The governor of New Jersey just put out the call on live TV that he is desperate for Cobol programmers right now.
Jim Manico @ Albany, NY
@manicode
Defense AppSec Educator. Udemy OWASP Top 10 author: udemy.com/course/introdu
This tweet went viral. I feel like Madonna.
Not joking at all; for the unemployment system.
My wife gave me 1 key piece of advice over gender issues. It was “do not give yourself a pat on the back for communicating and working well with women. It’s basic human decency and is a basic expectation for your behavior as a man.” That was a smackdown that I needed to hear.
From my experience all software developers are now security engineers whether they know it, admit to it or do it. Your code is now the security of the org you work for. #GoldenAgeOfDefense
Spam in a Hawaii store. It’s locked up because it’s so regularly stolen.
I married a woman who is more intelligent, more wise and more beautiful inside and out than I. She is also older than I with more life experiences. We get into vigorous debates that I often lose. The fact that my wife kicks ass and takes names is awesome and frankly very hot.
My new girlfriend accepted my proposal. I’m getting married December 27 on Kauai! 😎
MacOS: my mouse just works
Windows: I need to reinstall drivers for my mouse to work
Linux: I need to recompile the entire OS to get my mouse to work
Question is “can you save the NJ state unemployment system and help people get needed unemployment checks?”
Wearing form fitting clothes for the first time in 15 years. Feeling good!
Azure freaking AD does not, at all, support access token revocation.
I’ve been a security pro for over a decade and (other than a few bad eggs) the people in the industry are some of the kindest, most supportive and intelligent people I’ve met. I really ❤️ InfoSec and the people that make up the industry. 🤙🏼
The new #OAuth2 Security Best Current Practices document was just updated yesterday! This is a critical doc for educators and OAuth2 implementors.
The biggest roadblock to secure software in my opinion is product managers who give security no priority.
Google released an open source SCA (Software Composition Analysis) security scanner a few days ago using osv.dev as the vuln data source.
My most lit tweet ever which went viral on Twitter Reddit and several other platforms, was about fucking COBOL which makes me 😭 and 😂
This morning I weighed in at 189 - my lowest weight as an adult that I can recall. I’ve been working my ass off (literally) for a year or more and am hitting my fitness and weight goals. I feel like a different person in a very positive way. Life is grand. 🙏
If we test less for security bugs, fewer security bugs will be found. #problemSolved
Do you know of any good secure coding books that teach the fundamentals well?
My grandmother Fran died today. She was the kindest, fiercest Sicilian lady I’ve ever met. We always had a great connection and spoke like adults for as long as I can remember. She stared death in the face with no fear. I’ll miss her for the rest of my life. Goodbye grandma. ❤️
Hi, I’m an AppSec professional. You might know me from my greatest hits like “No that tool will not automagical find or fix your bugs”, “Yes you still need to write secure code”, “No, a WAF will not perfectly block all attacks” and “Yes you need to update your 3rd party libs” 😎
25,000,000 bottles of beer on the wall, 25,000,000 bottles of beer.. take one down pass it around...
I am thrilled to be starting a new cloud native product company to address several of the security issues with Kubernetes. Excited to be on this journey with and . They are two of the greatest technology leaders I have worked with. I'm honored. Let's do this!
If you are a security engineer who does not code and still adds tons of value, please tell me your story in this thread. I want to hear what you have to say.
Bought new pants yesterday. Size 42. I was size 58 less than 6 months ago. I’m stoked! And definitely going to the gym tonight. 😎 •dance•
GitHub is going to warn devs about insecure dependencies
Manicode Security is now an official US Government approved vendor. So thrilled to be teaching in Washington DC today.
Developers do not need to think like an attacker they need to think like a skilled security engineer. There are plenty of great attack thinkers who do not understand security engineering. And developers only need a touch of attack knowledge to inform good secure coding.
One of the greatest joys of weight loss is that there is so much more to do and wear! 🤙🏼 Life is good. I’m grateful to have such strong community support. You’re all awesome!
I’m sorry but your code is NOT self documenting. Please provide meaningful comments to help me understand what the hell you are trying to do.
My theory is that Log4j was super pissed off that the OWASP Top Ten dropped the injection category from 1st place to 3rd place and was like “hold my beer, watch this.”
Manicode AppSec Top Ten
1) Lack of Security Testing
2) Insecure 3rd Party Libs
3) SSRF
4) SQL & Other Forms of Injection
5) Access Control Issues
6) XSS
7) AuthN Issues
8) Lack of AppSec Dev Champions
9) Lack of Secrets Management
10) Poorly configured HTTPS
I’m sorry but this message is BS. Modern networking tools do not automatically secure software. WAFs require massive work integrated into the SDLC to give partial defense and letting uneducated devs “do their thing” leads to insecurity.
Quote
Or you just plug the app into a solid FW, WAF, IDS and SIEM framework and let the developers do what they are good at - build apps. Specialization is still a thing. #cyber #infosec twitter.com/manicode/statu…
Password wordlist sorted by probability, originally created for password generation and testing. NIST 800-63 and suggest blocking users from using the top 100,000 common passwords in use today.
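As an added example (not code from the thread above or from the wordlist project), this is the kind of blocklist check the tweet is pointing at: reject a memorized secret that appears in the top N entries of a probability-sorted list, after the Unicode normalization that NIST SP 800-63B calls for. The seven-entry wordlist is a constructed stand-in for a real 100,000-entry list, the case-folding step is an added hardening assumption rather than a NIST requirement, and the function and constant names are this example's own.

```python
"""
Memorized-secret blocklist check in the spirit of NIST SP 800-63B section 5.1.1.2.
Added example; not code from the original tweet or the wordlist project.
"""
import unicodedata

# Constructed sample of a probability-sorted wordlist (most common first).
# A real deployment loads the first ~100,000 lines of the actual list.
COMMON_PASSWORDS_SAMPLE = """\
123456
password
123456789
qwerty
password1
iloveyou
letmein
"""

MIN_LENGTH = 8  # 800-63B minimum length for user-chosen memorized secrets


def normalize(secret: str) -> str:
    # 800-63B requires NFKC or NFKD normalization before comparison so that
    # visually identical strings (e.g. fullwidth digits) compare equal.
    # Case-folding is an additional hardening choice made here (assumption)
    # so that "Password1" cannot slip past a lowercase blocklist.
    return unicodedata.normalize("NFKC", secret).casefold()


def load_blocklist(text: str, limit: int = 100_000) -> frozenset:
    # Keep only the first `limit` entries of the probability-sorted list and
    # normalize them exactly the way candidate secrets are normalized.
    entries = [normalize(line.strip()) for line in text.splitlines() if line.strip()]
    return frozenset(entries[:limit])


def check_memorized_secret(secret: str, blocklist: frozenset) -> list:
    """Return the reasons a secret is rejected; an empty list means accepted."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("too short")
    if normalize(secret) in blocklist:
        reasons.append("commonly used")
    return reasons


if __name__ == "__main__":
    blocklist = load_blocklist(COMMON_PASSWORDS_SAMPLE)
    for candidate in ("Password1", "qwerty", "ｐａｓｓｗｏｒｄ１", "correct horse battery staple"):
        verdict = check_memorized_secret(candidate, blocklist) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalization step is the part that is easy to get wrong: comparing the raw string lets a fullwidth or mixed-case variant of a blocklisted password through, while comparing a normalized candidate against an un-normalized list silently fails the other way. Normalize both sides with the same function.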
"Ask yourself how many vendor security assessments Solarwinds went through, and passed, in the time since they've been compromised." -
Dan is spot on, as usual.
Can you politely suggest a great woman for a keynote at an AppSec/SoftwareSec conference?
This is the most insane, unreasonable and insultingly foolish job posting for a security architect I’ve ever seen. And it’s for less than 160k a year. WTF.
Apple released a fairly decent secure coding guide recently. developer.apple.com/library/ios/do
The ultimate guide to SSL certificates
Step 1) Stop using the term SSL and call it TLS
Step 2) TLS certificates are really X.509 certs
My blood sugar and blood pressure are normal, I’m below 240, yoga 6/days a week, removing meds with my doc, and very strict keto. I’m grateful to be back on a healthy path. 🙏
Today is one of the happiest days in 2019. A lot of really good friends 👫 have supported me during the past many months during some tough times. But now it’s time to let the good times roll again! Thank you to everyone for being there for me.
Rock on and Aloha 🤙🏼
I’m doing a keynote on the history of application security and this year.
I’d love your help!
What are some of the major historical moments in application security over the last 5 years or so? I’d love your advice!
Please RT!
The operations officer and core founder of - the amazing - made it clear from our first conversation that diversity, inclusion, child care on site and care about minimizing alcohol at our security conference was a core value, not an afterthought. Aloha 🤙🏼
Truly an amazing report from on the state of the software supply chain (3rd party library and OSS security). sonatype.com/2019ssc
Incredibly well done (and a bit frightening). This is why I consider 3rd party library security to be the top issue facing devs today.
I’m in the early planning phases of ManiCon, a secure coding training event and conference for 2023. Secure coding classes are the core of the conference, not an add on. I’m excited. 😁
Between August 2018 and today I have lost 80 lbs through only diet and exercise. I am so grateful for the many people who have supported me through this very physical and emotional process. Look out here I come!
I feel this sense of inner peace for the first time in a long while. I can’t say thank you enough to all of my friends and loved ones who stood by me during dark times. This too shall pass. Life is full of ups and downs for us all I would say. But today all is well. #gratitude
I’ve been asked to deliver 4 different keynotes over the next year and I gotta say it fills me with gratitude. Thank you very much! 🤙🏼
First video of the new lean me after many months of exercise and careful diet. I’m thrilled to be teaching in Portugal for NDC soon as well! :)
Quote
Join @manicode and 85+ other speakers at #NDCPorto 25-29 April. 2 days of workshops followed by a 3-day conference. See the full agenda and get your tickets at ndcporto.com
My list:
0. Send me 250 crustables frozen for lunches I’ll miss
1. Give me access to commit directly to main I got this
2. Need admin access to my machine so I can remove corporate root certs etc
3. I’m ready to agile some cool shit!
I'm going to announce a free secure coding online event to the Manicode email list next week.
I only send out 2-3 newsletters a year from the Manicode newsletter and I do not use the list for anything else. You can sign up here. manicode.us19.list-manage.com/subscribe?u=3b
I appreciate your commitment to privacy. Keep on rocking! (And searching!)
Several of my customers and business partners have mentioned to me that their team is migrating away from Burp to ZAP and that capability is starting to eclipse Burp, significantly. Hearing this from several different groups sounded quite significant.
It is my belief that the part of the AppSec industry that builds scanners to find insecure 3rd party libraries should be avoided. They are all selling the wrong tool. That industry will fade and be replaced by tools like dependabot that helps your devs keep their libs up to date.
When teaching I’ve been getting the comment “my manager will not let me spend time on fixing known security bugs” more often and it’s a very difficult situation to handle in class. I wonder why I get hired to teach devs about security in these situations. It’s deeply stressful.😢
After studying XSS defense for years; my vision of secure use of OAuth is heavily tainted. I still suggest keeping OAuth tokens out of browsers, use standard session or a stateless artifact to talk to the backend, and only do OAuth machine-to-machine between servers.
Best t-shirt ever. Getting a lot of smiles wandering around DC.
The amount of research I see folks working on to help justify why NOT to fix security bugs is disturbing. Fix. Your. Bugs. Especially basic technical security bugs.
I walked by a mirror in my hotel room and jumped because I thought someone else was in my room. I have not adjusted to the fact that I’m not 301 lbs anymore. It’s weird.
Gave a remote talk at the Pittsburgh OWASP chapter last night. My office was getting hot so I started to undress during the talk to cool down when I realized.... oh my, my camera is on and I’m broadcasting. Someone in the audience did Venmo me a tip. #shirtlessOWASP
OWASP has released an update to the XSS Prevention CheatSheet. This is one of our most popular CheatSheets and we are taking community consultation that the draft is ready for public release. Comparisons are available here:
Large group of FBI agents (25) take a knee with protestors near the national archive.
When I first joined a decade ago the mission was something I truly believed in. I believe in that mission even more so today.
Our mission is to make application security visible so the people and organizations can make informed decisions about application security risk.
I’ve definitely noticed more aggression from fellow passengers and staff. Last flight someone put their extra bag under my seat while I was sitting there. Plopped it back in their lap “my feet go there”.
210 #manistats I finally made it to 210. This is exactly 91 lbs down since I started recording my weight over a year ago. 🌈
I feel the best way to deal with third party library insecurity is to use a great deal less of them.
Been working on ASVS 3.1 (Application Security Verification Standard) which should be released in 2017.
Reading update to "OAuth 2.0 Security Best Current Practice" from the IETF released today.
My three security study goals for 2019:
1) Continue studying OAuth 2 and OIDC. Need to memorize next gen threat model and attend the security OAuth working group meetup in March 2019.
2) Study security architecture of AWS Lambda.
3) Get more nitty gritty into CSP 3.
I landed in Paris by train the moment France won the World Cup. This is really insane downtown. My Uber non-English speaking driver got a translator and found me. We’re now listening to loud techno beeping and screaming as we drive through town... Best Ride Ever
Quarantine day 1.
Just arrived on Kauai last night. Quarantine is super rigorous in Hawaii with a strict 14 day rule. I’m currently relaxing on my balcony, enjoying coffee with sunrise, respecting the quarantine rules. I will not leave my apartment until August 25.
A little less shaggy today. Getting ready for the ISSA conference tomorrow!
I started with Java in 1997 building Java 1.0.2 applets. Java has fueled my entire life. This is the greatest professional honor I’ve been given, ever. I will work hard to re-earn this every day. Thank you all! 😅
Quote
We are delighted to welcome new Java Champions
@theNeomatrix369
@saturnism
@juliendubois
@noctarius2k
@ivan_stefanov
@tnurkiewicz
@manicode
@jfarcand
@danielbryantuk
Many many congratulations to you all
I am thrilled that is happening virtually this year! It's free for everyone! locomocosec.com
Thank you to all of our amazing sponsors!
And thank you to the amazing who is our director for this years event. Ron is one of the original founders.
And that’s when you realize you live on a small island and there really is no where to go in case of nuclear war. My first reaction was “OPEN THE GOOD WINE”.
AWESOME. This is just what I wanted. Thanks for finishing it so quickly, that was fast! 😎🤙🏼
I’m trying hard to restrict myself to only 14-16 hrs of Coronavirus news a day.
I’m very excited to be teaching a secure coding workshop in Nepal! I can’t believe I’m here in this amazing country. Aloha! 🤙🏼
I’m very excited to be building Manicode Online with a few allies.
I am getting booked up heavily and cannot make it to all training requests.
I’ll have an online secure coding education offering soon! 🤙🏼
I just started dating someone who I’ve been close to for many years. This is a good thing. I’m lucky to have such a loving and kind person in my life. 🥰
One of the best things about is that they regularly do detailed presentations at security conferences. Some fairly amazing tools have come out of their engineering group.
Until you have made an organizational commitment to squash security bugs and reduce creating new ones you’re not really doing application security.