BSides Dublin 2026 Talk Slides

🦗 There hasn’t been a post here in years and I really should do something about this, but in the meantime here are my slides for my BSides Dublin 2026 talk Fighting Fire with Fire: Using AI to Scale Your Product Security Team


Semgrep: Writing quick rules to verify ideas

When you want to quickly grep for something but the pattern is too elaborate for a plain regular expression, Semgrep comes in really handy. It’s a static analysis tool with a lot of great use cases, but one I don’t hear about often is quickly writing disposable rules to validate an idea while reviewing code. So that’s what we’re going to do here!
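As an added illustration (not from the post above and not a rule shipped with Semgrep), here is the kind of throwaway rule meant: it answers one review question, "where in this JavaScript codebase is a RegExp built from something other than a string literal?", and is deleted once the idea is confirmed or refuted. The rule id and message are made up for the example.

```yaml
# Added example, not from the original post. Throwaway rule: flag every
# `new RegExp(...)` whose first argument is not a plain string literal, so a
# reviewer can quickly see where a pattern might come from user input.
rules:
  - id: regexp-from-non-literal
    languages: [javascript, typescript]
    severity: INFO
    message: RegExp built from a non-literal argument; check whether $ARG can be user-controlled
    patterns:
      # Any construction of a RegExp, whatever the flags argument is.
      - pattern: new RegExp($ARG, ...)
      # Drop the boring case where the pattern is a hard-coded string literal.
      - pattern-not: new RegExp("...", ...)
```

Run it with `semgrep --config regexp-from-non-literal.yml src/`. For an idea this small you can skip the file entirely and pass the pattern on the command line, `semgrep -e 'new RegExp($ARG, ...)' -l js src/`, then graduate it to a rule file only when you need `pattern-not` or other refinements.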


Finding command execution sinks in decompiled JVM languages

When reverse engineering an application that is shipped as compiled bytecode (jar file, war file, class files, etc.), we normally use a decompiler and then audit the resulting Java code. The catch is that the language the application was written in might not have been Java! Indeed, there are multiple languages that target the Java Virtual Machine (JVM) and produce bytecode just like Java does. Besides producing decompiled code that often looks strange, this means that the potentially dangerous functions we normally look for may differ from the ones used in Java. For this blog post, I’m going to be looking at how each language executes shell commands and what it looks like once decompiled.


SSRF: Bypassing hostname restrictions with fuzzing

When the same data is parsed twice by different parsers, some interesting security bugs can be introduced. In this post I will show how I used fuzzing to find a parser differential issue in Kibana’s alerting and actions feature and how I leveraged radamsa to fuzz NodeJS’ URL parsers.


Regular expression injection, a code review low hanging fruit

Regular expression injection is a common bug that doesn’t get talked about a lot. This blog post covers how to find it and walks through three examples of vulnerabilities found in real applications.
