This article is for you if you’re a senior developer, team leader, project manager, scrum master, or architect and you’re having trouble enforcing the required security quality. I had dozens of coffee conversations with developers during the security awareness workshops I ran, and they gave me valuable insights into application…

How does an internal event dedicated to security make a difference? Why keeping your security team in one place is a bad idea? No matter if you’re a senior developer, team leader, project manager, scrum master or architect — If you have trouble implementing the appropriate security quality then this…

This is a story about one of my most interesting findings without a happy ending. Spoiler alert — the bug was closed as duplicace. Duplicate is still a valid bug and in this case it’s yet another reason to improve my automation. Moreover I also learned a bit finding it. …

Long time no see. I will improve I promise. Maybe. NVM. Staying in application development area as in previous post. Some time ago I was interested in applications created in Ruby. I did some review of trending GitHub repositories and I noticed that some of them contain a Rakefile file. To…

I observed that some application deployment’s automation is done by the use of shell scripts, mostly files with .sh extensions. Based on the popular filenames found on GitHub (search for site:github.com ext:sh) I routinely check for such files during bug bounty hunting in my spare time. Once it ended up…

REAMDE.md file is meant to be helpful. It is the first file to check when you look into a new project on GitHub, see here. That’s perfectly fine from developer’s perspective. Sometimes this file stays as a development leftover all the way from the test environment to production. If it…

I love sensitive information exposure bugs. They are getting more attention at last. Below a short story about leaked Node.js code and OAuth client id and client secret which I found in there. Recon One of my bug bounty recon tools discovered a package.json file which looked interesing. The package.json file…