About Punkcoder

I am a Software Developer with a passion for Security, ALM, Agile, and Coding Practices. I have been working in .NET as a developer for over a decade, and as a network admin for years before that. I have worked for large companies and small ones, many that you would recognize, some that you probably interact with. I am opinionated and deeply curious about the world. If you have a problem, there is a good chance that I would be interested in hearing about it. More than that, I want to help others, mostly because I believe that helping a single person raises the quality for everyone.



Blog Posts

Nebraska Code 2018

Published On: Apr 9, 2018

So it’s been a little bit since there was an update, but I have exciting news coming down the pipe… I will be presenting three sessions this year at Nebraska.Code(). I decided that I would be branching out this year and attempting to add another conference to Prairie.Code(); that was until I found out that there wouldn’t be a Prairie.Code() this year. While I am sad to see it go, I think that with the proximity of the two conferences it’s probably for the best.

The great news is that I managed to get three of my sessions accepted this year, and one of the sessions is an 8 hour workshop. So without any further yapping from me, here are the sessions that I will be presenting at Nebraska.Code().

Application Security or Hacking yourself everyone else is…

Software security isn’t a tool or a library. Everyone knows that you should check your parameters and watch out for SQL injection, but is that really enough? If you have never had the opportunity to spend time hacking your own applications, you are really doing yourself a disservice. More than ever, the web is becoming an increasingly hostile environment, and because of it developers really need to step up their game. In this session we will go over some of the methodologies that we use internally to test applications, helping developers think more strategically about designing applications for general security. As part of this conversation I will go over active attacks that we have seen against production sites, using sterilized examples.


Offensive Application Security for Developers…

Application developers are the first line in defending applications from attack. There are thousands of software and hardware solutions that attempt to make your software safer and more secure, but in the end, if the software isn’t developed properly and securely, no amount of software or hardware is going to protect you. In this session I plan to go over identifying weak code, testing for it, and fixing it.

In this session we will go in depth through the process of doing application security testing on your own applications. As part of the session we will identify all of the items on the OWASP Top 10, see how to test for them using DVWA (the Damn Vulnerable Web Application), and talk about strategies to mitigate them.

Requirements: students attending the class must have:

  • A laptop that they have root or administrator access to.
  • A laptop capable of running a VirtualBox virtual machine: multi-core, with 8 GB+ of RAM.
  • All materials outside of these requirements will be provided.


Privacy By Design: Software Development in the age of GDPR

This conversation is an in-depth dive into the important parts of GDPR for software developers. Even though GDPR is a European standard, there’s no denying that this is the direction the software industry is going: more emphasis will be placed on protecting the data that customers and businesses rely on. In this conversation we will discuss the GDPR, the impacts of this law, and what can be done from the software development side to make sure we develop software that follows defense-in-depth practices.


Pluralsight IQ

Published On: Mar 7, 2018

For a long time I think it’s been difficult for me to prove where on the developer scale I am, or where a candidate that I am talking to is, relatively speaking. This is the main problem that I’ve had with interviewing on both sides. The problem is that most of the assessments are too easy or don’t cover the depth that I would expect. This ends up leading the interviewing process down the road of trying to figure out if the person on the other end of the phone is capable of doing their job, far more than the important question of whether they are a good fit for the company. This led me down the road of asking more analytical questions than questions relating to programming. My favorite question from this was asking a candidate to act as a consultant and tell me the factors that they would take into account to help me estimate the number of X items in a city.

I have been a subscriber to Pluralsight for a long time, off and on through various companies and for a while paying for it on my own.

New Job and the Internet

Published On: Dec 15, 2017

So it’s been a long time since there has been an update.

Prairie.Code() 2017

I wanted to give a big thumbs up to everyone who came out to see me speak at this year’s Prairie.Code(). We had a good time talking about application security and the joys of software consulting. To everyone out there who missed it this year, you should get on it… see you there next year.

10-4

After some heavy contemplation, I ended up leaving my position at BlueBolt, Inc. There comes a point where you realize that, because of various forces, you are no longer offering the same level of value that you once were.

Since then I have taken up a developer position, with some security tasks as part of the role, with 10-4. Coming on about two and a half months into the job, I am finally starting to feel like I’ve got a better handle on the work that they are doing.

Net Neutrality

This one came down the pipe yesterday and the paint isn’t even really dry on it, so I really can’t say that there is a whole lot to talk about, but I am working on some things that might be helpful in the future fight. If you are interested you can find out more information here, as it will be better kept up to date: https://github.com/punkcoder/NetNeutrality-BlockList

Rebuild CentOS Environment

Published On: Aug 21, 2017

Today, as part of one of the projects that I am working on, we needed to rebuild an environment and the hosting provider wouldn’t give us the pieces that we needed, so in a couple of quick minutes I managed to build a quick script that I thought I would share. The problem is that we have a client that we are doing work for, and one of the modules on their site isn’t behaving as we would expect. So the first step in this process was going through and making sure that our environment matched as much as possible. We talked with the hosting provider and they were more than happy to sell us another environment.

First I had to get the information about all of the packages installed on the server, and where they were coming from.

yum list installed > installed.txt
yum -v repolist > repolist.txt

Once this was done it was easy enough to parse out the information and use it to build a build script.

import re

def build_repos(output):
    # Parse `yum -v repolist` output and emit one yum-config-manager line per repo base URL
    print('[+] Reading from the repolist file...')
    output = output + "# installing repos\n"
    with open('repolist.txt') as repofile:
        for l in repofile:
            if l.startswith("Repo-baseurl : "):
                link = l.replace('Repo-baseurl : ', '').split(' ')[0].strip()
                output = output + "sudo yum-config-manager --add-repo " + link + " \n"
    output = output + "\n\n"
    return output

def build_install(output):
    # Parse `yum list installed` output into a single version-pinned yum install line
    print('[+] Reading from installed packages file...')
    output = output + "# installing packages \n"
    output = output + "sudo yum install"
    # strips the epoch prefix from a version, e.g. "1:" in "1:10.1.26-1.el7"
    finder = re.compile(r"[0-9]{1,3}:")
    with open('installed.txt', 'r') as pkgfile:
        for l in pkgfile:
            if l.startswith("Loaded plugins:"):
                continue
            if l.startswith("Installed Packages"):
                continue
            # drop the empty tokens left behind by yum's column padding
            lineparts = [item for item in l.split(' ') if item]
            # entries that yum wraps onto two lines (long package names) have fewer
            # than three tokens per line and are skipped here
            if len(lineparts) > 2:
                package = finder.sub("", lineparts[0].replace('.x86_64', '').replace('.noarch', ''))
                version = finder.sub("", lineparts[1])

                # Apparently the MariaDB people are not friendly with old versions
                if package.startswith("MariaDB"):
                    output = output + " " + package + " "
                else:
                    output = output + " " + package + "-" + version
    output = output + " --nogpgcheck"
    return output

def write_file(output):
    print('[+] Writing install of packages to install.sh...')
    with open('install.sh', 'w') as outputfile:
        outputfile.write(output)

if __name__ == "__main__":
    output = ""
    output = build_repos(output)
    output = build_install(output)
    write_file(output)
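Going a little beyond the script above, here is an added example (my own code, not the original post's) that handles two cases the script skips, entries that `yum list installed` wraps onto two lines and epoch-prefixed versions, and that flags plain-http repo base URLs so the generated install line can keep GPG checking on rather than passing --nogpgcheck. The sample yum output, the repo URLs and the function names are constructed for the example.

```python
import re

# Constructed sample of `yum list installed` output. Note the wrapped entry
# (long name pushes version/repo to the next line) and the "1:" epoch prefix.
SAMPLE_INSTALLED = """Loaded plugins: fastestmirror
Installed Packages
bash.x86_64                 4.2.46-31.el7           @base
MariaDB-server.x86_64       1:10.1.26-1.el7.centos  @mariadb
python-requests-oauthlib.noarch
                            0.4.0-1.el7             @epel
"""
# Constructed sample of the `yum -v repolist` lines this parser cares about.
SAMPLE_REPOLIST = """Repo-id      : base/7/x86_64
Repo-baseurl : http://mirror.centos.org/centos/7/os/x86_64/
Repo-id      : epel/x86_64
Repo-baseurl : https://dl.fedoraproject.org/pub/epel/7/x86_64/
"""
EPOCH = re.compile(r"^[0-9]{1,3}:")            # strips "1:" style epoch prefix
ARCH = re.compile(r"\.(x86_64|noarch|i686)$")  # strips trailing arch suffix

def parse_installed(text):
    """Return [(name, version)], joining entries that yum wrapped onto two lines."""
    packages, pending = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.startswith(("Loaded plugins:", "Installed Packages")):
            continue
        if pending is not None:          # continuation of a wrapped entry
            parts, pending = [pending] + parts, None
        if len(parts) < 3:               # name alone: its version is on the next line
            pending = parts[0]
            continue
        packages.append((ARCH.sub("", parts[0]), EPOCH.sub("", parts[1])))
    return packages

def parse_repos(text):
    """Return the Repo-baseurl values from `yum -v repolist` output."""
    return [l.split(":", 1)[1].split()[0] for l in text.splitlines()
            if l.startswith("Repo-baseurl")]

def insecure_repos(urls):
    """Plain-http base URLs, where the package GPG signature is the only integrity check."""
    return [u for u in urls if u.startswith("http://")]

def install_line(packages, unpinned=("MariaDB",)):
    """Version-pinned install command without --nogpgcheck; names starting with a
    prefix in `unpinned` (repos that drop old versions) are installed unpinned."""
    specs = [n if n.startswith(unpinned) else f"{n}-{v}" for n, v in packages]
    return "sudo yum install -y " + " ".join(specs)
```

Feeding the real `installed.txt` and `repolist.txt` contents to these functions gives the same install line as the script, minus the signature bypass, plus a list of repos worth switching to https before trusting the rebuild.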

At the end of the process I ended up spending more time waiting on the CentOS ISO to download than processing and building a build script. Pretty useful stuff. At this point I am trying to figure out if it’s worth the effort to keep the configurations synced up, or if I should just use this as a one-off.

Anyway, I thought that I would pass this along in the event that someone finds it useful.

DEFCON 25 Wrap Up

Published On: Aug 7, 2017

Another DEFCON down and I am still trying to process all of the information. I love the conference because every time I go, I end up with more questions and more things to look into than when I went. Overall I would say that the theme of this year’s conference was chaos: there were a lot of improvements over the past couple of years, but everything seemed a little scattered. This year there was more than enough seating in all of the main tracks; however, they were so far apart that you had a tendency to stick close to one of the tracks that had more of the talks that you wanted to see.

One of the better talks that I sat in on was “The Brain’s Last Stand”, which is already available here. But there were a lot of other really good talks that I will try to track as they come online. By far the winner, though, was a talk on digital archeology… it was a great talk and I will try to link to it once it goes online.

I ended up getting into two of the workshops, which were amazing, and I really enjoyed the work that I got to do. I got a lot out of it; one of these years, though, I really need to dig deeper into the villages. For next year, I think I will only do one of the workshops if possible, as it just ends up taking too much of the conference time.

Bravo to all of the organizers putting everything together; you all do an amazing job year after year, getting the best conference together with the most passionate people. I will see you all again next year.