Maya Kaczorowski Profile picture
I love puzzles almost as much as ice cream. All opinions my own. she/her @MayaKaczorowski@infosec.exchange
Dec 26, 2020 53 tweets 12 min read
Some observations on the SolarWinds supply chain attack, now that I'm all caught up!
Just a rundown of what I learned - citations included, all opinions my own 😄 /1 (If you're looking for an overview of the situation, check out this 101: , a more detailed article: krebsonsecurity.com/2020/12/solarw… or the get all the deets in the original FireEye blog: fireeye.com/blog/threat-re….) /2
Dec 8, 2020 8 tweets 2 min read
What's relevant to security? You should read the ✨awesome 30-page security report✨ but here's what caught my eye:

65-94% of active repos rely on open source software. The variance is by ecosystem, but basically, your code is more someone else's than your own. /1 Even though you might have a small number of direct dependencies, you likely have a HUGE number of transitive (indirect) dependencies.

A JavaScript repo has a median 683 transitive dependencies! /2
Jun 12, 2020 18 tweets 3 min read
TL;DR: Security folks - consider using allow/denylist instead of white/blacklist, and just allow/deny when a verb or in the UI.

Read on for more observations... I initially failed to explain why you should consider replacing white/blacklist.

(1) It's implicitly biased language - based on the colour, you know what's "good" and "bad". Though the etymology is not racist, it promotes implicit bias.
Dec 17, 2019 15 tweets 3 min read
So, earlier today, Google published a whitepaper on 🌟BeyondProd🌟, about how Google does cloud-native security. Here’s a summary thread /1 As much as you’ve been ask “what is cloud-native?”, I’ve been asked “how do I secure it?”. Google deploys billions of containers a week, and does so securely /2