It’s now easy to run custom Rego policies against your live AWS account(s) with Trivy, as of version v0.33.0. In this post I’ll run through several example policies to demonstrate how it works and...

What is Trivy? Trivy is a multifunctional, open-source security scanner. It can scan various targets (filesystems, containers, git repositories and more) in order to discover security issues (vuln...

Recently I looked into writing a custom linter for an open-source project called defsec. We had a fairly unique problem with an all-too-frequent bug. We decided if we could catch this type of bug a...

It’s been a while since I’ve done an XSS write-up, and the latest Intigriti challenge was fun, so here goes… 0x00: Initial Recon The site provided by Intigriti is a single-page application that s...

A slow test-suite/build is one of the most frustrating hurdles to productivity for software engineers. Here are a few tips to speed things up with Go… 1. Run Tests in Parallel Go runs each test i...

I’ve been using Rego a lot lately and have been very pleased with it. Like any technology though, it can be abused - especially if used irresponsibly. I was inspired by this post about IaC supply-c...

Recently, tfsec added support for applying Rego policies to your Terraform code. Clear rules can be written against simple data structures, whilst providing the developer with a wealth of informati...

The Dirty Pipe vulnerability allows users to write to files for which they should only have read access. I recommend reading Max Kellermann’s vulnerability abstract to get a good grounding in how i...

The following guide will help you to set up Google Authenticator based 2FA for OpenVPN on EdgeOS 2.0+ devices. It’s recommended to ensure you have another method to access your device in case you a...

The following is my write-up for the March 2021 Intigriti XSS challenge. Let’s Get Started… The challenge takes place on a single web page, though this one appears more dynamic than those I’ve ...