I have occasionally touched on security topics in this blog. The last two posts were about the Sophos Blackhat 2013 puzzle and Greedy Git. I guess one thing I didn’t post about, which had massive knock-on effects, was my involvement in the excellent Cyber Security Challenge UK, which I entered on a whim in 2011, played for 2 years (getting to the Masterclass Final in both) and had loads of incredibly fun and useful experiences with other enthusiasts and security professionals. One of the prizes from the competition was the Certified Application Security Tester (CAST) course from 7Safe, which was great and helped me loads with making my web application development more security focussed. Ultimately though, I found that breaking other people’s web sites is way more fun than the painstaking process of building your own, and I decided to pack in being a web developer and become a pentester, getting my CREST Registered Tester qualification in my own time (so that someone would take me seriously) and then getting a job at Nettitude. About 9 months later I upgraded my CREST qualification to the web-centred “CREST Certified Tester (Applications)” (CCT).
Most of what I do day to day I can’t talk about in detail, but here’s some stuff I’ve blogged for Nettitude to give you a general idea:
- Server Side Request Forgery
- Input Blacklisting – Is It Ever The Right Approach?
- CVE-2015-2314: Custom Content Type Manager Plugin Remote Code Execution
- CVE-2015-5227: Zeropress and Remote Code Execution in WordPress Landing Pages
- CVE-2015-5243: phpWhois Remote Code Execution