LCI Security

LCI Security was founded to provide strategic and tactical security consulting services to small businesses across the country. We focus on identifying strategies that will provide the highest return on investment for your business. Our founder, Stephen Haywood, has over 20 years of experience in information technology and over 15 years of experience in cybersecurity. Stephen has worked as a software developer, system and network administrator, security auditor, penetration tester, security engineer, and security leader for businesses large and small across multiple verticals.
Web: https://lcisec.com

Not only is Nerine a beautiful flower, it's a powerful static web application testing tool that allows you to send a pre-defined web request and verify the response matches your expectations. If you need a simple, reliable, affordable, non-AI enabled alternative to Postman that lets you keep your API keys and other secrets local, you should check out Nerine, https://lcisec.dev/products.

#AppSec #InfoSec #NoAI


I'm looking for beta testers for Nerine, a static web application testing tool. I built Nerine for testing web applications in CI/CD pipelines but recognize it has other uses such as web application monitoring and acting as a guardrail for vibe coding web applications. If you would be interested in beta testing Nerine, providing feedback, and discussing Nerine publicly, whether good or bad, please reach out to me.

You can download the user manual at https://lcisec.dev/manuals/nerine-ent if you want to learn more about the product.

#infosec #appsec #vibecoding #cicd #webdev

It's been a little over a year since I blogged, but it's for good reason. I've been heads down writing a lot of code and it's been quite the journey from Web Application Starter Pack nine months ago, to Nerine today.

https://lcisec.com/posts/2026/03/journey-to-nerine


For a consulting business to survive it has to be good at three essential tasks: finding new clients, winning their business, and retaining existing clients. Over the course of my career, I've learned that I'm good at the latter two but am an utter failure at the first. Recognizing my weakness, I've decided to start a Referral Partner program for LCI Security. Essentially, I am looking for 5 or 6 people who are willing to refer clients to me for a small percentage of the engagement fee. If this sounds like something you are interested in, please email me and let's talk.

Please note:
1. I am based in the United States and I am only looking to work with US-based referral partners and clients.
2. My current list of consulting services is available at https://www.lcisec.com/strategic and https://www.lcisec.com/tactical.


There have been a number of times I said to myself, "I should build a web application that does some cool thing," and then I would realize that is easier said than done. First, I don't like complicated frameworks, whether it's a server framework, a JavaScript front-end framework, or a CSS framework. I got my start on the Internet when people were still writing HTML, CSS, and vanilla JS and using server-side rendering. I really miss the simplicity of those days.

I contemplated relearning PHP, but I have spent a number of years using Go and really liked the simplicity of its web server. The idea of routers, handlers, and HTML templates was simple enough that I thought it might work for what I want. I've spent the last few months building out a simple Go-based web application starter pack (WASP) that can serve as the basis for any number of web applications.

WASP is not a framework as much as it is a boilerplate server that can be extended with your own routes, handlers, and HTML templates. It includes password-based authentication, a simple authorization scheme with unauthenticated, authenticated, and admin users, and session management. It also includes tests that cover all of the core functionality and that can be extended to cover your new functionality.

If you are familiar with Go's web server concepts and want a good base to build your next web application, give WASP a try.
https://github.com/asggo/wasp
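The three-tier authorization scheme the post describes (unauthenticated, authenticated, admin) maps naturally onto Go's standard `net/http` router and handler types. The following is an added example, not code from WASP or from the post, showing how a role-gating middleware can wrap handlers so that a route only runs for callers holding at least the required role. The session store, cookie name, and session values are constructed for the example; a real server would issue random session IDs and persist them.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Role levels in increasing privilege, mirroring the three tiers in the post.
type Role int

const (
	Unauthenticated Role = iota
	Authenticated
	Admin
)

// sessions is a constructed in-memory store mapping a session cookie value to
// a role. Real deployments use random, unguessable IDs and a backing store.
var sessions = map[string]Role{
	"sess-user":  Authenticated,
	"sess-admin": Admin,
}

// roleFromRequest resolves the caller's role from the "session" cookie.
// A missing or unknown cookie fails closed to Unauthenticated.
func roleFromRequest(r *http.Request) Role {
	c, err := r.Cookie("session")
	if err != nil {
		return Unauthenticated
	}
	role, ok := sessions[c.Value]
	if !ok {
		return Unauthenticated
	}
	return role
}

// requireRole wraps next so it only runs for callers at or above min.
// No session yields 401; a valid but insufficient session yields 403.
func requireRole(min Role, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role := roleFromRequest(r)
		switch {
		case role >= min:
			next.ServeHTTP(w, r)
		case role == Unauthenticated:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			http.Error(w, "forbidden", http.StatusForbidden)
		}
	})
}

// newMux builds a router with one route per tier.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	mux.Handle("/", ok)                                // public
	mux.Handle("/account", requireRole(Authenticated, ok)) // any logged-in user
	mux.Handle("/admin", requireRole(Admin, ok))        // admins only
	return mux
}

// statusFor sends a request through the mux with an optional session cookie
// and returns the HTTP status code, so the gating can be checked offline.
func statusFor(path, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	newMux().ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("/", ""))                // 200
	fmt.Println(statusFor("/account", ""))         // 401
	fmt.Println(statusFor("/admin", "sess-user"))  // 403
	fmt.Println(statusFor("/admin", "sess-admin")) // 200
}
```

The middleware is the only place that reads the session, so adding a route at a new privilege level means wrapping its handler once rather than repeating the check inside every handler body.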


Protip: Don't let the domain you use for email expire. Especially if that's the email on file with the domain registrar.

When just the right set of things go wrong, it can be surprisingly difficult to fix, as I've learned in the process of trying to get that domain renewed for _almost a month_. Though finally fixed now, or will be once DNS propagates.

Back in 2012, I wrote a firewall analyzer called Prometheus (https://github.com/averagesecurityguy/prometheus). I even sold a few copies back then. I'm currently rebuilding the tool in Go but I need some recent firewall configs to test my parser with.

If you have any REDACTED firewall configs you are willing to share, send them my way.

If you have particular feature requests for a firewall analysis tool, send those as well.

Finally, what would you be willing to pay for a tool that can identify basic vulnerabilities in your firewall configuration?

#infosec #cybersecurity


Within most areas of application security there is a broad range of threat actors who have the capability to exploit vulnerabilities in an application. With cryptography though, as long as the appropriate algorithms are used for their intended purpose and implemented correctly, the range of threat actors is reduced to only well-resourced attackers (typically nation-states). When evaluating cryptographic solutions, I start by answering four basic questions:

1. Does the solution use trusted cryptographic primitives?
2. Are those primitives implemented correctly?
3. Are the primitives used for their intended purpose?
4. Is the solution needlessly complex?

If the cryptographic solution I'm evaluating holds up to these questions, I then move on to comparing the solution to its threat model. If the solution does not hold up to these questions, then it is also unlikely it will meet the security requirements of the threat model.

https://lcisec.com/posts/2025/02/evaluating-cryptographic-solutions

#infosec #cryptography
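Questions 2 and 3 above, correct implementation and intended purpose, are concrete enough to illustrate in code. The following is an added example, not from the linked post, showing a trusted AEAD primitive (AES-256-GCM from Go's standard library) used for what it is designed for: confidentiality plus integrity of a message. The self-check confirms the two properties an evaluator would look for, a fresh random nonce per call and rejection of any tampered ciphertext or mismatched associated data. The key, message, and associated data are constructed for the example; a real key comes from a KDF or key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealNote encrypts plaintext with AES-256-GCM under key and returns
// nonce || ciphertext || tag. A fresh 96-bit nonce is drawn from crypto/rand
// on every call, so the same key never sees a repeated nonce, which is the
// one condition GCM requires to keep both confidentiality and integrity.
func sealNote(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so one blob carries all three.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openNote splits the nonce from the blob and authenticates before decrypting.
// Any modification to the ciphertext, tag, nonce, or aad returns an error
// rather than silently producing garbage plaintext.
func openNote(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// selfCheck exercises the properties an evaluator wants to see and returns
// (roundTripOK, wrongAADRejected, tamperRejected).
func selfCheck() (bool, bool, bool) {
	key := make([]byte, 32) // constructed 256-bit key for the example only
	for i := range key {
		key[i] = byte(i)
	}
	msg := []byte("constructed sample note")
	aad := []byte("note-id:42") // bound to the ciphertext but not encrypted

	blob, err := sealNote(key, msg, aad)
	if err != nil {
		return false, false, false
	}
	got, err := openNote(key, blob, aad)
	roundTrip := err == nil && string(got) == string(msg)

	_, err = openNote(key, blob, []byte("note-id:43"))
	wrongAAD := err != nil

	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = openNote(key, blob, aad)
	tamper := err != nil

	return roundTrip, wrongAAD, tamper
}

func main() {
	fmt.Println(selfCheck()) // true true true
}
```

Binding a note identifier as associated data is what stops a ciphertext encrypted for one record from being replayed as another; that is the "intended purpose" question applied to the AEAD interface rather than to the cipher alone.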


I've had a lot going on this week but tonight I was able to close out a couple of small issues on Lckbx, https://github.com/lcisec/lckbx. Later this week I hope to finish off a few more issues and release a usable version of Lckbx.