As of today, TSP has three plugins: SonarQube Snyk Semgrep So what I’ve been doing for the last three years? :) The trick is it’s straightforward to add a new plugin, thanks to all the underlying code I’ve already written. For example, the Semgrep plugin is currently just 92 lines, Snyk plugin - 126, and SonarQube - 135. In the screenshot, you can see a debug console with Semgrep results. I highly recommend this tool....

This is an extract from a real conversation with a colleague at one of my previous jobs. Even though their name is not mentioned here, I asked for their permission before publishing this: Colleague: I think we talked a bit when you were in your previous role about the way traditional app sec works here. Where it’s similar to how it’s been in my other experiences. What kind of stuff have you figured out about moving that into the whole CI/CD process?...

upd: archiving my blog in 2021 and reading this post again, I am no longer a fan of Sony phones and of Android. Appears that buying a Sony Xperia phone several years ago was a good call - they appeared to support OpenSource Android very well even for devices that are no longer officially supported, and they even provide instructions on how how to unlock those devices, and build your own ROMs based on AOSP - Android Open Source Project....

A conversation about TLS certificates in application security, from a chat with a colleague while working on an actual project. Published with permission. Alright, so here’s that fun part most people in security don’t know about. For us, using TLS was sort of natural because we are a security team. But many software engineers avoid it, especially at the beginning of their career. And then when they finally got to the point when they actually want to start using TLS, that usually means that they got pretty advanced in what they do....

It’s been a while since I worked with my home lab - and now I am unpacking it again, for a new journey. This time, I will be learning OpenStack and trying out various security and automation tools with it.

Been a while since I used my soldering iron last time. Really enjoyed prototyping simple electronic circuits with my kids tonight. This was 2nd time this year. First time was in June:

I thought it’s impossible, and was so surprised when I tried and it just worked under Debian Sid and Virtual Box with Windows 7 Pro. Atmel Studio was a very easy install in a VM, and it had no problems finding my USB programmers and devices attached to my host Linux machine. It’s very good news given that my new digital oscilloscope with logic analyzer arrives tomorrow :)

CVE-2014-8733: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8733 It was fun to work with Hadoop security in 2014… This vuln was a tricky one because I was responsible for Hadoop managed service platform security, and our clients had SSH access to Hadoop cluster nodes in some cases. If I remember correctly, fix wasn’t easy - required release of new CDH version which moved configuration parameters between files (world readable access was required for Hadoop client to function)....

I participated in a project in which job scheduling logic was completely implemented in shell script (it was a small project initially, and then it has grown in time). One of tasks was to enable scheduler script to wait until a specified time to run a job. Surprisingly, search in Internet did not bring anything that would look simple and elegant enough. There were bunch of quite complex solutions which did not really address my requirements and would be too hard to maintain for support teams in future… I came up with my own solution for this after reading Linux manuals, which I wanted to share....

Installed Kali Linux in my virtual lab this weekend - just to make a snapshot of currently available packages and, as usual, steal a couple of ideas for my own pentest Linux VM. Two ideas I will never steal from Kali are Safari Icon for Firefox and use of Gnome 3.