Frederik Braun

A web/browser security nerd. Working on security for Firefox and the web at Mozilla. Taught web security at Ruhr Uni Bochum.

I often spend my summer on multi-week #bikepacking trips with the family.

The posts here are my own and I do not speak for my employer

Website: https://frederikbraun.de/
Location: Berlin, Germany :club_mate:
Pronouns: he/him
Signal username: freddy.{default HTTPS port}

@jann I got into a (mild) argument multiple times with our localizers and gave up. I disagree with them but I also don’t have to live with the feedback they get elsewhere. Firefox in English it is… :)

@bkastl What I mean to say: there is a lot of hype and therefore also a lot of justified skepticism.

But just because we are skeptical of the AI hype, we can't close our eyes to the truth either. A huge tsunami wave of security bugs is heading for all OSS software right now. Some are already feeling the first drops, but not everyone yet :|

@bkastl Oh, and one more thing: I wish it were otherwise :)

@bkastl Your criticism isn't entirely fair: 1) On Firefox: all of these bugs were very good; we have also seen sandbox-escape exploits. Calling them "sec-high" happened after thorough analysis. 2) NFS is quite often "open to everyone on the network". If the attacker can open 1 socket, they can also open 2.

What I'm trying to say: I've been doing security for over 15 years. I have seen the bugs. They are really wild.

Hello AppSec community!

Our preparations for German #OWASP Day 2026 (GOD) are in full swing. As some of you may have noticed, the website is already live (and kicking): https://god.owasp.de/

This year’s GOD will take place on September 24, 2026, in Karlsruhe. It's a one-day conference with two tracks. We will once again be offering community training sessions on the day before, i.e. the 23rd of September. That evening will -- as usual -- feature networking and professional discussions in a relaxed atmosphere with food and beverages.

We recently opened the call for community trainings. They were extremely well-received last year, and we’d like to build on that success this year.

So if you have a topic you’d like to present in a half-day session, check out the Call for Community Trainings (CfT): https://lnkd.in/edAnfmZ4. It's planned to stay open until April 12, 2026. If you happen to know someone who's good at explaining a relevant topic (see CfT) to a small group of people, feel free to forward the pointer to the CfT.

The Call for Presentations will open next week.

#AppSec #infosec #Security #SDLC #AI #LLM #CISO

To my security peeps: Was the introduction of widespread fuzzing similar to AI-based bug hunting now, or is this really a different beast?

@simon looks so pretty, I can’t shake the feeling it was trained for this :)

@buherator true, using a Mozilla build with our updater will ensure this doesn’t happen unexpectedly.

@buherator I think your configuration might be borked. We do not force a restart. You should only get this error if the binary file on disk changed while browsing. In that case, Firefox is unable to create a new process due to API incompatibility. Do you use multiple Firefoxes in parallel?

@bagder every browser, every library that does media parsing, compression, …