Channel: Little Man In My Head

Don’t Underestimate Grep Based Code Scanning

Static analysis tools (SAST) are perhaps the most common tool for an AppSec team in the endless effort to move security to the left. They can be integrated into development pipelines in order to offer...




Thoughts on the Capital One Security Breach

Whenever one reads about a security breach like what happened to Capital One, security experts are eager to find out the anatomy of the attack.  Little by little, details have emerged.  Initially...


Some Useful AppSec Resources

While no doubt OWASP has earned the prestige of being the #1 AppSec resource, there are many other good information sources across the web that I have collected over the years that have been very...


Understanding Certificate Pinning

Certificate pinning (“cert pinning” for short) is a technique used for mobile applications to add an extra layer of protection to secure communications. Some people additionally use the technique to...


Fighting Bots with the Client-Puzzle Protocol

In 1999, Ari Juels and John Brainard came up with an elegant protection against denial of service attacks, known as the client-puzzle protocol. Their idea was patented (US patent 7197639), which might...
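The teaser only names the protocol, so here is a runnable sketch of the exchange it refers to. This is an added illustration, not code from the blog post, the paper or the patent: the server mints a challenge bound to the client, a timestamp and a difficulty with an HMAC (so it keeps no per-client state), the client must find a nonce whose SHA-256 hash with the challenge has a required number of leading zero bits, and the server verifies with one HMAC and one hash. The HMAC binding, the key names and the 60-second lifetime are my assumptions; the puzzle itself is a simplified partial-hash-inversion cousin of the Juels-Brainard construction, not their exact scheme.

```python
"""Hash-based client puzzle: cheap for the server to issue and verify, costly
for the client to solve. Constructed example; simplified relative to the
Juels-Brainard paper and not the blog post's own code."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Server-only key so the server can verify puzzles without storing them (assumed design).
SERVER_KEY = os.urandom(32)
PUZZLE_LIFETIME_S = 60  # assumed freshness window for an issued puzzle


def _challenge(client_id: str, issued_at: int, difficulty_bits: int) -> bytes:
    """Challenge bound to client, issue time and difficulty via HMAC, so a solution
    cannot be replayed under another identity or with a lowered difficulty."""
    msg = f"{client_id}|{issued_at}|{difficulty_bits}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    bits = len(digest) * 8
    value = int.from_bytes(digest, "big")
    return bits if value == 0 else bits - value.bit_length()


def issue_puzzle(client_id: str, difficulty_bits: int, now: Optional[int] = None) -> dict:
    """Server -> client: the puzzle message. No server-side state is kept."""
    issued_at = int(time.time()) if now is None else now
    return {
        "client_id": client_id,
        "issued_at": issued_at,
        "difficulty_bits": difficulty_bits,
        "challenge": _challenge(client_id, issued_at, difficulty_bits).hex(),
    }


def solve_puzzle(puzzle: dict, max_tries: int = 1 << 24) -> int:
    """Client: brute-force a nonce so SHA-256(challenge || nonce) starts with
    difficulty_bits zero bits. Expected cost is about 2**difficulty_bits hashes."""
    challenge = bytes.fromhex(puzzle["challenge"])
    k = puzzle["difficulty_bits"]
    for nonce in range(max_tries):
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= k:
            return nonce
    raise RuntimeError("no solution within max_tries")


def verify_solution(client_id: str, puzzle: dict, nonce: int, now: Optional[int] = None) -> bool:
    """Server: reject stale puzzles, recompute the challenge (one HMAC) and check the
    nonce (one hash). A wrong client_id or tampered difficulty changes the recomputed
    challenge, so the comparison fails before any hashing of the nonce."""
    now = int(time.time()) if now is None else now
    issued_at = puzzle["issued_at"]
    k = puzzle["difficulty_bits"]
    if not (0 <= now - issued_at <= PUZZLE_LIFETIME_S):
        return False
    expected = _challenge(client_id, issued_at, k)
    if not hmac.compare_digest(expected.hex(), puzzle["challenge"]):
        return False
    digest = hashlib.sha256(expected + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= k


if __name__ == "__main__":
    # Client and server sides of one exchange, with a constructed client id.
    puzzle = issue_puzzle("client-a", difficulty_bits=16)
    nonce = solve_puzzle(puzzle)
    print("nonce", nonce, "accepted:", verify_solution("client-a", puzzle, nonce))
```

The asymmetry is the point: raising difficulty_bits by one doubles the client's expected work while the server's verification cost stays at one HMAC and one SHA-256, which is why a server under load can raise the difficulty instead of dropping requests. Binding the timestamp into the challenge is what makes the stateless verifier safe against replay within the lifetime window only if the server also remembers recently accepted nonces, which this sketch omits.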


No, Java is not a Secure Programming Language

If you ask Google, you will be brought to a fantasy land of fairies, unicorns, and Java being the quintessential example of a secure programming language. Whoever is writing these web pages clearly...


Why We Shouldn’t Commit Secrets into Source Code Repositories

Committing secrets into source code repositories is one of the most frequent problems I see in application security code review, and has been so for at least 5 years. I’m speaking as one who has...


If you copied any of these popular StackOverflow encryption code snippets,...

Security code review is a task that I do on a daily basis, and have been doing for the last thirteen and a half years. In this time, I have reviewed several hundred code bases, and have come across...



How I Avoided Management for 25 Years

A recent post that showed up in reddit’s /r/programming, What Happens To Developers Who Never Go Into Management?, got my mind buzzing on all the ways I had to re-invent myself to avoid going into...


A Curious Connection Between Cubing and Cryptography

This blog connects two of my favourite pastimes. It shows that solving the world’s most popular puzzle, the Rubik’s cube, has a perhaps surprising relationship to the science of cracking secret codes,...
