Darren Meyer 

@darrenpmeyer@infosec.exchange
468 Followers
106 Following
112 Posts

A Gray Jedi Capybara / weirdo geek into socio-technical systems resilience. Part-time #coffee and #Arduino nerd. If you “move fast and break things”, I’m the one who makes you clean up. #devsecops and #securityResearch focused on #appsec and #productSecurity.

Do not bother to follow me if you have anything against LGBTQIA+ folks, I have no patience left

- Security Research Advocate for Checkmarx;
- Managing Principal Consultant for Substance 36 LLC;

Opinions here are mine alone, not necessarily shared by organizations I work with or for

#embedded #espresso #biking #electronics

blog: https://darrenpmeyer.com/
photos: https://pxlmo.com/darrenpmeyer
Champions are empowered to make routine security decisions, educated to help their teams follow the security policies and programs that apply to them, and relied upon to provide valuable feedback to the security teams about places where the program can be less disruptive or otherwise improved.

Champions aren't "bonus staff" for the security team. They're trusted partners in building a security culture.

A Security Champions Program should work more like a Safety Warden program. The goal is to create a network of people who act as liaisons between their teams and the professional security teams. As a bonus, you get a network of trained rapid-responders when there's a high-priority issue.

Did your Security Champions program fail, or did your org do something silly and ill-advised and stick a "Security Champions Program" label on it? Way too many orgs try to "Shit Left", dumping security accountability on team members, declaring them "Champions", and providing them wildly insufficient support.

And then leaders are confused that this fails, and ultimately decide that champions programs don't work.

The "Last Week in AppSec" for 2025-07-15 is out, covering just two interesting vulnerabilities you might not have noticed last week: https://checkmarx.com/zero-post/last-week-in-appsec-2025-07-15/

(This work is mine, but done for my employer and is hosted on their site)

Last Week in AppSec for 15. July 2025 - Checkmarx

Here are some AppSec news items you might have missed in the last week. Kubernetes Code Injection (CVE-2025-53547) The Kubernetes package manager Helm has a high-severity Code Injection vulnerability CVE-2025-53547. An adversary could link Chart.lock to an executable file, then craft a Chart.yaml file that, when processed during a Helm dependency upgrade, would write arbitrary content to that executable file via […]

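The linked write-up describes Chart.lock being pointed at an executable so that Helm's dependency resolution overwrites that file. Below is an added pre-flight guard, written for this page and not taken from the post or from the Helm project, that refuses to run a dependency update on a chart directory whose Chart.lock (or Chart.yaml) is a symbolic link, is not a regular file, or is executable. The function name `chart_lock_is_safe` and the chart-directory layout it assumes are illustrative; this is a mitigation for handling untrusted charts, not a substitute for upgrading Helm.

```shell
#!/bin/sh
# Added example (not Helm's own code): a guard to run before
# `helm dependency update` / `helm dependency build` on an untrusted chart.
# The attack shape described in the linked post is a Chart.lock that is a
# symlink to an executable, so that Helm's rewrite of Chart.lock lands
# attacker-chosen content in that executable. We refuse to proceed unless
# Chart.lock is absent or a plain, non-executable regular file, and we apply
# the same symlink check to Chart.yaml since Helm reads it during the update.

# chart_lock_is_safe CHART_DIR
# Returns 0 when it is safe to let Helm (re)write CHART_DIR/Chart.lock,
# 1 otherwise, with the reason on stderr.
chart_lock_is_safe() {
    dir=$1
    lock="$dir/Chart.lock"
    yaml="$dir/Chart.yaml"

    [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }

    # Chart.yaml must exist and must not be a symlink to somewhere else.
    if [ -L "$yaml" ]; then
        echo "refusing: $yaml is a symbolic link" >&2
        return 1
    fi
    [ -f "$yaml" ] || { echo "refusing: $yaml missing or not a regular file" >&2; return 1; }

    # A missing Chart.lock is fine: Helm will create a fresh regular file.
    # -e follows symlinks, so a dangling symlink is caught by the -L check.
    [ -e "$lock" ] || [ -L "$lock" ] || return 0

    if [ -L "$lock" ]; then
        echo "refusing: $lock is a symbolic link" >&2
        return 1
    fi
    if [ ! -f "$lock" ]; then
        echo "refusing: $lock is not a regular file" >&2
        return 1
    fi
    if [ -x "$lock" ]; then
        echo "refusing: $lock is executable" >&2
        return 1
    fi
    return 0
}

# Example use, guarding the update on a chart directory passed as $1:
#   chart_lock_is_safe "${1:-.}" && helm dependency update "${1:-.}"
```

The check is deliberately strict about Chart.yaml as well: the post describes the crafted Chart.yaml as the trigger, and a symlinked Chart.yaml is the same trick applied to the input side rather than the output side.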

*unhinged laughing* a study where everyone involved assumed AI would improve developer productivity actually ended up showing a huge net productivity loss. I am going to be pasting this graph in SO many chats

Paper: https://metr.org/Early_2025_AI_Experienced_OS_Devs_Study.pdf

Get published, nerd

I don't think that people get what I mean when I say "attack surface the size of natural language."

I mean "capable of near-infinite or possibly actually infinite permutations and combinations."

In natural language, you can approach one meaning in many directions. Cutting off one, or several, directions, does not remove the ability to produce the intended meaning.

I mean "you cannot reduce that attack surface in a way that matters."

The lies and hyperbole work for now; but some org is going to get stuck holding the bag on that “but it was sophisticated and impossible to defend against!” tactic when some savvy shareholder (or SEC wonk with an ax to grind) recognizes it as a material falsehood.

I’m never one to victim-blame after a breach. Security is hard, social engineering always works eventually, and risk management is genuinely complex. Unless an org was WILDLY negligent, I’m a big believer in not shaming them for getting breached.

That said, the moment a breached org describes the breach as being the result of a “sophisticated” attack, every neck hair I have stands on end and I prepare to retract the benefit of the doubt. Because 99% of the time*, that “sophistication” was a kid claiming to be the county password inspector in an email or some shit.

I really don’t want to Be A Brand here, but I feel like the “Last Week In AppSec” posts I make weekly for my employer would be interesting to at least some of y’all. Looking for a vibe check, here’s the most recent post link: https://checkmarx.com/zero-post/last-week-in-appsec-2025-07-08/
Poll results:
- Post these as myself: 83.3%
- Make a team account for this stuff: 16.7%
- Don’t post my corp work here: 0%
- Something else (reply?): 0%
Last Week In AppSec for 08. July 2025 - Checkmarx

AI MCP leak from Anthropic, fraudulent verification in IDE extensions, and a Next.js Denial of Service (DoS) — last week in AppSec


A capacitive key switch might actually be a bit too sensitive, now that I think about it. I can probably implement my own rubber dome if I turn the annular rings into isolated pads

Thanks to the huge UX improvements to #KiCAD since I used it last, this was fairly straightforward

This is coming along nicely. I moved away from the custom capacitive key switch to a standard Cherry MX profile

Vias are all the rage #KiCAD