Jakob Pennington standing in front of an audience, giving a presentation on DevSecOps at the DDD Adelaide conference.

About

G’day, I’m Jakob Pennington, and I help development teams build secure software. I have an obsession with learning, and I aspire to share what I learn with others. Professionally, I share my time between software development, cybersecurity, and where the two disciplines intersect: application security. Background My career has led to application security for two key reasons: Early in my career, as I was cutting my teeth as a penetration tester, I realised that a pentest is far too late in the software lifecycle to start thinking about security....

26 November 2022 · 2 min · 377 words · Jakob Pennington
Running a python script inside a kali docker container running on Windows.

Building hacking tools in Windows using Docker

Something that I have struggled with in the past as a software developer turned penetration tester is the fact that I use two operating systems on a daily basis, and this sometimes causes friction in my workflow. Note: I really don’t intend or want this to be a discussion of the merits of one OS or IDE compared with another. I use the tools that I am familiar and productive with, and it’s totally cool if you use something different....

28 July 2020 · 5 min · 1000 words · Jakob Pennington
The docker logo, a blue whale with shipping containers on its back.

Can Docker containers replace VMs for bug bounty hunters and penetration testers?

There were many things to consider, and we may talk about some of those things in the future, but the aspect of penetration testing I want to talk about today is the infrastructure we use to conduct a penetration test. Note: With a few minor exceptions, the same thought process applies for bug bounty hunting. If that’s more your thing, feel free to sed s/penetration testing/bug bounty hunting/g. What do we need from our infrastructure?...

22 July 2020 · 10 min · 1920 words · Jakob Pennington
A flow diagram representing the 8 phases of the DevOps pipeline, with security baked into each phase.

Shifting Left: DevSecOps as an Approach to Building Secure Applications

So far in the Introduction to DevOps series, we’ve covered what DevOps is at a high level and what the practice aims to achieve. We then broke down the DevOps pipeline into phases to get a better understanding of how a DevOps pipeline hangs together as well as some common terminology. If you haven’t already, go check them out first 👇 Part 1: What is DevOps? Part 2: The Eight Phases of a DevOps Pipeline...

18 July 2019 · 6 min · 1066 words · Jakob Pennington
A figure of 8 loop representing the DevOps pipeline, including continuous integration and continuous deployment.

The Eight Phases of a DevOps Pipeline

In my last article, I covered the basics of DevOps and highlighted the benefits that have motivated so many organisations to shift to this new model for software development. This article will build on the last, so if you haven’t already, go check it out 👇 Part 1: What is DevOps? When talking about DevOps, it’s useful to divide the process into phases which come together to make a DevOps pipeline....

18 July 2019 · 10 min · 2023 words · Jakob Pennington
A figure of 8 loop showing the 8 phases of the DevOps lifecycle: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

What is DevOps?

DevOps as a philosophy for software development has been around for some time now. It has evolved from being a buzzword, the new hip thing in software development, to a tried and tested practice by organisations of all sizes. But, for people and organisations who are considering DevOps or have recently adopted a DevOps approach, it can be difficult to see the benefits of DevOps and how it works in practice....

18 July 2019 · 6 min · 1114 words · Jakob Pennington
A photo of a cute puppy.

Exploiting XSS via Markdown

I recently came across a web application in which I was able to exploit a Cross-Site Scripting (XSS) vulnerability through a markdown editor and rendering package. It was the first time I had come across this type of vulnerability, and I found it particularly interesting because it allowed me to bypass multiple layers of XSS filtering that were implemented in the application. Here’s a short article on how I came across the vulnerability and set about crafting an exploit....

8 February 2019 · 7 min · 1350 words · Jakob Pennington
A Superman Lego figurine on a tree stump.

Breaking into Encrypted iPhone Backups

This is a story about my favourite moment in Information Security so far. I thought, rather than just breaking down the technical part, I’d branch out and try something different. If you’re just interested in iOS security, feel free to skip ahead 👌 Note: Unfortunately, for legal reasons, I can’t crack your password for you. If you’ve ever worked in the IT industry, are good with computers, or were simply born after 1980, then you’re probably asked every other week to provide tech support....

21 November 2018 · 12 min · 2398 words · Jakob Pennington
A graphic showing a Build Succeeded notification on a mobile phone.

Add Notifications to your AWS CI/CD Pipeline

This post is Part 3 in a 🤷-Part series on CI/CD in AWS. Go check out my other posts to see how we got here: Part 1: Deploy a Single-Page Application (SPA) to AWS Part 2: Automated Build / Deploy with AWS CodePipeline In the last post, we set up a simple CI/CD pipeline that deploys our codebase into production each time new code is merged into the production codebase. This is great, but once we kick off a build we have two options:...

5 August 2018 · 5 min · 1001 words · Jakob Pennington
A graphic showing the Angular logo on a Super Mario Bros. background.

Automated Build / Deploy with AWS CodePipeline

In my last post, I showed how you can deploy a Single Page Application to AWS using AWS’ S3, CloudFront and Route 53. This post picks up where the last one left off, so if you haven’t read it, go check it out! This time, we’ll be improving our DevOps by building a basic CI/CD pipeline. Since we’re already using AWS to host our site, it makes sense to keep using their services since they do integrate well together (That’s how they get you!...

22 July 2018 · 7 min · 1291 words · Jakob Pennington