerabilities to look out for in Angular and React applications: template injection, XSSI, authentication bypass, and more. — Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting.

Passionate about securing software? Become an AppSec Ambassador! — Interested in helping developers write secure code from the start? ShiftLeft has launched a program to support you in the mission of helping your community write secure code. We will be financially supporting conference speakers, content creators, and infosec influencers. Read on to find out more! The ShiftLeft conference scholarship