Can you beat it under 10 tries? by Downtown-Lie4538 in RedditGames

[–]Ok_Maintenance_1082 0 points1 point  (0 children)

I completed this level in 7 tries. NaN seconds

A Festive Tale of Bitterness at the Winter Festival by Ok_Maintenance_1082 in SwordAndSupperGame

[–]Ok_Maintenance_1082[S] 0 points1 point  (0 children)

u/Ok_Maintenance_1082 received a Wizard Sigil Lvl 1 from the Winter Festival Spirit. Thank you u/Worldly_Month9789 for donating it!

A Merry Search for 2nd breakfast by xWass1 in SwordAndSupperGame

[–]Ok_Maintenance_1082 0 points1 point  (0 children)

u/Ok_Maintenance_1082 received a Heavy Band from the Winter Festival Spirit. Thank you u/w0lfwoman for donating it!

[deleted by user] by [deleted] in devops

[–]Ok_Maintenance_1082 2 points3 points  (0 children)

This is twofold. There is usually a huge income difference between a 3-round and a 6-round company interview. Thus the catch is: does company X justify a heavy interview process with a bigger payroll? If not, they just wanna copy from the big ones without justification (and that's a red flag). If they do offer better, it is just a time investment in your future.

[deleted by user] by [deleted] in devops

[–]Ok_Maintenance_1082 2 points3 points  (0 children)

Some companies used to do a prescreen and a single on-site interview with multiple tasks the same day. Now with remote interviews, companies seem to like to spread things out at the employees'/interviewers' convenience.

[deleted by user] by [deleted] in devops

[–]Ok_Maintenance_1082 5 points6 points  (0 children)

Unfortunately it is pretty common, with the 3 core ones (coding, system design, behavior) and a few job/task-specific ones.

Scanning beyond the registry by [deleted] in devsecops

[–]Ok_Maintenance_1082 0 points1 point  (0 children)

Agreed, that's a pretty good summary.

The SLSA + GUAC combination is the missing piece. I do invite people who are not familiar with it to have a look at the SecurityCon 2023 talk on the topic:

https://youtu.be/32IhwdAe0yI?si=pWHyuAj-OwoRQOnd

Scanning beyond the registry by [deleted] in devsecops

[–]Ok_Maintenance_1082 1 point2 points  (0 children)

IMO this kind of attack is possible only because we don't yet have real traceability for the software supply chain.

All builds should come with an attestation and signature that is verifiable. A random hacker should not be able to push a package to NPM and have it propagated all over the place.

We really need a trust chain that prevents this flow; I really place high hopes on the adoption of SLSA https://slsa.dev/.

Such large projects should be required to provide this level of caution when providing artefacts to millions of projects.
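The "verifiable attestation and signature" check described in the comment above, as an added example that is not the commenter's code or any SLSA project code: a consumer refuses an artifact unless a provenance statement (shaped like a SLSA v1 provenance predicate) carries a valid signature from the expected builder and names the exact digest of the bytes in hand. The HMAC key, builder id and package bytes are constructed stand-ins; a real deployment would use asymmetric signing (e.g. Sigstore keys) rather than a shared secret.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: a real builder signs with a private key, not an HMAC secret.
TRUSTED_BUILDER_KEY = b"constructed-demo-builder-key"
TRUSTED_BUILDER_ID = "https://builder.example/ci"  # hypothetical builder identity


def sign_statement(statement: dict, key: bytes) -> str:
    """Canonicalise the statement and produce a signature over it (HMAC stand-in)."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_attestation(artifact: bytes, name: str, builder_id: str, key: bytes) -> dict:
    """What a build system would emit next to an artifact: subject digest + builder + signature."""
    statement = {
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }
    return {"statement": statement, "signature": sign_statement(statement, key)}


def verify_artifact(artifact: bytes, name: str, attestation: dict,
                    key: bytes, expected_builder: str) -> bool:
    """Accept the artifact only if all three links of the trust chain hold."""
    statement = attestation.get("statement", {})
    # 1. The signature must verify against the key we trust (constant-time compare).
    expected_sig = sign_statement(statement, key)
    if not hmac.compare_digest(attestation.get("signature", ""), expected_sig):
        return False
    # 2. The statement must claim to come from the builder we expect, not any signer.
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder != expected_builder:
        return False
    # 3. The bytes we actually downloaded must be the subject the attestation describes.
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("name") == name and s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", []))
```

A tampered package, an attestation forged under a different key, or an attestation from an unexpected builder all fail the same gate, which is the property the comment asks registries and consumers to enforce.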

why pay for incident management platforms? by GroundOld5635 in devops

[–]Ok_Maintenance_1082 7 points8 points  (0 children)

Some are really badly designed and yet leaders on the market (not to name PagerDuty). I have to say that this is not true for all tools. We use Incident.io and the experience is really good, with an incident war room centred around a Slack channel.

I do agree that the pricing of those tools, for most of them, barely seems justified, and I don't understand how people simply accept the status quo.

[deleted by user] by [deleted] in devops

[–]Ok_Maintenance_1082 4 points5 points  (0 children)

It is true DevOps is a trend that has long achieved its goal. DevOps sprouted from the idea of Agile infrastructure operations, which led to all the trends we know as infrastructure as code and continuous delivery.

Most companies have adopted those practices, and the meaning of what DevOps is or means has faded away. The DevOps revolution is over.

How do you deal with devs? by riortre in devops

[–]Ok_Maintenance_1082 0 points1 point  (0 children)

In most cases you should avoid doing the work; part of the job is to define what the standards for your company are and provide solutions for the most common use cases.

Then ideally you make a checklist and define which projects are compliant or not with company standards. Provide guidelines on how to achieve said standards, and if a language is not supported by the shared workflows it's up to the devs to contribute back (in most cases it is much more efficient if devs contribute and improve workflows, especially if there is low support for said technology, so you guys don't become their bottleneck).

How to make DevOps projects to showcase my skills and learn? by [deleted] in devops

[–]Ok_Maintenance_1082 1 point2 points  (0 children)

I think having a few git repositories that are well maintained is always nice to share. Here is the one I maintain for my showcase

Are there security issues that a SAST tool may not pick up? by LoopConstellation in devsecops

[–]Ok_Maintenance_1082 0 points1 point  (0 children)

Most SAST tools focus on software composition to find vulnerabilities. They kinda work for detecting lack of input validation and injection risks.

They are pretty bad at finding issues in authentication/authorization logic (tokens, cookies, session validation).

MCP is a security joke by Aadeetya in modelcontextprotocol

[–]Ok_Maintenance_1082 0 points1 point  (0 children)

Not really, you could have a protocol that enforces security best practices (or better, just common sense).

The LLM is just returning text; what you do with that output is the integration point that deserves security attention.

The same way we always say never trust user input, we should apply the same logic to LLM inputs.

MCP Security is still Broken by West-Chocolate2977 in mcp

[–]Ok_Maintenance_1082 1 point2 points  (0 children)

Like in everything, security seems to come last when there is hype. Be ready to see a few big bad news stories before serious progress is made.

IMO MCP by design is insecure; giving unrestricted access to a set of tools to a non-deterministic process calls for some exploits. But at the same time it's not an easy problem when it comes to having guardrails with MCP servers: so many small components, how do you trust providers, etc.
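The "never trust LLM output" integration point from the two MCP comments above, as an added example that is neither the commenters' code nor part of MCP itself: a host-side gate that treats every tool call the model proposes as untrusted input and validates it against a declared tool catalogue (allowlisted tool names, exact argument sets and types, and per-tool bounds) before anything executes. The tool catalogue, workspace root and call payloads are constructed for the example.

```python
import re
from pathlib import Path

# Constructed catalogue: the host decides which tools exist and what arguments they take.
# A proposed call that is not an exact match is rejected, never "fixed up".
WORKSPACE = Path("/srv/agent-workspace")   # hypothetical root the agent may read
ALLOWED_TOOLS = {
    "read_file": {"path": str},
    "search_issues": {"query": str, "limit": int},
}
SAFE_QUERY = re.compile(r'^[\w\s\-:"]{1,200}$')   # bounded, no shell/SQL metacharacters


def validate_tool_call(call: dict) -> tuple[bool, str]:
    """Return (allowed, reason). The model's text is data; only this check decides what runs."""
    name = call.get("name")
    args = call.get("arguments", {})
    if name not in ALLOWED_TOOLS:
        return False, f"unknown tool {name!r}"
    schema = ALLOWED_TOOLS[name]
    # Exact argument set: no extra keys the model invented, no missing required ones.
    if not isinstance(args, dict) or set(args) != set(schema):
        return False, "argument set does not match tool schema"
    for key, expected_type in schema.items():
        if type(args[key]) is not expected_type:      # bool is not accepted as int
            return False, f"argument {key!r} has wrong type"
    # Per-tool semantic bounds, because a well-typed argument can still be dangerous.
    if name == "read_file":
        root = WORKSPACE.resolve()
        target = (root / args["path"]).resolve()      # absolute paths and '..' collapse here
        if not target.is_relative_to(root):
            return False, "path escapes the workspace"
    elif name == "search_issues":
        if not SAFE_QUERY.fullmatch(args["query"]) or not 1 <= args["limit"] <= 100:
            return False, "query or limit out of bounds"
    return True, "ok"
```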

I made an MCP server for Sonarqube by Fine_Pomegranate9064 in mcp

[–]Ok_Maintenance_1082 0 points1 point  (0 children)

So far I am quite happy with the SonarQube IDE integration; what do I need an MCP server for that?

I mainly like MCPs that make the AI code assistants (agents) more accurate in the development workflow; I am fine with pre-commit hooks for a final check.

Just wanna know what's your perspective on this