about joe

My name is Joe Basirico. By day I help people build secure software. I lead a team of the most talented security experts in the world at Security Innovation to perform security assessments and help our customers reduce their risk against the ever-present threat of hackers and other ne'er-do-wells.

I started a non-profit, Technically Learning, a few years ago with the help of some friends to help kids, particularly girls and minorities, get excited about the STEM fields. Technically Learning recently merged with code.org, an amazing new non-profit looking to bring Computer Science to all public schools in the US.

On this site you'll find links to all of my projects, programming projects, research, a blog and more.

7/13/2016 - Posted by joe

Viral Game Highlights Calls Attention to Timeless Security Debate

I want to run into traffic, fall into a pond, catch Pokémon while my wife is in labor, and find a dead body; let's check out this Pokémon Go thing!

Pop quiz: Is this a valid login screen for Google Account services? This is the first screen I see when I click login with my Google Account from Pokémon Go. It's concerning because it offers no clear indication this is a valid page, no way for me to verify that I ...

9/3/2015 - Posted by joe

I was pretty disappointed after reading Mary Ann Davidson's blog post discouraging customers from reverse engineering their software for any reason. As CSO of Oracle, one of the largest software providers in the world, I expected her thoughts on security researchers and responsible disclosure to be more enlightened. Instead I saw a glib response that echoed sentiment from the turn of the last century.

The post has since been removed from Oracle's official blog, which shows that while this may be their internal policy and thinking, the company understands it isn't popular to hold such opinions. Because nothing can be deleted from the internet, and because of the Streisand effect, ...

6/3/2015 - Posted by joe

We've been getting a lot of Ruby on Rails penetration tests and code reviews at Security Innovation, and I've been writing a decent amount of it myself. In general it's a great framework, but like any other framework there are a few little gotchas that could lead to a security vulnerability. A colleague of mine, Arvind, wrote a great blog post on the Security Innovation blog in which he outlined a few of these; check that out here.

I also came across this on a blog post in this case using open('|[my-command]') will ...
