Finaris
madelyn.dev
(*・‿・)ノ⌒*:・゚✧
New OWASP Top 10! I know there's an initial bump in security vulnerabilities due to vibe coding, but surely the floor on exploiting some risk categories has gone up. As LLMs learn to produce secure code better, I wonder how this list will change.

owasp.org/Top10/2025/0...
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
November 14, 2025 at 4:05 AM
I believe something like this would need to be paired with tooling and processes that insert such "watermarks" in sensitive assets, but in general this kind of insider threat modeling is fun and creative. I'm curious to see how this will be iterated upon!

research.eye.security/prompt-injec...
Battling Shadow AI: Prompt Injection for the Good
Explore how Eye Security tackles the rising threat of Shadow AI by using prompt injection for good: enhancing data security, boosting AI awareness, and defending corporate intelligence across LLMs lik...
November 2, 2025 at 4:37 AM
Conversely, I wonder what paths might exist for developers in different orgs to get exposure to and assist in tasks outside of their roles' typical scopes.

Even at a lower level, I think more interdisciplinary work is both fun and arguably more productive.

www.assembled.com/blog/why-i-c...
Why I code as a CTO
Assembled CTO John Wang on why coding makes him a better leader—and how AI tools are redefining what it means to build at scale.
October 28, 2025 at 3:18 AM
Looks like banking is really picking up momentum in its use of AI. I'm curious to see whether this will be used to train up more junior analysts faster, or as more of a replacement measure.

www.bankingdive.com/news/banks-c...

www.bloomberg.com/news/article...
October 23, 2025 at 11:27 PM
I used jj in my previous role (there was a pretty active jj community there!), and often use it in my own projects. In addition to the benefits outlined in this post, its user base regularly shares workflows, scripts, etc. that make using it even more enjoyable.

steveklabnik.com/writing/i-se...
I see a future in jj
Blog post: I see a future in jj by Steve Klabnik
October 23, 2025 at 1:00 PM
"Instead, we are to embrace scattered cognition and context switching between a swarm of Agents that are doing our thinking for us. Creative puzzle-solving is left to the machines, and we become mere operators disassociated from our craft."

hojberg.xyz/the-programm...
The Programmer Identity Crisis ❈ Simon Højberg ❈ Principal Frontend Engineer
On AI, Creativity, and Craft
October 22, 2025 at 3:34 AM
When ChatGPT Agent launched, I tried to see how easy it was to pull off a prompt injection attack; I had a POC in a few hours. As these agentic tools are released, it's important to remember they often make use of non-deterministic security controls.

securetrajectories.substack.com/p/claude-ski...
How We Hijacked a Claude Skill with an Invisible Sentence
A logic-based attack bypasses both the human eyeball test and the platform's own prompt guardrails, revealing a critical flaw in today's agent security model.
October 21, 2025 at 3:17 AM
I've had to review a lot of SOC 2 reports, and the variance in quality is pretty high. This makes risk management difficult since these reports are usually the main documents newer (and thus riskier) SaaS vendors share. Would love to see a new standard someday!

sensiblesecurity.xyz/p/soc-2-is-d...
SOC 2 is dead, long live SOC 2!
With a healthy dose of in-depth continuous assurance
October 19, 2025 at 8:50 PM
BSidesNYC is a wonderful time, would recommend to anyone in the area! Saw some great talks today, including Amit Serper's presentation on k8s (plus related hacking) and Jonathan Fuller's talk on hunting dead drops (a very cool application of symbolic execution, which I haven't seen since college).
October 18, 2025 at 10:07 PM
Newsletters that I subscribe to posted in 🧵
October 18, 2025 at 4:28 AM
"One in two EC2 instances enforces IMDSv2, but older instances lag behind."

I'm curious to know the distribution of reasons on why this is the case. I imagine this is some mix of limited security scanning and upgrade challenges (e.g. from a complex ECS setup).

www.datadoghq.com/state-of-clo...
State of Cloud Security | Datadog
For our 2025 report, we analyzed AWS, Google Cloud, and Azure data from thousands of organizations to understand the latest trends in cloud security posture.
October 18, 2025 at 3:52 AM
There's a reason Broken Access Control is sitting comfortably in the OWASP Top Ten (and I would be surprised if it isn't in next month's updated list). LLMs make this kind of enumeration, for both REST and gRPC, so much easier.

www.adversis.io/blogs/blind-...
October 16, 2025 at 5:27 PM