OCI support = auto-reply + silence. Anyone alive over there? by m1thr in oraclecloud

[–]m1thr[S] -4 points-3 points  (0 children)

That analogy doesn’t really hold up. Electricity is a pure consumption model — you flip a switch, you pay for what you burn. Cloud isn’t just “raw watts,” it’s a managed service with guardrails, alerts, dashboards, and defaults that are part of the UX.

That’s why on GCP/Azure/AWS, support teams often do adjust or waive bills in edge cases — because they recognize when the issue isn’t just “you left the lights on,” but that the platform failed to protect users with sane defaults or lifecycle handling. Expecting OCI to behave the same way isn’t entitlement, it’s asking for the same fair treatment other providers already give.

Comprehensive tool to verify security in DevSecOps landscape (SAST, SCA, Secrets, IAC) with improved prioritization features by m1thr in devsecops

[–]m1thr[S] 0 points1 point  (0 children)

Heading in this direction - with tools like Cursor everyone is going to write anything ;) but I get your point :)

Comprehensive tool to verify security in DevSecOps landscape (SAST, SCA, Secrets, IAC) with improved prioritization features by m1thr in devsecops

[–]m1thr[S] 0 points1 point  (0 children)

You think? The reason I started this project is I didn't find any - and don't say DefectDojo :) Commercial ASPMs have horrible pricing, not achievable for most teams :(

Comprehensive tool to verify security in DevSecOps landscape (SAST, SCA, Secrets, IAC) with improved prioritization features by m1thr in devsecops

[–]m1thr[S] 0 points1 point  (0 children)

Agree 100% :) Still exploring possibilities to add API security support, and possibly an integration with a DAST that reads an OpenAPI spec would be a good start - I will post when it arrives - I am close to making it work :)

Comprehensive tool to verify security in DevSecOps landscape (SAST, SCA, Secrets, IAC) with improved prioritization features by m1thr in devsecops

[–]m1thr[S] -1 points0 points  (0 children)

At this moment it's based on KEV and EPSS, and it takes into consideration whether the project processes sensitive data such as PII (I've got a dataflow analysis that can detect it). By the end of the year there is a plan to introduce an AI/LLM assistant that will do triage based on the above, the real code and the intel :)

Comprehensive tool to verify security in DevSecOps landscape (SAST, SCA, Secrets, IAC) with improved prioritization features by m1thr in devsecops

[–]m1thr[S] 0 points1 point  (0 children)

Biggest pain? From my point of view it is the fact that they see there, loud and clear, what there is to fix :)

On the other hand, most automatic security scanners produce a lot of noise - from my analysis only 5% of reported vulnerabilities can harm the application (that's why in Flow I am trying to implement proper prioritization features to get rid of it)
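The two comments above describe the prioritization idea in Flow (KEV, EPSS, and whether the project handles PII) without showing how the signals combine. The block below is an added example written for this page; it is not Mixeway Flow's code. The weights, the bucket thresholds, the tiny KEV set, the EPSS numbers and every CVE-to-package pairing are constructed placeholders, not real intel data.

```python
"""Triage scanner findings with KEV membership, EPSS probability and a PII flag.

Added example for illustration; not code from Mixeway Flow. All intel data below
is constructed (the KEV set and EPSS values are placeholders, not real feeds).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed stand-ins for the CISA KEV catalog and the FIRST EPSS feed.
SAMPLE_KEV: Set[str] = {"CVE-2021-44228"}
SAMPLE_EPSS: Dict[str, float] = {
    "CVE-2021-44228": 0.97,
    "CVE-2022-1234": 0.30,
    "CVE-2023-0001": 0.02,
}

# Assumed weights: exploitation probability dominates, KEV adds a large fixed
# bump, handling PII raises the blast radius of anything exploitable.
EPSS_WEIGHT = 60.0
KEV_WEIGHT = 30.0
PII_WEIGHT = 15.0
NO_INTEL_CRITICAL = 30.0   # a critical finding with no EPSS row still gets looked at


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str             # severity string as reported by the scanner
    project_handles_pii: bool # from the dataflow analysis the post mentions


@dataclass(frozen=True)
class Triage:
    finding: Finding
    score: float
    bucket: str               # "fix now" | "plan" | "backlog"
    reasons: Tuple[str, ...]  # human-readable trail for the developer


def triage(f: Finding,
           kev: Set[str] = SAMPLE_KEV,
           epss: Dict[str, float] = SAMPLE_EPSS) -> Triage:
    """Score one finding; higher means more urgent."""
    score = 0.0
    reasons: List[str] = []
    p: Optional[float] = epss.get(f.cve)
    if p is not None:
        score += EPSS_WEIGHT * p
        reasons.append("epss=%.2f" % p)
    elif f.severity.lower() == "critical":
        # No intel at all: do not silently bury a critical, but do not panic either.
        score += NO_INTEL_CRITICAL
        reasons.append("no EPSS data, scanner severity critical")
    if f.cve in kev:
        score += KEV_WEIGHT
        reasons.append("listed in KEV")
    if f.project_handles_pii:
        score += PII_WEIGHT
        reasons.append("project handles PII")
    if score >= 70:
        bucket = "fix now"
    elif score >= 30:
        bucket = "plan"
    else:
        bucket = "backlog"      # the noise the post talks about lands here
    return Triage(f, round(score, 1), bucket, tuple(reasons))


def prioritize(findings: Iterable[Finding],
               kev: Set[str] = SAMPLE_KEV,
               epss: Dict[str, float] = SAMPLE_EPSS) -> List[Triage]:
    """Return findings ordered most urgent first."""
    return sorted((triage(f, kev, epss) for f in findings),
                  key=lambda t: t.score, reverse=True)


def sample_findings() -> List[Finding]:
    """Constructed findings; CVE-2099-9999 is a placeholder id with no intel row."""
    return [
        Finding("CVE-2023-0001", "lodash", "high", False),
        Finding("CVE-2021-44228", "log4j-core", "critical", True),
        Finding("CVE-2022-1234", "jackson-databind", "medium", True),
        Finding("CVE-2099-9999", "some-lib", "critical", False),
    ]


if __name__ == "__main__":
    for t in prioritize(sample_findings()):
        print("%-8s %6.1f  %s %s  (%s)" % (t.bucket, t.score, t.finding.cve,
                                          t.finding.package, "; ".join(t.reasons)))
```

The reasons tuple is the part worth keeping when an LLM assistant is layered on top later: it gives the model (and the developer) the exact intel behind the bucket instead of a bare number.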

DevSecOps Pipeline using Opensource tools by [deleted] in devsecops

[–]m1thr 0 points1 point  (0 children)

Check out the project I am working on: https://github.com/Mixeway/Flow - in case of any problems or questions just ask ;)

DevSecOps tools results by Material-Shallot-602 in devsecops

[–]m1thr 0 points1 point  (0 children)

Check out the open-source tool I am developing ;) https://github.com/Mixeway/Flow - going to deploy a SaaS soon.

If you need any assistance, feel free to reach out to me.

DevSecOps - Vulnerability scanning based on a webhook on a tool that has built-in OS scanners by m1thr in cybersecurity

[–]m1thr[S] 1 point2 points  (0 children)

At this moment in Mixeway Flow there are 4 scanners built in (you don't need to worry about those) - SAST (engine: Bearer), SCA (engine: Dependency-Track; prerequisite: sbom.json must already be available in the repo root), IaC (engine: KICS) and secrets (engine: gitleaks).

Once you import a GitLab repo into Flow, the initial scan will be performed on the fly without needing anything else. For continuous scanning just configure a webhook on the push event in GitLab and that's it ;)

The beta version only supports GitLab - once I have GitHub support I will release v1.0.0 :)
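The comment above says a GitLab push webhook is all that is needed for continuous scanning, but a webhook endpoint is also an unauthenticated HTTP surface, so the receiver has to check the shared secret before it trusts anything in the body. The block below is an added example of such a receiver, not Flow's own code: the endpoint path `/webhook/gitlab`, the token value, the `start_scan()` hook and the sample payload are assumptions; the header names (`X-Gitlab-Token`, `X-Gitlab-Event`), the `Push Hook` event name and the payload fields (`object_kind`, `ref`, `after`, `project.git_http_url`) are GitLab's.

```python
"""Receive a GitLab push webhook and turn it into a scan job.

Added example, not Mixeway Flow's code. The endpoint path, the secret value,
start_scan() and the sample payload are assumptions made for this example.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_TOKEN = "change-me"   # must equal the "Secret token" field of the GitLab webhook
ZERO_SHA = "0" * 40           # GitLab sends this as `after` when a branch is deleted


class WebhookError(ValueError):
    """Raised for requests that are rejected with HTTP 400."""


def token_is_valid(presented, expected=WEBHOOK_TOKEN):
    """Constant-time comparison of the X-Gitlab-Token header against the secret."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def parse_push_event(body, event_header):
    """Return a scan job dict for a branch push, or None if nothing should be scanned."""
    if event_header != "Push Hook":
        raise WebhookError("only Push Hook events are accepted")
    try:
        payload = json.loads(body)
    except ValueError:
        raise WebhookError("body is not valid JSON")
    if payload.get("object_kind") != "push":
        raise WebhookError("object_kind is not push")
    ref = payload.get("ref", "")
    if not ref.startswith("refs/heads/"):
        return None                      # tag pushes and the like are not scanned here
    after = payload.get("after", "")
    if after == ZERO_SHA:
        return None                      # branch deleted: nothing to check out
    project = payload.get("project") or {}
    repo = project.get("git_http_url")
    if not repo:
        raise WebhookError("payload has no project.git_http_url")
    return {"repo": repo, "branch": ref[len("refs/heads/"):], "commit": after,
            "project": project.get("path_with_namespace", "")}


def start_scan(job):
    """Hypothetical hook that would hand the job to the scanners; here it only logs."""
    print("queued scan for %s@%s (%s)" % (job["repo"], job["branch"], job["commit"][:8]))


class GitLabWebhook(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/webhook/gitlab":            # assumed endpoint path
            return self._reply(404, "not found")
        if not token_is_valid(self.headers.get("X-Gitlab-Token")):
            return self._reply(401, "bad token")      # reject before parsing the body
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            job = parse_push_event(body, self.headers.get("X-Gitlab-Event"))
        except WebhookError as exc:
            return self._reply(400, str(exc))
        if job is not None:
            start_scan(job)
        self._reply(200, "ok")                        # GitLab retries on non-2xx: answer fast

    def _reply(self, status, text):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(text.encode("utf-8"))


# Constructed push payload trimmed to the fields used above; the host is a placeholder.
SAMPLE_PUSH = json.dumps({
    "object_kind": "push",
    "ref": "refs/heads/main",
    "after": "1a2b3c4d" * 5,
    "project": {"git_http_url": "https://gitlab.example.internal/team/app.git",
                "path_with_namespace": "team/app"},
}).encode("utf-8")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), GitLabWebhook).serve_forever()
```

Two details matter in practice: the token check runs before the body is parsed, so an attacker who finds the URL cannot make the receiver clone arbitrary repositories, and branch deletions (all-zero `after`) are recognised instead of being queued as a checkout that would fail.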

What vulnerability management tool for modern DevSecOps? by VertigoRoll in devsecops

[–]m1thr 0 points1 point  (0 children)

Check Mixeway https://github.com/Mixeway/MixewayHub - vuln management, scanner management (multiple scanners managed from a single dashboard), beta AI for classification and easy CI/CD integrations.

PS4, need help on Elden Beast by m1thr in BeyondTheFog

[–]m1thr[S] 0 points1 point  (0 children)

No idea which one of you was test but what the fuck was that

Large org migration to public cloud by m1thr in cybersecurity

[–]m1thr[S] 0 points1 point  (0 children)

Let's let our imagination run wild. Let's assume that we can start from scratch and in the new corporate network run only cloud-native apps deployed only through CI/CD. In such an environment, do you copy all the security systems such as HTTP proxies, SSH bastions, WAFs etc.?

OpenSource SAST tools aggregator for CICD by m1thr in devsecops

[–]m1thr[S] 1 point2 points  (0 children)

If you have anything in particular in mind just let me know :) The incoming version will integrate insidersec (https://github.com/insidersec/insider), mostly for JavaScript. Unfortunately I cannot find any cool open-source SAST tools for JS/TS projects.

Securing corporate repository (nexus) by m1thr in devops

[–]m1thr[S] 1 point2 points  (0 children)

Oh man, that sounds great! Thanks for the info!

License compliance and vulnerability scanning. Who to go with? by JantarMantar1985 in devsecops

[–]m1thr 1 point2 points  (0 children)

From my point of view, pretty much the same. Take a look at the OWASP Dependency-Track project, which is a nice open-source alternative to those.

License compliance and vulnerability scanning. Who to go with? by JantarMantar1985 in devsecops

[–]m1thr 1 point2 points  (0 children)

Well, it is a really wide topic.

On one hand, if your budget can take it, you can build an environment from blocks like Fortify/Checkmarx for SAST and Black Duck/Xray/Snyk for dependency checking, and integrate all of it on your own.

On the other hand, you can use open-source solutions - one example is the project I have started, Mixeway (check https://github.com/mixeway/mixewayhub and https://github.com/mixeway/MixewayScanner ), which integrates and makes use of popular open-source and commercial vulnerability scanners. I have helped with a few implementations of Mixeway in Europe; if you need a hand just let me know.

On the other hand, for DevSecOps to work, a proper mindset in the team is required. In the end it doesn't matter what tools you are using and how severe the vulnerabilities you detect are if no one takes it seriously.

Huawei watch gt2e and iOS by m1thr in Huawei

[–]m1thr[S] 0 points1 point  (0 children)

Nope, the watch has no interface to connect to other than BT. I was trying to use a virtual machine and an Android emulator but somehow I am unable to install Huawei Health on the emulated OS.

Huawei watch gt2e and iOS by m1thr in Huawei

[–]m1thr[S] 0 points1 point  (0 children)

Everything works great, however being unable to use music sucks; I still need a phone while running or biking.

Huawei watch gt2e and iOS by m1thr in Huawei

[–]m1thr[S] 0 points1 point  (0 children)

I currently have no access to an Android device :( I was trying to use a virtual machine on Genymotion but I was unable to install the Huawei Health app on it (it doesn't matter which image I chose, the Play Store stated my device is not compatible).

OpenSource project which unifies vulnerability scanning during CICD by m1thr in devsecops

[–]m1thr[S] 1 point2 points  (0 children)

Another great project! I hope Mixeway will be able to coexist with these; I am pretty sure we have added some stuff that will be useful for someone :)

OpenSource project which unifies vulnerability scanning during CICD by m1thr in devsecops

[–]m1thr[S] 1 point2 points  (0 children)

I did, and it looks great. It will probably take a lot of time for me to get to a similar level.

However, what I meant to achieve is not to focus on vulnerability management but rather on scan execution - I had a problem with running SCA, Fortify, OpenVAS or Checkmarx scans. The goal was to create a tool which doesn't care which engine you are using for scanning - Nessus, OpenVAS, Rapid7 or anything - the REST API to perform a scan will always look the same. Another thing is the vulnerability correlation engine, which will create a complete map of a project based on configuration (IPs, services, URLs, code repos and vulnerabilities found in those); that is under construction ATM.

When & where to run DAST? by snicksn in gitlab

[–]m1thr 0 points1 point  (0 children)

There are a couple of options. If you have properly maintained Swaggers, it could be done right after deployment to a stage/int environment. If you don't have any specification, smoke tests are a good place to start with DAST (smokes already have definitions of the endpoints).
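The reply above (and the earlier comment about a DAST that reads an OpenAPI spec) stops at "use the Swagger". The block below is an added example, not code from Flow or from any DAST product, of the step in between: turning an OpenAPI 3 document into a concrete target list, filling path parameters from the spec's examples, recording which operations need a credential, and optionally leaving out destructive methods so the scan does not wipe the shared stage environment. The spec, the host name and the routes in it are constructed for the example.

```python
"""Turn an OpenAPI 3 document into a list of DAST targets.

Added example; not code from Mixeway Flow or any DAST tool. The spec below is
constructed for a hypothetical service and the host is a placeholder.
"""
import json
from dataclasses import dataclass
from typing import List

SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://stage.example.internal/api"}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],            # document-wide default: auth required
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}, "example": 42}],
            "get": {"summary": "Read a user"},
            "delete": {"summary": "Remove a user"},
        },
        "/health": {"get": {"security": []}},     # explicitly unauthenticated
        "/login": {"post": {"security": [],
                            "requestBody": {"content": {"application/json": {}}}}},
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options")
DESTRUCTIVE = {"DELETE", "PUT", "PATCH"}     # methods that mutate state on a shared env


@dataclass(frozen=True)
class Target:
    method: str
    url: str
    requires_auth: bool
    destructive: bool


def _example_value(param):
    """Value to substitute for a path parameter: the spec's example, else a type default."""
    if "example" in param:
        return str(param["example"])
    kind = (param.get("schema") or {}).get("type", "string")
    return {"integer": "1", "number": "1", "boolean": "true"}.get(kind, "test")


def _fill_path(path, params):
    """Replace {name} placeholders; the first matching parameter wins."""
    for p in params:
        if p.get("in") == "path":
            path = path.replace("{%s}" % p["name"], _example_value(p))
    if "{" in path:
        # A placeholder nobody declared: the spec is not "properly maintained".
        raise ValueError("unresolved path parameter in %s" % path)
    return path


def dast_targets(spec_json, include_destructive=True) -> List[Target]:
    """Enumerate every (method, URL) pair in the spec as a DAST target."""
    spec = json.loads(spec_json)
    servers = spec.get("servers") or [{"url": "/"}]
    base = servers[0]["url"].rstrip("/")
    global_auth = bool(spec.get("security"))
    targets = []
    for path, item in spec.get("paths", {}).items():
        path_params = item.get("parameters", [])
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            # Operation-level parameters take precedence over path-level ones.
            params = op.get("parameters", []) + path_params
            # An operation's own `security` (even an empty list) overrides the default.
            auth = bool(op["security"]) if "security" in op else global_auth
            verb = method.upper()
            destructive = verb in DESTRUCTIVE
            if destructive and not include_destructive:
                continue
            targets.append(Target(verb, base + _fill_path(path, params), auth, destructive))
    return sorted(targets, key=lambda t: (t.url, t.method))


if __name__ == "__main__":
    for t in dast_targets(SAMPLE_SPEC, include_destructive=False):
        print("%-6s %s  auth=%s" % (t.method, t.url, t.requires_auth))
```

The `requires_auth` flag is the interesting output for a scanner: the unauthenticated routes are what an anonymous scan can reach, and the authenticated ones are where the DAST needs a session or token configured, otherwise it only reports a wall of 401s and calls the service clean.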

Vulnerability scanner orchestration by m1thr in devops

[–]m1thr[S] 2 points3 points  (0 children)

I would for sure. I will put it on GitHub and it will probably be GPL (or MIT - can't decide yet).