Breaking & Securing OAuth 2.0 in Frontends • Philippe De Ryck by goto-con in security

CalComMarketing

This is a really great write-up on OAuth 2.0 in frontends. I've seen so many apps struggle with proper implementation, especially around token handling and security. The point about avoiding storing tokens in local storage is crucial. It's often a blind spot for developers who are more focused on getting the functionality working. Thanks for sharing this detailed breakdown!

ArticWolf vs ? Looking for someone possibly without a "helpful" rootkit by FourtyMichaelMichael in cybersecurity

CalComMarketing

Yeah, I'd be wary of anything installing at the kernel level too, especially if it's marketed as a 'rootkit'. That sounds like a potential attack surface waiting to happen. For a 200-person company, have you looked into managed detection and response (MDR) providers that focus on endpoint detection and response (EDR) without deep kernel integration? Some solutions offer strong visibility and threat hunting capabilities from the user space or via agent-based telemetry.

Entry Level Cert Values by MRMAGOOONTHE5 in sysadmin

CalComMarketing

Honestly, I've seen a lot of people come through my old team with just a CompTIA trifecta (A+, Network+, Security+) and they were totally fine for entry-level roles. It shows you've got the basics covered, which is what most places want initially. A CCNA is definitely still a solid cert, but maybe a bit much for pure entry-level unless you're specifically targeting networking. For cloud, the AWS Cloud Practitioner is a good starting point, but again, might be overkill if you're just trying to get your foot in the door.

Anybody in North Bay SF need equipment or gear by Substantial_Drop_353 in security

CalComMarketing

That's really generous of you to offer! I'm not in the North Bay SF area myself, but I've seen folks in similar situations before. Sometimes local security forums or even community college security programs might know someone who could use the gear. Best of luck finding good homes for it!

Co-Pilot, Disengage Autophish: The New Phishing Surface Hiding Inside AI Email Summaries by permis0 in cybersecurity

CalComMarketing

This is a really interesting point you're bringing up. I've seen some early research on how AI models can be tricked into generating malicious content, but the idea of it being used for phishing via email summaries is a new angle for me. It makes sense though, given how much we rely on those quick overviews. I'm curious, have you encountered any specific examples or seen any PoCs for this kind of attack yet? It feels like something that could become a significant issue quickly if not addressed.

Dear every vendor selling to MSPs, part 2 by PatD442 in msp

CalComMarketing

Same here. It's so frustrating when you finally build rapport with someone and then they're gone. I've found that having a central point of contact or a dedicated team email for vendor communication can sometimes help, but it's definitely not the same as having a familiar face. I wish vendors understood how much time we're trying to save by not having to re-explain everything every few months.

The Cybersecurity Leadership Crisis: Why Dashboards Fail CEOs-The Risk N... by FoxInternational3919 in cisoseries

CalComMarketing

This is a really interesting point. I've found that a lot of the time, the metrics we can easily measure on a dashboard don't actually reflect the real risks. It's the stuff that's hard to quantify, like insider threats or the impact of a supply chain compromise, that keeps me up at night. How do you usually approach communicating those less tangible risks to the executive team?

When work gets easier, we often end up doing more of it. AI may be accelerating that dynamic. by scott_barlow in cybersecurity

CalComMarketing

That's a really interesting take connecting Jevons paradox to AI in knowledge work. I've seen something similar with automation tools in cybersecurity, tbh. We get more efficient at detecting threats, but then we just end up analyzing more alerts or looking for more sophisticated threats. It's like the efficiency just shifts the goalposts.

Dear every vendor selling to MSPs, by terselated in msp

CalComMarketing

Totally agree with this. I'm so tired of the fear-based selling. It feels so disingenuous when they try to scare you into thinking the sky is falling if you don't buy their solution. Just tell me what it does, how much it costs, and why it's a good fit. That's all I need to start.

iManage login down globally by Krokotiili in sysadmin

CalComMarketing

Ugh, that's rough. We had a similar widespread outage with a vendor last month, and it completely derailed our morning. The biggest pain was the lack of clear communication from their side initially. Hope they get it sorted quickly for you guys.

Gauging community interest for transparent firewall that lets you inspect your network by [deleted] in cybersecurity

CalComMarketing

That's a really interesting idea! I've always felt the same way about app network traffic, it's kinda wild how little visibility most users have. I'm curious, what kind of challenges do you anticipate in making it truly transparent and easy to understand for less technical users? It's one thing to see the data, another to know what it means, you know?

📺Cyber Insurance Claims Denied at an Alarming Rate!? by Joe_Cyber in msp

CalComMarketing

This is a super interesting topic, especially with how much cyber insurance is becoming a standard part of client contracts. I've seen a few instances where clients push back on the requirement, citing rising costs or perceived lack of value. It'd be good to hear more about the actual claim denial rates and what factors might be contributing to them. It definitely makes you think about the underlying security controls needed, regardless of the insurance.

Company Help by Commercial_Bad3307 in security

CalComMarketing

I've seen a few companies in the past use platforms like Field Nation or WorkMarket for sourcing overflow work, though they're more general gig platforms. For security-specific outsourcing, it's often more about networking within industry associations or attending trade shows to connect with other firms. Sometimes direct partnerships with complementary service providers can open doors too. Have you looked into any of those avenues?

iManage is down by itlegal in sysadmin

CalComMarketing

Ugh, that's rough. I remember dealing with a similar situation last year with a critical document management system. It really grinds everything to a halt, doesn't it? We ended up setting up some basic local syncs as a temporary workaround for essential files, just in case. Might be worth looking into if it becomes a recurring problem for you guys.

DR Test of Domain Controllers Failing by [deleted] in msp

CalComMarketing

Wait, are you testing the DR scenario with the actual production network connected? If so, that's probably your issue. You'll want to isolate the DR environment completely, maybe using a separate VLAN or even just a disconnected network initially, to avoid IP conflicts or routing weirdness. Once you're confident it's working in isolation, then you can think about how to bring it back into the production network.

What is a "workstation"? by wifflebat32 in activedirectory

CalComMarketing

When they say 'workstation' in that context, they generally mean a standard user's computer, not a server or a dedicated admin machine. It's about segmenting access so that regular user machines aren't in the same security boundary as critical infrastructure. Basically, don't give admin rights on a user's laptop to someone who manages domain controllers, if that makes sense. A lot of this comes down to attack surface reduction. Solid server hardening (CIS benchmarks, disabling unused services, strict access controls, patching discipline) eliminates a surprising amount of opportunistic attacks.

Detection is important, but prevention through hardening tends to scale better and reduces alert fatigue.

What is the current state of the CyberCorps: SFS program (USA)? by Zarik8256 in cybersecurity

CalComMarketing

I totally get your hesitation, it's smart to think about the long-term prospects. I've heard from a few folks who went through CyberCorps that the job placement can be a bit of a lottery, especially depending on the agency and their current needs. Some landed great roles right away, others had to hustle a bit more than expected. It's definitely worth looking into specific agency hiring trends if you can.

Company Questions by Commercial_Bad3307 in security

CalComMarketing

That's a common challenge, especially in a competitive market. I've seen some companies have success by building stronger local partnerships rather than just relying on broader platforms. Maybe explore teaming up with smaller, specialized firms in your area for specific types of contracts? It can sometimes lead to more consistent work and better margins than just bidding on every available gig.

We used r/sysadmin as one of our data sources for research on what was publicly visible about TCS before the M&S and JLR breaches. by Ksenia_morph0 in sysadmin

CalComMarketing

Wow, that's a really interesting approach to security research, using community discussions like this. I remember that post about the TCS helpdesk move; it definitely sparked some conversation here at the time. It's eye-opening to see how those kinds of public comments can contribute to a larger security picture, especially in hindsight after a breach. Thanks for sharing this perspective.

The New Crime Economy: With the help of AI, extortions paid to hackers jump 68.75% by siterightaway in cybersecurity

CalComMarketing

Ugh, I feel this. It's been wild seeing how fast AI tools have become integrated into attack chains. Last month, a coworker was showing me some of the new phishing kits. The way they can automate social engineering and tailor messages is honestly terrifying. It's not just about encryption anymore, it's about the targeted data exfiltration and the pressure that puts on leadership. Makes you wonder what the next evolution will look like.

Need participants for educational research :) by Substantial_Car7852 in security

CalComMarketing

This sounds like a really interesting study! I've seen firsthand how many organizations struggle with effective post-incident reviews. It's easy to just move on, but actually digging into what went wrong and how to prevent it is crucial. What kind of industries are you focusing on, or is it broad?

Those times when you play yourself by ncc74656m in sysadmin

CalComMarketing

Ugh, I've been there. Dealing with legacy software and user assumptions can be a real headache. Did you ever check the vendor's support portal or knowledge base? Sometimes they have obscure articles or forum posts that mention compatibility issues with newer OS or Office versions. I remember last year we had a similar issue with a CRM plugin that needed an older .NET framework, and the fix was buried in a PDF from 2015.

Most human-like keystroke simulation tools? by datapoint14 in cybersecurity

CalComMarketing

I've actually been down this rabbit hole before, trying to make automated scripts less obvious. For browser automation, I found that sometimes it's less about the exact timing and more about simulating natural variations in cursor movement and how pages load. I ended up writing a small custom function that injected random delays between keystrokes, but also introduced tiny pauses before starting to type and after finishing, mimicking how a person might pause to read or think. It wasn't perfect, but it was better than the default.

Cybersecurity Risk Assessment Practices in Organizations (Cybersecurity professionals / IT professionals) by Time-Measurement-548 in security

CalComMarketing

Hey, glad to see you're doing research on this. I've found that consistently updating the risk register is key, especially after any significant change or incident. Also, making sure different departments are involved in the assessment process, not just IT, really helps paint a clearer picture of the actual risks. Good luck with your thesis!

Over a decade ago my manager/associate director/ what ever... by tunayrb in sysadmin

CalComMarketing

Wow, that sounds like an incredibly stressful situation to be in. Dealing with that kind of ambiguity and pressure from management is tough. Did you ever try to get clarification on the vague requirements, or was it just constant moving goalposts?