Blog Post Ideas

Training ideas

Do interactive online exercises like the fuzzing book or Deadlock Empire.

Presentation Ideas - Humor

Show of hands

  • You threat model every day
  • You want to add threat modeling to your practice
  • You do research work on Threat Modeling
  • You are in the wrong room and too shy to leave after three slides into the presentation

Websites - humor ideas / snark examples

https://thecooperreview.com/

  • Purging Memory Safety Bugs with Fire (and LangSec)
    • Killing Memory Safety Bugs by Automatically Converting C to Rust
    • If there’s one thing I like more than avocado toast and sustainably sourced oat milk, it’s killing classes of bugs.
    • Interview with C2Rust folks, combine notes from Tel Aviv keynote (Mozilla/Microsoft efforts)
    • Rewrite in Rust meme
  • Snake oil vendor reviews
    • NeuralLegion - Award winning AI powered AppSec
      • Automated DevSecOps with Integrated SDLC security
    • Rate companies on marketing from 1-5 RSAs/vendor halls, and on whether it actually works from 1-5 Crown Sterlings (snake oil)
  • Researcher profile - Hillel Wayne - discuss his various blog posts and talks

  • “What it was like incorporating with Stripe Atlas”
    • When we’re ready for open enrollment. Have @StripeAtlas retweet it for broader publicity
    • Moonlight did this, posted on the Stripe Atlas Medium page
  • Use Iodide to create an interactive, reproducible security research summary blog post
  • “How to meet people at security meet-ups”
    • Someone you know, “Hey, mind if I join you?”, talk with 1 of the people from the company hosting, nice t-shirt, approach another loner
    • Post on the event/Twitter/online before to try to meet like-minded people
    • Start off with some principles: people are generally nice in security, you have the same common interest, have a ton in common already.
    • Ask Tanya Janca to review - has she written anything already I can reference?
    • Look up other resources people have written about this - Daniel Miessler?
  • The evolution of how many companies implement access controls
    • Start off with inline one-off controller checks, in model, separate lib/microservice, etc.
    • Why would one do each, strengths and weaknesses of each approach, what people tend to do.
    • Get feedback from Neal Poole, Kevin Babcock, Scott Behrens and Astha
  • Build vs Buy - an interview series asking people how they decide when to build something internally vs buy it.
    • What is their decision criteria? What have they done in the past that went well? What should they have done differently? Any classes of things you should generally build or buy?
    • People to ask: Gunter, Ahsan/Hemanth, Astha/Scott/Jason Chan, Flee, Joel Scambray, Zane, Doug DePerry, Hongyi/Dev, Rob Mann, James Dolph @ Salesforce? John Steven. Chris (Astha’s partner). Ben Hagen. John Heasman. Bei Yuan @ Apple. Caleb Yassir/DevSecOps guy at Okta. Laksh @ Paypal. Larkin.
    • Have a blog post summarizing each one, link to the full audio on YouTube.
    • Sign up to mailing list to get the full transcript.
    • Once I’ve interviewed a bunch of people, do a meta post summarizing everything I learned, and include that post + each individual summary + all transcripts in a PDF/epub/mobi if you sign up
    • Share in Slacks/HN/Reddit/etc.
  • Can do the same as above for: security metrics (what to track, why, how), how to build an AppSec program, etc.

NCC Group

  • An honest look at life as / being a consultant at NCC Group
  • How to become a consultant / penetration tester at NCC Group
  • The Day-to-Day Life of NCC Group Consulting
  • Progressing Your Career at NCC Group

Research

  • “How to do Security Research and Present at Conferences” blog series
    • Have a Leanpub ebook version that combines all the posts as a lead magnet
    • For writing CFP submissions, use before/after examples like this: https://iridakos.com/how-to/2019/06/26/composing-better-emails.html

Static Analysis

  • How SAST Tools Work and What (/N Things) Your Vendor Isn’t Telling You
  • How to Actually Get Value from Your SAST Tool
    • Part 1 - working with devs, Jira integration, don’t auto push (triage) to devs, integrate into CI/CD
      • More organizational and structural, like Jeremy’s whitepaper
    • Part 2 - the more technical part, methodology for rolling it out, what to focus on (training slides diagram)
  • “SAST is dying, they just don’t get it yet”
    • On DevSecOps, detecting bad practices vs data flow
    • Why your expensive static analysis tool sucks
  • Static Analysis from Grep to Dataflow: Using the Right Tool for the Job
  • How to run Brakeman on every commit using GitHub Actions
  • How brakeman, the rails static analysis tool works
  • How FindSecBugs Works
  • Rolling your own custom static analysis from scratch (use some content from slides)
  • Finding command injection in NodeJS code
    • Example from Slack report but go into more detail
    • Have babel code that can actually reason about args, value of args, etc.
    • exec(var + "foo") or exec("bar" + arg) - the latter case defeats regexes that only warn when the argument does not start with a string literal ("...)
  • Could walk through some program analysis stuff via drawing on an iPad
  • Intro to program analysis - what do common terms mean?
    • Soundness, completeness, path-sensitive, flow/control-sensitive, 0-CFA vs 1-CFA
    • Give examples of when these do and don’t matter, the tradeoffs implementers make.
  • Program Analysis Overview - static vs dynamic analysis, fuzzing, model checking, formal methods
    • Massive evergreen post that gives you a sense for basically all the ways to find bugs.
    • Basically our ShellCon 2018 talk but in more detail.
  • How to extract Rails routes using static analysis
    • Show why it’s hard (loops, conditionals, need to understand Rails’ DSL)
    • Run endpoint finder to determine what it misses and why
    • Write a custom script using semantic
      • Can we use it to reason about loops / symbolic execution and actually get the right answer?
      • Part of the value of this post is - showing methodology of writing custom SA checks
  • How to extract Rails routes when you can’t build
    • Show process of locating rails routes source code
    • Stub out things that fail so rake routes loads everything it needs to and works regardless - even if there are 3rd party deps you don’t have (internal) or can’t get DB stuff working
    • Open source snippets to get it to work
  • The Joy of (Mostly) Seamless Pairing with VS Code
    • From: https://github.com/PracticalProgramAnalysis/security_lint_alpha#pair-programming-with-live-share
    • Basically just give an overview of what you can do, what works, what doesn’t work, etc.
      • Sharing audio requires separate extension
      • Can see output in terminal (but NOT what is highlighted)
      • Can see file browser view but NOT when folders are opened
      • All code view panes seem to sync as expected
      • Can share a port: https://docs.microsoft.com/en-us/visualstudio/liveshare/use/vscode#share-a-server
      • Browser preview requires extension to be installed (for all parties)
      • Running git mv on a file seems to make the collaborator no longer able to view it.
  • NCC blog post/whitepaper - how to determine types and navigate systems (common use case for code reviews)
    • Review LSP, VSCode, JetBrains, Source Graph (how does it work?), Java symbol resolver, ctags, etc.
    • Get Daniel’s help for LLVM/C/clang
    • Make whitepaper Creative Commons licensed so I can use in PPA material, or at least link to it from PPA site.
  • NCC blog post - here’s how to run security checks on every commit in:
    • GitHub Actions, GitLab, AWS/GCP/Azure DevOps, SonarQube, Atlassian Bamboo or whatever, Jenkins/Travis/etc, Komand/ZeroNorth
      • GH has checks API, GH apps, old GH scan API
    • Where you host code, your cloud provider, your CI/CD tool, a third party security orchestration tool, Atlassian whatever
    • Then in PPA blog post - here’s step by step how to do it for GH Actions in detail
  • NCC white paper - a survey of Java static analysis tools
    • Sell it by it being useful to our consultants as well as clients - they often ask us for advice
    • Create a set of criteria to vet everything against
    • Benchmarks: OWASP benchmark, SAMATE, webgoat or other Java goat apps (servlet/), try to find at least a handful of “real” Java apps we can run on (libraries as well as web apps)
    • Tools: FB Infer, Google Error Prone, Kythe, SpotBugs, FindSecBugs, awesome static analysis list, SonarQube, WALA, Soot, LGTM, ShiftLeft
      • Can we use Fortify/Checkmarx on open source? Are we violating EULAs by publishing our comparisons?
    • Open source, free, ease of use, customizability, do rules focus on security or reliability, how long did it take to get set up?, documentation, maintained? FP/TP rate.
  • NCC blog series - I tried this academic tool - does it work, how do you use it, is it useful for appsec professionals or pen testers?
    • 1 week per tool
    • Maybe whitepaper or con talk after I’ve done a few
  • Z3 tutorial, when would you use it?
  • NCC blog post / larger review article - value of property based testing, review the Elixir book, ToB paper/blog posts, etc.
  • Extended blog post / series - “How to get C-Suite buy-in into security”, overcoming objections, what metrics to measure, etc.
    • Interview Yassir, Doug DePerry, Zane, Himanshu, Patrick Heim, Larkin,
  • Blog series - watching vendor material so you don’t have to
    • Watching vendor webinars/reading whitepapers and summarizing technical content, rate it on a scale of 1-5 RSA icons for amount of vendory-ness

Checkmarx - ask a friendly company if I can use it to create some sample tuning blog posts, freely publicly available

  • Show how to use Audit workbench - what’s where
  • Customize sources/sinks
  • Add cleanse function
  • See what files it’s scanning and ignore the appropriate files
  • run only high value rules/create presets, etc.
  • Create new custom sink/source rule that’s org-specific
  • Show how to navigate custom rules and make the decision of where to modify them - up or downstream matters.

Extracting routes from the Internet

  • VueJS
    • app.__vue__ - browser console, can access store and router
    • Can use dev tools - https://booknshelf.com/, https://vuejs.org/v2/guide/
    • https://movingtohttps.com/ - Vue detected but plugin disabled because Vue in prod mode
      • README: “If the page uses a production/minified build of Vue.js, devtools inspection is disabled by default so the Vue pane won’t show up.” - challenge accepted!
      • app.__vue__.$options
      • Vue.config.devtools = true - works but requires a page refresh, plugin has internal state already set, can disable plugin but reenabling it doesn’t refresh UI. Might need to have a separate plugin that runs before Vue plugin or send a message that resets the plugin’s internal state.
    • Check Vue version: Vue.version https://vuejs.org/v2/api/#Vue-version
      • Implementation to detect VueJS - https://github.com/vuejs/vue-devtools/blob/e34da177b909255a46a13667d63681639672c8a3/shells/chrome/src/detector.js#L10
      • Error message: https://github.com/vuejs/vue-devtools/blob/e34da177b909255a46a13667d63681639672c8a3/shells/chrome/popups/disabled.html
    • More targets - https://github.com/vuejs/awesome-vue#appswebsites
    • https://www.leapspotleap.com/#/map - browser plugin says no Vue detected
      • But you can see VueJS errors in the console, and app.__vue__ works
    • https://jobinja.ir/ - devtools detected Vue but disabled because prod mode
    • https://www.leapspotleap.com/#/map - app.__vue__
  • Run JS on a site automatically - https://github.com/GoogleChrome/puppeteer

  • A love letter to secure defaults, or why finding bugs is lame

  • David Scrobonia: What are the best things to automate?
    • What shouldn’t you automate / what shouldn’t you spend time on?
    • I feel like we always see “automate security to scale”, it would be cool to see a more opinionated version of that statement. What problems specifically, how much code should I write vs using tools to help automate, what shouldn’t I try to automate, what does practical automation look like (Jira workflows and github hooks vs writing a whole microservice), etc… I think it’s easy to justify spending an entire quarter building something in the name of automation just to realize that the problem you automated probably wasn’t a priority and you could have purchased a solution
    • I would also love to see a talk one day strictly on what not to spend your time on, I bet you’d have great insight into that

Security Lint

  • Here’s how to set up continuous grepping / linting with GitHub actions / Gitlab CI/CD
  • Walk through examples of building a secure wrapper library for a bug class (e.g. open redirect) and making sure someone uses it
  • Canonical examples of when you’d want better grep
    • Look for methods with this annotation
    • Look for function calls where this arg is/isn’t a hard coded string/int/value
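An added example (not from these notes) for the “Finding command injection in NodeJS code” idea under Static Analysis and the “better grep” items just above: a small check for exec() calls that decides whether the first argument is a hard-coded string or is built from other expressions, compared against the naive regex that only warns when the argument does not begin with a quote. The notes plan to do this with Babel; this stand-in uses a hand-rolled scanner so it runs with no dependencies, and the function names and sample lines are my own.

```javascript
// Added example: reason about the shape of exec()'s first argument instead
// of pattern-matching the call text. Babel would give a real AST; this
// scanner is a dependency-free stand-in that handles the same cases.

// The naive check the notes complain about: warn only when the argument
// does not start with a string literal. exec("bar" + arg) never fires.
const NAIVE_RE = /\bexec\s*\(\s*(?!["'])/;
function naiveWarns(line) {
  return NAIVE_RE.test(line);
}

// Text of exec()'s first argument, up to the first top-level comma or the
// closing paren. String literals are skipped so brackets/commas inside
// them do not confuse the scan. Returns null if no call or unterminated.
function firstArgument(line) {
  const m = /\bexec\s*\(/.exec(line);
  if (!m) return null;
  let i = m.index + m[0].length;
  const start = i;
  let depth = 0;
  for (; i < line.length; i++) {
    const c = line[i];
    if (c === '"' || c === "'" || c === '`') {
      for (i++; i < line.length && line[i] !== c; i++) if (line[i] === '\\') i++;
    } else if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) { if (depth === 0) break; depth--; }
    else if (c === ',' && depth === 0) break;
  }
  return i < line.length ? line.slice(start, i) : null;
}

// Tokens: plain string literal | identifier | '+' | whitespace | anything else.
const TOKEN_RE = /("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|([A-Za-z_$][\w$]*)|(\+)|(\s+)|(.)/g;

// 'constant' when the argument is only string literals joined by '+';
// 'dynamic' as soon as an identifier, call, template literal or any other
// expression appears, on either side of the '+'.
function classifyExec(line) {
  const arg = firstArgument(line);
  if (arg === null) return 'no-call';
  for (const t of arg.matchAll(TOKEN_RE)) {
    if (t[2] || t[5]) return 'dynamic';
  }
  return 'constant';
}

// Constructed sample lines; the third is the case the naive regex misses.
const SAMPLE_LINES = [
  'exec("ls -la")',
  'exec(cmd + " --force")',
  'exec("ping -c 1 " + host, callback)',
  'exec(`tar czf ${archive}`)',
  'exec("echo " + "done")',
];

// Run both checks over the samples; one record per line.
function compareChecks(lines = SAMPLE_LINES) {
  return lines.map(line => ({ line, naive: naiveWarns(line), verdict: classifyExec(line) }));
}
```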

Career advice

  • Should I Get a Graduate Degree in Computer Security?
  • An overview of the jobs in security
  • How to get into computer security

Podcast

  • Email various program analysis people, make a blog post + transcript as well.
  • Dan Guido
  • Kestrel
  • Ben Davis / others at Galois
  • Facebook or Google program analysis people
  • David Molnar or other Microsoft/MSR people
  • Mathias Madou - Secure Code Warrior, building in an IDE
  • Fortify people - Geoff Morrison, Jacob West, Ekaterina, various current people?
  • Sqreen - challenges in building a RASP
  • Signal Sciences - technical details on building a WAF
  • Contrast Security - technical challenges in building a RASP/IAST

Misc

  • Mostly Not Terrible Financial Advice for Technical People Who [Hate Thinking About Financial Stuff | Thinking About Money | The Technical but Financially Illiterate]
    • TODO: reference a bunch of good books and Mad Fientist / Mr. Money Mustache articles.
    • After a draft is done, reach out to Mad Fientist to get his approval, maybe he will tweet about it?

Resources:

  • ISSTA (https://conf.researchr.org/home/issta-2018), PLDI, and associated workshops have some good program analysis + security talks.
  • ICSE too?

Structural thoughts:

  • Consider having an intro for people I know when I cover their work. Paint a human portrait, include some funny details.
  • Dress up as Victorian era England person (monocle and tophat) with mechanical keyboard and pipe - for intro video or picture at the top
    • Sitting in a fancy chair with pipe, reading newspaper that’s printed out HackerNews/Stack Overflow/Reddit

I can’t comment on other fields, as my personal lawyer and “fixer” has informed me, but…

… when I was an -indentured servant- PhD student at… … when I -worked in the mines of Moria- was a PhD student at…

All AppSec Cali 2020 writers

  • Tash Norris (offered on Twitter DM)
  • Nikki Becher (offered at AppSec Cali 2019, DM on Twitter)
  • Daniel DeFreez

Bootstrapping a Security Company

  • Related work: https://www.sramanamitra.com
  • John Villamil - Doyensec
  • Haroon Meer - Thinkst
  • Louis - Pentester Lab
  • Daf - Portswigger
  • Halvar Flake
  • Dan Guido - ToB
  • Caleb Sima
  • Zane Lackey
  • Message People in the Security Founders Slack
  • Himanshu - Data Theorem
  • Samy Kamkar
  • Masha Sedova
  • Abhay Bhargav
  • Frank - NSC42

Being head of research

  • Israeli Guy on LI message -
  • Matt Austin - Contrast
  • ToB head of research
  • Dan Crowley
  • Matt Lewis
  • Jennifer Fernick
  • Caleb Fenton - Sentinel One
  • James Condon - https://www.linkedin.com/in/james-condon/ - Head of Security & Research Lacework
    • https://twitter.com/jameswcondon
    • Responsible for Lacework’s Information Security program to include compliance, corporate security, and product security. Conducts risk assessments, manages organization policies, oversees vulnerability management and remediation, and works across the organization to execute security vision. Additionally, leads the Lacework Labs team tasked with evangelizing and improving products through cloud security research
    • Researches cloud security threats to improve company solutions and contribute to the security community. Evangelizes research through public speaking, blogging, and webinars. Collaborates with engineering teams on detection initiatives.
    • Spoke at several conferences (KubeCon, DerbyCon, BSidesSF, ACoD, RMISC, more) on security topics related to containers, Kubernetes, Linux, and malware. Wrote AWS security configuration checks w/ Python.
  • Chris Elbring - @ChrisElbring - Twitter DM
    • we know a bunch of folks in common. i used to run ioa’s research stuff and started a new firm, anvil, a few years back. we post blogs on interesting security research every once in a while. just wanted you to be aware of us. we love tl;dr. great stuff.
  • Gafnit Amiga - Director of Security Research, Lightspin - https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability
  • Moshe Zioni - https://twitter.com/dalmoz_ - Apiiro
  • https://www.linkedin.com/in/michaelcote/ - staff technologist formerly Pivotal, co-host of software defined talk podcast, former director of marketing at Pivotal, Research Director at 451 Research, director of software and cloud strategy at Dell (going back in time in resume)