alp1n3_eth commented on Show HN: OWASP Scanner for Vibe Coded Apps (circuit.sh...) · Posted by u/h_jain
alp1n3_eth · 10 months ago
What are you using on the backend to actually scan it? Is it just ZAP / Burp Scanner? Or are you scanning the code itself, and just using a Semgrep / Snyk approach?

The landing page being free-tier Framer is a little sketch, the main contact should also probably be a form or an email address instead of a non-US phone number.

Is AI used throughout the entire process or just mainly focused on providing remediation recommendations based on the output of other tooling (scanners, JS analysis, secret scanning, etc.)?

Interesting project! Looking forward to seeing how it works and evolves.

alp1n3_eth commented on Supabase raises $200M Series D at $2B valuation (finance.yahoo.com/news/ex...) · Posted by u/baristaGeek
candiddevmike · 10 months ago
Reading the tea leaves, Series D means they opted for more funding vs. IPO. They claim to have 2 million users, but they're open core, so how many are paying? Maybe their books aren't looking that great. Wall Street doesn't understand database vendors outside of "big data", so they're probably hoping for acquisition. Not sure who would buy them though, as PostgreSQL vendors are kind of a dime a dozen these days...
alp1n3_eth · 10 months ago
A lot of people don't self-host it, even though it is open core. This is due to their docs being garbage and tons of differences between the offerings, so you can't even rely on the main docs if you're self-hosting.

It's easier to just become familiar with a DB UI tool like Beekeeper or DataGrip and spin up your own things. I'm also not a huge fan of being "locked-in" to so many things (including their auth). I think most projects would be better off keeping these parts separated, even if they are using third-party services to handle them, as it would be way less overhead to migrate out.

alp1n3_eth commented on Notion's Lies Sunsetting Skiff Mail · Posted by u/notioned
alp1n3_eth · 10 months ago
Yep! I was sad to see Skiff shutting down, as I loved their UI and there isn't a lot of tough competition that can match ProtonMail.

I had already left Notion as the app kept getting slower / bogged down and they added tons of useless clutter, and refused to support any form of E2E/local encryption.

alp1n3_eth commented on Ask HN: Slopsquat CVE? · Posted by u/ChuckMcM
alp1n3_eth · 10 months ago
I'd say it doesn't exactly meet the minimum standard for a CVE, as it's more of a technique vs. an actual vulnerability in an application/library. If there was a repo that had a vulnerable component that was currently infected through the manner described, that specific instance would probably qualify as a CVE.

Since this is a technique / overarching issue, it leans more towards being a CWE. Maybe something like:

- CWE-506: Embedded Malicious Code, or
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere, or
- CWE-1395: Dependency on Vulnerable Third-Party Component

Snyk's docs also explain it: https://github.com/snyk/user-docs/blob/main/docs/manage-risk...

"In almost all cases, malicious packages are not assigned a CVE ID."

alp1n3_eth commented on "Slow Pay, Low Pay or No Pay": Blue Cross Approved Surgeries Then Refused to Pay (propublica.org/article/bl...) · Posted by u/ceejayoz
SpicyLemonZest · 10 months ago
This isn’t a question of lived experience. It’s simply not the case that the FDA approves all treatments or that an FDA approved treatment is necessarily justified in some particular case.

I do agree that a lot of people seem to believe that’s how it works. There’s some objectively correct treatment, the doctors uncover what it is, and I have an unconditional right to get that treatment no matter what it costs. But no healthcare system does or could work that way. You have to consider tradeoffs and control costs somewhere.

You can build a system that makes it seem that way to the patients; that's why I like Kaiser. In my opinion it's more user friendly that way. But the tradeoff is that cost controls are imposed directly on what doctors are willing to prescribe. There are many stories of Kaiser doctors refusing to prescribe expensive treatments that other doctors would, because as a matter of policy they believe some lesser treatment would be sufficient.

alp1n3_eth · 10 months ago
"Have fun suffering and hopefully you don't die as we go through 8 medications that will most likely fail, but there's a slim chance they'll work!"
alp1n3_eth commented on The Story Behind "100 Go Mistakes and How to Avoid Them" (thecoder.cafe/p/100-go-mi...) · Posted by u/Kerrick
relistan · 10 months ago
O’Reilly author here. Seems the author stumbled over pitching them the book. You can almost certainly start with an email. Our initial contact with O’Reilly was only an email. We filled out a small form later with the details of the proposal, but it was not laborious. I can also attest that their tooling is great. From any git commit I can generate a full version of the book in any of its supported formats. I wrote all of my part of the book in vim.
alp1n3_eth · 10 months ago
Is there a good example repository to see how it's done?
alp1n3_eth commented on Ask HN: Looking to Break into Cybersecurity – Where Do I Start? · Posted by u/OulaX
alp1n3_eth · 10 months ago
You're a frontend web developer, so I'm assuming you're going to want to work in the areas of either:

1) application security engineering
2) application penetration testing
3) devsecops
4) vulnerability management

It really differs from person to person how they "break into" it. You've got great foundational qualifications, and probably just need to layer on extra "security" ones, if you don't already have them. If you're looking to start a company / start freelancing -- I've got no clue about that though.

If you're just dipping your toes further into the web app security side, OWASP has great labs, resources, etc. They have the WSTG (more for pentesters) and ASVS (more for devs), and of course their cheat sheets as well.

PortSwigger has great resources to read through on vulnerabilities, and labs that will cover a ton of different vulnerabilities. HackTheBox also offers certification pathways: CBBH and CWEE. CBBH is more beginner/intermediate and involves a blackbox approach, whereas CWEE is more whitebox (from what it looks like).

Just because systems have gaps doesn't mean the orgs actually want help with those gaps, esp. unsolicited. You could always take a look at bug bounty as well (through HackerOne or BugCrowd), but it can be pretty brutal for a beginner, as it can involve a ton of recon or "going deep" to reach untouched areas of an app.

alp1n3_eth commented on Ask HN: What do you use to monitor website security (vulns, uptime, etc.)? · Posted by u/lukejkwarren
alp1n3_eth · 10 months ago
Externally / blackbox options would be Nessus, Nuclei, OWASP ZAP (as you mentioned), and Burp Suite. The latter two only work well when used in combination with manual methods though, as they won't pick up business logic, auth bypass, MFLAC/IDOR, etc. on their own.

A lot of scanning templates / rulesets won't be 100% accurate or up-to-date, and will easily miss a lot of big things, so having it pentested by an actual person is always important.

From the source code side of things, Semgrep / CodeQL, Veracode / Snyk, Burp Enterprise (CI/CD), etc. are good options. But again, most places shouldn't get just scans, there should be a manual component involving a security professional who knows what they're doing.

XBOW is making some pretty cool strides in the meantime from a blackbox perspective though.

u/alp1n3_eth · Karma: 156 · Cake day: November 24, 2024