
I really need to order a new pack of this. #pentesting
NIST getting in on the AI security bandwagon. I'd be happier about that if I trusted anyone in the district anymore.
https://www.infosecurity-magazine.com/news/nist-limitations-ai-ml-security/
What we really need is some edits to the PTES or something with a GenAI test plan.
Physical Key Copying Starts With a Flipper Zero - A moment’s inattention is all it takes to gather the information needed to make a ... - https://hackaday.com/2025/03/25/physical-key-copying-starts-with-a-flipper-zero/ #lockpickinghacks #duplicating #flipperzero #lockpicking #locksports #pentesting
Whoa, the IT security world was on FIRE this week! Open source supply chain attacks, malware sneaking into the Play Store, ransomware bypassing EDR... and is AI just pouring gasoline on the phishing flames?! Seriously intense!
Cloud security's getting a raw deal and let's be real, backups are only as good as their security.
It's wild how rapidly the threat landscape's evolving, isn't it? Gotta stay sharp, folks! Automated vulnerability scans? They're definitely nice, but manual penetration tests are still essential. And AI? Awesome tech, but also seriously risky. Disinformation and manipulation are spiraling out of control. We've gotta stay vigilant!
So, what are *your* biggest IT security pain points right now? Spill the beans!
Alright, Okta and similar tools are cool and all, but don't think they're a get-out-of-jail-free card for security! I frequently see IAM systems configured incorrectly. For instance, MFA is often forgotten. What about outdated accounts? Or giving admin rights to everyone? Boom! You've got a potential breach on your hands.
Listen up: IAM isn't just about setting it up and forgetting about it; you've *got* to *live* it! Automation definitely helps, but it's no substitute for manual checks. Regular pentests are a must, and certificates only tell part of the story.
So, what IAM best practices do you use (beyond the standard documentation)? Let's share some insights! #infosec #pentesting #okta #security
Hey #appsec people. How do you handle organization of testing artifacts when you are dealing with tons of apps? I have a new client in deep water, their app suite is 20 years old and shows it. They have 53 endpoints.
My testing strategy is not designed for that.
How do you keep things organized? Is there a cool tool I need to know about? Is it Burp Suite Enterprise time for POINT? How do you keep your notes?
I know a lot of this is kinda up to your own personal philosophy for testing, but I thought it would make for informative conversation fodder for St. Paddy.
Apropos of nothing, PeopleSoft uses 303 See Other as a response code for auth redirects and whatnot. It's pointed out a weakness in all the cool filters I use. Always learning. #pentesting #appsec
#Hetty: #OpenSource #HTTP toolkit for security research
https://www.helpnetsecurity.com/2025/03/10/hetty-open-source-http-toolkit-security-research/
I'm excited to share CVE Crowd's Top 5 Vulnerabilities from February 25!
These five stood out among the 352 CVEs actively discussed across the Fediverse.
For each CVE, I’ve included a standout post from the community.
Enjoy exploring!
Hey everyone, what's cooking in the open-source universe? I just stumbled upon something that's seriously mind-blowing.
So, there's this Python library pretending to be a music tool (automslc), but get this – it's actually illegally downloading songs from Deezer! And the worst part? It turns your computer into an accomplice in a huge music piracy operation. Seriously, a digital pirate cove.
And then there's this npm saga with @ton-wallet/create... Crypto wallet emptied, just like that!
The moral of the story? Open source rocks, but blindly trusting everything is a recipe for disaster. Always double-check those dependencies! Automated scans are cool, but a real penetration test? That's pure gold.
Clients are always so appreciative when we can spot and fix this kind of stuff beforehand!
Now, I'm curious: What are your go-to methods for keeping your codebase squeaky clean and secure? Any tips or tricks you'd like to share?
Hackers Call Current #AI Security Testing 'Bullshit'
https://it.slashdot.org/story/25/02/11/191240/hackers-call-current-ai-security-testing-bullshit
Scanning ports with Python for beginners to penetration testing.
I saw this posted on Xiaohongshu. Not all heroes wear capes. Some wear fursonas.
#hacking #whitehat #whitehathacker #cybersecurity #furry #hardening #pentesting
Documentation, documentation, documentation ...
Pentesters, stay out of trouble.
This Week in Security: ClamAV, The AMD Leak, and The Unencrypted Power Grid - Cisco’s ClamAV has a heap-based buffer overflow in its OLE2 file scanning. That’s ... - https://hackaday.com/2025/01/24/this-week-in-security-clamav-the-amd-leak-and-the-unencrypted-power-grid/ #thisweekinsecurity #hackadaycolumns #securityhacks #pentesting #microcode #clamav #news
Microsoft's own red team looked at all of their AI products.
Conclusions: we fucked.
https://www.theregister.com/2025/01/17/microsoft_ai_redteam_infosec_warning/