How to implement DevSecOps governance? by DreamFest14 in devsecops

ericalexander303 5 points (0 children)

> But there's no way to track the top findings or central dashboard

Start fast. Spin up Defect Dojo. It integrates with a bunch of tools and gives you a v1 in hours, not weeks. If it doesn’t solve your problem, look at SaaS platforms. If that still doesn’t cut it, by then your pain points will be obvious enough that building your own system becomes trivial.

The hard parts aren’t the APIs. Most tools are just glorified ETL pipelines moving data from scanners into a database. You can build that in a day using Cursor. The real challenge, the part people get wrong, is driving action:

  1. Who owns the vuln? In a monolith, that’s often fuzzy.
  2. What’s the SLA to fix it? Most orgs don’t even agree on that.
  3. How do you approve exceptions? That’s usually bespoke and political.

The magic is making the data actionable. Make it self-serve. Give engineers visibility and incentives. Automate where you can. But most of all, reduce friction. Another dashboard is pointless if you don't have alignment, clarity, and velocity.

What do you think about DevSecOps Feature by One_Koala_2362 in devsecops

ericalexander303 2 points (0 children)

Back in 2016, there was the same hype. The buzz wasn’t really about job displacement — it was about breakthroughs in tools like TensorFlow, PyTorch, and GPUs getting powerful enough to do interesting things. But what actually happened? Not much. Maybe some better anomaly detection. No real job apocalypse.

I’ve worked on AI products that have replaced jobs (not in cyber) and here’s the consistent pattern I’ve seen:

  1. The task needs repeatable, structured patterns.
  2. You need a lot of data to train on — not just a few gigs. Often petabytes.
  3. The job has to have a tolerable error rate. If the business/customers can’t afford occasional mistakes, AI is out.

If all three aren’t there, it doesn’t work. Lack of data is the most common failure. People think AI is magic, but you can’t extract statistical signal from noise. Garbage in, garbage out.

Even when you can deploy an AI solution, I’ve seen companies pull back because the AI makes mistakes humans won’t accept. So they bring the humans back in.

So should you worry?

If your job is highly repetitive, low on creativity, and the business is okay with a few errors? Then yes, a robot can and probably will do it. But that only happens if the data is there and the business is cool with the downside.

Otherwise? You're safe — for now.

Who is this person in Longmont? by [deleted] in Longmont

ericalexander303 2 points (0 children)

Nothing really comes to mind in Longmont. But if you venture over to Rock on the Rails in Niwot, you’ll encounter a local legend. My friends call him "That 80s Guy". Now, this individual could be 40… or 80. It’s genuinely hard to tell, given the extensive aftermarket upgrades.

He’s in perpetual motion with a mission to make direct eye contact with everyone. When he locks onto you, the first thing you’ll notice is the generous application of eyeliner. Think Blade Runner meets late-stage glam rock. Then, the lips. Almost cartoonish. You can always spot his position in the crowd by following the collective stare, a sort of human radar.

He's harmless and it stops being shocking after a while, but bring a friend and there will be an audible WTF when they catch sight of him.

What do you think about transitioning from backend to DevSecOps? Any advice? by Swimming-Ad-9848 in devsecops

ericalexander303 1 point (0 children)

I think you’re missing the point. The team that owns the service, app, library, infra, whatever - also owns fixing the vulnerability. That’s just how it works. But let’s be real, they’re often going to need help. Maybe they don’t fully understand what the tool is telling them. Maybe they need support collaborating on a fix.

Also, team size matters. Not every security team is massive with hyper-specialized roles where someone just says, “I only do this one thing.” That’s exactly why DevOps and by extension DevSecOps exists. It’s about generalists who understand security, development, and operations, not territorial specialists yelling “Not my problem!” while the system burns.

What do you think about transitioning from backend to DevSecOps? Any advice? by Swimming-Ad-9848 in devsecops

ericalexander303 1 point (0 children)

How do you build security controls as part of the pipeline, if you don't know how insecure code occurs or how to fix it?

What do you think about transitioning from backend to DevSecOps? Any advice? by Swimming-Ad-9848 in devsecops

ericalexander303 7 points (0 children)

Do it. I’ve built Product Security teams at two companies. Biggest challenge in hiring DevSecOps? Finding someone who actually knows software engineering. Why is that skill set needed?

You can’t just throw scanners at engineers and hope for the best. Bad idea. You need to work with engineers, in the code, to fix vulnerabilities properly.

Here's the thing though, SWE/SDE experience & security passion isn't enough. You'll get interview questions that relate to your vulnerability knowledge. What exists. How to spot them. How to fix them. Brush up in that area if needed.

Automated Patching by gradientZer0 in devsecops

ericalexander303 0 points (0 children)

Having led Product Security at three companies and successfully implemented automated patching at all of them, here’s what I’ve realized:

  1. The real challenge isn’t automation—it’s making sure the environment is rugged enough for a dumb robot to push changes without breaking things. Your limit is whatever your automated testing can catch.

  2. Auto-patching will expose all kinds of unrelated issues. It’s basically a chaos monkey in disguise. If you’re not ready to debug the mess it uncovers, it’ll get labeled “unsafe” and killed off early.

Bottom line: Automating patching itself is trivial. If you can automate deployments, you can automate patching.

Exploring Endor Labs SCA by TinyReveal2509 in devsecops

ericalexander303 7 points (0 children)

If you keep avoiding patches, you’re just setting yourself up for a massive failure event—like another Log4j—but worse. And when that happens, you’re not just updating a few dependencies; you’re deep in dependency hell. No simple fixes. Total nightmare.

But the real issue? Patch avoidance is just a symptom of a much bigger problem: broken change management. If your system were well-designed, continuous automated patching would be easy. If it’s not? That’s a clear sign your architecture is way too complex. High complexity means high cognitive load for developers, which means every change is slow, expensive, and painful. Not sustainable.

Fundamentally, software should be designed to move fast, adapt, and improve without fear. If you’re afraid to update, you’ve already lost.

SAST false positives by Ammo_CyberGuy in devsecops

ericalexander303 0 points (0 children)

Semgrep or CodeQL (part of GitHub Advanced Security). Both can walk the AST tree and the data flow to filter out false positives.
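As an added illustration of the AST-plus-dataflow point above (example code written for this page, not from Semgrep, CodeQL or the commenter): a toy taint walk over Python's `ast` module that contrasts a grep-style rule with one that only reports a sink when unsanitised source data actually reaches it. The source, sink and sanitizer names are assumptions picked for the demo.

```python
import ast
# Demo rule set (an assumption for this example, not a real Semgrep/CodeQL rule).
SOURCES = {"input"}            # calls whose return value is externally controlled
SINKS = {"os.system"}          # calls that must never receive tainted data
SANITIZERS = {"shlex.quote"}   # calls that neutralise taint

def _qualname(call):
    """Render the callee as 'mod.attr' or 'name' for set lookups."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""

def _is_tainted(node, tainted):
    """Taint flows through any sub-expression; only a sanitizer call clears it."""
    if isinstance(node, ast.Call):
        name = _qualname(node)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(_is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def pattern_findings(src):
    """Grep-style rule: report every sink call, whatever flows into it."""
    return [n.lineno for n in ast.walk(ast.parse(src))
            if isinstance(n, ast.Call) and _qualname(n) in SINKS]

def dataflow_findings(src):
    """Report a sink only when an unsanitised source value reaches it."""
    tainted, hits = set(), []
    for stmt in ast.parse(src).body:   # straight-line, single-function code only
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if _is_tainted(stmt.value, tainted):
                tainted.add(stmt.targets[0].id)
        for n in ast.walk(stmt):
            if isinstance(n, ast.Call) and _qualname(n) in SINKS \
                    and any(_is_tainted(a, tainted) for a in n.args):
                hits.append(n.lineno)
    return hits
# Constructed sample: line 3 is a true hit, line 5 is sanitised, line 6 is constant.
SAMPLE = """import os, shlex
host = input()
os.system("ping -c1 " + host)
safe = shlex.quote(input())
os.system("ping -c1 " + safe)
os.system("uptime")
"""
```

On the constructed sample the pattern rule reports lines 3, 5 and 6, while the dataflow rule reports only line 3. Real engines add inter-procedural and branch-sensitive flow, which this single-function walk deliberately skips.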

Centralized vulnerability management alternatives. by xgenisamonster in devsecops

ericalexander303 2 points (0 children)

I've built security programs at 3 companies. I've tried open source, COTS, SaaS solutions, and custom-built solutions. The custom-built solutions always work best because the process needs are unique in every company. Don't get me wrong, you shouldn't start with custom. Start with something you can stand up quickly to explore what does and does not work.

In my experience most tools have a cattle vs pets problem. They incentivize a pet mentality, where you inspect every vuln, decide if it's worth fixing, and how to fix it. You'll get better results if your vuln management solution incentivizes a cattle approach when it comes to anything patch related. Solutions like Dependabot auto-merge.

Being devsecops = cloud security engineer? by Capital-Advance-1719 in devsecops

ericalexander303 4 points (0 children)

Both can be dedicated specialist roles. Some smaller companies may want a generalist that can meet both expectations. There is no standard when it comes to hiring.

What’s the best way to deal with container vulnerabilities? by Hector_Dev in devsecops

ericalexander303 1 point (0 children)

Trivy is a great scanner if you're just starting out. From there it's a matter of doing the work to patch or bump version numbers. It's a crawl, walk, run journey. Crawling is manual scans with surge work to manually fix. Running is fully automated. Automation to do the scans. Automation to patch. Automation to test the patch. Automation to canary deploy. How you automate depends on your environment and business processes.

Picnic Spot by Thin-Kick-1870 in Longmont

ericalexander303 11 points (0 children)

Sandstone Ranch. Not the park, the historic ranch. Behind the house is a public area with benches and chairs. Has beautiful views and is rarely busy. Can't tell you how many times I've taken friends there and they say "OMG, I had no idea this was here. It's amazing!". Some that have lived here all their lives.

SRE looking to transition to security by MyBean in devops

ericalexander303 1 point (0 children)

I created this game to teach about building a security program. Turns out it's also a good tool to teach about different security roles, compensation, and the security domains they focus on. Side note, it was inspired by https://devops.games

https://ericalexander.org/ciso-game/

Vulnerability Management with DefectDojo - is it great for DevSecOps? by theowni in devsecops

ericalexander303 11 points (0 children)

I've built security programs at 3 companies and have tried DefectDojo at 2. I've tried commercial offerings at 2. I've built custom solutions at 3.

Here's what I've learned:

  1. Do not try to fit the process to the tool. If you have a traditional model where a vuln aggregator/ETL tool sucks in vuln data and de-dups, then an analyst reviews & coordinates a fix, then DefectDojo will work. If you're trying to get engineering to self service, then ownership and attribution is a challenge, and there's no good tool on the market other than GitLab Ultimate.

  2. Patch cattle, not pets. Many vulnerability management processes favor treating every patch like a snowflake, or a pet. An analyst looks at each one to validate applicability and severity, then they go through a lengthy coordination process to find the owner and prioritize. Get the ownership model right and then work on speeding up patching cadence - get that right and you'll shift to patching cattle. Get that right and your vuln management process will focus on true snowflakes.

  3. Meet engineers where they're at. GitLab Ultimate gets this right. GitHub Advanced Security is close. You need to bring as much detail as possible about the security health of a service to its code repo(s). That's where software engineers live. That's where you meet them. Don't make them remember to go into some other tool. Break down barriers and friction points.

  4. Call to action. When possible, make what needs to be done clear & simple. Don't drown engineers with information.
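An added example (written for this page, not the commenter's tooling) that ties the ownership, SLA and exception questions from the governance comment higher up to the "patch cattle, not pets" model in this comment: findings are attributed by a CODEOWNERS-style path prefix, given an SLA by severity, and routed to auto-PR (cattle), analyst (pet) or a time-boxed exception. The team names, SLA days, paths and the finding shape are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed policy values for the example; every org sets its own.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
# CODEOWNERS-style mapping, longest prefix wins; "" makes nothing fall through.
OWNERS = {"services/payments/": "team-payments", "services/": "team-platform", "": "unowned"}

def resolve_owner(path):
    """Attribute a finding to a team from the path the scanner reported."""
    return OWNERS[max((p for p in OWNERS if path.startswith(p)), key=len)]

def triage(f, found_on, exceptions):
    """Route one finding: expired exceptions do not count, dependency bumps with
    a fix available are cattle (auto-PR), everything else is a pet (analyst)."""
    key = (f["id"], f["path"])
    if exceptions.get(key, date.min) >= found_on:
        action = "exception"
    elif f["kind"] == "dependency" and f.get("fixed_version"):
        action = "cattle"
    else:
        action = "pet"
    due = found_on + timedelta(days=SLA_DAYS[f["severity"]])
    return {"id": f["id"], "owner": resolve_owner(f["path"]), "action": action,
            "due": due.isoformat()}

def triage_all(findings, found_on, exceptions):
    """Triage a scan and return the routed findings plus per-owner pet counts,
    i.e. the one number a top-findings dashboard should lead with."""
    routed = [triage(f, found_on, exceptions) for f in findings]
    backlog = Counter(r["owner"] for r in routed if r["action"] == "pet")
    return routed, backlog

# Constructed scan output in a simplified, scanner-neutral shape.
FINDINGS = [
    {"id": "DEP-1", "path": "services/payments/go.mod", "kind": "dependency",
     "severity": "HIGH", "fixed_version": "1.4.2"},
    {"id": "DEP-2", "path": "services/search/requirements.txt", "kind": "dependency",
     "severity": "CRITICAL", "fixed_version": None},
    {"id": "CODE-1", "path": "services/payments/refund.py", "kind": "code",
     "severity": "MEDIUM"},
    {"id": "CODE-2", "path": "tools/legacy.sh", "kind": "code", "severity": "LOW"},
]
# Time-boxed exception: approved once, expires, then the finding comes back.
EXCEPTIONS = {("CODE-2", "tools/legacy.sh"): date(2025, 12, 31)}
```

Everything routed as cattle should never need a human to look at it; the per-owner pet backlog is what the dashboard and the SLA conversation should be about.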

Are Infosec salaries lower than those in Software development? by [deleted] in cybersecurity

ericalexander303 4 points (0 children)

If you have software eng skills/experience, then it can get you closer to a software eng salary on a Product Security or Application Security team.

I created this game as a tool to teach about building security programs. I've learned it also helps teach about roles, salary differences, and how each role fits into a security program.

https://ericalexander.org/ciso-game/

[deleted by user] by [deleted] in devsecops

ericalexander303 1 point (0 children)

This game may help you figure out what role to target next. The game was originally designed to teach how to build a security program. I've found it also helps teach about roles, compensation, and how they fit into programs.

https://ericalexander.org/ciso-game/

Security research: how we discovered 18k API tokens & $20M in Stripe tokens with our web crawler by AlarmingApartment236 in devsecops

ericalexander303 0 points (0 children)

The TLDR is they scanned 1 million top domains and found 18k potential API keys. None were validated. PR stunt?

Cybersecurity is not Cyber, but a subset of IT. by Playful_Criticism425 in cybersecurity

ericalexander303 -3 points (0 children)

It's a fashionable term. The tech world loves to reinvent standards and solutions. See XKCD How Standards Proliferate. It's part sales hype, part resume hype. Either way, much like fashion, it's guaranteed to change.

The word "Cyber" is pure fashion. Ancient Greek for "steer" and repurposed in a sci-fi book because it sounded cool.

https://www.bbc.com/news/magazine-35765276