What’s going on with (Sem|open)grep?
This post discusses the recent changes in Semgrep, the creation of the Opengrep fork, and the implications for the open-source community.
In this post, I revisit my experiments with passkeys to see what has changed, what has improved, and what has stayed the same.
Having an opportunity recently to consider recommending passkeys, I decided to experiment with a real life implementation.
A summary of five product security talks that are worth attending at Black Hat USA 2023.
A look at five interesting courses from Black Hat USA 2023, including one by the author.
A guide on how to manage multiple GitHub accounts on a single Linux/WSL machine, updated for 2023.
In 2022 I prepared a talk, aimed at non-security people working on building software such as developers and DevOps engineers. The aim was to introduce them t...
I am delivering training courses on how to build effective processes around application security scanning tools as part of my work for Bounce Security. The c...
A guide on how to set up and manage multiple GitHub accounts on a single Linux/WSL machine.
I recently had the privilege of attending and speaking at the OWASP AppSec USA 2018 conference in San Jose, California, one of OWASP’s global events. This w...
There are some great security technologies out there to act as a defensive layer in front of your application. However, if you want an efficient application ...
I recently used the very excellent OWASP Juice Shop application developed by the very excellent Björn Kimminich to run an internal Capture the Flag event (CT...
Some completely unofficial answers to questions about OWASP and the AppSecEU 2018 debacle based purely on publicly available information.
Whilst most people were preparing for the festive season, in a shock move OWASP decided to suddenly claw back its flagship conference from the hugely success...
For various reasons, this year was the first year I made it to OWASP AppSec Israel, the national Application Security conference here in Israel. Not only tha...
It looks like this standard will not go into widespread adoption but I think we can learn a lesson about InfoSec cost/benefit and the risks of expecting all ...
If you care about AppSec, you have until 30th August to have your say on what new items should be in RC2 and until 18th September to provide additional data ...
My thoughts on how daily reporting can both enhance and damage the security testing process.
Would MS17-010 have received enough attention without WannaCry?
Having made my long term thoughts on the OWASP Top 10 process clear, I want to talk about the list as it stands at the moment and how I think it should be fo...
Jeff Williams, OWASP Top 10 Co-Author and Contrast Security CTO, has responded but I am not convinced he has alleviated concerns.
The OWASP Top 10 has become web app critical infrastructure but do people understand how it is produced?