Had a #ThreatModel session with two engineering teams today. A really extensive one, where preparation included a full review of what's already there. A tech stack we haven't touched on at this company yet. A model where I could really build on my past experience, and still felt I worked for way too long. And yet, it paid off. Had an insightful conversation with folks, we all learned from each other, and we paved the way for future small, lean modeling sessions. Huge win! 🎉 #AppSec #ProdSec

Registration is open for DC's Next Top Threat Model at @defcon 33. Visit https://threatmodel.us to learn more about our contest and register.

#DEFCON #DEFCON33 #DC33 #AppSec #InfoSec #ProdSec #ThreatModeling

Joined very interesting sessions at #SoCraTes2025 today and gave two myself. "Building Secure Enough Products - Bumps & Boosters" led to an impactful experience exchange of what holds us back & what helps us move in good directions. 💡And to build on the streak started the last years at #SoCraTes: "Capture the Flag Together" to practice #security testing hands-on in a collaborative way. 🙌🏻 Thanks to all the amazing folks who joined and made it a great learning experience! 😃 #AppSec #ProdSec

It's that time of the year: Global Accessibility Awareness Day. Have you ever felt that you don't need accessibility features or any accommodations? We need to increase awareness on what these actually mean and why they make everyone's lives better!

Let's take an example. Are you wearing any visual aids like glasses or contact lenses? How about a temporary eyepatch after a surgery? Or maybe sunglasses to protect your eyes and help your sight when circumstances are not ideal? What about using reduced blue light and dark mode when you're struggling with headaches?

All of these are accommodations to meet accessibility needs. No matter if continuous, temporary or situational. There are tons more for you to go and find out about!

Let's stay curious for each other's needs, and that includes our own needs as well.

https://accessibility.day/

#GlobalAccessibilityAwarenessDay #accessibility #a11y #inclusion #osco #osco25 #CyberSecurity #Security #InfoSec #AppSec #ProdSec #OTsecurity [lisi]


Thursday, May 15, 2025, help us celebrate the 14th Global Accessibility Awareness Day (GAAD)! The purpose of GAAD is to get everyone talking, thinking and learning about digital access and inclusion, and the more than One Billion people with disabilities/impairments.

@SheHacksPurple Happy #CyberMentoringMonday! I’m a Dev looking to formally get into the security space. While #appsec and #prodsec seem like natural pivot points, I’m open to other options too. Would love to connect with a #mentor.
Currently trying to learn hacking techniques to better understand it all
Oh gosh.. so I decided to look at the repos for @UniversalBlue and specifically #Bazzite to see what I can do on my machine that they do. Instead I got into a rabbit hole investigating how likely #universalblue can become compromised if just one person is compromised. And from what I can gather it is highly likely.

Taking Bazzite, there is no branch security, no approvals required, automatic releases with signing done for main and testing branches.
Taking ucore, there are no approvals required for PRs and many of the contributors merge without approval.

Likely more with other repos too but haven't looked further. Holy heck.

I'm not a huge #prodsec person to ensure secure releases, but this seems like a huge red flag to me if all it takes to get a release into people's machines is one compromised account.

Here's hoping I'm just super off about the whole thing and the security is actually good. But from an outside perspective I just feel scared using ublue atm.

Opened a ticket here as I don't have an account in their forums
github.com/ublue-os/bazzite/issues/1290
Insecure delivery pipeline · Issue #1290 · ublue-os/bazzite

Currently there is a GitHub action that builds for testing and main respectively, which is then automatically released. But there doesn't seem to be any branch security or for that matter admin sec...

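The gaps the post above points at (no branch protection, no required approvals, automatic signed releases from unreviewed branches) are exactly what a release-pipeline audit should check. As an added example that is not part of the original post or of the Universal Blue project, this Python script reads a branch's protection settings through GitHub's REST API and reports the weak spots. The endpoint and the response field names are GitHub's; the sample payloads are constructed, and the repository, branch and token arguments are placeholders.

```python
# Added example: audit a GitHub branch's (classic) protection settings for the
# gaps a compromised single account could exploit. The GitHub REST endpoint
# and field names are real; the sample payloads at the bottom are constructed.
import json
import urllib.error
import urllib.request
from typing import Optional

API = "https://api.github.com"


def fetch_protection(owner: str, repo: str, branch: str,
                     token: Optional[str] = None) -> Optional[dict]:
    """Return the branch-protection JSON, or None when the branch is not
    protected (GitHub answers HTTP 404 in that case). A token with access to
    the repository is assumed to be required for most repositories."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/branches/{branch}/protection", headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def evaluate_protection(protection: Optional[dict]) -> list[str]:
    """Return a list of findings for one branch; an empty list means every
    check passed."""
    if protection is None:
        return ["branch is not protected: anyone with push access can publish directly"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull requests do not require any review")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("pull requests require 0 approvals")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals survive later pushes (dismiss_stale_reviews off)")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass the protection rules")
    if not protection.get("required_signatures", {}).get("enabled", False):
        findings.append("unsigned commits are accepted on this branch")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed (history can be rewritten)")
    if not protection.get("required_status_checks"):
        findings.append("no status checks are required before merging")
    return findings


def audit(protections: dict[str, Optional[dict]]) -> dict[str, list[str]]:
    """Evaluate several release branches at once (branch name -> findings)."""
    return {branch: evaluate_protection(p) for branch, p in protections.items()}


# Constructed sample payloads, shaped like the real API response.
UNPROTECTED = None
WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 0,
                                      "dismiss_stale_reviews": False},
    "enforce_admins": {"enabled": False},
    "required_signatures": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "required_status_checks": None,
}
HARDENED = {
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True,
                                      "require_code_owner_reviews": True},
    "enforce_admins": {"enabled": True},
    "required_signatures": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["build"]},
}

if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_protection(...)
    # results for a live audit of e.g. the "main" and "testing" branches.
    for branch, findings in audit({"main": UNPROTECTED, "testing": WEAK,
                                   "hardened": HARDENED}).items():
        print(f"{branch}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The script only covers classic branch protection; repositories that rely on GitHub's newer repository rulesets expose those through a separate rulesets endpoint and would show up here as unprotected, so treat a "not protected" finding as a prompt to check rulesets as well before raising it.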

Hey all, I want to start to discuss more internal appsec/prodsec team subjects, challenges and how to build good programs. Anyone interested?

And who should I follow for similar space?

#appsec #prodsec #programbuilding #infosec

We start our afternoon talks with Don McKeown talking about maturing the #securedevelopment lifecycle, Gautam Peri showing us the art of #authbypass and Chris Smith discussing #securityatspeed with Discord's #prodsec program. Check out all of this at OWASP BASC 2024.

#owasp #owaspboston #basconf #basconf24 #appsec

Listen to Chris Smith talk about Discord's #prodsec program and how they managed #securityatspeed . This and many more exciting talks! Register at www.basconf.org

#owasp #owaspboston #appsec #basconf #basconf24

2024 BASC

The Boston Application Security Conference (BASC) is an annual conference held by the Boston chapter of the Open Web Application Security Project (OWASP) that includes presenters and workshops focused on current trends in application security. OWASP® is a nonprofit foundation that works to improve

The Loco Moco Security Conference (LocoMocoSec) #cfp is open until March 21st. The event takes place July 17th and 18th in Līhuʻe on Kauaʻi, Hawaiʻi https://sessionize.com/loco-moco-security-conference-2024 #appsec #prodsec #cloudsec
Loco Moco Security Conference: Call for Speakers