TrustInSoft’s Post

Patterns: The core technique was stolen OAuth/refresh tokens from the Salesloft Drift integration, which let attackers bypass MFA and directly query/export Salesforce objects (Accounts, Contacts, Cases, etc.). Google Cloud+2 KYND+2 The FBI flagged extortion attempts by “ShinyHunters” following some thefts, sometimes weeks/months after initial access. Cybersecurity Dive A raft of lawsuits (at least 14 by late September) names Salesforce, with plaintiffs including TransUnion, Allianz Life, Farmers, Workday, Pandora—though both Salesforce and Google maintain the platform itself wasn’t exploited; rather, compromised third-party tokens + social engineering were key. SFGATE

Most companies rely on SMS for two-factor authentication. But what happens when the “standard” solution isn’t the most secure — or sustainable? We recently made a big change: we replaced SMS authentication with email. The result? ⚙️ Fewer login issues ⚙️ Stronger security ⚙️ Lower costs It wasn’t a simple decision, but it’s one that’s made authentication simpler, faster, and safer for our global users. Watch Carlos Muñoz, one of our senior software engineers, break down why we made the switch — and read the full story on the Buffer Blog. Link in the comments 🔗

Another fact, If your password generation maxes out at 32 characters, you're building for the past. Our API enables generation up to 256 characters. Why? Because our target customers are the large organizations that can't afford to be cracked. We build the infrastructure for the highest possible entropy, even if their current system can only handle 64 chars. We don't build to current standards; we build to future-proof perfection. That's the SecurePassPro difference.

Software verification tests your recovery capability (before it’s too late) — by confirming your code, configurations, and environments actually work when systems fail. It’s how you find the gaps that would break your recovery plan: ⚠️ Build scripts that reference internal servers ⚠️ Missing dependencies ⚠️ Outdated configs ⚠️ Documentation that doesn’t match production Verification catches those before they catch you. Because real resilience isn’t what you say — it’s what you can show. ➡️ See how software verification transforms your recovery plan into certified resilience. #SoftwareVerification #SoftwareResilience #BusinessContinuity #CyberResilience #Codekeeper

Ever wondered how one can utilize bitwise operations to solve a problem? In my latest Lessons from Leetcode article, I break down the binary system-driven solution to the "Find the Difference" problem. Check out my article here: https://lnkd.in/eEvXeccV

Stop OS Command Injection — Don’t Let Unsafe Shell Calls Cost You the Server . OS Command Injection happens when apps build shell commands using untrusted input. The result? Attackers can run unintended commands on your servers — leading to data theft, persistence, and lateral movement. Fixes are practical: stop shelling out when possible, use safe process APIs (pass program + args), whitelist inputs, run services with least privilege, and sandbox any required execution. Add logging for process creation and alerts for unusual behavior. Small engineering changes here prevent catastrophic compromises. If your app still builds shell strings with user data — make that a sprint priority. Hashtags: #AppSec #DevSecOps #SecurityTesting #RCEPrevention #OWASP

This is a great podcast I came across again from David Crawford, CISSP, PMP, Chris Lavergne and Pete Tseronis from CGI about securing firmware. They really understand the nature of the problem and what is necessary to properly identify, mitigate and/or remediate the risks associated with firmware. What else comes through in this podcast is that many of the techniques required to gain visibility into firmware were for many years relegated to ONLY firmware. Unpacking binaries, identifying components, finding secrets, looking for configuration files you can take advantage of, etc. What has become obvious in recent years is that these same techniques can be and are being applied to all compiled code. There is an illusion that we have had all this visibility into the software that we procure, install and update; when in reality we as an industry basically have been blind to these issues since the first day someone put source code through a compiler. Ironically, firmware is not the final frontier of software assurance, it was the catalyst to expose the issues across the entire software supply chain. Stumbling along with surface level visibility used to be the only option, now it is a choice. https://lnkd.in/gafstAWq

Returning to a topic that isn’t discussed enough. Since October is Cybersecurity Awareness Month - might be time to consider the threats in your environments that aren’t all that obvious. Basic blocking and tackling and good system hygiene matters as much today as any other time. But you can’t fix, upgrade, remediate or mitigate risks and exposures you don’t know you have.

🚀 Day 2 of Socket Launch Week: Socket now brings all the core security checks together, static analysis, secrets detection, container scanning, and CVE vulnerability scanning into one simple platform. Modern software teams juggle separate tools for static analysis, secrets detection, container scanning, and dependency checks, each with its own setup, configs, and reports. That fragmentation creates noise, slows developers down, and blinds security teams to the bigger picture. Socket Basics unifies all of these in a single platform that provides a comprehensive view of your application’s risk without the tool fatigue. Stay tuned, more big updates are coming tomorrow. Read the blog in the comments below!

Timing issues in real-time systems don’t always leave a clear trail. A system can pass functional tests but fail in the field due to missed deadlines, interrupt conflicts, or priority inversions that don’t appear in logs. NightTrace makes those hidden behaviors visible. Its synchronized event timeline shows how applications, the OS, and hardware interrupts interact under actual runtime conditions. Developers can spot delays, trace blocked threads, and correlate events down to the microsecond, all with minimal system impact. For defense-grade, time-critical environments, that level of visibility is the difference between guessing and knowing. https://bit.ly/42qs3i4