During my last week at SEEK, the team and I managed to get Listo open sourced, a project I have been working on for a while (with the help of a small, talented team of engineers from around the org) that was inspired by goSDL and uses questionnaires and checklists to make it easy for engineers to do the right thing regarding the software they build. The blog post with more information can be found below :)
My 5 Year Journey at SEEK
07 Feb 2020
After almost 5 years it’s hard to accept that Friday was my last day at SEEK…
Absolute AppSec Ep 63 - Developer Education, RFC's and Checklists
03 Jul 2019
I was invited onto the Absolute AppSec Podcast today, where I was lucky enough to chat to Seth and Ken about the different types of developer education we use at SEEK, how to build a security culture, a different approach to standards via the Riot Games RFC concept, goSDL checklists, AppSec Day talks and more!
Four Years of Reflection - How (Not) To Secure Web Applications - DevSecCon | DevOps Talks | OWASP Melbourne 2019
05 Jun 2019
I recently presented a talk at DevSecCon Singapore, DevOps Talks Conference and at a joint security Meetup on some of the security highlights and lessons learnt from the last 4 years at SEEK.
Announcing SEEK's Public Bug Bounty Program
29 Jan 2019
I was lucky enough to be a part of SEEK’s three year bug bounty journey. This year we announced our public program that is open to all researchers, instead of being invite only. I wrote up a short piece for the announcement on the SEEK tech blog which has some stats about our program to date that might be of interest :)
A Comprehensive Guide to Running a Bug Bounty Program
01 Jan 2019
With the Year-of-the-Breach behind us (I feel like we say that every year), it’s important for businesses with publicly available assets storing sensitive data (websites, services, infrastructure) to set up a process for members of the general public to report security vulnerabilities discovered within their systems and applications…
AppSec Day Conference 2018 - In Review
19 Oct 2018
AppSec Day 2018 conference has finished up for the year and what a ride it has been! This was the third year we have run the AppSec Day conference, doubling in size every year, which has its difficulties, but is worth the experience and the reward it brings. Receiving mostly positive feedback from attendees and those involved, and the satisfaction of working with a highly passionate team of volunteers who all worked really well together to pull off a successful event, made it worthwhile. Below are some of the highlights from the day…
Running a Bug Bounty Program at SEEK Jobs - TConf & NDC Sydney 2017
08 Dec 2017
I recently spoke at NDC Sydney 2017 and TConf 2017, Australian developer and tester conferences, about how bug bounty programs can be a great control to reduce security issues within web and mobile applications.
It covered how to run a bug bounty program, their pros and cons and an update on seek.com.au’s program, including a show and tell of a few recent bugs that have been reported…
Delivering an Application Security Training Course
01 Oct 2017
The goal of a web application security training program is to raise security awareness and teach technical teams about security concepts, so that security issues are less likely to turn up in production code…
Tackling Security Culture and Awareness
01 Sep 2017
Software development companies are starting to realise that to innovate, stay relevant and compete they need to adopt a different culture, one that enables them to develop and release software faster and attract talent…
Building an Application Security Programme
01 Aug 2017
An application security programme is your company’s product security game plan, with the goal of reducing the number of security flaws introduced into the application over the course of its software lifecycle, while at the same time increasing the difficulty of exploitation (i.e. making it harder for an attacker to find vulnerabilities) and reducing security risks, such as data loss…
Defensive Application Security in a Modern Organisation
10 Jul 2017
Defending web and mobile applications against the bad guys has always been hard; there is no escaping that fact. However, it doesn’t seem to be getting any easier either. Evolving development practices (Agile, DevOps, CD/CI, IaC) have a big part to play, but there are several other trends that are also not helping the situation. So in this modern world of development, how can we better secure these applications?
The short answer is we need to change the way we approach application security, by designing an application security programme or secure software development lifecycle (SSDLC) that fits better into these evolving development practices…
Rumours of our Demise Have Been Greatly Exaggerated - CrikeyCon 2017
25 Feb 2017
I spoke about the pros and cons of bug bounty programs with Mike at CrikeyCon 2017. This is a community-led conference targeting those with an interest in information security around South East Queensland and beyond.
Running a Bug Bounty Program at SEEK - OWASP Melbourne AppSec Day 2017
17 Sep 2016
I presented at OWASP AppSec Day 2016, an event run by the OWASP Melbourne Chapter designed to spread application security knowledge to the general tech community through talks and workshops.
Thinking Like A Hacker - DDD Melbourne 2016
13 Aug 2016
I presented a slightly updated version of my DDD Sydney deck at DDD Melbourne about what motivates hackers to break into systems and how you could approach securing your company’s web application at scale. DDD Melbourne is a non-profit community event in Melbourne run by developers for developers.
Securing SEEK’s Web Applications at Scale - Infracoders Melbourne
09 Aug 2016
I presented on bug bounty programs at an Infrastructure Coders event in Melbourne. The meetup is focused on Infrastructure (DevOps) and is designed for Systems Administrators, Developers, DevOps, Web Operations Engineers and all people who build high traffic websites.
Thinking Like A Hacker - DDD Sydney 2016
29 May 2016
I presented at DDD Sydney about what motivates hackers to break into systems and how you could approach securing your company’s web application at scale. DDD Sydney is a developer focused conference held in Sydney, Australia.
Bypassing Android Binary Protections - WAHCKon Perth 2015
02 May 2015
At WAHCKon Perth 2015, an information security conference held in Perth, Australia, I presented on how to break common Android binary protections like root detection and SSL pinning.
Bypassing Root Detection on Android
30 Jan 2015
When you perform a penetration test on an Android or iOS application, you may find that the developer has implemented what are called binary protections, which hinder an attacker from easily analysing the application. Some of the more common protections are SSL pinning, code obfuscation and root detection. This article explains how to bypass the latter, namely root detection on Android.
Bypassing XSS Filters with Scalable Vector Graphics (SVG)
13 Oct 2014
When you are performing a pen test or participating in a bug bounty program, sometimes you are confronted by a Web Application Firewall (WAF) designed to block malicious payloads. To properly identify and exploit a Cross-site Scripting vulnerability you will need to find a way around it! This article demonstrates a method of creating an SVG based payload to bypass those pesky WAFs.
Penetration Testing 101 - AISA Melbourne 2014
17 Sep 2014
The Australian Information Security Association (AISA) is Australia’s peak body for information and cyber security professionals. I spoke at one of the meetups with Topy about the basics of a penetration test.
Securing Modern Web Frameworks with Node.js - OWASP Melbourne Meetup
22 Jun 2014
OWASP Melbourne Meetup is a local OWASP Chapter in Melbourne, Australia that runs events on all things application security. I presented to the community about some of the ways you can break Node.js applications, as well as some of the common developer mistakes.
Introduction to Buffer Overflows - OWASP Melbourne Meetup
11 Nov 2013
OWASP Melbourne Meetup is a local OWASP Chapter in Melbourne, Australia that runs events on all things application security. I presented to the community on how to perform a basic buffer overflow.