Feed cleverhans-blog [copy] http://www.cleverhans.io/feed.xml has loading error: cURL error 22: The requested URL returned error: 404
Feed Security (b)log [copy] http://securityblogru.livejournal.com/data/rss has loading error: cURL error 22: The requested URL returned error: 403 Forbidden
Continuous Vulnerability Scanning with OWASP secureCodeBox (god2025)
The OWASP secureCodeBox project aims to provide a unified way to run and automate open-source scanning tools like nmap, nuclei, zap, ssh-audit, and sslyze to continuously scan the code and infrastructure of entire organizations. This allows setting up automated scans that will regularly scan internal networks and internet-facing systems for vulnerabilities. The SCB also allows defining rules to automatically start more in-depth scans based on previous findings, e.g., to start a specialized SSH scan if a port scan discovers an open SSH port. Scan results can be uniformly handled with prebuilt hooks, e.g. to send out...
News from the Juice Shop ecosystem (god2025)
OWASP Juice Shop went through some significant renovation and enhancements over the last year in order to keep current with the underlying Node.js and Angular frameworks. MultiJuicer was entirely rewritten in GoLang and is now faster and more reliable than ever before. All Juice Shop side-projects have been migrated to TypeScript and brought to a common stack for testing and code linting. But the team did not only clean up and refactor behind the scenes. There are also lots of exciting new features and enhancements available, such as: Several new hacking challenges, e.g. a YAML memory...
How we hacked Y Combinator companies' AI agents (god2025)
We hacked 7 of the16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases. All within 30 minutes each. In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk.
Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
Video:god2025-56489-eng-How_we_hacked_Y_Combinator_companies_AI_agents_hd.mp4
A CISO's Adventures in AI Wonderland (god2025)
As a CISO (or any other security expert) in the area of AI, you can find yourself in increasingly challenging and sometimes bizarre AI-related situations not unlike Alice's adventures in Wonderland. Depending on whom you speak to, people either have high (inflated?) expectations about the (magic?) benefits of AI for security efforts, or try to explain why "AI security Armageddon" is looming... and that is just the security part of the story. All other areas in your organization are heavily using or experimenting with AI (e.g., vibe coding, automation, decision making, etc.), challenging (or ignoring)...
MCP security hot potato: how to stay secure integrating external tools to your LLM (god2025)
Model Context Protocol (MCP) is the latest hot topic in cybersecurity. Business wants it (AI is the new mantra), developers are excited (new toys, new code), and security teams are left to make it safe—often with already packed schedules. Let's treat it like just another Tuesday. Like many shiny new technologies (remember the early days of cloud?), MCP is being built with a “features first, security later” mindset. As a fresh piece of tech, it blends novel vulnerabilities with familiar, well-known ones. If you're an early adopter, it's important to accept that MCP and...
Keynote: Code Dark Age (god2025)
Generative AI is supposed to make our lives easier. But what if it's really just coding us straight into a new Dark Age? We hand over our systems to AI agents, only to watch them invent backdoors nobody asked for. Developers are left with the glamorous job of bug janitors, while attackers get new exploits. It's hard not to feel like we are front-row spectators to the collapse of digital civilization. This talk shows how these risks are multiplying, and how the public debate around security often misses the point, making it even harder...
How the EU created Electronic Invoices without considering Security (god2025)
Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts. While it is desirable to standardize invoice data formats, the EU standards have severe problems. They are overly and needlessly complicated, and security was not given much consideration. An unfortunate design choice to use a problematic "standard" (XSLT 2/3) only supported by a single implementation with inherent security problems makes security vulnerabilities in electronic invoicing software...
The Surprising Complexity of Finding Known Vulnerabilities (god2025)
With the increasing reliance on third-party software components, ensuring their security against known vulnerabilities has become a daily challenge for individuals and organizations. Despite the availability of a variety of tools and databases, we found all of them fall short when applied to real-world scenarios - raising questions about their effectiveness, generalizability, and practical utility. Starting from our perspective as penetration testers, we identified three main problems with...
Welcome (god2025)
Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/
about this event: https://c3voc.de
Video:god2025-56471-eng-Welcome_hd.mp4
LangSec for AppSec folks (god2025)
Die von LangSec beschrieben grundlegenden Sicherheitsprinzipien erklären die Hauptursachen vieler Sicherheitslücken und wie man diese beheben kann. LangSec sieht die anhaltende Schwachstellen-Epidemie in Software als eine Folge der ad-hock Entwicklung von Code, der Ein- und Ausgaben verarbeitet. Gemäß LangSec besteht der Schlüssel zur Entwicklung vertrauenswürdiger Software, die mit potenziell bösartigen Eingaben korrekt umgeht, darin alle gültigen oder erwarteten Eingaben und Ausgaben als formale Sprache zu behandeln. Dementsprechend müssen die Routinen zur Verarbeitung von Eingaben und Ausgaben als Parser beziehungsweise Unparser für diese Sprache behandelt werden und auch dementsprechend entwickelt werden. In diesem Vortrag möchte...