First steps with Flask and Static Code Analysis with Semgrep

Photo by Gary Butterfield on Unsplash

This week I spent a bit of time learning something new. Flask has been on my list of things to learn for a while. So the time came and I attended some of the Pluralsight courses on this topic.

One of the characteristics I’ve heard attributed to Flask is its simplicity and power, so I decided to give it a try at the time I attended the training tutorial.

For the sake of clarification, I’m attending the Building Web Applications with Flask path at Pluralsight.

Writing the first lines of code

Dennis Ritchie in…

Package download metrics are easy to manipulate

Photo by Mika Baumeister on Unsplash

Disclaimer: I reported this issue to the Microsoft Security Response Center (MSRC), but according to their assessment (which I agree with), the report would not meet the definition of a security vulnerability.

I’ve been very keen to understand what security scrutiny package managers (such as the NPM Registry, Maven Central, and NuGet, among others) perform at the time a library is published.

Targeting third-party libraries is a common technique by which threat actors steal credentials, run arbitrary code, or deploy cryptocurrency mining tools. This is covered by MITRE ATT&CK technique…

HTTP HEAD is an interesting and powerful HTTP method.

Photo by Ümit Yıldırım on Unsplash

HTTP is by far the most efficient, large, and complex system that exists.

As explained by Jon Flanders in his book RESTful .Net: “The success of the Web can be attributed in part to luck and timing, but some of the credit for its success can be attributed to its architecture. The architecture of the Web is based on a few fundamental principles that have taken it from its small beginning to the large of information and functionality that exists today.”

What is the HTTP HEAD Method Anyway?

Saying that curiosity leads us to be better engineers is so cliché that…

Photo by Chris Ried on Unsplash

SAST, or Static Application Security Testing, sometimes referred to as Static Source Code Analysis, is a security mechanism in which source code vulnerabilities are detected early in the Software Development Life Cycle.

The truth of the matter is that writing secure code is damn hard, and manual code review is challenging even for the trained eye. It is good to see that the SAST landscape has evolved rapidly to adjust to the current needs of DevSecOps principles.

I was introduced to SAST tools back in 2020 when I was working as a Software Engineer at Security Innovation in a…

Disclaimer: This is not a technical article; however, as I’m making marginal adjustments in my life, I’m also starting to appreciate small things.

Over the weekend, I took this picture that really gave me a life lesson:

Ficus aurea tree growing up on a dead tree host

It is a tree known as Ficus aurea. According to Wikipedia “seed germination usually takes place in the canopy of a host tree with the seedling living as an epiphyte until its roots establish contact with the ground”.

But even though this tree’s nature is to live as an epiphyte on a host tree, this image provides some good life lessons…

I’ve always agreed with the old saying that most great things in life are free, to some extent (family, friends, health). I have a place, a small piece of land I own, that allows me to disconnect from time to time.

The view from the property is great and everything looks green. Birds sing in the early morning, and I can get some spare time to organize my ideas, meditate, and read.

With the lockdown due to the pandemic, I have started to appreciate this place even more, because it allows me to recharge my energy for the week, think, and get ideas either for writing or for the startup projects I’m working on.

Here are some pictures, I hope you enjoy them.

A view from the property

From time to time, I have gotten into this mental state of sabotage in which your mind tricks you so badly that you start to believe that you don’t deserve your own achievements, that you are not that good, and that one day there will be someone knocking at your door to tell you that it is all over.

I’ve learned that this mental state is known as Impostor Syndrome. According to Wikipedia, “Impostor Syndrome is a psychological pattern in which an individual doubts their skills, talents, or accomplishments and has a persistent internalized fear of being exposed as a…

When the SSH port is exposed to the Internet, threat actors will challenge its security by attempting to brute-force it. This is true for most standard protocols. Reducing the attack surface by closing unnecessary ports is a must.

Essentially, Fail2ban is a utility that will protect servers against brute-forcing attacks.

This guide describes how a service called Fail2ban can be installed and configured on Ubuntu 20.04 to protect the SSH port. It’s very rare to need to expose SSH to the whole Internet, by the way. …

I’m an old-fashioned person who prefers a physical book to digital versions such as PDF or Kindle. I don’t own a physical Kindle myself, so I cannot judge the experience of reading on such a device; I have the applications running on my iPhone and on my Mac.

However, I’m a big fan of reading and feeling the physical book. You might argue that traveling with such books is complicated, to which I would reply that you are absolutely right. …

I’m a big fan of Leanpub. If you want to start writing your book and don’t want to follow the rigorous (although necessary) process of working with a publisher, Leanpub is a great option.

Following lean principles, the fundamental idea of this tool is that you can publish often, as many times a day as needed; you focus only on the creative process of writing and they do the rest.

The editor itself is based on Markdown, a great markup language for writing content. It keeps things simple and gives you the essential tools to get the job…

Software Engineer and Application Security Engineer focused on Cybersecurity, Web Application Security, and Research and Development. Based in Costa Rica.
