Trying Harder and Passing the OSCP: A Developer’s Perspective

In my line of work, I design and develop enterprise products in the information security and risk management domains. These products generally serve blue teams, and I’ve wanted for a while to get the red team perspective.

So last Fall, I put myself through a self-imposed boot camp: earning the OSCP (Offensive Security Certified Professional) certificate. This is an intermediate-level certificate geared towards penetration testers. Before taking the exam, students spend significant self-directed time (30 to 90 days) in a specially constructed lab environment honing their hacking skills. The exam itself is a 24-hour test in which students are dropped into a network and need to gain admin access to as many machines as possible.

Below is a summary of my journey, along with tips for aspiring students.


Be Paranoid About Your Third Party Dependencies

With any programming language and its ecosystem, developers need to be judicious about the third-party dependencies they bring in. Go is no different, though it can sometimes be astonishing how simple it is for a third-party package to wreak havoc with your program.

Case in point:

In Go, it’s a common practice to represent errors as variables using the following syntax:

package foo

import "errors"

// ErrFoo is an exported, package-level error value.
var ErrFoo = errors.New("foo error")

The above code creates an error value called ErrFoo. Following Go convention, because the identifier is capitalized it is exported from its package and available to any other package that wants to reference it.

One quirk of Go is that error variables defined this way are mutable: any other package, even a completely unrelated one, can reassign ErrFoo to a different value.
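An added example, not code from the original post, that shows what that reassignment does to a library built on a conventional sentinel (a constructed ErrNotFound, standing in for ErrFoo) and one mitigation: declaring sentinels as constants of a string-backed error type, which the compiler refuses to reassign.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound follows the page's ErrFoo pattern: an exported package-level
// var that any importing package can reassign (constructed example).
var ErrNotFound = errors.New("not found")

// Lookup stands in for a library function that signals "missing" with the
// sentinel. It reads the var at call time, so it returns whatever it holds now.
func Lookup(key string) error {
	if key != "admin" {
		return ErrNotFound
	}
	return nil
}

// IsNotFound is caller-side code written against the sentinel.
func IsNotFound(err error) bool { return errors.Is(err, ErrNotFound) }

// Tamper does what a dependency's init() could do: overwrite the sentinel.
// Replacing it with nil turns every "not found" into an apparent success.
func Tamper(replacement error) { ErrNotFound = replacement }

// Hardened alternative: a string-backed error type whose sentinels are
// declared with const, which the compiler will not let anyone reassign.
type Sentinel string

func (s Sentinel) Error() string { return string(s) }

// ErrForbidden cannot be overwritten: `ErrForbidden = nil` fails to compile.
const ErrForbidden Sentinel = "forbidden"

func Authorize(user string) error {
	if user != "admin" {
		return ErrForbidden
	}
	return nil
}

func main() {
	fmt.Println("before tamper:", IsNotFound(Lookup("guest")))                // true
	Tamper(nil)
	fmt.Println("after tamper, error swallowed:", Lookup("guest") == nil)      // true
	fmt.Println("const sentinel:", errors.Is(Authorize("guest"), ErrForbidden)) // true
}
```

The mutable sentinel can be neutralised by any package in the build; the const one can only be shadowed, never changed, so a `go vet` or dependency review has far less to check.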
