My Writing Tech Stack

All writers have their own workflows: many people use Word, Google Docs, or LibreOffice, and George R.R. Martin famously uses WordStar, a DOS-based word processor from the mid-80s. As long as it keeps you productive and comfortable, you can be as idiosyncratic as you want. Somewhere a hardcore cypherpunk is writing the next cryptographic epic in vim. In that spirit, I’ve evolved my own writing process over time, looking for a workflow that minimized application overhead, let me translate documents between formats, provided robust version tracking, integrated well with other tools, and worked offline.

Pentest Proving Grounds

One of the most helpful tools for learning the fundamentals of penetration testing is the ability to test your analysis against deliberately vulnerable applications: sites and/or apps with consciously introduced flaws, catalogued for easy reference. Beyond being a great introductory exercise, testing against deliberately vulnerable apps is also a good way to calibrate new scanners or automated reconnaissance methods, since the catalogue tells you exactly which findings a tool should have produced and which of its results are false positives. And in addition to the vulnerable endpoints themselves, many of these applications feature their own guided tutorials explaining how to detect, and often how to mitigate, the vulnerabilities they contain. Since they are exploitable by design, run them in an isolated lab rather than on a network anyone else can reach.

Pre-order Hands-On Bug Hunting for Penetration Testers

Update: The book has since been released. See how to purchase it at handsonbughunting.com or use the Amazon link included in the article below.

This October I’ll be releasing my first book with Packt Publishing, Hands-On Bug Hunting for Penetration Testers. The book covers:

- Preparing for pentesting engagements
- Building an automated pentesting workflow
- Detecting and reporting the OWASP Top 10 most common web application vulnerabilities
- Finding the best bug bounty programs
- Focusing on testing the right parts of a web application
- Formatting vulnerability reports to maximize your payouts
- Going further

If you have some experience with penetration testing, it’ll be a good introduction to public bug bounty programs, and if you’re just getting into security, it’s a great series of walkthroughs for getting up to speed, even if you have to search for the meaning of a term or two (or three).

The Top 5 Burp Suite Extensions

If you’re a freelance security researcher, chances are you’ve heard of, or use, Burp Suite, commonly considered the gold standard in web application penetration testing software. But if you’re only using the stock version, as great as it is, you’re missing out! Both the free and paid versions of Burp support extensions (BApps) that add functionality to the main client, whether it’s a separate (and free) scanner, an IP randomizer, or a plugin for validating XSS vulnerabilities, though some extensions require the Professional edition to run.

A Brief Illustration of Functional Programming

Functional programming is a paradigm that tries to reduce bugs and make an application easier to reason about by avoiding changes of state and, more generally, the mutation of shared values. In software written in a functional style, a function’s behaviour can be understood entirely from the arguments passed to it: the same inputs always produce the same output. There is no reliance on the instance variables of a class (as in object-oriented programming) or on some other state-dependent variable that the program reassigns at runtime (as in imperative programming). That property also makes functional code easier to audit, since a reviewer does not have to trace every write to a shared variable to know what a function will do.
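As an added example (not code from the original article), here is the same access-control check written first against hidden mutable state and then in the functional style described above. The role table, the user records and the function names are made-up sample data:

```javascript
// Added example, not from the original article: one access check written
// against shared mutable state, then rewritten so that everything it depends
// on is a parameter. The role table and users below are made-up sample data.

// --- Imperative style: the answer depends on state the caller cannot see ---
const permissions = { reader: ["read"], editor: ["read", "write"] };
let currentUser = { name: "alice", roles: ["reader"] };

function canImperative(action) {
  let allowed = false;
  for (const role of currentUser.roles) {
    if ((permissions[role] || []).includes(action)) allowed = true;
  }
  return allowed;
}

function promoteCurrentUser(role) {
  currentUser.roles.push(role); // mutates shared state in place
}

// --- Functional style: same arguments always give the same answer ---
// The check can be audited and unit-tested without setting up global state,
// because nothing outside its parameter list can influence the result.
function can(user, permissionTable, action) {
  return user.roles.some((role) => (permissionTable[role] || []).includes(action));
}

// Returns a new user object instead of mutating the one it was given.
function grantRole(user, role) {
  return { ...user, roles: [...user.roles, role] };
}

// Shows the difference: the imperative check changes its answer for the
// same call after unrelated code mutated currentUser; the pure check does
// not, and the original (frozen) user object is left untouched.
function demo() {
  currentUser = { name: "alice", roles: ["reader"] }; // fresh session state
  const before = canImperative("write");               // false
  promoteCurrentUser("editor");                        // action at a distance
  const after = canImperative("write");                // true: same call, different answer

  const alice = Object.freeze({ name: "alice", roles: Object.freeze(["reader"]) });
  const aliceCanWrite = can(alice, permissions, "write");       // false
  const editor = grantRole(alice, "editor");
  const editorCanWrite = can(editor, permissions, "write");     // true
  const aliceStillReader = !can(alice, permissions, "write");   // still true
  return {
    before, after, aliceCanWrite, editorCanWrite, aliceStillReader,
    aliceUnchanged: alice.roles.length === 1,
  };
}

console.log(demo());
```

The frozen objects are there to make the point mechanically: if grantRole had tried to push onto alice.roles, the call would have failed instead of silently changing an answer somewhere else in the program.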

1-Minute Markdown

What’s Markdown? Markdown is punctuation for the web. It lets authors easily write documents that feature common online staples like links, images, and italicized, bold, and other rich text, using a simple, lightweight set of symbols that can be converted to HTML, DOC, PDF, or RTF files. Since Markdown files are just plain text, they’re an ultra-portable way to write web-compatible content without the mess of a WYSIWYG editor or proprietary file types. One caveat: because the usual output is HTML, anything that renders Markdown supplied by untrusted users has to escape or sanitize it like any other HTML.
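As an added example that is not the original post’s code, here is a deliberately small Markdown-to-HTML converter in JavaScript covering the staples named above (headings, paragraphs, links, images, bold, italic). It escapes raw HTML before interpreting any Markdown and only emits links and images whose URL scheme is on an allow-list; that allow-list and the function names are my own choices, not part of Markdown, and the sample input is constructed:

```javascript
// Added example, not code from the original post: a small Markdown-to-HTML
// converter that treats its input as untrusted. Raw HTML is escaped before
// any Markdown is interpreted, and link/image URLs must use an allow-listed
// scheme. The scheme allow-list is my choice, not part of Markdown.

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Browsers drop ASCII control characters (tab, newline, ...) when parsing a
// URL, so "java\tscript:" would still execute; strip them before checking.
function safeUrl(url) {
  const cleaned = url.replace(/[\u0000-\u001f\u007f]/g, "").trim();
  if (/^(https?:|mailto:)/i.test(cleaned)) return cleaned;
  if (/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) return "#"; // javascript:, data:, vbscript:, ...
  return cleaned; // relative URL
}

// Inline syntax. Runs on already-escaped text, so captured alt text and link
// labels cannot contain raw quotes or angle brackets.
function inline(text) {
  return text
    // images first: ![alt](src) would otherwise be matched as a link
    .replace(/!\[([^\]]*)\]\(([^)]+)\)/g,
      (_, alt, src) => `<img src="${safeUrl(src)}" alt="${alt}">`)
    .replace(/\[([^\]]+)\]\(([^)]+)\)/g,
      (_, label, href) => `<a href="${safeUrl(href)}">${label}</a>`)
    .replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>")
    .replace(/\*([^*]+)\*/g, "<em>$1</em>");
}

// Block syntax: blank-line-separated blocks become headings or paragraphs.
function markdownToHtml(markdown) {
  return escapeHtml(markdown)
    .split(/\n\s*\n/)
    .map((block) => block.trim())
    .filter((block) => block.length > 0)
    .map((block) => {
      const heading = /^(#{1,6})\s+(.*)$/.exec(block);
      if (heading) {
        const level = heading[1].length;
        return `<h${level}>${inline(heading[2])}</h${level}>`;
      }
      return `<p>${inline(block.replace(/\n/g, " "))}</p>`;
    })
    .join("\n");
}

// Constructed sample input mixing ordinary Markdown with two hostile cases.
const SAMPLE_MARKDOWN = [
  "# Notes",
  "",
  "Read the **docs** at [the site](https://example.com/docs?a=1&b=2) and *reply*.",
  "",
  "![logo](/img/logo.png)",
  "",
  "Try [this](javascript:alert%281%29) or <script>alert(1)</script>",
].join("\n");

console.log(markdownToHtml(SAMPLE_MARKDOWN));
```

The order of operations is the security-relevant part: escaping happens once, on the whole input, before any regex introduces tags of its own, so the only tags in the output are the ones the converter deliberately wrote.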

An Event Loop Allegory

Two jugglers walked around a small track, practicing their craft. The first one, Sync, wasn’t really what you’d call a juggler, so much as an apprentice juggler or (less charitably) a juggler-wannabe - a straight up ball tossin’ poseur. Sync could only keep one ball in the air at a time. In fact, he only owned one ball. As he traced the circle of the track with his steps, his bouncy red ball would draw a series of parabolas in the air, tracing a gentle up-and-down curve following his path.
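As an added illustration that is not part of the original post, the following JavaScript shows Sync’s one-ball-at-a-time rule in the real event loop: a timer and two promise callbacks are scheduled, the synchronous code keeps the call stack busy, and the callbacks only get their turn after it finishes, microtasks before timers. The busyWait helper, the juggle function and the labels are my own:

```javascript
// Added example, not code from the original post: the JavaScript event loop
// as the allegory describes it. The engine keeps one "ball" (one call stack)
// in the air at a time; queued callbacks only run once the current
// synchronous run finishes, microtasks first and timers after.

// A deliberately blocking wait. While this loop spins, nothing else on the
// event loop (timers, promise callbacks, other requests) can run; expensive
// synchronous work such as a catastrophic regex stalls a server the same way.
function busyWait(ms) {
  const end = Date.now() + ms;
  while (Date.now() < end) { /* spin */ }
}

// Schedules one timer and two microtasks, then blocks for 20 ms before
// returning. `snapshot` is the order recorded by the time juggle() returns;
// `done` resolves with the full order once the queued callbacks have run.
function juggle() {
  const order = [];
  order.push("sync: start");
  setTimeout(() => order.push("timer: 0ms"), 0);
  Promise.resolve().then(() => order.push("microtask: promise"));
  queueMicrotask(() => order.push("microtask: queued"));
  busyWait(20); // the 0 ms timer is long overdue but still cannot fire here
  order.push("sync: end");
  const done = new Promise((resolve) =>
    setTimeout(() => resolve([...order]), 10));
  return { snapshot: [...order], done };
}

juggle().done.then((order) => console.log(order.join("\n")));
```

Running it prints the five labels in the order sync start, sync end, the two microtasks, then the timer: the 0 ms timer expired during busyWait, but a timer is only ever picked up between turns of the loop, and the promise callbacks are drained before any timer gets a turn.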