Brutkey

Neil Madden
@neilmadden@infosec.exchange

Author: API Security in Action (Manning), CVE-2022-21449. I'm on smoko so leave me alone.


Notes
1531
Following
0
Followers
0
Book
https://www.manning.com/books/api-security-in-action
Blog
https://neilmadden.blog/
Github
https://github.com/NeilMadden
Newsletter
https://buttondown.email/illuminatedsecurity
Consulting
https://illuminated-security.com/
Neil Madden
@neilmadden@infosec.exchange

My NDC Security talk about Tink from Oslo is now online: https://www.youtube.com/watch?v=peumD3MY8So

Neil Madden
@neilmadden@infosec.exchange

New ECB Penguin just dropped. #crypto #cryptography

(I made this: CC BY 4.0, based on
https://www.printables.com/model/683071-this-is-fine-meme (CC PD))

Neil Madden
@neilmadden@infosec.exchange

Welcome to my new followers. I have taken possession of your souls, for which I am eternally grateful.

By way of #introduction, here are a few things that I am sometimes known for:


I wrote the book API Security in Action, published by Manning. It covers a lot about modern application security, JWTs, OAuth, Kubernetes, and is secretly a tutorial on cryptography in disguise.

I discovered the “Psychic Signatures” critical vulnerability in Java’s implementation of ECDSA signature verification (CVE-2022-21449).

My blog has made its way onto Hacker News a few times.

I’m fairly active in the #OAuth working group at the IETF. I used to be the Security Architect for ForgeRock (now part of Ping Identity).

In my past I have mostly been a software engineer. I also have a PhD in computer science, for what it’s worth, but only my bank calls me Dr and my daughter thinks I’m lying about that.

These days I run a company, Illuminated Security, that provides AppSec and Applied Cryptography consultancy, review, bespoke development, and training. I’m always happy to answer emails (eventually!) on most topics.


Neil Madden
@neilmadden@infosec.exchange

For reasons, I’m probably going to be looking for a new job around July/August time. If you know of any UK-based hybrid/remote opportunities I may be a good fit for, let me know. Either permanent or contract/consulting. (LinkedIn seems really crap for finding a job now). A little to sell myself:
Author of API Security in Action
Former Security Architect for Forgerock (IAM)
Long-time OAuth and JOSE working group member at IETF
Applied cryptography, HSMs, JWTs, macaroons etc

Consulting site:
https://illuminated-security.com/
LinkedIn:
https://uk.linkedin.com/in/neil-madden

#FediHire

Neil Madden
@neilmadden@infosec.exchange

I feel like a lot of security issues with LLMs come from treating them as agents in their own right, rather than as a different form of UI.

Any actions that the LLM performs should be under the permissions of the user interacting with it, not permissions granted to the LLM itself.

Also only feed public info into it. Putting confidential data into an LLM is like putting secrets in the HTML source of your webpage.

Of course, like any UI technology, LLMs have specific vulnerabilities. But a lot of things become common sense when you adopt the right perspective.
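The two rules in the post above, tool actions run under the permissions of the human user rather than a grant given to the model, and only non-confidential data goes into the model's context, can be enforced in a small dispatch layer. The following is an added illustration, not code from the post or from its author; the user names, permission strings, ticket store and document classification labels are all constructed for the example.

```python
"""Constructed example: an LLM tool-dispatch layer that authorises every
model-requested action against the *calling user's* permissions (the
assistant itself holds no permissions), and that only admits public
documents into the prompt context."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # constructed permission strings, e.g. "read:tickets"


@dataclass(frozen=True)
class Document:
    doc_id: str
    body: str
    classification: str  # constructed labels: "public" or "confidential"


class PermissionDenied(Exception):
    pass


# Constructed backend state standing in for a ticketing system.
TICKETS = {"T-1": {"status": "open", "summary": "login page returns 500"}}


def read_ticket(ticket_id):
    return dict(TICKETS[ticket_id])


def close_ticket(ticket_id):
    TICKETS[ticket_id]["status"] = "closed"
    return dict(TICKETS[ticket_id])


# Each tool declares the permission a caller must hold. There is no
# separate "agent" identity anywhere in this table.
TOOLS = {
    "read_ticket": (read_ticket, "read:tickets"),
    "close_ticket": (close_ticket, "write:tickets"),
}


def dispatch(user, tool_name, **args):
    """Run a model-requested tool call as `user`, or refuse it."""
    if tool_name not in TOOLS:
        raise PermissionDenied(f"unknown tool {tool_name!r}")
    func, required = TOOLS[tool_name]
    if required not in user.permissions:
        # The model asked for an action the human in front of it may not take.
        raise PermissionDenied(f"{user.name} lacks {required!r} for {tool_name}")
    return func(**args)


def try_dispatch(user, tool_name, **args):
    """Convenience wrapper returning ('ok', result) or ('denied', reason)."""
    try:
        return "ok", dispatch(user, tool_name, **args)
    except PermissionDenied as exc:
        return "denied", str(exc)


def build_context(documents):
    """Second rule: only public documents are placed into the model's context.
    Anything confidential is dropped here, before the prompt is assembled."""
    return [d.body for d in documents if d.classification == "public"]


if __name__ == "__main__":
    alice = User("alice", frozenset({"read:tickets"}))
    print(try_dispatch(alice, "read_ticket", ticket_id="T-1"))
    print(try_dispatch(alice, "close_ticket", ticket_id="T-1"))
    docs = [Document("d1", "Public FAQ text", "public"),
            Document("d2", "Internal salary table", "confidential")]
    print(build_context(docs))
```

The point of `dispatch` is that the only identity consulted is the user who typed the prompt; if the model is tricked into requesting `close_ticket`, the request fails exactly as it would if the user had clicked a button they are not entitled to. `build_context` applies the "treat it like HTML source" rule mechanically, so a confidential document never reaches the model at all.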
