less than 1 minute read

Welcome to my site, I am a Security Engineer at Appfolio.

I like dynamic code analysis, and tools that allow for better awareness from a security point of view in different environments.

Whether this is through training or tools that are meant to be used in Incident Response, they can include…

  • Writing security training applications like destiny_app
  • Writing ruby code that will do correlation for me (Who likes reading logs anyway)
  • Using static code analysis tools like brakeman

Past efforts included developing a ruby script that can be required into any other ruby program that will report a specific vulnerability present in the loaded classes. I would use this in security assessments as a complement to static code analysis with brakeman to find silly code like the following…

# Hello I am a method YAML.load likes to use to allow code injection.
def []= key, val
  instance_eval "@#{key}=\"#{val}\""