John Opdenakker

Infosec blogger & tooter | Cycling | Running | Enjoy life | Toots might contain traces of bad humor, sarcasm or irony | Takes your security seriously! Inquiries? -> contact me, more info at johnopdenakker.com/contact

2025-06-11

I'm my own worst critic. It's tiring. Very tiring...

No matter how much I try to convince myself that "good enough" is okay, I still don't act like it most of the time.

I guess it's a long-time learning process.

Recognizable?

2025-06-10

Dear network, I'm currently building out my side gig. If you are looking for some information security expertise or you know a company who does, please let me know.

I provide consultancy services, offering strategic and practical security advice tailored to your needs. Alternatively, we can target specific areas of your security posture, for example enhancing password and authentication security.

I've experience with creating and managing an ISO 27001 ISMS (including audits and certification) and all its corresponding clauses and controls. I lead a security champion and awareness program and I am involved in appsec security programs and the corresponding security activities.

In any case, don't hesitate to reach out, we'll find out if there's a match!

Contact me via DM or johnopdenakker.com/contact/

Reposts appreciated!

2025-06-06

@gogognomenl Hi, yes been giving priority to other things in life. Also social media had become pretty much like 'shouting in the void' instead of having fun conversations. I miss the good old - pre-Musk - Twitter times.

2025-06-06

@khae Hi man, good to hear from you! I think there's no single go-to social medium like in the good old Twitter days. Unfortunately.

2025-06-05

@simondassow beep bop

2025-06-05

@simondassow hi there 👋

2025-06-05

People still alive and kickin on this platform? Just let me know :blobsunglasses:

2024-11-22

@alex02 Yes and you cover that not only with tooling, agreed. Good tooling might help but appsec training is really necessary. And a lot of other security activities with proper quality gates as well of course!

2024-11-22

A sad state of affairs if you ask me. There's a lot of work to be done and job security for those in the application security field and information security in general.

And like in the article, poor tooling is often a reason that things don't improve like they should. Developer alert fatigue is real.

A lot of tools are really crappy. And often, instead of looking which tool can be best integrated to support developers in secure coding, it's the other way round. Security tools become the goal instead of the means.

decrypt.lol/posts/2024/11/21/i

#infosec

2024-11-20

Nowadays mostly active on Bluesky. Feel free to follow me there: bsky.app/profile/j-opdenakker.

2024-04-20

This is interesting.

NIST released three self-guided online introductory courses on the NIST Special Publication (SP) 800-53 security and privacy control catalog, the SP 800-53A control assessment procedures, and SP 800-53B control baselines.

csrc.nist.gov/News/2024/online

#infosec

2024-03-26

Yesterday I had an interview at IKEA.

The manager greeted me and said
"come in, make a seat."

2024-03-11

Use a password manager 😎. It’s a productivity tool!

2024-02-29

Facebook account takeover via "Send code via Facebook notification" password reset option.

6-digit code sent to user valid for way too long (≈ 2h) and no brute force protection in place in the request pushing the notification.
infosecwriteups.com/0-click-ac

#infosec

2024-02-27

Password complexity policies and implementations episode 583.

In this example both UX and security (ok ok, admittedly a 72 character long password is quite secure ;)) are impacted.

But the point is you shouldn’t enforce such ‘low’ length limits. You might want to build in some length restriction though, as a DoS protection but that shouldn’t block people with a password manager that want to use 100 character long passwords.

Not going to rant again why but I suggest people to read publications like NIST 800-63B that specify guidelines about digital identity.

You actually need a lot less constraints than often are implemented in a lot of services, which also results in a better user experience.

2024-02-24

😂

2024-02-22

My daughter called me an old man this morning.

We both laughed and laughed. Then I changed the WiFi password.

2024-02-18

Technologically impaired duck

2024-02-18
2024-02-17

For people that want to learn about passkeys this FAQ by Bitwarden is a good resource. Explains the concept in a simple way!

bitwarden.com/resources/passke

#passkeys #infosec
