About
Hi -- I'm a security researcher and Liverpool FC fan pretending to be a serious software executive. I am endlessly fascinated with the offensive and defensive side of information security, and have sort of spent my entire life in the software security/code security/appsec space!
I started Contrast Security with Jeff Williams. We make (well, they make, now) the best damn vulnerability analysis tool on the market. It works by monitoring the application at runtime and noticing dangerous patterns of execution, which turns out to be way more precise than just scanning the code. The technology and business are successful, having been valued at $1.2B in 2021. Forbes also wrote about this company because of my dad's interesting immigration story.
I left and started Pixee where I now make a GitHub App (@pixeebot) that hardens your code and remediates your vulnerabilities -- fixing the things discovered by the tools people like me make, "closing the loop" of software security. I'm very proud of our free tier -- you can install it today and start getting cool PRs immediately!
Open Source Stuff I Make
Codemodder - a framework for building expressive codemods in Java and Python, one of the core technologies underneath @pixeebot
OWASP AntiSamy - a tool which cleanses HTML of malicious content while retaining the good markup bits. This is amazingly quite widely used, including in Alexa!
Java Security Toolkit - a small library which aims to offer many different security controls for common security use cases, focused on security (of course), developer UX and ease of integration.
JavaSnoop - an awesome but now-unmaintained tool for hacking Java thick clients using dynamic injection instrumentation. You could use it to "just jump into" an arbitrary Java process and start mucking around with lots of power tools. This one deserves a comeback some day, even if nobody uses Java thick clients anymore.
Talks
BlackHat - 2010 - JavaSnoop - a talk whereby I introduce JavaSnoop (discussed above) and get to share with the world my appreciation for Anna Faris.
BlueHat - 2018 - DEP For the App Layer - a discussion on porting the concepts of the memory protections we built into our compiler toolchain and operating systems to the application layer. These concepts were being productized as Contrast Security Protect. Point of pride: customers who used that product were invulnerable to log4shell!
OWASP AppSec - 2016 - How to Find the Next Great Deserialization CVE - my attempt to demystify the deserialization vulnerability discovery and exploitation process, walking through some CVEs I found.
OWASP AppSec - 2012 - Static Analysis of Java Class Files for Quickly and Accurately Detecting Web Language Encoding Methods - a presentation with Matt Paisner (one of my best interns ever!) on cheap, fast and wide heuristic detection of security controls in the Java ecosystem, with the purpose of adding them automatically to a security tool's knowledge base. This work was productized into Contrast Assess and helped the accuracy of XSS detection quite a bit!
OWASP AppSec - 2008 - Next Gen Cross Site Scripting Worms - an exploration of building a maximally effective (i.e., remotely controlled, tamper-resistant, domain-jumping) stored XSS worm. The talk was structured along the analysis framework Jose Nazario laid out in his excellent work on network worms.
Misc
CVE-2016-0792 - an interesting deserialization RCE in Jenkins with an original gadget chain. It's a really "pretty" deserialization exploit, which is rare! Here is the Metasploit module.
CVE-2009-2705 - two XSS filter bypasses involving null-byte injection and canonically decomposable UTF in CA SiteMinder.
Bypassing Web Authentication and Authorization with HTTP Verb Tampering - this is happily considered the seminal paper on this bug class, and showed how web frameworks' configuration design was confusing developers and leading them to create dangerous, bypassable web security, including in many of the frameworks' own examples and documentation.
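The two bypass classes named in the CVE-2009-2705 entry above, modelled generically. This is an added example and not the SiteMinder payloads (the page does not give them): a blocklist filter that inspects input before a downstream pipeline canonicalises it. The downstream steps (drop NUL bytes, Unicode NFKD, strip combining marks) and the payload strings are assumptions constructed to make the ordering bug visible; the canonical-decomposition payload relies on the real Unicode property that U+226E and U+226F decompose canonically to `<` and `>` followed by U+0338.

```python
# Added example, not from the original page: filter-before-canonicalisation
# bug, shown with a NUL-byte payload and a canonically decomposable one.
import unicodedata

BLOCKLIST = ("<script", "javascript:", "onerror=")


def naive_filter(s: str) -> bool:
    """Blocklist check on the raw input as received. True means 'clean'."""
    low = s.lower()
    return not any(needle in low for needle in BLOCKLIST)


def downstream_canonicalize(s: str) -> str:
    """Assumed behaviour of the rest of the pipeline, which runs AFTER the
    filter: NUL bytes vanish, Unicode is decomposed (NFKD) and combining
    marks are dropped. The filter never saw this form of the data."""
    s = s.replace("\x00", "")
    s = unicodedata.normalize("NFKD", s)
    return "".join(ch for ch in s if unicodedata.category(ch) != "Mn")


def hardened_filter(s: str) -> bool:
    """Reject NUL outright, then apply the check to the same canonical form
    the consumer will see. (Contextual output encoding is still the real
    XSS defence; this only fixes the filter's ordering bug.)"""
    if "\x00" in s:
        return False
    return naive_filter(downstream_canonicalize(s))


# Constructed payloads (assumptions, not the CVE's own).
NUL_PAYLOAD = "<scr\x00ipt>alert(1)</script>"
# U+226E NOT LESS-THAN has the canonical decomposition '<' U+0338,
# U+226F NOT GREATER-THAN has '>' U+0338: no '<' appears in the raw input.
DECOMP_PAYLOAD = "\u226escript\u226falert(1)\u226e/script\u226f"
# Fullwidth forms U+FF1C / U+FF1E: a compatibility decomposition, same effect.
FULLWIDTH_PAYLOAD = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"


def bypasses(filter_fn, payload: str) -> bool:
    """True when the filter passes the payload but the form the consumer
    ends up with is one the filter would have rejected."""
    return filter_fn(payload) and not naive_filter(downstream_canonicalize(payload))


if __name__ == "__main__":
    for name, payload in (("NUL", NUL_PAYLOAD), ("NFD", DECOMP_PAYLOAD),
                          ("fullwidth", FULLWIDTH_PAYLOAD)):
        print(f"{name:10} naive bypass={bypasses(naive_filter, payload)!s:5} "
              f"hardened bypass={bypasses(hardened_filter, payload)}  "
              f"consumer sees {downstream_canonicalize(payload)!r}")
```

The point to take from the model is the order of operations, not the particular characters: any transformation the consumer applies after the filter (NUL stripping, normalisation, decoding, accent removal) is a decoder the attacker gets for free. Canonicalise to exactly the consumer's form first, or reject input that is not already in that form.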
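The configuration trap the verb tampering paper is about, as an added example that is not from the paper or from any project on this page: a small simulator of how a Java EE container matches `<security-constraint>` entries against a request. The `web.xml` fragments are constructed for this example. The matching rules follow the Servlet specification as I understand it: a `<web-resource-collection>` that lists `<http-method>` elements covers only those verbs, so any other verb on the same path (HEAD, PUT, or an arbitrary token) is uncovered and reaches the servlet with no authentication check at all. `<http-method-omission>` (Servlet 3.0) and `<deny-uncovered-http-methods/>` (Servlet 3.1) are real descriptor elements; the simulator's handling of them is my reading of the spec, not container code.

```python
# Added example, not from the original page: simulates Java EE
# <security-constraint> matching to show the HTTP verb tampering bypass.
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed descriptor. The trap: listing <http-method> narrows the
# constraint to GET and POST; every other verb on /admin/* is uncovered.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Fix: no <http-method> at all, so the constraint covers every verb.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")

# Servlet 3.1 alternative: keep the method list but make the container reject
# (403) any verb the constraints leave uncovered instead of letting it through.
DENY_UNCOVERED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<web-app>", "<web-app>\n  <deny-uncovered-http-methods/>")


def _parse(web_xml: str) -> ET.Element:
    root = ET.fromstring(web_xml)
    # Real descriptors carry a default xmlns; strip it so bare tag names match.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _text(el) -> str:
    return (el.text or "").strip()


def _pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern forms: '/', '/prefix/*', '*.ext', or an exact path."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(web_xml: str, path: str, method: str) -> Optional[set]:
    """Roles the container would demand for (path, method).

    None  -> uncovered: no constraint names this verb on this path, so the
             container performs no authentication check (the bypass).
    set() -> covered but denied to everyone (empty <auth-constraint/>, or an
             uncovered verb when <deny-uncovered-http-methods/> is declared).
    {"*"} -> covered and open to everyone (constraint without <auth-constraint>).
    """
    root = _parse(web_xml)
    method = method.upper()
    matched = []
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            if not any(_pattern_matches(_text(p), path) for p in wrc.findall("url-pattern")):
                continue
            listed = {_text(m).upper() for m in wrc.findall("http-method")}
            omitted = {_text(m).upper() for m in wrc.findall("http-method-omission")}
            if listed and method not in listed:   # the verb tampering hole
                continue
            if omitted and method in omitted:
                continue
            auth = sc.find("auth-constraint")
            matched.append({"*"} if auth is None
                           else {_text(r) for r in auth.findall("role-name")})
    if not matched:
        return set() if root.find("deny-uncovered-http-methods") is not None else None
    if any(not m for m in matched):
        return set()        # an empty <auth-constraint/> overrides the rest
    if any("*" in m for m in matched):
        return {"*"}        # a constraint with no <auth-constraint> opens access
    return set().union(*matched)


def is_allowed(web_xml: str, path: str, method: str, user_roles=()) -> bool:
    roles = required_roles(web_xml, path, method)
    if roles is None or "*" in roles:
        return True
    return bool(roles & set(user_roles))


def uncovered_collections(web_xml: str) -> list:
    """Audit: names of <web-resource-collection>s that list or omit verbs
    without <deny-uncovered-http-methods/>, i.e. that leave verbs unprotected."""
    root = _parse(web_xml)
    if root.find("deny-uncovered-http-methods") is not None:
        return []
    return [_text(wrc.find("web-resource-name")) for wrc in root.iter("web-resource-collection")
            if wrc.find("http-method") is not None or wrc.find("http-method-omission") is not None]


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML),
                       ("deny-uncovered", DENY_UNCOVERED_WEB_XML)):
        for verb in ("GET", "HEAD", "JEFF"):
            print(f"{label:15} {verb:5} /admin/users anonymous -> "
                  f"{'ALLOWED' if is_allowed(cfg, '/admin/users', verb) else 'denied'}")
```

HEAD is the practical verb here: most servlet containers route a HEAD through the same code as GET, so the handler runs with the authorization check skipped; an arbitrary token works too wherever the container dispatches unknown verbs. The audit function encodes the rule of thumb from the paper: a `security-constraint` that names HTTP methods is almost always a mistake, and where a method list is really wanted, `<deny-uncovered-http-methods/>` turns the leftover verbs into a 403 rather than a hole.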