James Cooper, Ph.D.

Erstwhile computer scientist, programmer/software developer, application security enthusiast.

DevSec(?:Ops)?

This personal site serves as a blog host and something of an online CV.

Deploying Then Securing the OWASP Juice Shop, Part Six of ?

Penetration Testing: Amateur Hour In this post, I am essentially going to fire up the OWASP Juice Shop (OJS) locally, navigate to the scoreboard to see the intended challenges, and then have a go at solving as many as I think I have a hope in heck of achieving. Given that I am not a penetration tester (in fact, I think I’d probably be rubbish as a professional pentester if I attempted it), I don’t expect to solve all that many of the challenges, at least not without getting some significant hints from elsewhere....

January 6, 2024 · 30 min · 6297 words · James Cooper

My Problem With Design Patterns

I Have A Problem With Design Patterns Just in case the title and heading didn’t tip you off, I have a problem with software design patterns. The problem isn’t actually with the design patterns themselves, nor (necessarily) with the people who promote them. My problem, at its root, is how people treat them with an unquestioning semi-religious idolatry, and also use them as a way to declare themselves superior to others in a most idiotic fashion....

December 16, 2023 · 8 min · 1500 words · James Cooper

Phrases in Programming That Irk Me

Irksome Lingo It is common amongst the non-executive types to deride so-called ‘execu-speak’. That is, words and phrases which sound trite, stupid or (sometimes) like disingenuous euphemisms. While there can sometimes be some justification for such criticism, quite a lot of that vocabulary is simply, in essence, the jargon of that field. Software developers are actually at least as guilty of overusing sayings, re-using lexicon from somewhere else such that it makes little sense in the original context, and just plain using words and phrases that irritate me....

October 28, 2023 · 6 min · 1067 words · James Cooper

I'm a little iffy on Passkeys

I’m a little iffy on Passkeys In case you haven’t heard, passkeys are the new saviour of the security world (yes, I do say that with a tinge of sarcasm). In fact, Google apparently just recently switched their default credential system for Gmail over to passkeys from regular-old usernames & passwords. Passkeys are so strongly considered to be the way of the future that both 1Password and BitWarden seemingly bought passkeys-focused startups so that they could add the capability to their products (I didn’t manage to track down any announcements or old news articles confirming that, though)....

October 22, 2023 · 7 min · 1393 words · James Cooper

On Government Surveillance Via Data Brokers

On Government Surveillance Via Data Brokers I listen to a number of podcasts that have at least a partial focus on digital privacy. Most notably, these include The Privacy, Security and OSINT Show and Surveillance Report, while Risky Business also tends to touch on such matters at times. I have also listened to others in the past, but they either have stopped running, or I found something about them off-putting. I also read the Firewalls Don’t Stop Dragons newsletter....

September 10, 2023 · 5 min · 925 words · James Cooper

Deploying Then Securing the OWASP Juice Shop, Part Two of ?

Deploying the Juice Shop to AWS, the manual way This post covers various attempts to deploy the OWASP Juice Shop (OJS) application on AWS. Multiple approaches are trialled, with the common element between them being that these are all fairly manual ‘point-and-click’ style methods. Good for getting oneself up and running the first time, while getting to grips with AWS. Not so good for reliable, reproducible deployments, however. For the purposes of the remainder of this series of blog posts, I will be using OJS v15....

August 10, 2023 · 42 min · 8809 words · James Cooper

Securing REST APIs Against Data Leaks

Securing REST API Endpoints (or 15 Steps to Avoid Another Optus) While I was working at Cosive, I wrote a blog post outlining some of the usual advice around securing REST API endpoints, with a particular view to preventing data leaks. This was inspired by the then-recent leak of customer personally identifiable information from the systems of Australian telecommunications outfit Optus. It was titled “Securing REST API Endpoints (or 15 Steps to Avoid Another Optus)”....

August 5, 2023 · 3 min · 622 words · James Cooper

My Weekend With PHP

My Weekend With PHP For certain reasons, I spent most of this weekend diving into scratching the surface of PHP, a language of which I have been aware for a long time but never actually touched until now. In case you somehow are reading this yet have never heard of PHP, it summarises itself thusly: A popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world....

July 30, 2023 · 8 min · 1690 words · James Cooper

Deploying Then Securing the OWASP Juice Shop, Part One-Point-Five of ?

Difficulties getting started with AWS Summary A short overview of some of the many issues I encountered when trying to get myself up and running with AWS. AWS Doesn’t Like Itself? After creating an AWS root user account, I followed their introductory instructions to create a new AWS organisation and an Administrator user inside said organisation, in accordance with best practices (i.e. don’t use your root user account for anything but administration of the overall organisation)....

July 24, 2023 · 9 min · 1748 words · James Cooper

Deploying Then Securing the OWASP Juice Shop, Part One of ?

Deploying, and then Securing, the OWASP Juice Shop Application Summary I shall deploy the deliberately-vulnerable OWASP Juice Shop application to ’the cloud’, and then use various techniques and tools to (attempt to) secure it. Introduction OWASP Juice Shop is one of OWASP’s flagship projects, and is a deliberately-vulnerable web application. It is used to demonstrate various vulnerabilities that can exist in real applications (including the whole of the OWASP Top 10), for the benefit of all three of builders, breakers and defenders....

July 11, 2023 · 6 min · 1124 words · James Cooper