Security Boulevard

The Trivy Compromise: The Fallacy of Secrets Management and the Case for Workload Identity

The Trivy incident exposed a credential architecture failure, not just a supply chain one. Here’s the case for workload ...
Hackaday

Using Gmail With OAUTH2 In Linux And On An ESP8266

One of the tasks I dread is configuring a web server to send email correctly via Gmail. The simplest way of sending emails is SMTP, and there are a number of scripts out there that provide a simple ...
Security Boulevard

Is All OAuth The Same For MCP?

Is the "S" in MCP missing? Explore the current state of Model Context Protocol security, from stdio vs. HTTP transport risks ...
Ars Technica

OpenIDConnect/Oauth2 and multiple audiences

* or one access token with multiple audiences? The scenario I'm thinking of is when apis are developed in separate product organisations, all being registered in the same identity service, but with ...
Ars Technica

Compromising Twitter’s OAuth security system

Twitter officially disabled Basic authentication this week, the final step in the company’s transition to mandatory OAuth authentication. Sadly, Twitter’s extremely poor implementation of the OAuth ...