joshcgrossman.com
Friendly AppSec Ghost 👻 https://appsecg.host
105 posts 1,163 followers 431 following

The biggest AppSec conference in Israel is just around the corner, and we're excited to welcome you! Mark your calendars and stay tuned—registration details will be available soon. 📅 Date: June 5, 2025 📍 Location: Tel Aviv Expo – Pavilion 10 🎟 Registration link coming soon

Hi @mvsamuel.bsky.social, did you ever finish this story? Looks like it finishes half-way through... dev.to/mikesamuel/2...

If you want to find the finest vulnerabilities, look for the feature that was considered a critical delivery from a business perspective and was therefore rushed out super fast...

💡Want to speak at Israel’s top application security event? Now’s your chance! OWASP AppSec Israel 2025 is looking for speakers to present cutting-edge research, real-world case studies, and innovative insights into Application Security. 1/6

What fresh hell is this!!! And where is my Right-Ctrl!!!

Inspired by @sethlaw.bsky.social on the @absoluteappsec.bsky.social podcast... Eliminate entire classes of vulnerabilities in your app by learning which findings from your SAST are always nonsense and ignoring them...

I wrote a blog for AppSec practitioners about how you gather information about what is going on in the development organization. Some of it is more relevant when contracting but a lot of it is relevant to internal people as well.

Attention 3rd party library risk experts! On a scale of 1 to 10, how high would you rate the risk for: "library is hosted on SourceForge" Is the library considered "end of life"? Never mind that, is the platform which hosts it considered "end of life"....?!?!?

Hi folks, we are considering replacing the current tick boxes which indicate the level of a requirement with a simple number. In the short term we will change markdown files but leave the output formats the same. Can anyone think of a good reason why we should not do this?

Idle thought. @Semgrep OSS/CE is licensed LGPL which means you can pretty much use it however you like BUT if you change the code, you have to open source the changes with LGPL. 1/3

Apparently moving blogging platform on the same day as publishing a popular blog post was not a smart move by me...

If you were looking for a comprehensive update and clarification on what has happened with @Semgrep and @opengrep so far, I wrote up a post about it. There are some nuances that got lost in this story but overall I think this is a positive thing for the Semgrep engine.

What I should have done this morning: Published my 6 page blog post about what's going on with @Opengrep and @Semgrep What I actually did this morning: Migrated my website, blog and all historic posts over to Jekyll 🤦‍♂️ I'll get there, I promise.

What I should have done this evening: Worked on the @asvs.owasp.org What I actually did this evening: Wrote a 6 page blog post about what's going on with @opengrep and @semgrep 🤦‍♂️ Look out for that tomorrow...

Seems like there's a bit of confusion around the recent @Semgrep licence change and the @opengrep fork and I think there are two key points to highlight. 1/10

Last night a developer merged code which included a new API endpoint without the standard authorization decorator. This morning, that exception popped up on my custom static scanning report which meant I could investigate. This afternoon, the fix was merged 😎

I'm going to be talking about the @OWASP_ASVS at @jit_io 's DevSecNext conference TONIGHT. Catch me in the back room upstairs at 18:15!

As an AppSec architect, you want to be sure that software is being built securely and be available to provide support and guidance. But how do you keep your finger on the pulse of what development is actually happening? Check out my blogpost about this😀 www.bouncesecurity.c...

I have a Windows VM that I rarely use and having booted it and done 45+ minutes of updates I think I now remember why... 1/2

Lately, every BSides seems to have a talk on reframing security teams as a “Department of Yes” We don’t hear nearly as much about the value of a well-considered, strategically deployed “No” I've pulled together guidance on giving a better, more constructive No: ramimac.me/saying-no

Are Identity Providers (IdPs) boosting productivity or a security risk? 🤨 IdPs can boost your organisation’s productivity, but what happens if an attacker compromises it? Join Maor Abutbul at #NullconGoa2025 as he sheds light on Keycloak & Authentik 👉 nullcon.net/goa-2025/spe...

Using ChatGPT for any non-trivial coding is like an exercise in cross examination: "Write a Node program to do [x] using on a Mac." … [invalid code] … "Oh you wanted to use a post-2019 library?" … "Oh you meant for Macbooks sold in the past 6 years, eg Mx/ARM?" … "Oh with actual required args?"

A younger me, as a pentester and bug hunter, had exactly the bias described in this article 🤫 Luckily, I later worked with and for "the other side" and it changed my mind 🤯 I hope young people reading it will avoid taking years to understand the complexities of fixing bugs in a timely manner 🤞

Best city and con and I cannot wait for this.

Photos have been released from @owasp.org Global AppSec San Francisco! www.flickr.com/photo...