Nearly a year ago, I wrote about an emerging trend I observed with some of the bounty researchers I was interacting with. This screed can be considered an extension of that article.
In a post from 2015,, I write about some of the “Security 101” issues I considered to be fundamental.
Since 2015, I’ve been exposed to several environments where I have seen the same basic security fails.
I’m so far behind the times, it’s sad. Burp Suite gained the ability to perform static analysis on JavaScript libraries back in 2014. Some sites and authors have already blogged about what their approach is for implementing this.
The Problem Secure file sharing using AWS S3:
I upload a file to an S3 bucket with restricted permissions The client downloads the file and processes it The client uploads the results to the S3 bucket I download the processed file and the transaction is complete I thought setting the permissions on the bucket would be enough.
I’m managing a bug bounty program that has shown tremendous benefit so far. Several findings have been extremely clever, and I’ve been fortunate enough to have good interactions with the vulnerability researchers.
iOS Secure Boot Chain Each step of the startup process contains components that are cryptographically signed by Apple to ensure integrity and that proceed only after verifying the chain of trust.
A developer at work asked a general question to the group: “I’m thinking about using either LastPass or 1Password, anything I should know?” As the team’s newest “Security Guy”, I answered with this brief response:
Since my last post, I’ve left my position with the consultancy. I’m now working for a medium-sized corporation in a senior application security role. One of my many tasks is to contribute to the development of an Application Security program.
This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path.