Josh Grossman (tghosth 👻)
@joshcgrossman.com
Friendly AppSec Ghost 👻
https://appsecg.host
About to head home after a packed week+ in Vegas for Hacker Summer Camp.

Some highlights for me:
August 11, 2025 at 2:07 AM
My searing hot take for today is that everyone hitting out at "security influencer" culture might want to consider that being able to persuade and influence is probably the most important tool in your security skillset.
August 6, 2025 at 3:34 PM
Excited to be back delivering my course again at Black Hat USA!
August 5, 2025 at 12:28 AM
The final two parts of my blog series about delivering training at conferences have now been released!

You can check them out on the @BounceSecurity website now!
July 17, 2025 at 11:30 AM
Pulled last year's class workbook out so that I can prepare the updated version for this year.

You still have time to sign up for my updated course at @blackhatofficial.bsky.social #BHUSA, in person in Las Vegas, August 4-5.
June 24, 2025 at 9:32 AM
So you have a great training course with super-cool interactivity, now you have to get it accepted.

In my next blogpost, I talk about writing a proposal which appeals to both the review board and also your potential attendees.

Check it out here:
www.bouncesecurity.c...
June 12, 2025 at 11:32 AM
Last week, I was honoured to receive a Distinguished Lifetime Member award from OWASP at Global AppSec EU Barcelona 2025.

I wrote more about it here:
www.linkedin.com/pos...
June 11, 2025 at 6:24 PM
Last week to save before prices go up on 23rd May!

Unless you Accelerate your AppSec Programme, you are going to get left behind..

Join me @blackhatofficial.bsky.social #BHUSA this summer in Las Vegas (4-5 Aug) for a practical guide on how to build bridges with developers and build securely!
May 19, 2025 at 12:00 PM
Want to make your security training course memorable? 🎯

My latest post dives into creative ways to get students' hands dirty, from cloud-hosted labs to simulated stakeholder exercises. Learn how to make practical exercises the highlight of your course, not just an afterthought.
May 13, 2025 at 8:08 AM
This year should hopefully be the 3rd year that I train at @BlackHatEvents #BHUSA and also at @OWASP #AppSecEU?

But how did I get to this stage?

The short answer is a lot of thought and hard work.

And the long answer?

Well I thought I'd write some thoughts down...

🧵 1/x
March 24, 2025 at 11:00 AM
At @BlackHatEvents #BHUSA on 4-5 Aug in Las Vegas, you can attend "Accelerated AppSec: Hacking your Product Security Programme for Velocity and Value".

This course helps you build a successful programme to bridge the gap between developers and security, without losing speed.
4/5
March 18, 2025 at 11:38 AM
At #GlobalAppSec EU on 26-27 May at the CCIB in Barcelona, you can attend "Building a High-Value AppSec Scanning Programme", with big updates for 2025.

If you want to build effective and valuable processes around tools like SAST, DAST and SCA, this is the course for you.
2/5
March 18, 2025 at 11:38 AM
For the third year running, I am going to be delivering application security training at both @OWASP #GlobalAppSec EU in Barcelona (26-27 May) and also @BlackHatEvents #BHUSA in Las Vegas (4-5 Aug) and I am super excited!

Want to hear more? Keep reading...
1/5
March 18, 2025 at 11:38 AM
At @BlackHatEvents #BHUSA on 4-5 Aug in Las Vegas, you can attend "Accelerated AppSec: Hacking your Product Security Programme for Velocity and Value".

This course helps you build a successful programme to bridge the gap between developers and security, without losing speed.
4/5
March 11, 2025 at 12:07 PM
At #GlobalAppSec EU on 26-27 May at the CCIB in Barcelona, you can attend "Building a High-Value AppSec Scanning Programme", with big updates for 2025.

If you want to build effective and valuable processes around tools like SAST, DAST and SCA, this is the course for you.
2/5
March 11, 2025 at 12:07 PM
For the third year running, I am going to be delivering application security training at both @OWASP #GlobalAppSec EU in Barcelona (26-27 May) and also @BlackHatEvents #BHUSA in Las Vegas (4-5 Aug) and I am super excited!

Want to hear more? Keep reading...
1/5
March 11, 2025 at 12:07 PM
If you want to find the finest vulnerabilities, look for the feature that was considered a critical delivery from a business perspective and was therefore rushed out super fast...
February 11, 2025 at 2:42 PM
What fresh hell is this!!!

And where is my Right-Ctrl!!!
February 10, 2025 at 12:31 PM
Inspired by @sethlaw.bsky.social on the @absoluteappsec.bsky.social podcast...

Eliminate entire classes of vulnerabilities in your app by learning which findings from your SAST are always nonsense and ignoring them...
February 4, 2025 at 3:18 PM
I wrote a blog for AppSec practitioners about how you gather information about what is going on in the development organization.

Some of it is more relevant when contracting but a lot of it is relevant to internal people as well.
February 3, 2025 at 12:19 PM
Attention 3rd party library risk experts!

On a scale of 1 to 10, how high would you rate the risk for: "library is hosted on SourceForge"

Is the library considered "end of life"?

Never mind that, is the platform which hosts it considered "end of life"....?!?!?

February 3, 2025 at 8:49 AM
0-days since last time it was DNS
January 29, 2025 at 11:17 AM
Apparently moving blogging platform on the same day as publishing a popular blog post was not a smart move by me...
January 29, 2025 at 11:17 AM
If you were looking for a comprehensive update and clarification on what has happened with @Semgrep and @opengrep so far, I wrote up a post about it.

There are some nuances that got lost in this story but overall I think this is a positive thing for the Semgrep engine.
January 28, 2025 at 2:30 PM
What I should have done this morning:
Published my 6 page blog post about what's going on with @Opengrep and @Semgrep

What I actually did this morning:
Migrated my website, blog and all historic posts over to Jekyll 🤦‍♂️

I'll get there, I promise.
January 28, 2025 at 12:13 PM