Erstwhile computer scientist, programmer/software developer, application security enthusiast.
DevSec(?:Ops)?
This personal site serves as a blog host and something of an online CV.
Penetration Testing: Amateur Hour In this post, I am essentially going to fire up the OWASP Juice Shop (OJS) locally, navigate to the scoreboard to see the intended challenges, and then have a go at solving as many as I think I have a hope in heck of achieving. Given that I am not a penetration tester (in fact, I think I’d probably be rubbish as a professional pentester if I attempted it), I don’t expect to solve all that many of the challenges, at least not without getting some significant hints from elsewhere....
I Have A Problem With Design Patterns Just in case the title and heading didn’t tip you off, I have a problem with software design patterns. The problem isn’t actually with the design patterns themselves, nor (necessarily) with the people who promote them. My problem, at its root, is how people treat them with an unquestioning semi-religious idolatry, and also use them as a way to declare themselves superior to others in a most idiotic fashion....
Irksome Lingo It is common amongst the non-executive types to deride so-called ‘execu-speak’. That is, words and phrases which sound trite, stupid or (sometimes) like disingenuous euphemisms. While there can sometimes be some justification for such criticism, quite a lot of that vocabulary is simply, in essence, the jargon of that field. Software developers are actually at least as guilty of overusing sayings, re-using lexicon from somewhere else such that it makes little sense in the original context,1 and just plain using words and phrases that irritate me....
I’m a little iffy on Passkeys In case you haven’t heard, passkeys are the new saviour of the security world (yes, I do say that with a tinge of sarcasm). In fact, Google apparently just recently switched their default credential system for Gmail over to passkeys from regular-old usernames & passwords. Passkeys are so strongly considered to be the way of the future that both 1Password and BitWarden seemingly bought passkeys-focused startups so that they could add the capability to their products (I didn’t manage to track down any announcements or old news articles confirming that, though)....
On Government Surveillance Via Data Brokers I listen to a number of podcasts that have at least a partial focus on digital privacy. Most notably, these include The Privacy, Security and OSINT Show and Surveillance Report, while Risky Business also tends to touch on such matters at times. I have also listened to others in the past, but they either have stopped running, or I found something about them off-putting. I also read the Firewalls Don’t Stop Dragons newsletter....
Deploying the Juice Shop to AWS, the manual way This post covers various attempts to deploy the OWASP Juice Shop (OJS) application on AWS. Multiple approaches are trialled, with the common element between them being that these are all fairly manual ‘point-and-click’ style methods. Good for getting oneself up and running the first time, while getting to grips with AWS. Not so good for reliable, reproducible deployments, however. For the purposes of the remainder of this series of blog posts, I will be using OJS v15....
Securing REST API Endpoints (or 15 Steps to Avoid Another Optus) While I was working at Cosive, I wrote a blog post outlining some of the usual advice around securing REST API endpoints, with a particular view to preventing data leaks. This was inspired by the then-recent leak of customer personally identifiable information from the systems of Australian telecommunications outfit Optus. It was titled “Securing REST API Endpoints (or 15 Steps to Avoid Another Optus)”....
My Weekend With PHP For certain reasons, I spent most of this weekend diving into scratching the surface of PHP, a language of which I have been aware for a long time but never actually touched until now. In case you somehow are reading this yet have never heard of PHP, it summarises itself thusly: A popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world....
Difficulties getting started with AWS Summary A short overview of some of the many issues I encountered when trying to get myself up and running with AWS. AWS Doesn’t Like Itself? After creating an AWS root user account, I followed their introductory instructions to create a new AWS organisation and an Administrator user inside said organisation, in accordance with best practices (i.e. don’t use your root user account for anything but administration of the overall organisation)....
Deploying, and then Securing, the OWASP Juice Shop Application Summary I shall deploy the deliberately-vulnerable OWASP Juice Shop application to ‘the cloud’, and then use various techniques and tools to (attempt to) secure it. Introduction OWASP Juice Shop is one of OWASP’s flagship projects, and is a deliberately-vulnerable web application. It is used to demonstrate various vulnerabilities that can exist in real applications (including the whole of the OWASP Top 10), for the benefit of all three of builders, breakers and defenders....