Raleigh, North Carolina, United States
21K followers
500+ connections
Courses by James
-
Application Security Posture Management: Security from the Supply Chain to Cloud Runtime (1h 56m)
By: James Berthoty
-
Microservices Security Workshop: From Build to Production (2h 21m)
By: James Berthoty
1,626 viewers
Activity
-
James Berthoty shared this: We didn't plan this with the Axios attack, but we just published a complete guide to preventing open source malware. It covers third party packages, containers, Github actions, AI models, IaC modules, and IDE extensions. We also open sourced a Claude Code Plugin to fix it all for you. There are a lot of types of malware out there, and unfortunately preventing them creates maintenance headaches. In this guide, we wanted to give short term and long term guidance to teams on how they can prevent being victims of the next exploit. We also included attack examples, a maturity matrix, and tool suggestions. I tested the Claude plugin in some of my own repos, and locked them down in minutes. Let us know what you think! The full guide that includes a link to the plugin is available here: https://lnkd.in/gs8CkarV
-
James Berthoty shared this: This year's RSA was full of genuinely memorable moments with all of Latio's partners. Thanks to everyone who said hi, and it was great to catch up in person. We're more convinced than ever about the category vision we're launching next week. We'll see you next at Black Hat!
-
James Berthoty shared this: This Trivy and Aqua breach will be the wakeup call for open source malware the industry has needed for a long time. Your CI/CD systems are some of the most highly privileged assets in your environment, and the technical complexity of attacking them has become much more achievable. Your organization absolutely needs to have a plan for end to end prevention and detection - delay your open source package updates, pin your actions, disable pre and post install scripts, monitor your GitHub access tokens, and collect the telemetry of your build pipelines. Dan Lorenc has a great post on what GitHub can do to make this stuff better that I agree with wholeheartedly, but these changes will not happen as fast as these issues will be exploited. Every credential popped during these attack waves increases the attack surface for the next one. Wiz blog for up to date info: https://lnkd.in/eEXd9G8H Latio blog on the detection engineering challenge with these attacks, and links to the several other great vendor blogs from the emerging open source incident response crew: https://lnkd.in/eX7rxUUH
-
James Berthoty shared this: Mark is putting out some great technical content, highly recommended!
James Berthoty shared this: Hacked by TeamPCP: Supply chain attack via lobster-based worm. Video overview of the entire chain of compromises that led to the Trivy incident, and subsequent NPM package worm. Funniest campaign I've seen in a long time, and a LOT to learn from TeamPCP! - Targets Trivy and NPM - Kubernetes and Iran - Expert Github Actions insight - Prompt injection attempts - Insane trolling - BUMPING great tunes - Best hacker campaign in a long time **You're safe now, king 👑.** 🛡️🦞 https://lnkd.in/e5YgrP-W (Hacked by TeamPCP: Supply chain attack via lobster-based worm targets security tool and NPM)
-
James Berthoty shared this: How can teams know if they were impacted by the latest Trivy malware? There are already a lot of great technical resources breaking down the latest attack on the Trivy repository, the TL;DR of which is compromised Github actions and a latest version before they were taken down. I wanted to put together a post dissecting what it takes to actually figure out if you were impacted or not, as many teams underestimate the blast radius of open source malware. Additionally, while we cover all of the preemptive steps we can take to make malware less likely, there are some key log sources that teams need to have in order to complete investigations when the investigation gets real. Here's the full post: https://lnkd.in/eX7rxUUH
-
James Berthoty posted this: Today two companies announce funding that point to the future directions of AppSec: Raven.io (20M Seed) and Corridor (25M Series A). Raven is taking a preventative approach to ADR, which is growing in importance due to AI vulnerability discovery and exploitability. Patching CVEs won't be enough for application protection in an age when attackers can scan for new exploits as fast as they used to look for historical ones. Corridor is securing AI code generation by learning an organization's environment before generating and enforcing secure coding guardrails - making "secure by default" more the reality that we wanted it to be. I'm excited for two companies to enter these emerging markets, if you're interested to understand more about these categories, check out the appsec report: https://lnkd.in/eS7b2R9G
-
James Berthoty posted this: 5 things I’m expecting and excited to see at BSides and RSA this year: 1. The evolution of application security companies tackling AI code generation workflows. Companies are racing to rebuild their platforms to support AI use cases, and it’s a genuinely exciting time to be in application security as everyone makes big bets on future architectures. 2. How AI SOC has expanded their use cases and capabilities to tackle broader use cases than SOAR. Many companies are going the MDR direction, while other platforms are becoming more agentic assistants - these tools continue to improve at delivering automation. 3. AI SAST taking the main stage at innovation sandbox. I’ve been a long time believer in AI Native SAST capabilities, and it’s great to see the next generation of code security scanners get proper recognition. 4. How cloud security companies are broadening their offerings to include stronger runtime protection, alongside more third party vulnerability ingestion for better prioritization. Cloud Security is finally evolving beyond CNAPP! 5. The marketing campaign that gets us all talking about it this year 🐶 🛋️ 🐐 Can’t wait to see everyone there!
-
James Berthoty shared this: Today Zach Rice, the original creator of the popular open source secrets scanner gitleaks, spun up betterleaks with the aim of being the best open source secrets scanner available. Gitleaks was always my go-to open source secrets scanner, and it's great to see its creator back at building an amazing community tool - simple, quick and effective, just like its predecessor! Amazing open source tools are the backbone of application security, and it's always great to see meaningful investment in the core scanners that are out there. Here's the repo - https://lnkd.in/e_GeB-pF
-
James Berthoty shared this: In our Application Security report, we covered how the market is at a transitional moment. We argued that by combining SCA, Container, IaC, and SAST, Snyk became the earliest platform to give a clear vision of what a consolidated application security platform could look like going into 2020. Then came the investment of Snyk Cloud, which rolled into IaC, showing an understanding of the importance of code-to-cloud capabilities for practitioners. Giving emerging platforms a starting point to reference. Today, this entire model is once again changing. Companies are focusing more on how to govern their AI coding agents, and less on specific scanning capabilities. This time however, I'd argue almost every company is aware of the paradigm shift that's occurring, and are racing towards it. Even companies like Snyk who invented the modern paradigm are moving quickly to deploy AI governance solutions. This shift is forcing a focus on AI code governance - security, quality, and secrets - rather than traditional scanning. This is also why the tension exists in the market between security vendors and AI tool providers because everyone is building as they go with no clear reference point. Just as there was a transition from waterfall to agile, which introduced new risks, opportunities, and scanning paradigms, there’s a current transition from agile to AI code generation, which introduces a new paradigm for the AppSec market. There's a new "shift-left" happening and we're working at Latio to define it
-
James Berthoty liked this: We cannot share all the details yet, but it has been a lot of sleepless nights after claude code leak Anthropic just leaked Claude Code’s entire source code - > FALSE But Claude code 80% of the source code was leaked, enough to give our autonomous agent the ability to reconstruct the missing part, identify 100 hypotheses, validate 8 chain paths with potential exploit, and create 4 exploit validations now with the disclose program, all in less than a few hours for disclosure 59.8MB source map in npm, and 5K lines of code with 128K in total after rebuild. This was a massive, complex endeavor, all thanks to the new graph navigation, which gave us true, real positivity and a thorough, solid assessment of the beautiful security controls in the code. Claude code is a beautiful piece of software, and someone made a mistake with a release, because appsec is more than just code more to come... Gadi Evron, Omar Sáenz Herrera Anton Chuvakin Ashish Rajan 🤴🏾🧔🏾♂️ Anshuman Bhartiya Francois Raynaud Francis Gorman Francis Gorman Sergej Epp Neil Barlow Samuele Giampieri Sam Stepanyan Dinis Cruz Dustin Lehr check it out... #appsec #aspm #agentic #claudecode #leak
-
James Berthoty reacted on this: Excited to announce our newest product: Snake Oil™ Military-grade. Cloud-native. Purpose-Built. Critics are calling it “the next-gen scent of quarter.” I’m calling it “damn, my pants are still wet.” I won’t tell you what it costs, but I can tell you it will make you 86% more magnetic than benchmarks. Get yours today: https://lnkd.in/e5n5hcNT (Results may vary.) An Aikido Security x Snake Oil Essence Co. collab.
-
James Berthoty reacted on this: We spend billions securing assets. We have built almost nothing to secure people. I just got back from RSAC 2026, the world's largest cybersecurity conference. Thousands of booths. Brilliant people. Extraordinary technology. Not one of them was built for a young woman navigating a dangerous situation with a phone in her hand and nowhere to turn. I went to RSAC with a specific question: Is there a path between my background in critical infrastructure and national security, and what I actually care most about, which is the safety of young women? What I found surprised me. And confirmed everything I suspected. The gap is real. The need is urgent. I wrote about all of it, including something personal I haven't shared publicly before. Full piece in the comments. I'd love to know what you think.
-
James Berthoty reacted on this: After an incredible chapter, I’m officially wrapping up my time at Anvilogic today. It’s hard to put into words how much these last two years have meant to me. I got to work alongside some of the most thoughtful, sharp, and genuinely kind people I’ve ever met. So much of who I am professionally today exists because of this team. Thank you for shaping this journey with me. Truly. Karthik Kannan, Mackenzie Kyle, Ben Beebe, Chas Larios, Jeanette Stepanchuk, Desiree Bailey, MBA, Kevin Gonzalez, Michael Hart, Scott Rodgers, Michael Monte, Joe Trier I’m endlessly grateful to have learned alongside you all. And to this community more broadly....especially those I connected with at BSides...it really clicked for me how special this space is. The people, the energy, the willingness to build together… it’s unmatched. I’ll be launching something soon....that’s rooted in the same spirit of curiosity, community, and real conversations that all of you helped cultivate. Stay tuned 🎙️
-
James Berthoty reacted on this: The modern software supply chain is really damn complex. That's the primary thought I had when reading through this excellent "Complete Guide to Preventing Open Source Malware" from my friend James Berthoty. When Tony Turner and I wrote "Software Transparency" a few years ago for Wiley the ecosystem was already problematic, on the heels of events such as Log4j and Solarwinds. Now, we have a constant cadence of open source compromises and exploitation, coupled with a complete revolution going on with the introduction of AI-generated code, LLMs, agentic coding tools, and much more on top of the already porous attack surface. James looks to walk through all of it here, from GH Actions, IaC, IDE & Tools, Containers, Packages and everything in between. Just be prepared, as the list of "should" and "could" do best practices is long and growing more by the day as the space continues to grow in complexity, and attackers take more interest in it due to the expansive reach and high ROI of this attack vector. https://lnkd.in/ewAzhXhs
Experience & Education
-
Latio Tech
Projects
-
Cloud Security List
A quick and trustworthy resource for the top vendors across cloud security, product security, and devsecops domains.
-
Latio Tech
Cloud Security consulting built around trustworthy security reviews, architecture planning, and tool assessments/implementations
-
YouTube Content
All things cloud and product security!
Languages
-
French
Professional working proficiency
-
Greek, Ancient (to 1453)
Professional working proficiency
-
Hebrew
Limited working proficiency
Recommendations received
4 people have recommended James
Explore more posts
-
Alon Gal
Hudson Rock • 20K followers
New - Investigating Hy-Vee’s massive data breach, Hudson Rock identified critical employees infected by infostealers, compromising Atlassian (Confluence and Jira) credentials. This likely enabled this Stormous group 53GB data heist. (tl;dr below) New Blog (4 minutes read) - https://lnkd.in/dPZYU_-f TL;DR: On June 23, 2025, Stormous breached Hy-Vee’s Atlassian accounts, stealing 53GB of sensitive data, including infrastructure diagrams and operational details. Hudson Rock’s research uncovered an infostealer infections Hy-Vee employee devices, exposing credentials that likely granted attackers access, fueling one of 2025’s boldest retail breaches.
37
-
Andy Schneider
Palo Alto Networks • 13K followers
🦀 When Security Research Bots Go Rogue: The Trivy "OpenClaw" Incident Following the Moltbook chaos and the Stanford Artemis research I’ve been tracking, we just witnessed a new milestone in "agentic" security: 🚨 the breach of Trivy (and several other major projects) by the hackerbot-claw (OpenClaw) bot. The "Agent" Problem: What makes this fascinating (and terrifying) is that this wasn't necessarily a "hacker" in the traditional sense. It was an autonomous bot, likely designed for "security research", that got out of control (or was let loose). It scanned, verified, and executed at a speed no manual SOC could match. It identified a GitHub Actions vulnerability, exfiltrated secrets, and began automatically dismantling the repo. I want to give a shout-out to the team at Aqua Security / Trivy. As a former CISO, I’ve seen my fair share of incident responses, and their handling of this was top! Radical transparency is the only way to maintain trust in an era of automated attacks My Takeaway: We are officially in the era of Autonomous Supply Chain Exploitation. If you aren't auditing your GitHub Actions permissions (specifically pull_request_target triggers), you are leaving the door unlocked for the next "research bot" to walk in. What are you doing to monitor "agentic" activity in your CI/CD pipelines? Are we ready for bots that can exploit faster than we can patch? #CyberSecurity #CISO #Trivy #OpenClaw #AI #SupplyChainSecurity #PaloAltoNetworks #GitHubActions
58
6 Comments
-
Devon Ackerman
Devon Ackerman is a… • 7K followers
A new AboutDFIR.com security bulletin is live! California Finalizes Groundbreaking Regulations on AI, Risk Assessments, and Cybersecurity After much anticipation, the California Privacy Protection Agency has finalized the regulations on automated decisionmaking technologies (ADMT), risk assessments, and cybersecurity audits pursuant to the California Consumer Privacy Act (CCPA), with staggered compliance timelines for each set of requirements. Although the final regulations removed all references to the term “artificial intelligence,” the ADMT provisions remain a groundbreaking attempt to regulate AI technologies—particularly those used to evaluate, monitor, or make decisions about individuals. This is the first installment in a three-part series discussing the new requirements under the CCPA’s new regulations. […]
10
-
Rasa
24K followers
Your agent’s architecture is its attack surface. We partnered with Lakera, an independent AI security firm. The research, conducted independently by Lakera, tested two agents under the same conditions: 🔹 Same functionality 🔹 Different designs 🔹 Same attacks 1️⃣ What we learned: Most teams double down on prompts + guardrails. But it’s the architecture that decides what’s even possible to exploit. 2️⃣ In the prompt-driven agent, a fake “debug mode” injection tricked it into exposing its system prompt. 3️⃣ In the process-guided agent, the same attacks failed. Not because of clever prompt engineering, but because user input never routes directly to instruction interpretation. The tradeoff: → Prompt-driven = flexibility + wide attack surface → Process-guided = fewer paths + minimal exposure The report details real exploits and why some architectures pose risk while others contain it. If you’re building agents for production, check out this report to learn more. 👉 Full Lakera assessment: https://hubs.ly/Q03P9XKm0 🔧 Try Rasa: https://lnkd.in/dXFrPWH9
11
-
Tobias Heldt
4K followers
More alerts ≠ more security. Our GitHub client triaged 847 vulnerability alerts last week. XOR's reachability analysis? 12 were actually exploitable. We auto-patched those 10. Silenced the noise. Security isn't about catching everything. It's about patching what matters. Most tools optimize for coverage. We optimize for signal. #cybersecurity #AIagents #startuplife
9
-
PlainID
23K followers
Authorization has always been the hardest part of IAM, and the industry spent a long time treating it like a developer implementation detail. That approach breaks at scale. In the Identity at the Center® podcast, Gal Helemski said something we'll be repeating over and over again: authorization is a security decision. In practice, that means it cannot live as scattered, duplicated logic across every application and team. When every product builds its own rules, the organization loses visibility, consistency, and the ability to change policy safely. Traditional authorization tends to fail in two ways. It either becomes too simple to be safe, or too complex to maintain without fear. Neither option is acceptable when the “thing asking for access” might be a non-human identity running at machine speed. You can listen to the full conversation: https://hubs.ly/Q043ytVX0
20
-
Securin Inc.
45K followers
🚨 The NVD crisis is no longer just a backlog issue, it's a systemic wake-up call: 👉 Since February 2024, more than 18,000 CVEs have gone unanalyzed 👉 Over 72% of new vulnerabilities are missing key data 👉 Nearly half of all KEVs tracked by CISA lack classification – and these are the ones already being exploited The root cause: A centralized model that’s been stretched far beyond its limits, and exposed by funding uncertainties, single points of failure, and unrealistic processing expectations. What’s the answer? Decentralized, collaborative models are gaining traction, including the Global CVE Allocation System (#GCVE), which offers a federated, standards-based framework where multiple Global Numbering Authorities (#GNA) share the load. Securin is proud to be one of them. No gatekeepers. No single choke point. Curious to know how GCVE works, and how it’s helping with vulnerability disclosure transparency and accessibility worldwide? Securin’s Kiran Chinnagangannagari shares his insights on our latest blog post. Check it out, link in the comments 👇 #ProactiveSecurity #Vulnerabilities #CVE
21
1 Comment
-
Richard Staynings
Cylera • 26K followers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two critical security flaws impacting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. https://lnkd.in/gnKdrqPi
14
1 Comment
-
ORDR
13K followers
Security teams are buried in dashboards, queries, and manual triage. ORDR IQ changes that. Ask a question or give a prompt in plain language: "Which devices are affected by this CVE?" or "Generate zero-trust policies for these pumps," and get verified, actionable answers in seconds. Built on our Asset Intelligence Graph spanning 100M+ devices, ORDR IQ turns insight into execution with full governance and audit trails built in. 🔗 https://bit.ly/48aQROh
9
-
Kleiner Perkins
146K followers
Episode 4 of Builders is live. This time, Josh Coyne and Leigh Marie Braswell sit down with Travis Lanham (Founder and CTO) and Evan Pena (Founder and Chief Offensive Security Officer) of Armadin to discuss AI and offensive security. - Why human-led testing does not scale. - How AI agents can make vulnerability discovery faster and cheaper. - Why enterprise security teams should care. Full episode link below.
35
1 Comment