Few have witnessed engineers in their natural habitat. At Open Source Summit North America, engineers emerge from the terminal to engage in a rare ritual: networking. Some claim to be “invisible to the naked eye.” Others just say they’re on PTO (while still checking Slack). Host Wendy Hurst discovered a new form of communication among engineers — silent, efficient, and deeply caffeinated. ☕ Their survival depends on loud music, setting boundaries, and pretending every release was intentional. Watch Engineers in the Wild: Episode 3 ➡️ https://lnkd.in/eMA5z2jP #ossna #OpenSourceSummitNorthAmerica #TechEvents #engineers
HeroDevs
Software Development
Sandy, Utah 5,861 followers
Secure Drop-In Replacements For Your Favorite Open Source Software | Security Patching • Compliance • Compatibility
About us
HeroDevs is the industry expert on “life after end-of-life” for open-source software. Our open-source packages and experts let you keep using your software safely and in compliance — allowing you to migrate if and when you’re ready. We let your developers focus on mission-critical work, while we keep your open-source stack running in the background.
- Website: https://herodevs.com
- Industry: Software Development
- Company size: 51-200 employees
- Headquarters: Sandy, Utah
- Type: Privately Held
- Founded: 2018
- Specialties: Web, Web Development, Architecture, Open Source, End-of-Life, Angular, Vue, Nx, React, Cypress, and AngularJs
Locations
- Primary: 8850 S 700 East, 2437, Sandy, Utah 84070, US
Updates
-
📛 The worst CVE for the internet as a whole. 📛 That’s how this vulnerability is being described — and it’s not an exaggeration. Hayden Barnes joined The Modern .NET Show to break down CVE-2025-55315, why it earned a 9.9 severity rating, how it impacts nearly every .NET app in the wild, and what teams need to do right now to protect themselves. If you run anything on .NET Core 3.x–7, this episode is mandatory listening. 🎦 The episode: https://loom.ly/iHiPThI #CVE202555315 #dotnet #AppSec #CyberSecurity #InfoSec #SoftwareSecurity #DevSecOps #EngineeringLeadership #HeroDevs
-
🗣️ Be honest — is this you? You’ve probably heard the whispers: “We should upgrade… but we can’t touch that app. It just has to keep running.” And suddenly your most critical system is depending on abandoned open source and a hope. Hayden Barnes joined The Modern .NET Show to talk about why this happens, how .NET NES fills the gap, and why paying maintainers is the only sustainable path forward. 🗣️ Listen to the episode now: https://loom.ly/TYhBEnw #CVE202555315 #dotnet #AppSec #CyberSecurity #InfoSec #SoftwareSecurity #DevSecOps #EngineeringLeadership #HeroDevs
-
Migration season report: Some engineers have migrated. Some have plans to migrate. Some are still evaluating options. All have gone mysteriously silent. 🦥 Where do you go when you migrate? #TechHumor #EngineerMigration #OpenSource #TechConference
-
🦾 Which team are you on: “.NET moves too fast” or “our migration backlog is the real problem”?

Andrew Lock just made the point nobody in .NET wants to say out loud: The release cadence isn’t the issue. The cost of major-version upgrades is.

He breaks it down clearly:
• A new .NET version drops every November
• Only the latest patch of any major version is supported
• Once you hit EOL, you lose your safety net entirely
• Miss a monthly patch? You’re already unsupported

🎬 His real take: Teams don’t migrate because it’s fun — they migrate because they have no other way to stay secure.

But his bigger argument is the part that’s shaking people up: Other ecosystems solved this ages ago. They pay for post-EOL support. Java does it. Spring does it. Linux distros do it. Even Windows 10 does it.

So Andrew put that idea to the test with a real situation: CVE-2025-55315 — a 9.9 severity vuln that left .NET 6 exposed. He tested the official .NET 6 runtime → still vulnerable. Then swapped in HeroDevs NES for .NET 6 → vulnerability closed. No migration. No rewrite. No rebuild. Just a drop-in runtime replacement.

His conclusion is pretty simple: If major version upgrades are painful for your organization, don’t force them. Patch the version you’re already running.

Read his full blog here: https://loom.ly/ad6u-1g #microsoft #cve #cybersecurity #opensource
-
Engineers. They live among us. Quiet. Logical. Slightly caffeinated. 🔎 In the premiere of Engineers in the Wild, host Wendy Hurst ventures into the open plains of Open Source Summit North America to study the elusive engineer in their natural habitat — conference centers, terminal windows, and poorly ventilated stand-ups.

Through direct observation, we uncover:
→ The warning calls engineers make before disaster
→ How communication evolves under caffeine and chaos
→ And the ultimate truth: communication isn’t about clarity — it’s about plausible deniability and maybe a well-timed meme

Watch Engineers in the Wild: Episode 2 ➡️ https://lnkd.in/e2Mr4tXW #ossna #OpenSourceSummitNorthAmerica #TechEvents #engineers
-
A lot of .NET teams blame Microsoft for “moving too fast.” This post explains why that’s not really the problem. 👇 Andrew Lock breaks down how support windows work, why upgrades can be brutal for large orgs, and what actually happens when a 9.9 CVE hits an out-of-support runtime. If you own applications you can’t rewrite on a 2–3 year cadence, this is worth reading. Full article 👉 https://bit.ly/3LJGusd #microsoft #cybersecurity #CISO #devops #CVE
-
Your software supply chain has gotten more visible — but that’s not enough. Is the following the story at your company? You’ve got SBOMs for everything. Your SCA tools light up dashboards like a Christmas tree. You know every dependency, every CVE, every outdated package. But then you hit the wall: A critical component goes end-of-life. It’s flagged. It’s vulnerable. And there’s no patch upstream. You can’t upgrade without breaking things. You can’t leave it unpatched without breaking compliance. That’s the lifecycle gap. And it’s the blind spot in even the most mature security programs. HeroDevs’ Never-Ending Support closes that gap — delivering SLA-backed patches, compliance documentation, and drop-in updates for EOL frameworks like AngularJS, Node, Lodash, and Spring. Visibility is progress. Support is protection. Sustainability is the real finish line. #OpenSourceSecurity #SupplyChainSecurity #DevSecOps #SBOM #EOL #Compliance #HeroDevs #NeverEndingSupport
-
We came. We patched. We caused absolute chaos. ng-conf 2025 was one for the books — Patchmasters live, karaoke battles, and nonstop mayhem with the HeroDevs crew. Watch the recap → https://lnkd.in/gTU8xW9G #ngconf #Angular #WebDevelopment #Frontend #HeroDevs #NeverEndingSupport #Patchmasters #TechEvents
-
🚨 CVE-2025-55315: What Decision-Makers Need to Know

CVE-2025-55315 is one of those “parser-level bug becomes an application-level nightmare” moments. A 9.9-rated HTTP request smuggling + security feature bypass in ASP.NET Core that can turn into auth bypass, SSRF, and a full cascade of downstream impact.

Microsoft patched .NET 8, 9, and 10. They did not patch .NET 6. And yes—.NET 6 is vulnerable. Most scanners won’t flag it.

If you’re running .NET 6 in production, you’ve now got three choices:
1️⃣ Migrate to a supported, patched runtime
2️⃣ Apply temporary compensating controls
3️⃣ Get post-EOL security support so you’re not sitting exposed (like NES)

Migration is ideal—but not always realistic on tight timelines, complex stacks, or audit windows. For teams with external-facing or compliance-sensitive workloads, gap coverage matters.

A few high-impact steps while you triage:
• Validate vulnerability with the public repro tool
• Harden your ingress layer against malformed chunked requests
• Audit middleware where parsing quirks flip authN/authZ behavior
• Boost telemetry for smuggling indicators
• Lock down internal APIs to limit blast radius

The real guidance: patch supported runtimes first, prioritize exposed workloads, and don’t assume EOL = safe. For orgs that can’t migrate fast enough, post-EOL support closes the critical gap while your team moves at a sane, controlled pace.

If you need help determining whether to migrate or secure in place—we’ve been deep in this one. Happy to talk through it.

#CyberSecurity #DotNet #ASPNETCore #CVE202555315 #AppSec #InfoSec #DevSecOps #SecurityEngineering #SoftwareSecurity #CTO #CISO #EngineeringLeadership #CloudSecurity #EnterpriseSecurity #RiskManagement #ThreatDetection #SecureByDesign #Modernization #TechLeadership #HeroDevs