<?xml version="1.0" encoding="UTF-8"?>
 <rdf:RDF xmlns="http://purl.org/rss/1.0/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cc="http://web.resource.org/cc/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://pinboard.in">
    <title>Pinboard (earth2marsh)</title>
    <link>https://pinboard.in/u:earth2marsh/public/</link>
    <description>recent bookmarks from earth2marsh</description>
    <items>
      <rdf:Seq>	<rdf:li rdf:resource="https://spur.us/blog/smart-tv-apps-residential-proxy-sdks"/>
	<rdf:li rdf:resource="https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/"/>
	<rdf:li rdf:resource="https://doublepulsar.com/the-elephant-in-the-biz-outsourcing-of-critical-it-and-cybersecurity-functions-risks-uk-economic-96205e0585bf"/>
	<rdf:li rdf:resource="https://blog.1password.com/security-principles-guiding-1passwords-approach-to-ai/"/>
	<rdf:li rdf:resource="https://chromium.googlesource.com/chromium/src/+/main/docs/security/rule-of-2.md"/>
	<rdf:li rdf:resource="https://redmonk.com/sogrady/2025/08/06/cra-five-alarm-fire/"/>
	<rdf:li rdf:resource="https://docs.gandi.net/en/managing_an_organization/organizations/personal_access_token.html"/>
	<rdf:li rdf:resource="https://www.philvenables.com/post/the-6-fundamental-forces-of-information-security-risk"/>
	<rdf:li rdf:resource="https://www.philvenables.com/post/why-good-security-fails-the-asymmetry-of-infosec-investment"/>
	<rdf:li rdf:resource="https://docs.gitlab.com/ee/user/application_security/api_security/api_discovery/"/>
	<rdf:li rdf:resource="https://snikket.org/"/>
	<rdf:li rdf:resource="https://cloudsek.com/blog/postman-data-leaks-the-hidden-risks-lurking-in-your-workspaces"/>
	<rdf:li rdf:resource="https://www.leeholmes.com/security-risks-of-postman/"/>
	<rdf:li rdf:resource="https://joindeleteme.com/"/>
	<rdf:li rdf:resource="https://easyoptouts.com/"/>
	<rdf:li rdf:resource="https://ente.io/auth/"/>
	<rdf:li rdf:resource="https://www.crowdstrike.com/en-us/cybersecurity-101/cloud-security/api-security/"/>
	<rdf:li rdf:resource="https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/"/>
	<rdf:li rdf:resource="https://blog.pypi.org/posts/2024-07-08-incident-report-leaked-admin-personal-access-token/"/>
	<rdf:li rdf:resource="https://www.doppler.com/"/>
	<rdf:li rdf:resource="https://simonwillison.net/2021/Aug/3/samesite/"/>
	<rdf:li rdf:resource="https://www.theregister.com/2024/06/21/optus_data_breach_faulty_api/"/>
	<rdf:li rdf:resource="https://cacm.acm.org/practice/developer-ecosystems-for-software-safety/"/>
	<rdf:li rdf:resource="https://en.m.wikipedia.org/wiki/Zooko%27s_triangle"/>
	<rdf:li rdf:resource="https://textslashplain.com/2024/06/04/attack-techniques-trojaned-clipboard/"/>
	<rdf:li rdf:resource="https://www.imperva.com/resources/gated/reports/The-State-of-API-Security-in-2024-report.pdf"/>
	<rdf:li rdf:resource="https://www.schneier.com/blog/archives/2023/12/ai-and-trust.html"/>
	<rdf:li rdf:resource="https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/"/>
	<rdf:li rdf:resource="https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/"/>
	<rdf:li rdf:resource="https://sso.tax/"/>
	<rdf:li rdf:resource="https://jakearchibald.com/2021/cors/"/>
	<rdf:li rdf:resource="http://www.lupinia.net/writing/tech/scammed.htm"/>
	<rdf:li rdf:resource="https://up9.com/"/>
	<rdf:li rdf:resource="https://apichangelog.substack.com/p/bq-2022-03"/>
	<rdf:li rdf:resource="https://medium.com/google-cloud/configure-google-cloud-armor-using-openapi-64ba16ac040e"/>
	<rdf:li rdf:resource="https://cyberprotection-magazine.com/taking-charge-of-the-api-security-lifecycle/"/>
	<rdf:li rdf:resource="https://blogs.sap.com/2021/09/18/csrf-token-handling-in-sap-api-management/"/>
	<rdf:li rdf:resource="https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/?s=09"/>
	<rdf:li rdf:resource="https://medium.com/@jryancanty/stop-downloading-google-cloud-service-account-keys-1811d44a97d9"/>
	<rdf:li rdf:resource="https://www.oauth.com/oauth2-servers/pkce/authorization-request/"/>
	<rdf:li rdf:resource="https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps"/>
	<rdf:li rdf:resource="https://www.pingidentity.com/en/company/blog/posts/2020/graphql-access-control-part-1.html"/>
	<rdf:li rdf:resource="https://blog.cloudflare.com/javascript-libraries-are-almost-never-updated/"/>
	<rdf:li rdf:resource="https://twittercommunity.com/t/changes-to-access-token-and-secret-management/130851"/>
	<rdf:li rdf:resource="https://medium.com/@__xuorig__/why-we-dont-see-many-public-graphql-apis-ad972bcb201e"/>
	<rdf:li rdf:resource="https://paulstamatiou.com/getting-started-with-security-keys/"/>
	<rdf:li rdf:resource="https://textslashplain.com/2019/09/30/same-site-cookies-by-default/"/>
	<rdf:li rdf:resource="https://www.npr.org/2015/03/02/390245038/ben-franklins-famous-liberty-safety-quote-lost-its-context-in-21st-century"/>
	<rdf:li rdf:resource="https://developers.google.com/web/updates/2019/02/trusted-types"/>
	<rdf:li rdf:resource="https://neilmadden.blog/2019/01/16/can-you-ever-safely-include-credentials-in-a-url/"/>
	<rdf:li rdf:resource="https://speakerdeck.com/aaronpk/oauth-when-things-go-wrong"/>
	<rdf:li rdf:resource="https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864"/>
	<rdf:li rdf:resource="https://apisecurity.io/"/>
	<rdf:li rdf:resource="https://securitycheckli.st/"/>
	<rdf:li rdf:resource="https://developer.okta.com/blog/2019/01/23/nobody-cares-about-oauth-or-openid-connect"/>
	<rdf:li rdf:resource="https://www.okta.com/blog/2019/01/an-insiders-take-on-api-strategy/"/>
	<rdf:li rdf:resource="https://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses"/>
	<rdf:li rdf:resource="https://dev.to/antogarand/why-facebooks-api-starts-with-a-for-loop-1eob"/>
	<rdf:li rdf:resource="https://www.troyhunt.com/heres-why-your-static-website-needs-https/"/>
	<rdf:li rdf:resource="https://www.troyhunt.com/pwned-passwords-in-practice-real-world-examples-of-blocking-the-worst-passwords/"/>
	<rdf:li rdf:resource="https://www.okta.com/security-blog/2018/05/security-and-the-api-journey/"/>
	<rdf:li rdf:resource="https://medium.com/message/everything-is-broken-81e5f33a24e1"/>
	<rdf:li rdf:resource="https://nordicapis.com/high-grade-api-security-for-banks/"/>
	<rdf:li rdf:resource="https://github.com/pinterest/snappass"/>
	<rdf:li rdf:resource="https://support.google.com/chrome/answer/165139#passphrase"/>
	<rdf:li rdf:resource="https://www.csoonline.com/article/3239303/access-control/redefining-perimeter-network-security-the-future-is-a-hybrid.html"/>
	<rdf:li rdf:resource="https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c"/>
	<rdf:li rdf:resource="https://www.linksys.com/us/support-article?articleNum=246427#Krack"/>
	<rdf:li rdf:resource="https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/"/>
	<rdf:li rdf:resource="http://morfina.io/"/>
      </rdf:Seq>
    </items>
  </channel><item rdf:about="https://spur.us/blog/smart-tv-apps-residential-proxy-sdks">
    <title>Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs</title>
    <dc:date>2026-07-02T00:04:38+00:00</dc:date>
    <link>https://spur.us/blog/smart-tv-apps-residential-proxy-sdks</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Smart TVs are almost ideal proxy hosts. They sit on the same home network as everything else, but they do not feel like computers, so people rarely audit them like computers. There is no battery drain to notice, no cellular bill to spike, no app switcher full of suspicious background activity. A TV can stay plugged in, signed in, and online for years while the user thinks of it as furniture.</blockquote>]]></description>
<dc:subject>security iot privacy television appliances</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:423729a7051a/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:iot"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:television"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:appliances"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/">
    <title>The Smart TV in Your LivingRoom Is a Node in the AIScraping Economy - Include Security Research Blog</title>
    <dc:date>2026-06-07T04:45:16+00:00</dc:date>
    <link>https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Approach 1: DNS block (trivial, effective for network-routed devices):

proxyjs.brdtnet.com
proxyjs.luminatinet.com
proxyjs.bright-sdk.com
clientsdk.bright-sdk.com
clientsdk.brdtnet.com

Blocking proxyjs.* kills the peer tunnel without affecting any customer who legitimately uses Bright Data’s customer-facing proxy service on a different domain.</blockquote>]]></description>
<dc:subject>sdks proxies relays sneaky security television</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:98d20340bfef/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:sdks"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:proxies"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:relays"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:sneaky"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:television"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://doublepulsar.com/the-elephant-in-the-biz-outsourcing-of-critical-it-and-cybersecurity-functions-risks-uk-economic-96205e0585bf">
    <title>The Elephant in The Biz: outsourcing of critical IT and cybersecurity functions risks UK economic security | by Kevin Beaumont | Sep, 2025 | DoublePulsar</title>
    <dc:date>2025-10-05T12:39:25+00:00</dc:date>
    <link>https://doublepulsar.com/the-elephant-in-the-biz-outsourcing-of-critical-it-and-cybersecurity-functions-risks-uk-economic-96205e0585bf</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Essentially, we’ve ended up in a situation where to deliver shareholder value, large organisations are incentivised to outsource core IT and cybersecurity functions to a low cost managed service providers abroad — and then when hit with ransomware, the insurance will cover paying the ransom (some insurers will actually push for payment to criminal groups, to cover their potential losses).

This cycle plays into the ransomware economy, where the same criminal groups can then reinvest the money into purchasing exploits and gaining initial access to other organisations. Because ransomware is such big business, many of the groups have far bigger research and development funds than the organisations they’re attacking. Especially when the organisations they’re attacking have outsourced key areas to low cost providers.

The net effect is ransomware and extortion groups continue to gain access to more organisations, and risk UK economic security. It is only a matter of time before they hit some kind of essential UK service that directly impacts millions of people — by which point millions of people will be asking what is being done about the problem. And the answer is: not enough. When we’re at the stage of having to look at urgent furlough schemes for JLR’s suppliers to rightly save jobs, it isn’t so much a sign as the canary in the coalmine has died, but that the coalmine is also about to collapse on people.</blockquote>]]></description>
<dc:subject>ransomware security it incentives</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:aa9e9bfbccd4/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:ransomware"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:it"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:incentives"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://blog.1password.com/security-principles-guiding-1passwords-approach-to-ai/">
    <title>The Security Principles Guiding 1Password’s Approach to AI | 1Password</title>
    <dc:date>2025-09-19T16:57:55+00:00</dc:date>
    <link>https://blog.1password.com/security-principles-guiding-1passwords-approach-to-ai/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>At 1Password, we strive to make security effortless and universal. When it comes to AI, that means enabling organizations to use AI tools effectively without compromising our core security values of privacy, transparency, and trust.

As we empower our customers to securely adopt AI, we are building around a clear set of principles. Below are the security principles that will guide how we build, adopt, and integrate AI—today and in the future.

</blockquote>]]></description>
<dc:subject>ai llms security principles</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:ef9fd256a17c/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:ai"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:llms"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:principles"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://chromium.googlesource.com/chromium/src/+/main/docs/security/rule-of-2.md">
    <title>Chromium Docs - The Rule Of 2</title>
    <dc:date>2025-08-09T15:41:49+00:00</dc:date>
    <link>https://chromium.googlesource.com/chromium/src/+/main/docs/security/rule-of-2.md</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>The Rule Of 2
When you write code to parse, evaluate, or otherwise handle untrustworthy inputs from the Internet — which is almost everything we do in a web browser! — we like to follow a simple rule to make sure it's safe enough to do so. The Rule Of 2 is: Pick no more than 2 of

untrustworthy inputs;
unsafe implementation language; and
high privilege.
</blockquote>]]></description>
<dc:subject>coding safety security bestpractices guidance code inputs</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:c961aebb22d1/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:coding"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:safety"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:bestpractices"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:guidance"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:code"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:inputs"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://redmonk.com/sogrady/2025/08/06/cra-five-alarm-fire/">
    <title>The Cyber Resilience Act: A Five Alarm Fire – tecosystems</title>
    <dc:date>2025-08-06T13:57:40+00:00</dc:date>
    <link>https://redmonk.com/sogrady/2025/08/06/cra-five-alarm-fire/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Based on the financial downsides here, optimistic observers are concluding that the CRA could be a game changer in open source economics. As companies digest the potential penalties involved, they will be obligated to establish commercial relationships with open source projects they currently rely on at no cost. That means more money going from vendors relying on open source to those producing it, which would be a boon for developers. It also raises the question of what happens to product prices when manufacturers are compelled to pay for software they have to date consumed at no cost, but that’s outside the scope of this exercise.</blockquote>]]></description>
<dc:subject>security resilience opensource licensing Europe regulation</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:1157a1627dbc/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:resilience"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:opensource"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:licensing"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:Europe"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:regulation"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://docs.gandi.net/en/managing_an_organization/organizations/personal_access_token.html">
    <title>Manage API accesses with a Personal Access Token | Managing an Organization - Organizations | Gandi Documentation — Gandi Documentation documentation</title>
    <dc:date>2025-05-21T19:33:37+00:00</dc:date>
    <link>https://docs.gandi.net/en/managing_an_organization/organizations/personal_access_token.html</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>In the contrary of the API keys, which gave a single API access to all the products of all the organizations related to the username, for an undetermined duration, and that can be provided to several persons, a PAT has :

a limited duration,

limited (or full) permissions on all or part of the products (called resources) of an organization,

several “instances” of a token with the same duration and permissions, but named differently, so you know who uses which token.

Personal Access Tokens (PATs) allow you to improve the security of your products, and to manage in detail the access to your products using Gandi Public API.</blockquote>]]></description>
<dc:subject>apis PATs tokens authorization security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:5445a0f68656/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:PATs"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:tokens"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:authorization"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.philvenables.com/post/the-6-fundamental-forces-of-information-security-risk">
    <title>The 6 Fundamental Forces of Information Security Risk</title>
    <dc:date>2025-02-13T06:53:42+00:00</dc:date>
    <link>https://www.philvenables.com/post/the-6-fundamental-forces-of-information-security-risk</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>4. Entropy is King 

Unchecked controls fail over time, untested resilience fades gradually and then suddenly. Constant counterbalance is needed. Everything degrades unless countered with a force to keep it in place. This is why continuous control monitoring and, in effect, “control reliability engineering” is so essential</blockquote>]]></description>
<dc:subject>security risks information</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:021a7cb5a44a/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:risks"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:information"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.philvenables.com/post/why-good-security-fails-the-asymmetry-of-infosec-investment">
    <title>Why Good Security Fails: The Asymmetry of InfoSec Investment </title>
    <dc:date>2025-02-13T06:49:04+00:00</dc:date>
    <link>https://www.philvenables.com/post/why-good-security-fails-the-asymmetry-of-infosec-investment</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>So, why does this happen? Simple, it is because many organizations do not put in processes to counteract this natural tendency. This is especially hard for distributed organizations where security resources are embedded in business units, engineering teams or across a network of suppliers. But it’s also a challenge for the security team’s own resources. This is an example of one of the fundamental Forces of Security: Entropy is King. 


So, what can we do to put in place the counter forces to sustain security?</blockquote>]]></description>
<dc:subject>security culture failure organizations</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:b5a116e29ffe/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:culture"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:failure"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:organizations"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://docs.gitlab.com/ee/user/application_security/api_security/api_discovery/">
    <title>API Discovery | GitLab</title>
    <dc:date>2025-01-09T02:08:54+00:00</dc:date>
    <link>https://docs.gitlab.com/ee/user/application_security/api_security/api_discovery/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>API Discovery
Tier: Ultimate
Offering: GitLab.com, Self-managed, GitLab Dedicated
History 
API Discovery analyzes your application and produces an OpenAPI document describing the web APIs it exposes. This schema document can then be used by the API security testing analyzer or API Fuzzing to perform security scans of the web API.

Supported frameworks
Java Spring-Boot
When does API Discovery run?
API Discovery runs as a standalone job in your pipeline. The resulting OpenAPI document is captured as a job artifact so it can be used by other jobs in later stages.

API Discovery runs in the test stage by default. The test stage was chosen as it typically executes before the stages used by other security features such as API security testing and API fuzzing.</blockquote>]]></description>
<dc:subject>apis discovery opensource pipelines security platformengineering</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:4b1eba46e2d0/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:discovery"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:opensource"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:pipelines"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:platformengineering"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://snikket.org/">
    <title>Snikket Chat | Simple, secure and private messaging</title>
    <dc:date>2024-12-27T15:49:04+00:00</dc:date>
    <link>https://snikket.org/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Chat that is simple, secure, and private
Everything you expect from an easy-to-use messaging platform, but now under your control.</blockquote>]]></description>
<dc:subject>protocol privacy security chat messaging opensource</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:eea55781fef6/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:protocol"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:chat"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:messaging"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:opensource"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://cloudsek.com/blog/postman-data-leaks-the-hidden-risks-lurking-in-your-workspaces">
    <title>Postman Data Leaks: The Hidden Risks Lurking in Your Workspaces | CloudSEK</title>
    <dc:date>2024-12-23T21:41:28+00:00</dc:date>
    <link>https://cloudsek.com/blog/postman-data-leaks-the-hidden-risks-lurking-in-your-workspaces</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Sensitive data leaks in Postman workspaces pose significant risks, exposing API keys, credentials, and tokens that can lead to unauthorized access, data breaches, and reputational harm. A year-long investigation revealed over 30,000 publicly accessible workspaces leaking sensitive information, including business data and customer PII. Improper access controls, accidental sharing, and storing data in plaintext were major contributors to these vulnerabilities. Adopting best practices like using environment variables, limiting permissions, and implementing external secrets management is critical to mitigate these risks and secure collaborative development environments.</blockquote>]]></description>
<dc:subject>postman security secrets</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:8503754bb610/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:postman"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:secrets"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.leeholmes.com/security-risks-of-postman/">
    <title>Lee Holmes | Security Risks of Postman</title>
    <dc:date>2024-12-23T21:39:43+00:00</dc:date>
    <link>https://www.leeholmes.com/security-risks-of-postman/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Here is a rough playbook for how you can eliminate Postman in your company. Your mileage may vary, of course.

Determine your population of Postman users. We were able to get this list through endpoint URL usage data of users connecting to https://identity.getpostman.com.

Instruct these users to:

Log in (or open) Postman, go the History tab.

Review any entries with an “Authorization” header, or other sensitive headers. Rotate any credentials associated with any of these that have been saved.

Review any entries that use URL-based authorization</blockquote>]]></description>
<dc:subject>postman security migration</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:bedb6070b682/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:postman"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:migration"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://joindeleteme.com/">
    <title>Remove Personal Info from Google - DeleteMe</title>
    <dc:date>2024-12-06T00:44:23+00:00</dc:date>
    <link>https://joindeleteme.com/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>DeleteMe makes it quick, easy and safe
to remove your personal data online.</blockquote>]]></description>
<dc:subject>data privacy security optout</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:1532ff41a120/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:data"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:optout"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://easyoptouts.com/">
    <title>EasyOptOuts.com</title>
    <dc:date>2024-12-06T00:43:31+00:00</dc:date>
    <link>https://easyoptouts.com/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Your name, address, and phone number are available for anyone to view on people-search sites. Unless you opt out, your privacy is compromised.

We make it easy and affordable to remove yourself from over 160 websites.</blockquote>]]></description>
<dc:subject>optout privacy data security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:c7a8f7bb137f/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:optout"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:data"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://ente.io/auth/">
    <title>Ente Auth - Open source 2FA authenticator, with E2EE backups</title>
    <dc:date>2024-12-05T22:14:27+00:00</dc:date>
    <link>https://ente.io/auth/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Open source 2FA authenticator, with end-to-end encrypted backups</blockquote>
<blockquote>
Authy has dropped all support for its desktop apps. It is no longer possible to export data from Authy using methods 1 and 2. You will either need a rooted android phone or you will need to reconfigure 2FA for each of your accounts.
</blockquote>]]></description>
<dc:subject>2fa mfa authentication privacy security opensource tools</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:69cc3173070d/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:2fa"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:mfa"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:authentication"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:opensource"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:tools"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.crowdstrike.com/en-us/cybersecurity-101/cloud-security/api-security/">
    <title>API Security: 10 Issues and How To Secure | CrowdStrike</title>
    <dc:date>2024-11-21T23:26:57+00:00</dc:date>
    <link>https://www.crowdstrike.com/en-us/cybersecurity-101/cloud-security/api-security/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Let’s look at 10 of the most prevalent API security issues (according to OWASP) and explore how to prevent them.

1. Broken object-level authorization
This risk occurs when an API does not correctly enforce object-level authorization, allowing attackers to access or modify data they should not have access to. To prevent this issue, use a centralized access control mechanism to manage object-level authorization. This mechanism should be able to enforce access control policies at the object level and handle complex relationships between objects.

2. Broken user authentication
This risk occurs when an API does not properly authenticate users, allowing attackers to impersonate legitimate users and access sensitive data. To mitigate the risks that broken user authentication presents, implement multi-factor authentication and use secure password storage mechanisms. Multi-factor authentication adds an extra layer of security by requiring the possession of multiple devices to log in. Secure password storage mechanisms, such as hashing and salting, make it more difficult for attackers to crack passwords.

3. Broken object property-level authorization
In systems that use large objects, a typical risk is that one object exposes more data than necessary. Even when the system uses object-level authorization, an object may still have properties that include sensitive data. The solution is to use encryption to protect sensitive data and limit the amount of data exposed. Encryption can help protect data in transit and at rest. Filtering object properties before sending them to a client can help reduce the impact of a data breach.

4. Lack of resources and rate limiting
When an API does not properly allocate resources or enforce rate limits, attackers can launch denial-of-service attacks. To prevent these attacks, implement rate limiting and resource allocation mechanisms. Rate limiting can keep attackers from overwhelming the API with requests, and resource allocation mechanisms help ensure that resources are allocated fairly and efficiently.

5. Broken function-level authorization
This risk occurs when an API doesn’t require authorization for each of its endpoints. This can allow attackers to call endpoints that should only be used by an administrator. Using a centralized access control mechanism to manage function-level authorization can help mitigate this risk. The access control mechanism should be able to enforce access control policies at the function level and should be capable of handling complex relationships between functions.

6. Server-side request forgery
When an API accepts a URL from a client to fetch data from a third-party service and doesn’t validate the URL, it allows an attacker to submit malicious URLs that can expose internal services or scan the API for open ports. Employing URL allowlists or filtering internal hostnames and IPs can help prevent this problem.

7. Security misconfiguration
Following safe coding practices and regularly updating software and security configurations are key steps to configuring APIs securely so attackers can’t exploit vulnerabilities. Using secure defaults, disabling unnecessary features, and regularly updating software and security configurations are just a few best practices for hardened security configuration.

8. Lack of protection from automated threats
Automation can allow attackers to exploit regular business flows for financial gain by referring bots to a paid referral program or buying a limited product excessively to resell it later. Though some of these activities may not be illegal, they can still lead to reputation loss or financial losses for the organization. To keep this risk at bay, ensure that purchasing flows include reasonable limitations per person and referral programs are paid out only when a proof of personhood has been supplied. Device fingerprinting and blocking of suspicious IPs like Tor exit nodes are also recommended measures.

9. Improper asset management
When an API does not properly manage assets such as keys and certificates, unauthorized users can gain access to sensitive information. This is another reason it’s critical to employ secure coding practices and regularly update software and security configurations. Asset management can also include using secure defaults and disabling unnecessary features.

10. Unsafe consumption of third-party APIs
APIs often use APIs from third parties to get their work done. In many cases, these third-party APIs are treated as inherently secure. But these APIs can still become an attack vector into a system, allowing malicious users to indirectly send problematic inputs, such as SQL injections or forged URLs. Sanitizing inputs is vital — not just inputs from clients but from all systems that can enter data into your API. Employing allowlists for hostnames and restricting redirects can help ensure the safety of third-party APIs.</blockquote>]]></description>
<dc:subject>apis security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:ae9e19264039/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/">
    <title>Passkeys: A Shattered Dream</title>
    <dc:date>2024-10-23T02:40:37+00:00</dc:date>
    <link>https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.</blockquote>]]></description>
<dc:subject>passkeys security enshittification</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:cd3099ba9bd1/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:passkeys"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:enshittification"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://blog.pypi.org/posts/2024-07-08-incident-report-leaked-admin-personal-access-token/">
    <title>Incident Report: Leaked GitHub Personal Access Token - The Python Package Index Blog</title>
    <dc:date>2024-10-08T03:52:29+00:00</dc:date>
    <link>https://blog.pypi.org/posts/2024-07-08-incident-report-leaked-admin-personal-access-token/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits. These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely.</blockquote>]]></description>
<dc:subject>leaks tokens apis security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:a1f48fe6dee7/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:leaks"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:tokens"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.doppler.com/">
    <title>Doppler | Centralized Cloud-Based Secrets Management Platform</title>
    <dc:date>2024-09-30T17:05:28+00:00</dc:date>
    <link>https://www.doppler.com/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Securely manage, orchestrate, and govern secrets at scale with Doppler’s developer-first cloud hosted platform.</blockquote>]]></description>
<dc:subject>configuration security devops secrets</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:c9cfca2b2713/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:configuration"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:devops"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:secrets"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://simonwillison.net/2021/Aug/3/samesite/">
    <title>Exploring the SameSite cookie attribute for preventing CSRF</title>
    <dc:date>2024-08-29T19:07:10+00:00</dc:date>
    <link>https://simonwillison.net/2021/Aug/3/samesite/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>CSRF is an extremely common and nasty vulnerability—especially since it’s a hole by default: if you don’t know what CSRF is, you likely have it in your application.

Traditionally the solution has been to use CSRF tokens—hidden form fields which “prove” that the user came from a form on your own site, and not a form hosted somewhere else. OWASP call this the Double Submit Cookie pattern.

Web frameworks like Django implement CSRF protection for you. I built asgi-csrf to help add CSRF token protection to ASGI applications.</blockquote>]]></description>
<dc:subject>security webdev cookies csrf</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:d1467da0f0f8/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:webdev"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:cookies"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:csrf"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.theregister.com/2024/06/21/optus_data_breach_faulty_api/">
    <title>Coding error in forgotten API blamed for massive data breach • The Register</title>
    <dc:date>2024-08-17T05:41:43+00:00</dc:date>
    <link>https://www.theregister.com/2024/06/21/optus_data_breach_faulty_api/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>The data breach at Australian telco Optus, which saw over nine million customers' personal information exposed, has been blamed on a coding error that broke API access controls, and was left in place for years.

A Wednesday court filing [PDF] includes an account of the incident penned by Australia's Communications and Media Authority (ACMA), which is using its regulatory powers to pursue Optus.

The Authority alleges that Optus stored customer info and made it accessible to authenticated customers at www.optus.com.au and api.optus.com.au – described as the "Main" and "Target" domains. Retrieving that info required use of APIs that the filing describes as "Target APIs."

The Target domain existed to segregate API traffic from static content at the Main domain, and had been internet-facing since 2017. The Target APIs were secured by "various access controls designed to prevent unauthorized access."

But in 2018 a coding error broke one of those access controls, and meant it didn't work on either the Target or Main domain.

Optus spotted that error … in 2021, when it fixed it – but only for the Main domain.

The problem was not detected on the Target domain, and therefore wasn't fixed.

The Target domain, however, remained online and internet-facing. The court filing suggests it "was not decommissioned despite a lack of any need for it."

In September 2022, an attacker "was able to bypass access controls and send requests to the Target APIs." Doing so returned customer information for 9.5 million people – and sent Optus and its Singaporean owner, Singtel, into a world of pain.</blockquote>]]></description>
<dc:subject>apis security breaches examples</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:6512f5b17c31/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:breaches"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:examples"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://cacm.acm.org/practice/developer-ecosystems-for-software-safety/">
    <title>Developer Ecosystems for Software Safety – Communications of the ACM</title>
    <dc:date>2024-06-21T01:10:21+00:00</dc:date>
    <link>https://cacm.acm.org/practice/developer-ecosystems-for-software-safety/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>the rate at which common types of defects are introduced during design, development, and deployment is systemic—it arises from the design and structure of the developer ecosystem, which means the end-to-end collection of systems, tooling, and processes in which developers design, implement, and deploy software. This includes programming languages, software libraries, application frameworks, source repositories, build and deployment tooling, the production platform and its configuration surfaces, and so forth.

In short, the safety and security posture of a software application or service is substantially an emergent property of the developer ecosystem that produced it.</blockquote>
<blockquote>Cloud platforms.  When deployment environments are based on “bare-metal” servers and network devices, engineers are exposed to the full complexity and nonuniformity of their configuration surfaces. In contrast, cloud platforms provide a higher-level abstraction and a consistent vocabulary of configuration points, and they expose common functionality (such as databases) as managed services. This reduces cognitive load caused by differences between configuration surfaces of different types of network devices and the need to manage lower-level aspects of servers that host higher-level services such as databases.</blockquote>
]]></description>
<dc:subject>google quality security devex governance software development</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:07d0b0ca62a6/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:google"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:quality"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:devex"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:governance"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:software"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:development"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://en.m.wikipedia.org/wiki/Zooko%27s_triangle">
    <title>Zooko's triangle - Wikipedia</title>
    <dc:date>2024-06-16T21:06:11+00:00</dc:date>
    <link>https://en.m.wikipedia.org/wiki/Zooko%27s_triangle</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Zooko's triangle is a trilemma of three properties that some people consider desirable for names of participants in a network protocol:[1]

Human-meaningful: Meaningful and memorable (low-entropy) names are provided to the users.
Secure: The amount of damage a malicious entity can inflict on the system should be as low as possible.
Decentralized: Names correctly resolve to their respective entities without the use of a central authority or service.</blockquote>]]></description>
<dc:subject>trilemmas network tradeoffs usability security decentralization</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:0e3a900511ea/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:trilemmas"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:network"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:tradeoffs"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:usability"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:decentralization"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://textslashplain.com/2024/06/04/attack-techniques-trojaned-clipboard/">
    <title>Attack Techniques: Trojaned Clipboard – text/plain</title>
    <dc:date>2024-06-05T20:05:13+00:00</dc:date>
    <link>https://textslashplain.com/2024/06/04/attack-techniques-trojaned-clipboard/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Today in “Attack techniques so stupid, they can’t possibly work” — the trojan clipboard technique. The attacking website convinces the victim user to copy something dangerous to their clipboard, and then paste it into a powerful and trusted context.</blockquote>]]></description>
<dc:subject>security attacks clipboard examples</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:2a04b1602a36/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:attacks"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:clipboard"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:examples"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.imperva.com/resources/gated/reports/The-State-of-API-Security-in-2024-report.pdf">
    <title>The State of API Security in 2024 | Resource Library</title>
    <dc:date>2024-03-28T17:54:44+00:00</dc:date>
    <link>https://www.imperva.com/resources/gated/reports/The-State-of-API-Security-in-2024-report.pdf</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>API calls make up a massive 71% of all web traffic
Widespread API usage is expanding the attack surface for bad actors. These threats make it critical for organizations to understand the risks and complexities of APIs and the importance of API Security.

The Imperva State of API Security Report examines the current API threat landscape and provides key security insights for 2024. Based on real-time attack data targeting APIs, the report provides actionable intelligence gathered by Imperva’s Threat Research Team.</blockquote>
Also available here: https://www.imperva.com/resources/resource-library/reports/the-state-of-api-security-in-2024-report-ty?lang=EN&asset_id=6789&gated=1]]></description>
<dc:subject>apis security reports</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:175b5b8ae6d0/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:reports"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.schneier.com/blog/archives/2023/12/ai-and-trust.html">
    <title>AI and Trust - Schneier on Security</title>
    <dc:date>2023-12-16T05:41:42+00:00</dc:date>
    <link>https://www.schneier.com/blog/archives/2023/12/ai-and-trust.html</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>In this talk, I am going to make several arguments. One, that there are two different kinds of trust—interpersonal trust and social trust—and that we regularly confuse them. Two, that the confusion will increase with artificial intelligence. We will make a fundamental category error. We will think of AIs as friends when they’re really just services. Three, that the corporations controlling AI systems will take advantage of our confusion to take advantage of us. They will not be trustworthy. And four, that it is the role of government to create trust in society. And therefore, it is their role to create an environment for trustworthy AI. And that means regulation. Not regulating AI, but regulating the organizations that control and use AI.</blockquote>
<blockquote>
More specifically, we tend to assume that something’s implementation is the same as its interface. That is, we assume that things are the same on the inside as they are on the surface.
</blockquote>
]]></description>
<dc:subject>ai trust security ethics regulation</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:144b4adb35a6/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:ai"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:trust"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:ethics"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:regulation"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/">
    <title>How AWS uses automated reasoning to help you achieve security at scale | AWS Security Blog</title>
    <dc:date>2023-10-11T04:35:52+00:00</dc:date>
    <link>https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>Zelkova uses automated reasoning to analyze policies and the future consequences of policies. This includes AWS Identity and Access Management (IAM) policies, Amazon Simple Storage Service (S3) policies, and other resource policies. These policies dictate who can (or can’t) do what to which resources. Because Zelkova uses automated reasoning, you no longer need to think about what questions you need to ask about your policies. Using fancy math, as mentioned above, Zelkova will automatically derive the questions and answers you need to be asking about your policies, improving confidence in your security configuration(s).</blockquote>]]></description>
<dc:subject>aws policies reasoning security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:994840107c99/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:aws"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:policies"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:reasoning"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/">
    <title>SolarWinds: The Untold Story of the Boldest Supply-Chain Hack | WIRED</title>
    <dc:date>2023-05-02T18:35:39+00:00</dc:date>
    <link>https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/</link>
    <dc:creator>earth2marsh</dc:creator><dc:subject>technology hacking breaches security software supplychain</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:c8549b756baa/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:technology"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:hacking"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:breaches"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:software"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:supplychain"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://sso.tax/">
    <title>The SSO Wall of Shame | A list of vendors that treat single sign-on as a luxury feature, not a core security requirement.</title>
    <dc:date>2022-06-14T00:28:39+00:00</dc:date>
    <link>https://sso.tax/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["In short: SSO is a core security requirement for any company with more than five employees.

SaaS vendors appear not to have received this message, however. SSO is often only available as part of “Enterprise” pricing, which assumes either a huge number of users (minimum seat count) or is force-bundled with other “Enterprise” features which may have no value to the company using the software.

If companies claim to “take your security seriously”, then SSO should be available as a feature that is either:

part of the core product, or
an optional paid extra for a reasonable delta, or
attached to a price tier, but with a reasonably small gap between the non-SSO tier and SSO tiers."
https://lennysnewsletter.slack.com/archives/C017V1FPCQY/p1655155162937499]]></description>
<dc:subject>authentication enterprise security sso features packaging pricing</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:a4926164446c/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:authentication"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:enterprise"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:sso"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:features"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:packaging"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:pricing"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://jakearchibald.com/2021/cors/">
    <title>How to win at CORS - JakeArchibald.com</title>
    <dc:date>2022-05-31T06:11:29+00:00</dc:date>
    <link>https://jakearchibald.com/2021/cors/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[<blockquote>
CORS (Cross-Origin Resource Sharing) is hard. It's hard because it's part of how browsers fetch stuff, and that's a set of behaviours that started with the very first web browser over thirty years ago. Since then, it's been a constant source of development; adding features, improving defaults, and papering over past mistakes without breaking too much of the web.

Anyway, I figured I'd write down pretty much everything I know about CORS
</blockquote>]]></description>
<dc:subject>browser cors security webdev javascript</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:122572faa8ec/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:browser"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:cors"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:webdev"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:javascript"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="http://www.lupinia.net/writing/tech/scammed.htm">
    <title>Lupinia Studios - I'm a Scam Prevention Expert, and I Got Scammed</title>
    <dc:date>2022-04-04T18:00:05+00:00</dc:date>
    <link>http://www.lupinia.net/writing/tech/scammed.htm</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["ncident, and opened a claim for the fraudulent transaction (frustratingly, there's no immediate reversal; have I mentioned yet that I loathe this bank?). But, while he was working on this, and after he had already blocked my card, more transaction attempts were still coming in. There were at least four of them while we talked, and while "Daniel" still had me on hold and was still reassuring me that the "system was still processing". He hadn't mentioned the incorrect touch-tone information I provided, obviously not knowing it was fake. In total, on top of the $150 that went through (and that I'm disputing), there was another $800 or so that were blocked, thanks to the quick action of the real Wells Fargo rep.

As I was wrapping up the call with the real Wells Fargo, I received an email notification that my card had been removed from Apple Pay (nearly an hour after that had supposedly been done), and "Daniel" said my claim had been completed, so we were all finished. I wasn't finished with him, though.

Admittedly, improvisation is not my strength, but I strung "Daniel" along as best as I could, asking for confirmation numbers of everything we had done, getting clarification on everything he told me, and generally trying to make him repeat himself and waste as much time as possible, without giving him any further information. Because if you're gonna scam me, I'm gonna scam right back; I may not be able to trick money out of a scammer trying to trick me, but I can at least waste a LOT of time. The funniest part was when I asked about that $150 that still hadn't been reversed, and he reassured me that my account was "FDIC insured", which isn't at all how the FDIC works (it's insurance to reimburse account holders if a bank goes out of business and takes their money), but for some reason I couldn't get him to explain FDIC to me.

Finally, when I was out of cards to play, I decided to retroactively call his bluff from earlier, and asked to speak to his manager, to express my gratitude for all his help and patience in getting this"]]></description>
<dc:subject>scams fraud security phishing finance banking</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:4df8412a31c6/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:scams"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:fraud"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:phishing"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:finance"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:banking"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://up9.com/">
    <title>API production readiness assurance</title>
    <dc:date>2022-03-23T17:40:00+00:00</dc:date>
    <link>https://up9.com/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[Rafael's biz
"Ensure APIs perform reliably and prevent API security vulnerabilities

through deep API traffic analysis."]]></description>
<dc:subject>apis analysis analytics security kubernetes</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:360422a0e9d9/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:analysis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:analytics"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:kubernetes"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://apichangelog.substack.com/p/bq-2022-03">
    <title>Are All Your APIs Insecure? - by Bruno Pedro</title>
    <dc:date>2022-03-10T16:42:47+00:00</dc:date>
    <link>https://apichangelog.substack.com/p/bq-2022-03</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[a bit incendiary ]]></description>
<dc:subject>apis security gateways</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:09c3a805a3bc/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:gateways"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://medium.com/google-cloud/configure-google-cloud-armor-using-openapi-64ba16ac040e">
    <title>Configure Google Cloud Armor using OpenAPI | by Christoph Grotz | Google Cloud - Community | Jan, 2022 | Medium</title>
    <dc:date>2022-02-15T05:05:23+00:00</dc:date>
    <link>https://medium.com/google-cloud/configure-google-cloud-armor-using-openapi-64ba16ac040e</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>google security OpenAPI tools apis</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:4b7e5e21e0e0/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:google"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:OpenAPI"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:tools"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://cyberprotection-magazine.com/taking-charge-of-the-api-security-lifecycle/">
    <title>Taking charge of the API security lifecycle - Cyber Protection Magazine</title>
    <dc:date>2021-10-27T21:21:53+00:00</dc:date>
    <link>https://cyberprotection-magazine.com/taking-charge-of-the-api-security-lifecycle/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["Enterprise security leaders face three main challenges:

Knowing what you have and why it exists – One rogue API or flawed function can result in API abuse and data breach. As development teams work on APIs over different platforms, it is much harder to maintain a full inventory of your endpoints. Complete API visibility also requires knowing which APIs expose sensitive data and understanding how APIs interact and how they are consumed.
Controlling vulnerabilities and aligning security priorities – An enterprise API layer can have hundreds and thousands of known vulnerabilities simultaneously. Detecting, managing and prioritizing vulnerabilities across platforms, and generating clear requirements for remediation, are significant challenges for security teams who need to collaborate closely with developers to mitigate risk.
Detection coverage gap around business logic vulnerabilities – Traditional tools analyze traffic metadata to find known threats, but with APIs threats are often caused by authorized users making legitimate calls that attempt to manipulate the logic. Finding such functional attacks can be nearly impossible as it mimics regular behavior, requiring deep monitoring capabilities."]]></description>
<dc:subject>apis security challenges</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:6ef3b2d5479e/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:challenges"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://blogs.sap.com/2021/09/18/csrf-token-handling-in-sap-api-management/">
    <title>CSRF Token handling in SAP API Management | SAP Blogs</title>
    <dc:date>2021-09-30T05:28:30+00:00</dc:date>
    <link>https://blogs.sap.com/2021/09/18/csrf-token-handling-in-sap-api-management/</link>
    <dc:creator>earth2marsh</dc:creator><dc:subject>csrf apis policies security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:7a264d59c05e/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:csrf"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:policies"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/?s=09">
    <title>New password guidelines say everything we thought about passwords is wrong | VentureBeat</title>
    <dc:date>2021-05-28T15:07:39+00:00</dc:date>
    <link>https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/?s=09</link>
    <dc:creator>earth2marsh</dc:creator><dc:subject>security practices bestpractices passwords rotation expiry complexity</dc:subject>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:5492fc6e8a4e/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:practices"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:bestpractices"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:passwords"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:rotation"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:expiry"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:complexity"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://medium.com/@jryancanty/stop-downloading-google-cloud-service-account-keys-1811d44a97d9">
    <title>Stop Downloading Google Cloud Service Account Keys! | by Ryan Canty | Medium</title>
    <dc:date>2020-11-28T20:27:51+00:00</dc:date>
    <link>https://medium.com/@jryancanty/stop-downloading-google-cloud-service-account-keys-1811d44a97d9</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[TL;DR: Generating and distributing service account keys poses severe security risks to your organization. They are long-lived credentials that are not automatically rotated. These keys can be leaked accidentally or maliciously allowing attackers to gain access to your sensitive GCP resources. Additionally, when used actions cannot be attributable back to a human. You don’t actually have to download these long-lived keys. There’s a better way!]]></description>
<dc:subject>google security apis tokens authorization secrets bestpractices</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:bd41bac6c61e/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:google"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:tokens"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:authorization"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:secrets"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:bestpractices"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.oauth.com/oauth2-servers/pkce/authorization-request/">
    <title>Authorization Request - OAuth 2.0 Simplified</title>
    <dc:date>2020-08-21T00:37:09+00:00</dc:date>
    <link>https://www.oauth.com/oauth2-servers/pkce/authorization-request/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[Pronounced "pixie"]]></description>
<dc:subject>security apis oauth pkce</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:a8bee1ad2812/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:oauth"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:pkce"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps">
    <title>Why OAuth API Keys and Secrets Aren't Safe in Mobile Apps | Okta Developer</title>
    <dc:date>2020-08-21T00:36:02+00:00</dc:date>
    <link>https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["How to protect secrets in mobile apps
Hopefully you now have an understanding of why it’s not safe to ship API keys or other secrets in mobile apps. So what do you do instead?

OAuth solves this problem by not shipping any secrets in mobile apps, and instead involving the user in the process of getting an access token into the app. These access tokens are unique per user and every time they log in. The PKCE extension provides a solution for securely doing the OAuth flow on a mobile app even when there is no pre-provisioned secret.

If you need to access an API from a mobile app, hopefully it supports OAuth and PKCE! Thankfully most of the hard work of PKCE is handled by SDKs like AppAuth so you don’t have to write all that code yourself. If you’re working with an API like Okta, then Okta’s own SDKs do PKCE automatically so you don’t have to worry about it at all."]]></description>
<dc:subject>mobile secrets security apis oauth</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:37edd9b8ffb3/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:mobile"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:secrets"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:oauth"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.pingidentity.com/en/company/blog/posts/2020/graphql-access-control-part-1.html">
    <title>Access Control for GraphQL, Part 1</title>
    <dc:date>2020-04-09T16:18:07+00:00</dc:date>
    <link>https://www.pingidentity.com/en/company/blog/posts/2020/graphql-access-control-part-1.html</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>apis graphql security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:7ac703823516/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:graphql"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://blog.cloudflare.com/javascript-libraries-are-almost-never-updated/">
    <title>JavaScript Libraries Are Almost Never Updated Once Installed</title>
    <dc:date>2020-03-11T01:31:57+00:00</dc:date>
    <link>https://blog.cloudflare.com/javascript-libraries-are-almost-never-updated/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["One conclusion is whatever libraries you publish will exist on websites forever. The underlying web platform consequently must support aged conventions indefinitely if it is to continue supporting the full breadth of the web."]]></description>
<dc:subject>javascript security cloudflare updates development</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:943dfe2028cb/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:javascript"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:cloudflare"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:updates"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:development"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://twittercommunity.com/t/changes-to-access-token-and-secret-management/130851">
    <title>Changes to access token and secret management - Announcements - Twitter Developers</title>
    <dc:date>2020-01-24T17:47:51+00:00</dc:date>
    <link>https://twittercommunity.com/t/changes-to-access-token-and-secret-management/130851</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["Over the coming months, we will be making changes to the way that Access Tokens and Access Token Secrets are presented and managed within the applications Dashboard on developer.twitter.com 199

As a reminder - when you create (register) an app on developer.twitter.com 102, an individual and unique application identity is generated, represented by a private Consumer Key and Consumer Secret pair that is used as part of the OAuth flow.

It is also possible to generate an Access Token and Access Token Secret inside the Dashboard, which is associated with your app. These two additional private items are used to identify and authenticate your personal developer account to the application, without needing to go through the full Sign-in with Twitter flow. Remember that if you need to authenticate other users to your application, you will need to implement the Sign-in with Twitter process in order to receive Access Tokens and Access Token Secrets so that your application can act on behalf of those additional user accounts.

In order to make API integrations more secure, we will no longer show the Access Token and Access Token Secret on the Dashboard beyond the first time that these values are generated, effective January 21, 2020."]]></description>
<dc:subject>twitter apis secrets keys change security communication example reference</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:6bc7fe50309b/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:twitter"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:secrets"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:keys"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:change"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:communication"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:example"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:reference"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://medium.com/@__xuorig__/why-we-dont-see-many-public-graphql-apis-ad972bcb201e">
    <title>Why We Don’t See Many Public GraphQL APIs - Marc-André Giroux - Medium</title>
    <dc:date>2019-10-22T00:10:10+00:00</dc:date>
    <link>https://medium.com/@__xuorig__/why-we-dont-see-many-public-graphql-apis-ad972bcb201e</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["There are things that are a bit harder in terms of securing your API.
A GraphQL rate limiter needs to understand the content of requests a lot more compared to a typical HTTP API, this usually leads to a complexity or time based approach to rate limits.
Authorization in GraphQL is not really harder to implement than in another API. However it can be hard to make sure there are no loop holes at runtime, for example, accessing a type through a field you did not think of."]]></description>
<dc:subject>asc2019 graphql security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:e89cf484380c/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:asc2019"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:graphql"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://paulstamatiou.com/getting-started-with-security-keys/">
    <title>Getting started with security keys — PaulStamatiou.com</title>
    <dc:date>2019-10-22T00:03:04+00:00</dc:date>
    <link>https://paulstamatiou.com/getting-started-with-security-keys/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>2fa bestpractices howto security keys</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:93329ee707fa/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:2fa"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:bestpractices"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:howto"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:keys"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://textslashplain.com/2019/09/30/same-site-cookies-by-default/">
    <title>Same-Site Cookies By Default | text/plain</title>
    <dc:date>2019-10-02T00:07:19+00:00</dc:date>
    <link>https://textslashplain.com/2019/09/30/same-site-cookies-by-default/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>cookies security web privacy</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:750afba08e8f/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:cookies"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:web"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.npr.org/2015/03/02/390245038/ben-franklins-famous-liberty-safety-quote-lost-its-context-in-21st-century">
    <title>Ben Franklin's Famous 'Liberty, Safety' Quote Lost Its Context In 21st Century : NPR</title>
    <dc:date>2019-06-11T16:42:28+00:00</dc:date>
    <link>https://www.npr.org/2015/03/02/390245038/ben-franklins-famous-liberty-safety-quote-lost-its-context-in-21st-century</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["WITTES: He was writing about a tax dispute between the Pennsylvania General Assembly and the family of the Penns, the proprietary family of the Pennsylvania colony who ruled it from afar. And the legislature was trying to tax the Penn family lands to pay for frontier defense during the French and Indian War. And the Penn family kept instructing the governor to veto. Franklin felt that this was a great affront to the ability of the legislature to govern. And so he actually meant purchase a little temporary safety very literally. The Penn family was trying to give a lump sum of money in exchange for the General Assembly's acknowledging that it did not have the authority to tax it.

SIEGEL: So far from being a pro-privacy quotation, if anything, it's a pro-taxation and pro-defense spending quotation.

WITTES: It is a quotation that defends the authority of a legislature to govern in the interests of collective security. It means, in context, not quite the opposite of what it's almost always quoted as saying but much closer to the opposite than to the thing that people think it means."]]></description>
<dc:subject>quotes context history liberty security ben_franklin taxation</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:36e1f956e401/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:quotes"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:context"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:history"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:liberty"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:ben_franklin"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:taxation"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://developers.google.com/web/updates/2019/02/trusted-types">
    <title>Trusted Types help prevent Cross-Site Scripting  |  Web  |  Google Developers</title>
    <dc:date>2019-03-05T17:26:46+00:00</dc:date>
    <link>https://developers.google.com/web/updates/2019/02/trusted-types</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["We've created a new experimental API that aims to prevent DOM-Based Cross Site Scripting in modern web applications."]]></description>
<dc:subject>browser security javascript xss apis google</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:110ae9c4707c/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:browser"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:javascript"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:xss"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:google"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://neilmadden.blog/2019/01/16/can-you-ever-safely-include-credentials-in-a-url/">
    <title>Can you ever (safely) include credentials in a URL? – Intelligent Security</title>
    <dc:date>2019-03-05T17:13:15+00:00</dc:date>
    <link>https://neilmadden.blog/2019/01/16/can-you-ever-safely-include-credentials-in-a-url/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["It was soon realised that using a URL like http://www.google.com:search@example.com was a really easy way to create convincing-looking phishing links.
If the target of the URL is a login endpoint, then the attacker can attempt to get you to click on the link to perform a Login CSRF attack. In this case the honest user ends up with a session cookie for an account under the control of the attacker.
For all these reasons, this specific form of URL was deprecated back in 2005, and now support within browsers is patchy: Safari for instance will just silently ignore any username:password component when following such a link. Other browsers will tolerate them in some cases, but this varies considerably by browser and often by version to version. Some versions of Chrome refuse to follow such links and instead display a large red phishing warning page."]]></description>
<dc:subject>security apis resources urls deprecation patterns</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:5e99f0a51fe0/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:resources"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:urls"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:deprecation"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:patterns"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://speakerdeck.com/aaronpk/oauth-when-things-go-wrong">
    <title>OAuth: When Things Go Wrong - Speaker Deck</title>
    <dc:date>2019-03-01T18:59:00+00:00</dc:date>
    <link>https://speakerdeck.com/aaronpk/oauth-when-things-go-wrong</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[nice overview]]></description>
<dc:subject>oauth security presentation okta apis</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:da3b384db0b8/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:oauth"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:presentation"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:okta"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864">
    <title>When To Use Which (OAuth2) Grants and (OIDC) Flows – Robert Broeckelmann – Medium</title>
    <dc:date>2019-02-19T18:29:47+00:00</dc:date>
    <link>https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["The OAuth2 family of specs define several extension grants (that we explore here) that we will explore when to use in a future post.

We explored relatively generic use cases in my earlier blog posts; it may have left you wondering when each of these mechanisms should be used. When I was first exposed to these concepts several years ago, I struggled with that as well.

So, in this blog post, we are going to explore exactly when each of these should be used — including some instances of where these could be used, but maybe cause more problems then they solve. I covered some of this information in my earlier posts, but that wasn’t the primary focus and the discussion is incomplete.

Another note, worth mentioning, before diving into the details is that most Identity Providers (OAuth2 Authorization Servers and OIDC OpenID Providers) now offer libraries and SDKs that allow this functionality to be used without being aware of all the low-level details. Regardless of whether such a library is available for your IdP, the supported features of your IdP will dictate more than anything else what OAuth2 and OIDC features are used — choose wisely with an understanding of your expected use cases.

"]]></description>
<dc:subject>authentication authorization oauth security oidc saml2 saml</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:7b4965db792d/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:authentication"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:authorization"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:oauth"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:oidc"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:saml2"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:saml"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://apisecurity.io/">
    <title>API Security news, community, tools, standards, newsletter</title>
    <dc:date>2019-02-12T17:24:21+00:00</dc:date>
    <link>https://apisecurity.io/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["APISecurity.io is a community website for all things related to API security. Our daily news and weekly newsletter cover the latest breaches, vulnerabilities, standards, best practices, regulations, and technology.

"]]></description>
<dc:subject>security apis openapi</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:aea1e8311581/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:openapi"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://securitycheckli.st/">
    <title>Security Checklist</title>
    <dc:date>2019-02-02T15:57:46+00:00</dc:date>
    <link>https://securitycheckli.st/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[decent checklist]]></description>
<dc:subject>checklist internet security privacy</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:26083d2131f4/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:checklist"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:internet"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://developer.okta.com/blog/2019/01/23/nobody-cares-about-oauth-or-openid-connect">
    <title>Nobody Cares About OAuth or OpenID Connect | Okta Developer</title>
    <dc:date>2019-01-26T18:20:09+00:00</dc:date>
    <link>https://developer.okta.com/blog/2019/01/23/nobody-cares-about-oauth-or-openid-connect</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>authentication oauth openid security okta</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:8ecfa4c5b33e/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:authentication"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:oauth"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:openid"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:okta"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.okta.com/blog/2019/01/an-insiders-take-on-api-strategy/">
    <title>An Insider’s Take on API Strategy | Okta</title>
    <dc:date>2019-01-14T21:52:10+00:00</dc:date>
    <link>https://www.okta.com/blog/2019/01/an-insiders-take-on-api-strategy/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["First, the good news:

98% of respondents said they had an API strategy in place
95% are planning to invest in APIs in the near future
28% said their strategies were already “successfully planned and implemented”
An additional 44% said their strategies were “likely to succeed”
But there’s some bad news too:

Only 36% said Security teams perform audits of their APIs
Only 4% said Product Managers approve the launching of their APIs
Only 8% of respondents said Engineering, IT, Security, and Product Management were all involved in API security
"]]></description>
<dc:subject>survey apis security okta</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:52073f650313/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:survey"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:okta"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses">
    <title>javascript - Why does Google prepend while(1); to their JSON responses? - Stack Overflow</title>
    <dc:date>2018-11-13T23:32:59+00:00</dc:date>
    <link>https://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["Why does Google prepend while(1); to their (private) JSON responses?

For example, here's a response while turning a calendar on and off in Google Calendar:

while(1);[['u',[['smsSentFlag','false'],['hideInvitations','false'],
  ['remindOnRespondedEventsOnly','true'],
  ['hideInvitations_remindOnRespondedEventsOnly','false_true'],
  ['Calendar ID stripped for privacy','false'],['smsVerifiedFlag','true']]]]
I would assume this is to prevent people from doing an eval() on it, but all you'd really have to do is replace the while and then you'd be set. I would assume the eval prevention is to make sure people write safe JSON parsing code.

I've seen this used in a couple of other places, too, but a lot more so with Google (Mail, Calendar, Contacts, etc.) Strangely enough, Google Docs starts with &&&START&&& instead, and Google Contacts seems to start with while(1); &&&START&&&."]]></description>
<dc:subject>javascript json security apis</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:4f9329ab8eba/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:javascript"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:json"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://dev.to/antogarand/why-facebooks-api-starts-with-a-for-loop-1eob">
    <title>Why Facebook's api starts with a for loop - DEV Community 👩‍💻👨‍💻</title>
    <dc:date>2018-11-13T23:32:14+00:00</dc:date>
    <link>https://dev.to/antogarand/why-facebooks-api-starts-with-a-for-loop-1eob</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["If you ever inspected your requests to big company's API's in the browser, you might have noticed some weird javascript before the JSON itself:

Facebook 

Gmail 

Why would they waste few bytes to invalidate this JSON?

To protect your data
Without those important bytes, it could be possible for any website to access this data.

This vulnerability is called JSON hijacking, and allows websites to extract the JSON data from those API's."]]></description>
<dc:subject>json javascript security webdev vulnerability apis facebook</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:4d4a6cdcde2e/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:json"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:javascript"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:webdev"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:vulnerability"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:facebook"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.troyhunt.com/heres-why-your-static-website-needs-https/">
    <title>Troy Hunt: Here's Why Your Static Website Needs HTTPS</title>
    <dc:date>2018-08-14T16:21:01+00:00</dc:date>
    <link>https://www.troyhunt.com/heres-why-your-static-website-needs-https/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[Via Matt R.]]></description>
<dc:subject>security https spoofing static sites</dc:subject>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:1a3423c4a057/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:https"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:spoofing"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:static"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:sites"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.troyhunt.com/pwned-passwords-in-practice-real-world-examples-of-blocking-the-worst-passwords/">
    <title>Troy Hunt: Pwned Passwords in Practice: Real World Examples of Blocking the Worst Passwords</title>
    <dc:date>2018-05-31T15:26:27+00:00</dc:date>
    <link>https://www.troyhunt.com/pwned-passwords-in-practice-real-world-examples-of-blocking-the-worst-passwords/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>passwords security caching apis</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:2d53b4e152cd/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:passwords"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:caching"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.okta.com/security-blog/2018/05/security-and-the-api-journey/">
    <title>Security and the API Journey | Okta</title>
    <dc:date>2018-05-29T19:50:39+00:00</dc:date>
    <link>https://www.okta.com/security-blog/2018/05/security-and-the-api-journey/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["The dirty secret is that our security requirements never changed.

When we built our API, we believed it would be used as we planned by the people we chose for the use cases we identified.

In reality, the interfaces we design will have strengths and weaknesses we can’t predict. Some of those weaknesses will become vulnerabilities while others cause performance issues. The worst will do both. And unfortunately, the wider our API is used and the more use cases it addresses, the more likely malicious users will discover and exploit those problems."]]></description>
<dc:subject>apis design security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:1312787f0a5a/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:design"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://medium.com/message/everything-is-broken-81e5f33a24e1">
    <title>Everything Is Broken – The Message – Medium</title>
    <dc:date>2018-05-09T20:32:26+00:00</dc:date>
    <link>https://medium.com/message/everything-is-broken-81e5f33a24e1</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>internet privacy security software</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:ddfea8896626/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:internet"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:privacy"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:software"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://nordicapis.com/high-grade-api-security-for-banks/">
    <title>High-Grade API Security For Banks | Nordic APIs |</title>
    <dc:date>2018-02-27T17:25:33+00:00</dc:date>
    <link>https://nordicapis.com/high-grade-api-security-for-banks/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>banks oauth security financial apis design</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:5e29b42a006d/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:banks"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:oauth"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:financial"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:design"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://github.com/pinterest/snappass">
    <title>pinterest/snappass: It's like SnapChat... for passwords.</title>
    <dc:date>2018-01-17T18:27:22+00:00</dc:date>
    <link>https://github.com/pinterest/snappass</link>
    <dc:creator>earth2marsh</dc:creator><dc:subject>passwords opensource security</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:3fcf5f7af5f7/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:passwords"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:opensource"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://support.google.com/chrome/answer/165139#passphrase">
    <title>Get your bookmarks, passwords &amp; more on all your devices - Computer - Google Chrome Help</title>
    <dc:date>2017-12-19T06:31:12+00:00</dc:date>
    <link>https://support.google.com/chrome/answer/165139#passphrase</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[With a passphrase, you can use Google's cloud to store and sync your Chrome data without letting Google read it.

Passphrases are optional. Your synced data is always protected by encryption when it's in transit.]]></description>
<dc:subject>security google chrome android passwords passphrase</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:ef10178c5ab9/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:google"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:chrome"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:android"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:passwords"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:passphrase"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.csoonline.com/article/3239303/access-control/redefining-perimeter-network-security-the-future-is-a-hybrid.html">
    <title>Redefining perimeter network security: The future is a hybrid | CSO Online</title>
    <dc:date>2017-12-04T18:26:42+00:00</dc:date>
    <link>https://www.csoonline.com/article/3239303/access-control/redefining-perimeter-network-security-the-future-is-a-hybrid.html</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA["As information pushes further into the cloud, the role of perimeter security is changing. It will become part of a multifaceted solution for network security."
via Keith Casey]]></description>
<dc:subject>apis security enterprise trends</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:24dd0a3557a9/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:enterprise"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:trends"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c">
    <title>How I hacked hundreds of companies through their helpdesk</title>
    <dc:date>2017-10-30T21:40:54+00:00</dc:date>
    <link>https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[clever hack using noreply ]]></description>
<dc:subject>email hacking security noreply antipatterns</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:f25464df2b31/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:email"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:hacking"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:noreply"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:antipatterns"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.linksys.com/us/support-article?articleNum=246427#Krack">
    <title>Linksys Official Support - Linksys Security Advisories | Linksys Site USA</title>
    <dc:date>2017-10-23T21:44:59+00:00</dc:date>
    <link>https://www.linksys.com/us/support-article?articleNum=246427#Krack</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>security belkin wemo wifi</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:b7fd3590006c/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:belkin"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:wemo"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:wifi"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/">
    <title>Static WebPage - ASUS Product Security Advisory</title>
    <dc:date>2017-10-23T21:42:33+00:00</dc:date>
    <link>https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>asus security wifi</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:7af77fd00c43/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:asus"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:wifi"/>
</rdf:Bag></taxo:topics>
</item>
<item rdf:about="http://morfina.io/">
    <title>Morfina - Keep your APIs safe</title>
    <dc:date>2017-10-03T16:46:26+00:00</dc:date>
    <link>http://morfina.io/</link>
    <dc:creator>earth2marsh</dc:creator><description><![CDATA[""]]></description>
<dc:subject>apis encryption security startup gateway</dc:subject>
<dc:source>https://pinboard.in/</dc:source>
<dc:identifier>https://pinboard.in/u:earth2marsh/b:cd648fa60153/</dc:identifier>
<taxo:topics><rdf:Bag>	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:apis"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:encryption"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:security"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:startup"/>
	<rdf:li rdf:resource="https://pinboard.in/u:earth2marsh/t:gateway"/>
</rdf:Bag></taxo:topics>
</item>
</rdf:RDF>