Congrats and nice work Michael Färber!
https://github.com/01mf02/jaq/releases/tag/v3.0.0
#jq #jaq
Software toolsmith — application security, automated bug finding, secrets detection
I did binary static analysis for a few years, then spent a couple years *using* static analysis tools in anger to find security issues in C++ code. I did a couple years of client-facing appsec engagements. I've written lots of fuzzers and read a lot of code.
The past 4 years I've worked on secrets detection. I authored and maintained Nosey Parker, the fastest regex-based secrets detector out there, frequently used during offensive security engagements.
Currently a Principal Security Researcher at Truffle Security, working on all things secrets-related.
Formerly at Praetorian / Trail of Bits / Ab Initio Software / Veracode.
| Website | https://bradfordlarsen.com |
| GitHub | https://github.com/bradlarsen |
| Nosey Parker | https://github.com/praetorian-inc/noseyparker |
Did you know that Go's 'encoding/json' package, in addition to its inability to express required fields in serialization, also is usually slower than Python's already-slow 'json' library?
I was shocked to discover this, but am seeing Go's json parsing go several times slower than Python's. (And yes, before you ask, this performance is significant in my application.)
Familiarity breeds contempt and all that...
I got a semi-plausible-looking malware email tonight from someone I had interacted with before.
The email was BCCd to who knows how many people.
I haven't looked at email source much before, but in this case, some software along the way ended up adding TLS verification metadata about every recipient in a custom header! I wonder how common this is (where headers leak the recipients / domains in the BCC list).
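As an added check (example code, not from the original post): a small Python routine that parses a raw message and reports any addresses that appear in headers other than the ones a recipient is meant to see anyway (From, To, Cc, and so on). The header name `X-Example-TLS-Verify`, its value format, and every address in the sample are constructed for this example; the post does not say which header carried the per-recipient TLS metadata.

```python
from __future__ import annotations

import email
import re

# Constructed sample message. The X-Example-TLS-Verify header, its format and
# every address are made up for this example; the original post does not say
# which header carried the per-recipient TLS metadata.
SAMPLE_RAW = """\
From: sender@example.com
To: undisclosed-recipients:;
Subject: Invoice attached
X-Example-TLS-Verify: alice@example.org=TLSv1.3 OK; bob@example.net=TLSv1.2 OK;
 carol@example.com=TLSv1.3 OK
Received: from mail.example.com (mail.example.com [192.0.2.1])
 by mx.example.org with ESMTPS
Message-ID: <constructed-id@example.com>

Please see attached.
"""

# Headers whose addresses a recipient is meant to see anyway.
VISIBLE_HEADERS = {"from", "to", "cc", "reply-to", "sender", "return-path", "message-id"}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def leaked_addresses(raw_message: str) -> dict[str, list[str]]:
    """Map header name -> addresses found there that are not in any visible header."""
    msg = email.message_from_string(raw_message)
    visible = set()
    for name, value in msg.items():
        if name.lower() in VISIBLE_HEADERS:
            visible.update(a.lower() for a in ADDR_RE.findall(value))
    leaks: dict[str, list[str]] = {}
    for name, value in msg.items():
        if name.lower() in VISIBLE_HEADERS:
            continue
        for addr in ADDR_RE.findall(value):
            addr = addr.lower()
            if addr not in visible and addr not in leaks.get(name, []):
                leaks.setdefault(name, []).append(addr)
    return leaks


def leaked_domains(raw_message: str) -> set[str]:
    """Just the domains: often the part that is exposed even when addresses are partial."""
    return {
        addr.split("@", 1)[1]
        for addrs in leaked_addresses(raw_message).values()
        for addr in addrs
    }


if __name__ == "__main__":
    for header, addrs in leaked_addresses(SAMPLE_RAW).items():
        print(f"{header}: {', '.join(addrs)}")
    print("domains exposed:", sorted(leaked_domains(SAMPLE_RAW)))
```

Run it against the full source of a message (as saved from a mail client) to see whether intermediate software has annotated the headers with addresses or domains that the visible recipient list never shows.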
Is there a term of art for usable display of hashes, keys or other crypto material?
I want things that are recognizable to a person "at a glance" and change dramatically on a small change. (thanks for the clarifying q, @jbaggs !)
I'd used the phrase "visual hash" but I'm getting a lot of things about hashing images (e.g., https://www.researchgate.net/profile/Xiaofeng-Wang-32/publication/276428507_A_Visual_Model-Based_Perceptual_Image_Hash_for_Content_Authentication/links/5593471908ae5af2b0eb7420/A-Visual-Model-Based-Perceptual-Image-Hash-for-Content-Authentication.pdf)
Think of the sorts of swirling dot displays Apple uses when you migrate between phones.
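One long-standing instance of this idea is the "randomart" that `ssh-keygen -lv` prints for a key fingerprint, generated by the "drunken bishop" walk. The following Python rendering is an added example, not part of the original post: it hashes arbitrary bytes, walks the digest over a 17x9 grid the way OpenSSH does, and counts how many cells differ between two inputs, so you can see how a one-character change in the input rewrites the whole picture. The sample inputs are constructed.

```python
from __future__ import annotations

import hashlib

# Grid size and symbol ramp used by OpenSSH's randomart (drunken bishop).
FIELD_W, FIELD_H = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"
MAX_VISITS = len(SYMBOLS) - 3  # visit counts are clamped; 'S' and 'E' are reserved


def drunken_bishop(digest: bytes) -> list[str]:
    """Walk the digest over a 17x9 grid; return the grid as rows of symbols."""
    field = [[0] * FIELD_W for _ in range(FIELD_H)]
    x, y = FIELD_W // 2, FIELD_H // 2      # the bishop starts in the centre
    start = (x, y)
    for byte in digest:
        for _ in range(4):                 # each byte encodes four diagonal moves
            dx = 1 if byte & 0x1 else -1   # low bit: left (0) or right (1)
            dy = 1 if byte & 0x2 else -1   # next bit: up (0) or down (1)
            x = min(max(x + dx, 0), FIELD_W - 1)
            y = min(max(y + dy, 0), FIELD_H - 1)
            field[y][x] += 1
            byte >>= 2
    end = (x, y)
    rows = []
    for j in range(FIELD_H):
        row = []
        for i in range(FIELD_W):
            if (i, j) == end:
                row.append("E")
            elif (i, j) == start:
                row.append("S")
            else:
                row.append(SYMBOLS[min(field[j][i], MAX_VISITS)])
        rows.append("".join(row))
    return rows


def randomart(data: bytes, hash_name: str = "sha256") -> list[str]:
    """Hash arbitrary data and return its randomart rows (without the border)."""
    return drunken_bishop(hashlib.new(hash_name, data).digest())


def render(data: bytes, hash_name: str = "sha256") -> str:
    """Return the boxed, printable form, in the style of ssh-keygen -lv."""
    rows = randomart(data, hash_name)
    label = f"[{hash_name.upper()}]"
    top = "+" + label.center(FIELD_W, "-") + "+"
    bottom = "+" + "-" * FIELD_W + "+"
    return "\n".join([top] + ["|" + r + "|" for r in rows] + [bottom])


def cell_differences(rows_a: list[str], rows_b: list[str]) -> int:
    """Count grid cells that differ between two randomart renderings."""
    return sum(ca != cb for ra, rb in zip(rows_a, rows_b) for ca, cb in zip(ra, rb))


if __name__ == "__main__":
    # Constructed inputs that differ by a single character.
    a, b = b"example key material", b"example key materiaL"
    print(render(a))
    print(render(b))
    print("cells that differ:", cell_differences(randomart(a), randomart(b)))
```

The walk is deterministic, so the same digest always produces the same picture, and because every bit of the digest steers the bishop, two digests that share no prefix produce pictures that differ across most of the grid. The property worth noting for the "at a glance" use case is that this is a recognisability aid, not a security boundary: a picture is far easier to confuse than a full hex digest, so it complements a full comparison rather than replacing it.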
I just published v0.0.6 of the `vectorscan-rs` crate for Rust. It includes a bugfix and upgrades the vendored version of Vectorscan from 5.4.11 to 5.4.12.
> [There] are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.
>
> The first method is far more difficult.
Relevant as ever! RIP Tony Hoare.
Year 2026. Cars drive themselves, people have supercomputers in their pockets and on their wrists, and it's possible to hold real-time 4k video chats with people across the world.
Also new flat-panel displays take 10 seconds to switch inputs.