Java auth vulnerability, SBOM debates, RSA OPSEC, DEF CON war stories
Quick recap. The meeting focused on discussing a critical Java authentication vulnerability and its implications for organizations. Participants shared their experiences with patching and vulnerability management, emphasizing the importance of thorough scanning and communication with vendors. The group also discussed Software Bill of Materials (SBOMs) and their role in improving security posture. Personal anecdotes were shared about attending industry conferences and navigating social situations in professional settings. The conversation touched on the challenges of identifying threat actors within open communities and the importance of maintaining operational security (OPSEC) at events like RSA.
JavaScript Library Authentication Vulnerability
The meeting began with casual conversation before transitioning to a discussion about a critical authentication bypass vulnerability in a widely used JavaScript library. Stryker and Neil explained the technical details and potential impacts, emphasizing the need for organizations to patch affected systems and conduct thorough vulnerability assessments. The group discussed strategies for addressing vulnerabilities in third-party software, including vendor communication, SLAs, and emergency mapping triages. The conversation ended with a reminder for attendees to check their systems and suppliers for the Java authentication issue.
SBOMs: Security and Transparency
The meeting focused on discussions about SBOMs (Software Bill of Materials) and their importance in software security. Stryker initiated the conversation, highlighting the need for accountability in tech stacks and the potential of SBOMs to serve as a forcing function for transparency. Jay and Neil provided insights into the challenges and misconceptions surrounding SBOMs, emphasizing their role in vendor vetting and risk management. The group also discussed the evolution of SBOM requirements following the SolarWinds compromise, noting the tension between regulatory demands and practical implementation. The conversation concluded with a reflection on the utility of SBOMs and the need for further clarity on their value and application.
SBOMs: Challenges and Best Practices
The group discussed the limitations and practicality of using Software Bill of Materials (SBOMs) in security practices. Umang expressed skepticism about the effectiveness of SBOMs and SCA tools, while Stryker emphasized the importance of actively monitoring libraries and using threat feeds. Pavel highlighted the need for per-release SBOMs and the importance of having a continuous posture. Jay and Shawn advised Dave on asking vendors for their software development and operational lifecycle (SDOL) documents, emphasizing the importance of due diligence when selecting SaaS providers. The conversation also touched on the challenges of securing critical systems and the potential for automated SBOM sourcing from vendors.
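The two SBOM discussions above stay at the level of policy (SBOMs as a forcing function for transparency, per-release SBOMs, continuous monitoring against threat feeds). As an added example, not material from the meeting or from any tool the participants named, the Python script below shows what consuming a per-release SBOM looks like in practice: it parses a CycloneDX-style SBOM into an inventory, matches components against an advisory list, and diffs two releases so library drift is visible between shipments. All SBOM contents, package coordinates and advisory identifiers are constructed placeholders, and the advisory matching uses explicit affected-version lists rather than the version ranges real feeds publish.

```python
"""
Consume per-release SBOMs: inventory components, match them against an
advisory feed, and diff two releases. All data below is constructed sample
data (placeholder packages and advisory IDs), not real SBOMs or advisories.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for release 1.4.0 of a fictional service.
SBOM_RELEASE_1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-service", "version": "1.4.0"}},
    "components": [
        {"type": "library", "name": "example-auth", "version": "2.3.1",
         "purl": "pkg:maven/com.example/example-auth@2.3.1?type=jar"},
        {"type": "library", "name": "example-json", "version": "1.0.9",
         "purl": "pkg:maven/com.example/example-json@1.0.9"},
    ],
})

# Constructed SBOM for release 1.5.0: auth library upgraded, a logger added.
SBOM_RELEASE_2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-service", "version": "1.5.0"}},
    "components": [
        {"type": "library", "name": "example-auth", "version": "2.4.0",
         "purl": "pkg:maven/com.example/example-auth@2.4.0?type=jar"},
        {"type": "library", "name": "example-json", "version": "1.0.9",
         "purl": "pkg:maven/com.example/example-json@1.0.9"},
        {"type": "library", "name": "example-log", "version": "0.8.0",
         "purl": "pkg:maven/com.example/example-log@0.8.0"},
    ],
})

# Constructed advisory feed: placeholder IDs, explicit affected versions.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001",
     "package": "pkg:maven/com.example/example-auth",
     "affected_versions": {"2.3.0", "2.3.1"},
     "summary": "authentication bypass (constructed entry)"},
    {"id": "ADV-EXAMPLE-0002",
     "package": "pkg:maven/com.example/unrelated-lib",
     "affected_versions": {"5.0.0"},
     "summary": "package not shipped in either release (constructed entry)"},
]


def parse_sbom(sbom_json: str) -> Dict[str, str]:
    """Return {package coordinate: version} from a CycloneDX JSON document.

    The coordinate is the purl with its version, qualifiers (?...) and
    subpath (#...) removed; components without a purl fall back to name.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inventory: Dict[str, str] = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl and "@" in purl:
            package, version = purl.rsplit("@", 1)
            version = version.split("?", 1)[0].split("#", 1)[0]
        else:
            package = f"name:{comp.get('name', '<unnamed>')}"
            version = comp.get("version", "")
        inventory[package] = version
    return inventory


def find_affected(inventory: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every inventory hit."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is not None and version in adv["affected_versions"]:
            hits.append((adv["package"], version, adv["id"]))
    return sorted(hits)


def diff_sboms(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, dict]:
    """Show what changed between two releases' inventories."""
    return {
        "added": {p: v for p, v in new.items() if p not in old},
        "removed": {p: v for p, v in old.items() if p not in new},
        "changed": {p: (old[p], new[p]) for p in old if p in new and old[p] != new[p]},
    }


if __name__ == "__main__":
    for label, sbom in (("1.4.0", SBOM_RELEASE_1), ("1.5.0", SBOM_RELEASE_2)):
        inv = parse_sbom(sbom)
        print(f"release {label}: {len(inv)} components, advisories hit:",
              find_affected(inv, ADVISORIES) or "none")
    print("drift 1.4.0 -> 1.5.0:",
          diff_sboms(parse_sbom(SBOM_RELEASE_1), parse_sbom(SBOM_RELEASE_2)))
```

Running it flags the auth library in release 1.4.0 and shows it cleared by the upgrade in 1.5.0, while the diff surfaces the newly added logger that a one-off SBOM review would never have seen; that per-release comparison is what turns an SBOM from a procurement document into a continuous control.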
Security Practices and Threats
The meeting covered several security-related topics, including supply chain security, code escrow practices, and Wikipedia's recent security incident. Stryker shared his experience verifying the security of his platform and the importance of double-checking suppliers. Dane discussed SBOM practices in the medical device industry and recommended adopting standard tools for generating and shipping security artifacts. Matt described Wikipedia's security breach caused by a malicious user script, which led to the platform going read-only. The group also discussed the challenges of identifying threat actors in open communities, with Neil emphasizing the value of openness and collaboration in security efforts.
Threat Actors and Community Safety
The group discussed the nature of threat actors and community safety, with Stryker sharing experiences from administering the Lonely Hackers Club on Telegram. They explored different types of threat actors, including accidental insiders, and emphasized the importance of community guidelines and moderation. Rev expressed concerns about presenting at conferences due to potential AI misuse of recordings, but the group generally dismissed these fears. The conversation concluded with Stryker sharing a humorous anecdote about his initial concerns at DEF CON, highlighting the often exaggerated fears of new cybersecurity professionals.
Public Speaking Security Best Practices
The group discussed security concerns around public speaking engagements and online presence. Stryker advised attendees to be cautious about sharing personal information at conferences, suggesting they could request not to be recorded and consider the potential risks versus benefits of speaking publicly. Jay shared his experience of receiving targeted phishing attempts as a public figure in security, while Neil highlighted how Microsoft employees overreacted to attending DEF CON. The discussion concluded with Matt reflecting on how security professionals used to openly share information on IRC, contrasting with current professional boundaries, and Neil sharing an opportunity to host a presentation on online harassment research at Cloud Security Office Hours.
Conference Preparation and Professional Conduct
The group discussed their plans for an upcoming conference, with Stryker expressing excitement about a presentation on March 20th and hoping it would be recorded. They also talked about strategies for handling social situations at conferences, including staying sober and dealing with pressure to drink. The conversation touched on personal experiences with drinking and how it can affect professional situations in the cybersecurity industry.
Social Engineering and Intuition
The team discussed social engineering and intuition, with Matt sharing his ability to quickly assess people's trustworthiness based on instinct. Neil advised being protective and watchful at social events, particularly with younger team members. Stryker offered to share social engineering resources with Matt, and they discussed the importance of gathering internal threat intelligence to stay informed about company changes. The conversation concluded with Matt mentioning his father's background in security and his own early exposure to surveillance and counter-surveillance techniques.