HeroDevs

Software Development

Sandy, Utah 6,157 followers

Secure Drop-In Replacements For Your Favorite Open Source Software | Security Patching • Compliance • Compatibility

About us

HeroDevs is the industry expert on “life after end-of-life” for open-source software. Our open-source packages and experts let you keep using your software safely and in compliance — allowing you to migrate if and when you’re ready. We let your developers focus on mission-critical work, while we keep your open-source stack running in the background.

Website
https://herodevs.com
Industry
Software Development
Company size
51-200 employees
Headquarters
Sandy, Utah
Type
Privately Held
Founded
2018
Specialties
Web, Web Development, Architecture, Open Source, End-of-Life, Angular, Vue, Nx, React, Cypress, and AngularJS

Updates

  • ReDoS attacks don’t rely on scale. They rely on behavior. A single regular expression can behave like a pinball stuck in a loop, backtracking endlessly when given the right input. The result isn’t a flood of traffic, but a quiet drain on CPU that slows or stalls an application entirely.

    These issues often live in plain sight:
    🕹️ Input validation
    🕹️ Search filters
    🕹️ Parsing logic
    🕹️ Regex patterns written once and rarely revisited

    Performance failures don’t always look like attacks. Sometimes they look like “normal” code doing too much work. Understanding how regex engines fail is part of building resilient systems.

    #ReDoS #OSSecurity #ApplicationSecurity #SoftwareSecurity #CyberSecurity

  • A low CVE count doesn’t mean low risk. 🔍 CVE-2026-22610 is a reminder that “quiet” frameworks aren’t inherently secure. This vulnerability lived deep inside Angular’s template compiler, untouched for years, not because it was safe, but because it wasn’t being closely examined. Security failures don’t always announce themselves. They accumulate in assumptions, legacy code, and places no one is actively scrutinizing. Silence isn’t safety. Continuous review is. #CyberSecurity #WebSecurity #OpenSourceSecurity #Angular #XSS #CVE #SoftwareSecurity

  • N is for Node.js. Because JavaScript refused to stay in the browser. Back in 2009, someone looked at JS and said, “What if this ran everything?”

    Suddenly:
    • One language on the front end
    • The same language on the back end
    • Servers built on event loops and vibes
    • npm connecting absolutely everything to everything else

    Node.js powers startups, enterprises, and at least three apps on your phone right now. But here’s the part people ignore: Running unsupported Node.js is like driving with the check engine light on and turning the radio up. It works. Until it really doesn’t. Security patches stop. Dependencies rot. Attackers notice. That’s why extended support exists — to keep critical Node.js apps secure after upstream moves on, without forcing rewrites on timelines set by fear.

    Video 🔗 https://lnkd.in/eNRfpQ9G

    #ABCsOfOSS #NodeJS #OpenSource #SoftwareEngineering

  • 🚨 Security Alert: CVE-2026-22610🚨 An XSS vulnerability has been disclosed in Angular’s Template Compiler due to incomplete sanitization of SVG <script> sources. Successful exploitation could allow arbitrary JavaScript execution in affected applications. The issue impacts multiple Angular versions and is resolved in patched releases. Coverage is already available in NES for Angular for teams running unsupported or legacy versions. #Angular #ApplicationSecurity #OpenSource

  • December didn’t wind down — it locked things in.

    🧨 Rust, Spring Boot, Django, and PHP hit end-of-life cutoffs.
    🧪 React and SSR vulnerabilities jumped from disclosure to exploitation.
    📉 Nissan, University of Phoenix, and public infrastructure felt breach fallout.
    🧭 Tooling pushed further into autonomy, context engineering, and self-driving systems.

    Full December breakdown below 👇

    #CyberSecurity #SoftwareEngineering #OpenSource #EndOfLife #CVE #SupplyChainSecurity

  • Java has long been seen as a safe, stable ecosystem. Log4Shell shattered that assumption. What it exposed wasn’t just a single vulnerability, but a deeper problem in how we treat software supply chains:

    → Blind trust in transitive dependencies
    → Aging libraries powering critical systems
    → The assumption that “someone else” is maintaining the risk

    Stability isn’t about how old a platform is. It’s about how actively it’s maintained, audited, and understood. If you build on Java, the post-Log4Shell world demands a different mindset. 🧠

    #Java #SoftwareSupplyChain #OpenSource

  • Security in the .NET ecosystem works best when it’s coordinated. HeroDevs has joined the .NET Security Group, collaborating with Microsoft, Red Hat, Canonical, and other industry leaders to strengthen how vulnerabilities are disclosed, patched, and communicated across the ecosystem. As part of this group, HeroDevs receives early access to vulnerability information and coordinated patch timelines. That means faster, more reliable security fixes for teams running .NET in production, including environments where upgrading immediately isn’t always possible. This isn’t about reacting to incidents after they happen. It’s about reducing exposure windows, improving transparency, and raising the baseline for .NET security as a whole. Proud to contribute alongside partners who take ecosystem security seriously and to continue helping organizations stay protected without forcing unplanned migrations. #cybersecurity #opensource #net

  • M is for Maintainers. The people quietly keeping your favorite open source projects from falling apart at 2 a.m. in GitHub issues. They review code. Squash bugs. Block attackers. Plan features. Answer the same question for the hundredth time. And most of them do it for free, after their actual day jobs.

    Remember Log4j? A vulnerability that shook the entire internet. That critical library was maintained by a handful of volunteers. Software used by millions. Maintained by people who couldn’t expense their coffee. Burnout isn’t hypothetical. It’s structural.

    Without maintainers:
    • Your dependencies decay
    • Security gaps go unpatched
    • “npm install” stops being boring, which is very bad

    Open source doesn’t run on goodwill alone. If you want to help:
    • Fund maintainers via GitHub Sponsors or Open Collective
    • File bug reports with real details
    • Submit pull requests with tests
    • Read the README before opening an issue

    This was M in the ABCs of OSS. Next up: N is for Node.js, because JavaScript needed to cause chaos outside the browser too. Go thank a maintainer.

    Video: https://lnkd.in/g8FFfxhn

    #abcsofoss #opensource #opensourcemaintainers #cybersecurity

  • We’re excited to share a major milestone for HeroDevs — we’ve officially joined the .NET Security Group alongside Microsoft, Red Hat, and Canonical. This collaboration strengthens the entire .NET ecosystem by enabling early access to CVE details and coordinated patch delivery, helping reduce the window of vulnerability for users everywhere.

    For organizations running end-of-life .NET versions, this means:
    • Faster, synchronized security updates
    • Stronger protection without rushed migrations
    • Continued compliance and reduced operational risk
    • Secure legacy support through NES for .NET

    We’re proud to contribute actively to the future of .NET security and help our customers keep critical systems secure on their own timelines.

    👉 Read more about what this means for the ecosystem and your apps: https://lnkd.in/gSfs5nHS

    #HeroDevs #DotNet #Cybersecurity #OpenSource #LegacySupport

    A stronger, more resilient .NET ecosystem depends on coordinated security stewardship, especially as organizations continue relying on legacy frameworks to run mission‑critical systems. This announcement marks an important shift: HeroDevs is now part of the .NET Security Group, joining Microsoft, Red Hat, and Canonical in a unified effort to deliver faster, synchronized security patches across all .NET distributions. Early CVE access and coordinated patching aren’t just operational advantages; they meaningfully reduce exposure for enterprises that cannot afford disruption. For teams running end‑of‑life .NET versions, this collaboration reinforces a simple truth: security and stability shouldn’t be reserved only for those on the latest LTS. HeroDevs’ Never‑Ending Support (NES) for .NET extends that protection, giving organizations the ability to stay secure, maintain compliance, and modernize on their own timeline. This milestone reflects a broader commitment to sustaining the open‑source infrastructure the world depends on. It’s a win for the .NET community, for enterprises navigating complex modernization paths, and for the future of secure, long‑term software stewardship. https://lnkd.in/enV_nKDQ #dotnet #MVPBuzz

  • HeroDevs reposted this

    I am so proud to announce that one of my best friends is the new CEO of HeroDevs. Starting January 1, 2026 Aaron Mitchell has taken the reins of the business, and I have stepped aside to take a few years of down time for personal health reasons. The decision to let someone else call the plays is not one I took or take lightly. From the very first day it bought the domain names and registered the EIN, until this day, the memories of the hard work are seared in my mind. Building a product that people want to buy is hard. Building a team that can deliver the product that people want to buy is hard. Selling and marketing the product that people want to buy is hard. Creating a business that supports many of the largest enterprises and governments in the world is hard. I am so incredibly proud of HeroDevs. From the people/team members who have built it, to the customers who depend on us, to the OSS community and others who believed in us enough to support us. HeroDevs is on a mission, and Mitchell is the right person to guide the business through these next years of growth and security. And while I will never be too far away, it is my honor to now play a supporting role in the next chapters of HeroDevs. Be on notice: you should expect great things from this team!

Funding

HeroDevs 2 total rounds

Last Round

Private equity

US$ 125.0M

Investors

PSG Equity