Share this page!

Alyssa Miller 👑 Duchess of Hackington Profile picture
Twitter logo
12 Dec, 6 tweets, 2 min read
Hey #infosec peeps, many of us are tired, frustrated, and exasperated by #Log4Shell.

That said, how about we not blast developers en-masse or even within OSS or even within the Log4j project. Let's remember we have culpability here as well.

1/
We did nothing with a warning that was given to us in 2016 at BlackHat. Not one detection rule or scanner policy was created.

Despite extensive OSS security research done by orgs and academia, we failed to find this vuln in probably the single most popular Java package.

2/
How many of us are scrambling now because basic security controls (WAF's, Outbound connectivity lockdowns, etc.) that could have limited/prevented exploit of this vulnerability don't exist in our environments?

3/
And before you come at me with "Well they didn't give me funding, they didn't give me people, they don't care, etc." check inward first.

Did you position those initiatives as business enabling/enhancing? Or did you talk about risk/threat mitigation only?

4/
Did you create a roadmap that showed how individual initiatives linked progressively? Did you get sponsorship from individual business lines where you could sell actual value of an initiative in terms of cost savings or better yet additional revenue generation?

5/
I could go on but hopefully you get the point. We all have our roles we play in these things. So put away your venom. Appreciate the world of the devs, especially OSS maintainers, and let's fix our house first before we burn down someone elses? OK?

/FIN

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Alyssa Miller 👑 Duchess of Hackington

Alyssa Miller 👑 Duchess of Hackington Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @AlyssaM_InfoSec

Alyssa Miller 👑 Duchess of Hackington Profile picture
13 Dec
I certainly believe while we have moved past the tip of the iceberg, we're nowhere done with #log4j and it's issues. EVERYONE is now looking at this package and finding new variants and even new vulns. Don't expect to sleep anytime soon my dear #infosec fam.

1/
That said, remember there are likely malicious actors out there looking for the next thing already. With log4j burnt and orgs rapidly applying mitigations and fixes, what next? Where do we find the next widely used package with significant vulnerabilities like this?

2/
With that in mind, please drop the adversarial bullshit. I've seen devs abdicating all responsibility for the maintainers. I've seen security folks hating on devs. The mistakes made that led to this vuln. are laughably easy (to us as #infosec professionals).

3/
Read 8 tweets
Alyssa Miller 👑 Duchess of Hackington Profile picture
2 Dec
Thursday morning, back home after a few days of board meetings and I have some thoughts to share on being effective in board presentations. Tech and security leaders still seem to struggle in these settings so here goes:

As always, it's a 🧵

1/
1. Research your board members. Find out in advance who you'll be presenting to and look up their background. Talk to your peers who've chatted with the board before, see what intel you can get from them on the dynamics of those discussions. Prep accordingly.

2/
2. Read the room. Important with any presentation but particularly so in the board room. If they're looking at their phones, you lost them. It maybe that you got to technical. Change things up, change your tone, elevate the message and grab their attention again.

3/
Read 8 tweets
Alyssa Miller 👑 Duchess of Hackington Profile picture
1 Dec
The number of potentially qualified people that I see self-eliminating from open #infosecjobs saddens me. The thing is when you're looking at job descriptions, there are two ways you can look at them.

In typical Alyssa fashion, a 🧵 follows:

1/
Some people will read through the requirements from an implicit mindset of identifying the reasons not to apply. They look for any requirements that suggest they're not qualified and when they find too many of them (for some that means even one), they choose not to apply.

2/
The other method, and the mindset I wish more job seekers would take, is to look at a job description with the focus of finding the reasons to apply. What requirements are things you're good at or could be good at. What responsibilities are areas of interest for you.

3/
Read 6 tweets
Alyssa Miller 👑 Duchess of Hackington Profile picture
21 Nov
FORTY SEVEN

Forty-seven trans people have been violently killed so far in 2021. While this number represents an increasing trend, let's talk about what that number doesn't tell us.

#TDOR #tdor2021

1/
* These are violent crimes, meaning someone else took their lives. This number does not reflect those that took their own lives as a result of unmanageable pressures of discrimination, abandonment, homelessness, forced conversion therapy, etc.

2/
* This number only includes those situations where Law Enforcement documents the victim as transgender. It does not include those killed where police and families hid the gender identity of the victim. This is a common occurrence and skews the numbers heavily.

3/
Read 12 tweets
Alyssa Miller 👑 Duchess of Hackington Profile picture
6 Nov
Let's talk job offer negotiation, a 🧵.

If you've heard my talks on this, you know I'm a huge advocate for knowing your worth, getting paid, and asking for what you need.

Recruiters and hiring managers expect it, they're not going to rescind an offer if you ask for more 💰

1/
However, you also have to know what can and cannot be negotiated and remember it's a negotiation not a demand letter.

Salary, bonus, time-off, flexible work/wfh, signing bonuses, title

These are things that can typically be negotiated to varying degrees.

2/
Health/Dental coverage, retirement plans, other corporate benefits and all their associated costs and provisions

These are things that are pretty universal across the org, only get setup once per year, and most often cannot be negotiated.

3/
Read 8 tweets
Alyssa Miller 👑 Duchess of Hackington Profile picture
6 Nov
Hey #infosec n00bs!!

One of the worst habits we have in security is speaking in absolutes. Saying things like "Unhackable", "Breachproof", "Fully Secure", "No Risk". They're simply untrue.

But this also includes when we talk about skillsets. There are no absolutes.

1/
So when someone says, "You must know x, y, z" or "You have to do a, b, c" to get a certain job (or any job) in security, you can simply toss out those absolutes in with all the other fallacious absolutisms that security people throw around. Simply ignore them.

2/
The reality is we need people of all different skillsets, all different backgrounds, and with all different perspectives in order to be successful. Security is about problem solving and problem solving is strongest when different viewpoints collaborate.

3/
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @AlyssaM_InfoSec has new unrolls!

Check out other threads from @AlyssaM_InfoSec!

Read all threads by @AlyssaM_InfoSec

:(