Security research projects, tool development, and technical analysis work.
Feb. 9, 2020
Project: Custom SAST integration for CI/CD pipeline
Overview: Developed automated security tooling to integrate static analysis into the development workflow, catching vulnerabilities before code reaches production.
Features:
- Automated scanning of commits and pull requests
- Pattern matching for common vulnerability classes (SQL injection, XSS, hardcoded secrets)
- Integration with GitHub/GitLab for inline code comments
- Configurable severity thresholds and blocking rules
- False positive filtering with machine learning classification
Technologies: Python, AST parsing, regular expressions, CI/CD integration (GitHub Actions / Jenkins)
Feb. 6, 2020
Research Focus: State management vulnerabilities in distributed systems
Overview: Researched state desynchronization vulnerabilities where client-side and server-side state diverge, leading to authorization bypasses and unintended access.
Methodology:
- Mapped state transitions across multi-step workflows
- Identified critical decision points dependent on state
- Tested edge cases: network interruptions, concurrent requests, malformed state data
- Developed proof-of-concept exploits demonstrating impact
Example Vulnerability: A multi-step checkout flow that allows price manipulation by tampering with state between steps.
Impact: Unauthorized access to restricted functionality, data integrity violations, business logic bypass.
Jan. 23, 2020
Project: Analysis of C/C++ authentication mechanisms
Overview: Reverse engineered native binaries to understand authentication flow, credential storage, and cryptographic implementations. Focus on identifying hardcoded secrets and weak cryptographic primitives.
Technical Approach:
- Static analysis using IDA Pro and Ghidra
- Dynamic analysis with x64dbg for runtime behavior observation
- Memory inspection to locate credential storage
- Control flow graph analysis to map decision points
Findings: Discovered weak key derivation, insufficient input validation, and timing vulnerabilities in authentication routines.
Jan. 21, 2020
Project: Custom Java agent for runtime method instrumentation
Overview: Developed a dynamic instrumentation framework to monitor JVM application behavior at runtime. The tool hooks critical methods, logs parameter values and return data, and tracks state transitions across distributed system boundaries.
Technical Approach:
- Java Instrumentation API for bytecode manipulation
- ASM library for low-level class transformation
- Custom logging framework with minimal performance overhead
Use Case: Identifying logic flaws in authentication workflows by observing actual runtime behavior vs. documented specifications.
Jan. 21, 2020
Project: Custom fuzzer for proprietary network protocols
Overview: Built a targeted fuzzing framework to test custom application-layer protocols for input validation vulnerabilities and unexpected state transitions.
Technical Approach:
- Python-based fuzzer with modular mutation strategies
- Wireshark protocol dissectors for traffic analysis
- Automated crash detection and reproduction
- Coverage-guided input generation
Results: Identified multiple input validation bypasses and edge-case handling failures that could lead to denial-of-service or information disclosure.
Tools Used: Python, Scapy, Wireshark, custom mutation engine
Jan. 7, 2020
Project: Security-first REST API with comprehensive input validation
Overview: Designed and implemented a backend API with security integrated at every layer—from request validation to authorization enforcement to secure data handling.
Security Controls Implemented:
- Schema-based request validation with strict type checking
- Role-based access control (RBAC) enforced at every endpoint
- Parameterized queries to prevent SQL injection
- Rate limiting and request throttling
- Comprehensive audit logging (excluding sensitive data)
- Secrets managed via environment-specific vaults
Technologies: Python (Flask/FastAPI), PostgreSQL, Redis (caching/rate limiting), Docker