do any of you guys know what OWASP is? open source foundation that is mostly funded by jews, has offices all over the world, is it legit?>meet with a guy who said he was a 'leader' member>has cyber-sec qualifications up the wazoo>says he is trying to open an office in our thing to get things done on his own%40 of 4chan traffic coming from israel you guys gotta know something about this.
>>106841937Their product was a top-ten checklist of things not do do.#1 was “don’t let internet randos type in SQL queries and execute them against your customer’s databases”I stopped reading that obvious shit after that.
>>106841937Yeah, my niece works for them. As far as she knows, it's a customer support thing, like answering Red Hat's customers' questions.
>>106841937facts pulled out of your ass
For any non retards, OWASP is a parent organization with chapters and global membership. Nonprofit aimed at improving web security globally. Probably not funded by the jews. (As much as owasp would love the money)They have people launch projects under their name and the OWASP Top Ten and OWASP Application Security Verification Standards are two of their most impactful and well known.They’re good stuff.
>>106841984it's quite difficult to find in depth information from company's/individuals.Your best bet is reading the docs yourself, and even then, the source code will always win
Used their scanning tools when working on DoD projects (heh, yeah of course we use Israeli tools, they’re our (((greatest ally)))). DoD required it and SonarQube as part of process to prove certainty in builds. It’s relatively easy to use. But it’s just a cybersec tool. Lots of false positives with the damn thing. I remember it telling me that we were vulnerable to a Kafka SASL vuln, but I had fully disable SASL all together, as well as plaintext and every other stupid setting that shouldn’t be on in the first place for prod networks. Lots of false positives. Many conversations with [redacted] to prove they should ignore the vuln warning on our build after proving we weren’t vulnerable.
>>106841984> I stopped reading that obvious shit after that.> tl;dr: That's the fucking point. Owasp is the bare minimum.SQLi shouldn't work in the internet.Sadly it does.Because corpos didn't invest in software since at least covid, regulated industries since around the '08 stock market crash, and banks since the dotcom boom.A nonzero percent of users click on phishing.I needed to manage several cyber incidents caused by phishing.Fail2ban, adblocking, custom DNS servers, a network-level honeypot, etc. fucking basic stuff are not implemented network wide in the vast majority of corpo networks I have worked on.Corpo cyber means that the CTO/CSO gets invited to golf, where some drinking buddy from his college sells him very expensive shit with a photoshopped Gartner leader quadrant, and then Comms/PR/IR can post that we are secure because we run Gartner top right quadrant software, pay $x mln/year on cyber and we have yearly training for employees that amounts to "This is a phishing. Please, please don't click on phishing. Thank you."I have been fired once because I needed to take the blame off my boss who clicked on fucking phishing, however he was a Party member and I wasn't.
>>106847199this sums up the state of infosec in 2025.
>>106841984I did AppSec for about five years. It's shocking how many greenfield programs have SQL injection vulns. In almost every modern development environment, it's easier to do things the right way than to create SQL injection but developers still do it. You can guess what demographic is the most guilty of this because they cut and paste from ancient sources they don't understand.
>>106845204not sure if anything's changed, but with kafka your options used to be basic auth, SASL, or unsecured. yikes, anon.
>>106841984OWASP is the basics.If you go to any cybersecurity tards youtube channel who has le-epic-new-takes, they shill some incredibly dumb insecure concepts like JWT. Because old knowledge doesn't sell, you need to regularly come up with new things. If you would know the basics that OWASP tells you, you would never use JWT for sessions. Yet here we are and they all shill it.During PHP times we learned that not even the provided methods to escape for SQL are enough. You should use prepared statements and split query from data completely.Now look at any common modern ORM, and even if they use prepared statements, they started again to do queries with strings and input that they themselves escape at some places.You might think that it i not needed to tell you basic things like not executing user input. But lots of knowledge learned >20 years ago is already lost exactly because of this mindset.
>>106848344Okay, why the fuck is a signed jwt insecure especially with GDPR/CCPA where you can't store client-state sessions? Jwts just work. Especially since jwts need to be validated on the server side.> Replay attackUse a nonce/validate client ip. Also use short validity like 15-20 min max lol.> Credential fishingUse tls to encrypt the header as well as the value> Jwt is plaintextSee above + don't send PII in a claim> StuffingValidate iss+aud, server-side components authenticate to one another, preferably using an access token created by the refresh token of the user.
If you want a zero-trust actionable insight,they publish the handbook, documentation documentation and tooling that can be employed to perform information security audits over HTTPS applications.
