Application security tools get a bad reputation.

Developers often worry that security tools such as static analysis tools would slow them down, make their work look bad, or even cost them their jobs when something goes wrong. But implementing secure practices and using security tools are ultimately necessary for any business that creates software.

What are the barriers that prevent developers from producing secure code? How can we create a security tool that succeeds despite these barriers? What are some considerations when choosing a security tool for a development team?

In this Episode of Sources and Sinks, I host Alok Shukla, VP of Products at ShiftLeft to discuss barriers that developers face when building secure software, and how the team here at ShiftLeft built a security product designed to make secure development easier for developers called ShiftLeft CORE.

Joining security podcast Sources and Sinks as their host

I’m excited to say that I have joined Security Podcast Sources and Sinks as their host!

Sources and Sinks is a technology-focused podcast that talks about the business, people, technology, products, the culture of silicon valley — with a security twist. New episodes will be released every two weeks. You can listen to Sources and Sinks on Apple Podcasts, Google Podcasts, Stitcher, Spotify, Amazon Music, IHeart Radio, and many more.

In this new season, we started off by interviewing Saif Bhatti, a rhino conservationist using technology to combat rhino poaching. We also speak to Katie Paxton-Fear, a cybersecurity researcher, to…

How to scan for PII leaks, credentials, and other sensitive data leaks using data flows.

Last time, I talked about the perils of leaving secrets in open-sourced code and how to detect those secrets using regex and entropy analysis.

Hardcoded secrets are an example of a sensitive data leak. Sensitive data leaks happen when an application exposes sensitive data, such as credentials, secret keys, personal information, or configuration information, to people who shouldn’t have access to that information.

For instance, if an application writes sensitive personal information like customers’ credit card numbers into application logs, that information becomes accessible to system analysts who can read logs. It’s also common for applications to leak users' private…

How to uncover leak secrets with regex + entropy analysis

Image is taken from

As a developer, I admit that I’ve committed secrets to public Github repositories before. Hardcoded secrets have always been a problem in organizations and are one of the first things I look for during a penetration test.

When developers write secrets such as passwords and API keys directly into source code, these secrets can make their way to public repos or application packages, then into an attacker’s hands. As microservice architectures and API-centric applications become mainstream, developers often need to exchange credentials and other secrets programmatically. This means that developers can sometimes make mistakes when handling sensitive data.

To put…

A guide for writing better technical articles + blog posts

Photo by Andrew Neel on Unsplash

One of the questions I get the most in my Twitter DMs is “How do I write better technical blog posts”?

Technical writing is a specialist skill, and I am by no means an expert. But over the past few years, writing my technical blog has taught me a lot about writing for the Internet. So today, here are my tips to help you produce better technical articles.


Good writing is easy to read. This is especially true when writing on the Internet. On the Internet, your technical blog post has the potential to be shared anywhere in the world…

Impact, exploitation, and prevention of XML External Entity Vulnerabilities

Photo by Piotr Chrobot on Unsplash

Welcome back to AppSec simplified! In this tutorial, we are going to talk about how you can prevent XXEs in Java applications. If you are not already familiar with XXEs, please read my previous post first!

Why XXEs happen

DTDs are used to define the structure of an XML document. Within DTDs, you can declare “XML entities”. There is a special type of XML entities called “external entities”, which are used to access local or remote content with a URL.

For example, this DTD declares an external entity named “file” that points to file:///secrets.txton the local file system. …

Performing a code review to find vulnerabilities in applications

Photo by Joshua Aragon on Unsplash

Performing a source code review is one of the best ways to find security issues in an application. But how do you do it?

In this tutorial, I will go through some tactics for performing a security code review on your application.


Before you start reviewing code, learn what the most common vulnerabilities are for the target application type. Getting familiar with the indicators and signatures of those vulnerabilities will help you identify similar patterns in source code. For example, the signature for an XXE vulnerability is passing user-supplied XML to a parser without disabling DTDs or external entities. …

Finding XXE vulnerabilities in applications via code analysis

Welcome back to AppSec Simplified! Last time, we talked about the fascinating XXEs vulnerabilities and how they can affect your application. If you are not already familiar with XXEs, please read that post first!

This time, let’s hunt for XXEs for real! We will be analyzing the source code of an example application that is vulnerable to XXEs: the OWASP WebGoat. You can download the application here if you want to follow along with this exercise.

Setting up

We’ll be using ShiftLeft’s NG-SAST scanner to hunt for XXEs. You can register for a free account here. …

Protect your XML parsers against malicious XML documents!

Photo by Jason Leung on Unsplash

Hey! And welcome to the first installment of AppSec Simplified. Today, we are going to explore a fascinating vulnerability called XML External Entity vulnerabilities, or XXEs!

What are XXEs?

To understand XXEs, we need to first talk about “DTDs” in XML documents.

XML documents can contain a Document Type Definition, or a “DTD”. DTDs are used to define the structure of an XML document and the data it contains. They are declared within the document using a “DOCTYPE” tag, like this:

<?xml version=”1.0" encoding=”UTF-8"?><!DOCTYPE ...INSERT DTD HERE...>

Within DTDs, you can declare “XML entities”. …

And why Application Security is like wearing masks

Photo by Kobby Mendez on Unsplash

Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks, wherever you go.

This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hate masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh…

Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store