Two Hundred Fifty Users in Three Weeks

At three weeks, the ongoing experiment in writing a newsletter for junior devs and strategizing in the open is in full swing. Quick recap: three weeks ago a friend and I launched jobletter, a job newsletter targeted at early-career devs looking for quality listings and career information. Writing about this experience provides an opportunity to chronicle our efforts. If it grows, this will be a fun account of why; if not, then we learned a lot, and these posts will teach us more.
Read more

How We Reached a 67% Open Rate and a 26% CTR

Three weeks ago we launched jobletter. Since then, we’ve been promoting the site, collecting feedback from friends, and experimenting with a more open approach to writing about our process. All that culminated in us reaching a milestone this past Friday - our first email. Over the past week we’d worked with a freelancer to deliver an email template, as well as winnow down the jobs we’d been collecting. We wanted a good mix of industries, company sizes and technology stacks - emphasizing location-independent postings like businesses hiring in multiple locations, or startups open to hiring remote junior workers (harder to find, but they exist).
Read more

One Hundred Users in Two Weeks

Recently my business partner and I launched a new service, jobletter.io, with a simple premise: We deliver Junior Developer jobs to your inbox. Breaking into development to get those all-important first two years of production experience is long, exhausting work, filled with poring through a lot of “Software Developer - 5+ years req” posts and keyword salads where your prospective employer’s stack includes Every Goddamn Thing™. It makes the idea of a short list of quality, curated, 0-years-of-experience-and-up jobs, delivered to you, pretty appealing.
Read more

Jobletter - Junior Developer jobs in your inbox

A few days ago, David Broadlick and I launched Jobletter into beta, as a way for developers at the beginning of their careers to get a concentrated dose of high-quality jobs targeting their skillset and experience level. Right now we’re still building out some of our customization features: We’d like to add location and specific skill targeting, more customized sending schedules, and more content options, but we’re excited to start sharing a service very much born out of our own experiences.
Read more

Building a Python 3.6 Seed App with Docker, Tox, and Pylint

Seed apps are great. They can be the test-bed for new devops features, mini onboarding exercises, or just “batteries-included” starter kits for greenfield applications. Especially in the web application (and Python) world, almost everything comes with extra considerations - testing, linting, containerization - wouldn’t it be great if we could make a Python seed that came with all of that baked in? What a beautiful, productive world that would be (skip straight to the github repo to go there now).
Read more

Burp Extensions - Setting up XSS Validator

Hunting for XSS
XSS / Cross-site scripting (which is just another form of Code Injection) can be a severe vulnerability. It’s also very common. That potent combination - profitability and ubiquity - marks it as a worthy target for penetration testers interested in public bounties. But because of a high rate of false positives (and inevitably imperfect detection logic) the process of ferreting out XSS comes with a lot of noise. The XSS Validator from Nvisium is designed to solve this problem.
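Why reflection-based XSS detection is noisy, as an added example that is not code from the post or from the XSS Validator extension. The constructed responses below stand in for what a scanner gets back after sending a probe: one reflects the probe HTML-entity-encoded (harmless), one reflects it verbatim (exploitable), one doesn’t reflect it at all. A cheap check that only asks “did my marker string come back?” flags the encoded case too; a validator that asks “did the marker land where a browser would execute it?” does not. The function names and the `alert(1)` marker are this example’s own choices; a real validator drives a browser instead of parsing the DOM with `html.parser`.

```python
import html
from html.parser import HTMLParser

PAYLOAD = "<script>alert(1)</script>"
MARKER = "alert(1)"

# Constructed sample responses (not captured from any real target).
RESPONSES = {
    # Probe reflected, but entity-encoded: a browser renders it as text.
    "search_encoded": "<p>Results for: " + html.escape(PAYLOAD) + "</p>",
    # Probe reflected verbatim inside the page body: the script will run.
    "search_raw": "<p>Results for: " + PAYLOAD + "</p>",
    # Probe reflected inside a quoted attribute value: with this payload,
    # the tags never become elements, so nothing executes.
    "search_attr": '<input type="text" value="' + PAYLOAD + '">',
    # Probe not reflected.
    "nomatch": "<p>No results</p>",
}


def naive_check(body, marker=MARKER):
    """Cheap scanner logic: does the marker text come back in the response at all?

    This is the source of false positives: it cannot tell an encoded,
    inert reflection from a live one.
    """
    return marker in body


class ScriptSink(HTMLParser):
    """Collects the text content of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script_bodies = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> contents as raw data, so anything
        # collected here is what a browser would hand to its JS engine.
        if self.in_script:
            self.script_bodies.append(data)


def validated_check(body, marker=MARKER):
    """Flag only when the marker sits inside an actual <script> element.

    An entity-encoded '&lt;script&gt;' never becomes an element, so the
    encoded reflection and the attribute-value reflection both fall out.
    """
    sink = ScriptSink()
    sink.feed(body)
    sink.close()
    return any(marker in chunk for chunk in sink.script_bodies)


def triage(responses=RESPONSES):
    """Run both checks over every response; returns {name: (naive, validated)}."""
    return {name: (naive_check(body), validated_check(body)) for name, body in responses.items()}


if __name__ == "__main__":
    for name, (naive, validated) in triage().items():
        verdict = "confirmed" if validated else ("false positive" if naive else "clean")
        print(f"{name:16s} naive={naive!s:5s} validated={validated!s:5s}  -> {verdict}")
```

The point of the exercise is the middle column: three of the four responses would be queued for manual review by the naive check, but only one of them is a real finding. Limiting validation to the `<script>` element is deliberately narrow (an attribute-breakout payload needs its own check), which is exactly why tools like the XSS Validator execute the candidate page in a browser rather than pattern-match on it.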
Read more

Bug Hunting for Penetration Testers Available Now

Hands-On Bug Hunting for Penetration Testers is now available. The book covers how to detect, validate, and write submission reports for XSS, SQLi and NoSQLi, XXE, CSRF, and more vulnerabilities, including sections on detecting hidden content, crowdsourcing code injection snippets and other malicious inputs, writing quality submission reports, and more. It uses Burp Suite as a principal tool and proxy, with Python (3.6.5) and Bash scripts thrown in to augment, extend, and automate different testing functions.
Read more

Creating my Blog and Book Sites on the Free Stack

When I was setting out to revamp my personal blog and create a new site for my book, I had a couple of considerations in mind. I wanted both sites to be highly available (I don’t get much traffic, but also don’t want a hug of death), simple (with as few moving parts as possible), and easy to update and generally extend. All of that led me to a static workflow.
Settling on (but not for) Static
I love static sites.
Read more

My Writing Tech Stack

All writers have their own workflows for writing: Many people use Word, Google Docs, or Libre Office - George R.R. Martin famously uses WordStar, a DOS-based text-processing system from the mid-80s. As long as your personal productivity is juiced and you’re comfortable, you can be as idiosyncratic as you want. Somewhere a hardcore cypherpunk is writing the next cryptographic epic in vim. In that spirit, I’ve evolved my own writing process over time as I’ve looked for a workflow that minimized application overhead, allowed me to translate documents between formats, provided robust version tracking, integrated well with other tools, and worked offline.
Read more

Pentest Proving Grounds

One of the most helpful tools in learning the fundamentals of penetration testing is the ability to test your analysis against deliberately vulnerable applications - sites and/or apps with consciously introduced flaws, catalogued for easy reference. Beyond being a great introductory exercise, testing against deliberately vulnerable apps can also be a great way to calibrate new scanners or automated reconnaissance methods. And in addition to the actual vulnerable endpoints within the applications themselves, many of them also feature their own guided tutorials explaining how to detect - and often mitigate - the vulnerabilities they contain.
Read more