Confused about me or my site? Start Here!

Code Quality vs Code Security

Today, I was reviewing some source code for security weaknesses. I stumbled across code that made me chuckle. Something along these lines. public String XOR(String method, String input, String key) { if (method == "Encrypt") { return XOR_Encrypt(input, key); } else if (method == "Decrypt") { return XOR_Decrypt(input, key); } else { return input; } } As software engineers, we have all contributed in our own way to the legacy. [Read More]

SameSite Cookies! Coming to break your website Feb2020.

Hey friends! Today i wanted to talk about the SameSite cookie attribute, and how the browser flip from Off to On by default is well. .. kind of going to screw up the internet internet in Australia in Feb 2020. What is SameSite SameSite is a cookie security attribute that was introduced to address cross-site request forgery. A cookie is a piece of data sent from a website and stored in the web browser. [Read More]

Branding Matters

About 12 hours or so ago, Alastair Macgibbon (Australian Spook Directorate) and John Paitaridis (Optus) announced a new company. Twelve Australian Cybersecurity companies will be joined into one CoolFriends group. I think this news is fantastic. I have spoken to many of their employees at conferences in the past. They are talented, enthusiastic, and driven InfoSec professionals. Who knows, maybe some of the traditional industry players (Big4 Consultancies) might have some competition now. [Read More]

Reflecting on Facebook Interview

I’ve kind of dropped off the face of the internet for the last month or so. The reason is that I was preparing for an on-site interview with a big technology company in the USA. That company was Facebook. I was approached by a FB recruiter on LinkedIn and even though i felt that I had no chance with the company, I went ahead with the process anyway. See, I felt that I could make a big difference to billions of people worldwide by working there. [Read More]

Subresource Integrity - Gecko Deep Dive

Recently I’ve been doing code reviews of applications and have been recommending they take advantage of the security benefits that Subresource Integrity provides. This article will go into some detail about what it is and by analysing the Gecko source code some subtle nuances we can learn about it. What and why? I think an example would help illustrate the problem. When you navigate to a webpage, you initially perform a TCP Handshake on whichever Origin you attempt to navigate to. [Read More]

Easy as C S P!

One of my avid readers the other day sent me a screenshot of my website run through an automated tool. Well then, I suck and I guess I’ll have to close up my AppSec blog now! .. But really, I think it’s good to talk about what’s going on here. D Grade A cool dude by the name of Scott Helme released securityheaders.com which will submit a HTTP request to the domain you specified, receive a response, and then analyse the headers that were in the response. [Read More]

AppSec 101 - Where Do I Begin?

I thought I’d write a series of blog posts covering the core aspects of Application Security, and I’m not talking about vulnerabilities. I’m going to start with well.. the start! Setting the Stage Generally, when organisations are first starting to think about or begin to implement an AppSec strategy, the following scenario happens in one way or another. Mr CIO walks into work, sits down with his double shot espresso from his local barista and writes up the following email to the organisations CISO. [Read More]

curly wurly

If you’ve lived in Australia or Britain you’ve probably come across this beauty. Chewy, tasty, and featuring an awesome lattice shape it’s a pretty awesome chocolate bar friends! 3.5 stars. But this blog’s about AppSec not rating choccies so let’s get back on track. While chewing on one of these goodies I thought, hey, why not write about curl, a program that I’ve found absolutely essential for getting my automated DevSecOps pipelines up and running. [Read More]

Blogging Platform Choices

I was laying on my lounge for New Years Eve 2018 (boring i know hey?). It wasn’t that bad, I was watching my favourite MTG Streamer playing Sorin’s Vengeance + Twincast, a beautiful… if not infuriating combination of magic cards. I had realised I had gone through 2018 without terribly many technical achievements in work and life. Sure, I had learned a huge amount from my amazing colleagues. But it seemed like for that time period, I’d just gained an extra notch on my LinkedIn profile. [Read More]