appsec
Protecting developers from supply chain attacks
Developers have quietly become one of the most valuable targets in the modern threat landscape. Not because of who they are as …
$ ./thesecurityvault --init
The Security Vault
Because Security Matters - Deep dives for security defenders
$ tail -n 6 /var/log/vault/research.log
Blog Posts
appsec
Building MirageVM: A JavaScript Virtual Machine for Code Obfuscation
Modern web applications face a persistent challenge: automated attacks that bypass traditional security measures. Captcha farms …
appsec
Bots to the Rescue: How I Built an AI Security Wingman
Security operations teams spend a fair amount of time on repetitive administrative tasks. Answering recurring process questions, …
appsec
Path Traversal & LFI can be worst than you think
LFI and Path traversal are not a new thing, but what most people don’t understand is the full impact of the vulnerability. …
appsec
We are making authentication systems wrong
For a long time I’ve been struggling with the way authentication systems work, as they don’t protect your password as …
appsec
What is and how to prevent Mass Assignment Vulnerabilities
First time I heard about mass assignment vulnerabilities was a long time ago, when I started learning Ruby & Rails. In fact I …
$ ls -la ~/projects
Projects
// tools and resources I've built
OrgSec Guide
A comprehensive checklist and guide for organizations looking to implement a robust cybersecurity program.
XXExploiter
Tool to help exploit XXE vulnerabilities. Generates XML payloads and automatically starts a server to serve DTDs or perform data exfiltration.
MirageVM
JavaScript virtual machine for code obfuscation. Protects sensitive client-side logic with custom bytecode through a low-level language that supports all JavaScript features. (Private project)
Living of the Code (LOC)
A curated list of attack techniques that target software developers in their natural habitat: code.
VSCode Swissknife
Scriptable VS Code extension to generate or manipulate data. Stop pasting sensitive data into webpages.
Watchtower
VS Code extension that scans your workspace for malicious configurations, invisible Unicode threats, and dangerous IDE attack vectors — fully local, fully open source.
Warden
Enforce file-based policies on managed machines by automatically detecting and correcting config files that drift from approved values.
DamnVulnerableCryptoApp
An app with intentionally insecure crypto. Perfect for testing and exploiting weak cryptographic implementations and learning crypto without diving deep into the math.
Coup Sheet
If you like the board game Coup as much as I do, you'll find this sheet super helpful.
How To Test Api Keys
A visual, interactive cheat-sheet for testing whether leaked API keys and secrets are still valid — pick a service and get a ready-to-run command.
