Julian Berton

Hey, I'm Julian, author of this blog and Security Engineer at Cruise

Open Sourcing Listo - Failing Safely with Checklists and RFC’s

10 Feb 2020

During my last week at SEEK, the team and I managed to get Listo open sourced, a project I have been working on for a while (with the help of a small, talented team of engineers from around the org) that was inspired by goSDL and uses questionnaires and checklists to make it easy for engineers to do the right thing regarding the software they build. The blog post with more information can be found below :)

Listo — Failing Safely with Checklists and RFC’s.

Announcing SEEK's Public Bug Bounty Program

29 Jan 2019

I was lucky enough to be a part of SEEK’s three year bug bounty journey. This year we announced our public program that is open to all researchers, instead of being invite only. I wrote up a short piece for the announcement on the SEEK tech blog which has some stats about our program to date that might be of interest :)

A Comprehensive Guide to Running a Bug Bounty Program

01 Jan 2019

With the Year-of-the-Breach behind us (I feel like we say that every year), it’s important for businesses with publicly available assets storing sensitive data (websites, services, infrastructure) to set up a process for members of the general public to report security vulnerabilities discovered within their systems and applications…

AppSec Day Conference 2018 - In Review

19 Oct 2018

AppSec Day 2018 conference has finished up for the year and what a ride it has been! This was the third year we have run the AppSec Day conference, doubling in size every year, which has its difficulties but is worth the experience and the reward it brings. Receiving mostly positive feedback from attendees and those involved, along with the satisfaction of working with a highly passionate team of volunteers who all worked really well together to pull off a successful event, made it all worthwhile. Below are some of the highlights from the day…

Tackling Security Culture and Awareness

01 Sep 2017

Software development companies are starting to realise that to innovate, stay relevant and compete with competitors they need to adopt a different culture, one that enables them to develop and release software faster and to attract talent…

Building an Application Security Programme

01 Aug 2017

An application security programme is your company’s product security game plan, with the goal of reducing the number of security flaws introduced into an application over the course of its software lifecycle, while at the same time increasing the difficulty of exploitation (i.e. making it harder for an attacker to find vulnerabilities) and reducing security risks, such as data loss…

Defensive Application Security in a Modern Organisation

10 Jul 2017

Defending web and mobile applications against the bad guys has always been hard; there is no escaping that fact. However, it doesn’t seem to be getting any easier either. Evolving development practices (Agile, DevOps, CI/CD, IaC) have a big part to play, but there are several other trends that are also not helping the situation. So in this modern world of development, how can we better secure these applications?

The short answer is we need to change the way we approach application security, by designing an application security programme or secure software development lifecycle (SSDLC) that fits better into these evolving development practices…

Thinking Like A Hacker - DDD Melbourne 2016

13 Aug 2016

I presented a slightly updated version of the DDD Sydney deck at DDD Melbourne about what motivates hackers to break into systems and how you could approach securing your company’s web application at scale. DDD Melbourne is a non-profit community event in Melbourne run by developers for developers.

Thinking Like A Hacker - DDD Sydney 2016

29 May 2016

I presented at DDD Sydney about what motivates hackers to break into systems and how you could approach securing your company’s web application at scale. DDD Sydney is a developer-focused conference held in Sydney, Australia.

Bypassing Root Detection on Android

30 Jan 2015

When performing a penetration test on an Android or iOS application, you may find that the developer has implemented what are called binary protections, which hinder an attacker from easily analysing the application. Some of the more common protections are SSL pinning, code obfuscation and root detection. This article explains how to bypass the latter, namely root detection on Android.

Bypassing XSS Filters with Scalable Vector Graphics (SVG)

13 Oct 2014

When you are performing a pen test or participating in a bug bounty program, sometimes you are confronted by a Web Application Firewall (WAF) designed to block malicious payloads. To properly identify and exploit a Cross-site Scripting vulnerability you will need to find a way around it! This article demonstrates a method of creating an SVG-based payload to bypass those pesky WAFs.
