Darren Meyer 

@darrenpmeyer@infosec.exchange
468 Followers
106 Following
93 Posts

A Gray Jedi Capybara / weirdo geek into socio-technical systems resilience. Part-time #coffee and #Arduino nerd. If you “move fast and break things”, I’m the one who makes you clean up. #devsecops and #securityResearch focused on #appsec and #productSecurity.

Do not bother to follow me if you have anything against LGBTQIA+ folks, I have no patience left

- Security Research Advocate for Checkmarx;
- Managing Principal Consultant for Substance 36 LLC;

Opinions here are mine alone, not necessarily shared by organizations I work with or for

#embedded #espresso #biking #electronics

blog: https://darrenpmeyer.com/
photos: https://pxlmo.com/darrenpmeyer
@mcc “A compiler is a tool for reporting issues in code. If none are found, it emits an object file as a side effect.”
Some cell phone pics of fireworks my youngest and his friends set off tonight.

Is there a non-US equivalent of the ISRG and/or LetsEncrypt? They’ve done excellent work making a more secure web, but having all our eggs in one country’s regulatory regime makes me nervous

And no, I don’t consider commercial offerings to be a solution — they have their place, but LetsEncrypt-style, no-cost, low-friction TLS certs are important too.

I've written before about the business side of security. How the measure of a security program is ultimately "dollars of risk managed per program dollar spent", etc.

And I think some people have missed that while that's all true, it MUST operate in a broader context of global ethics. And I'm learning that far more "infosec people" than I would have expected can't be assumed to agree with that.

So on my side, expect to see me be a LOT more explicit about our duty to protect the network and community as a whole. Because tbh, that is and ought to be the whole fucking point.

If you work for a security team in an organization, your job is to help that organization achieve its purpose *while behaving safely on the network*.

Sometimes that's an easier argument—hey org, if you don't have a control here, you could lose money. Other times it's much harder—hey org, I know this is cheaper for you, but if you go this route, you're externalizing risk to other people *and that's not ok*.

But it's your job to force that conversation, and it's your duty to be clear-headed about when you accept compromise in exchange for improvement, and when you draw a bright line and stand your ground on it.

It's beyond frustrating, but it's not *new*. It's just that the AI push and a few other things going on in the industry and wider community are shining a spotlight on how much we've lost our way.

Infosec, IMO, should be about ensuring that when people and organizations want to do stuff (even cool stuff!) with information, they don't get to ignore safety. They don't get to play fast and loose with data they're custodians for. They don't get to put other people's data and systems at risk to save a buck or "move fast".

Of course compromise is always going to be a part of that, but we should be the people who are asking the hard questions and pushing for better decisions.

A lot of people are noticing that infosec is broken; and a lot of people are framing it like this is new. It's not. Infosec as a practice has been broken for *at least* a decade IMO.

The moment that it started to be "an industry", largely funded by VC money, it started to erode. Somewhere along the way it hit an inflection point and "doing infosec" became more about tool selection and deployment than about keeping people safe.

And that has led to all kinds of bad outcomes, like over-valuing offensive security (because it fuels the FUD that drives demand for products), burdensome compliance regimes (with requirements written in large part by vendors), and "best practices" that are little more than marketing fluff.

Very cool that the Checkmarx One platform for Government has now achieved #FedRAMP High Ready! Amazing work across multiple teams to coordinate this process. AFAIK we're the only AppSec platform addressing the High impact level for FedRAMP. https://marketplace.fedramp.gov/products/FR2514624801

Anyone who's been through FedRAMP High will appreciate the effort that takes...

Same person got Linux working inside a PDF document

An entire kernel and OS running in a PDF. What a time to be alive

https://github.com/ading2210/linuxpdf

My kids randomly asked me what Base64 is; I may have gotten a little excited.

Turns out an ARG encodes some clues with base64 for simple obfuscation. I got to show them how it works, that it isn’t a cipher, and introduce them to the concept of data encoding and CTFs.

Thank you random ARG for piquing my kids’ interest!
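The point in the post above, that Base64 is a data encoding anyone can reverse rather than a cipher, as an added example that is not part of the original post. It builds the RFC 4648 encoder and decoder from plain bit arithmetic, checks them against Python's standard library, and pulls decodable clues out of a constructed ARG-style line. The sample text, the regex, and the `find_clues` heuristic (tokens must be 4-aligned, round-trip, and decode to printable text) are assumptions made for illustration, not anything from the ARG or the post.

```python
"""Base64 from scratch: an encoding, not a cipher.

Constructed example. Encoding maps every 3 input bytes (24 bits) onto 4
six-bit symbols from a fixed, public alphabet. Decoding needs no key, only
the alphabet, which is why Base64 hides nothing from anyone who recognises it.
"""
import base64
import re

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}

# Constructed ARG-style line: one real clue, plus a decoy word ("password")
# that is made of Base64 characters but does not decode to readable text.
SAMPLE_TEXT = "Clue 3: the password is not the point; meet at bWVldCBhdCBkYXdu."


def b64encode(data: bytes) -> str:
    """Pack each 3-byte chunk into 4 symbols; pad the last chunk with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Left-justify the chunk in 24 bits by padding with zero bytes.
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        symbols = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # A final chunk of 1 or 2 bytes carries 2 or 3 real symbols; the
        # remaining positions are written as '=' so the length stays 4-aligned.
        keep = len(chunk) + 1
        out.append("".join(symbols[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Reverse of b64encode: look each symbol up, regroup 6-bit values into bytes."""
    text = text.rstrip("=")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        n = 0
        for c in quad:
            n = (n << 6) | DECODE_MAP[c]  # KeyError on a non-alphabet character
        # A partial group of k symbols holds 6k bits, of which only whole
        # bytes are data; the low-order leftover bits were encoder padding.
        nbytes = len(quad) * 6 // 8
        n >>= len(quad) * 6 - nbytes * 8
        out += n.to_bytes(nbytes, "big")
    return bytes(out)


def matches_stdlib(max_len: int = 24) -> bool:
    """Cross-check against base64.b64encode/b64decode for every length 0..max_len."""
    for length in range(max_len + 1):
        data = bytes(range(length))
        enc = b64encode(data)
        if enc != base64.b64encode(data).decode("ascii"):
            return False
        if b64decode(enc) != data:
            return False
    return True


# A run of 8+ alphabet characters, optionally padded, not glued to other alphabet text.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")


def find_clues(text: str) -> list:
    """Return (token, decoded_bytes) for Base64-looking tokens that decode to printable text.

    Heuristic only: the token length must be a multiple of 4, it must re-encode
    to itself (rejects stray padding bits), and the bytes must be printable UTF-8.
    """
    hits = []
    for m in B64_TOKEN.finditer(text):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            raw = b64decode(token)
            decoded = raw.decode("utf-8")
        except (KeyError, UnicodeDecodeError):
            continue
        if b64encode(raw) == token and decoded.isprintable():
            hits.append((token, raw))
    return hits


if __name__ == "__main__":
    print("stdlib agrees:", matches_stdlib())
    for token, raw in find_clues(SAMPLE_TEXT):
        print(f"{token} -> {raw!r}")
```

The decoy shows why the printable-text filter is there: "password" is eight alphabet characters, so it decodes without error, but the bytes are not valid UTF-8 and it is dropped. Nothing in the decode path is secret, which is the whole distinction between an encoding and a cipher.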


I know, I know: "RSS is dying". Well, I still use it, and I bet some of you do too! Which is why I'm happy to announce that the #CheckmarxZero research blog now has an #RSS feed: https://checkmarx.com/feed/?post_type=zero-post

Autodiscovery is coming soon, but you can pop that into your feed reader of choice today!

@darrenpmeyer RSS dies when we stop using it. Besides, I suspect it is about to get a lot more popular.