Benjamin Beale
I am a software engineer with experience incorporating security principles into various roles across the development cycle. My areas of expertise include security (red and purple team), software, blockchain and "Web3" development, quality engineering, test and security tooling, and process automation.
I'm also a Gitcoin KERNEL Fellow.
Services
Security
Penetration Testing
- Adversary Simulation
- Attack Surface Enumeration
- Exploit Development
Vulnerability Assessment
- Vulnerability Enumeration
- Adversary Simulation
- Mitigation Strategies
Code Review
- Static Application Security Testing
- Secure Development Practice Adherence
- Business Logic Assessment
Web2 / Web3
Security
During my time across varying software engineering roles and teams, I have integrated offensive security practices alongside dev, QA, and other security efforts, often working in a purple team-like capacity.
As a QA engineer, I conducted vulnerability assessments and penetration test re-runs after engaging 3rd party security vendors, and worked closely with the development team to verify mitigations were correctly in place. Furthermore, I have added layers of vulnerability checks to automated test suites.
As a DevSecOps engineer, I have performed several vulnerability audits within the scope of the work.
As a security analyst charged with reviewing bug bounties, I gained a unique hands-on perspective on the attack and defense sides of a vulnerability. Replicating exploit steps submitted by other ethical hackers was an invaluable learning experience.
Auditing conventional application and Web3 smart contract code has shown me that vulnerabilities do not always present themselves in places that can be directly affected or seen by users.
I am motivated by studying the various ways in which software can break or behave differently from what is expected.
- mongo-parse - Code injection.
- sheetjs - ReDoS
- urlregex - ReDoS
- safer-eval - Command injection
- fun-map - Prototype pollution
- bson-objectid - Insufficient input validation
- objutil - Prototype pollution
- Mobie - Universal payments and rewards ecosystem.
- DuBois Gold - DuBois Gold Market Solidity contracts.
- Dock.io - High-performance distributed ledger technology for Verifiable Credentials.
- Gitcoin LearningCurve - Smart contracts for free and continuous online learning environments.
Quality Engineering
I have a range of quality engineering experience which includes functional testing, security testing, test planning, automated test development, along with the integration of workflow and test tooling for the team -- some of which from third party vendors, with another being a project of my own.
I am knowledgable of current QE processes. I am equally, if not more comfortable opening up a code editor alongside of a test session to obtain insight that can only be gained by looking under the hood.
Perhaps more importantly, I am aware of the impact that a well-designed and thorough quality engineering program can have on the number of bugs or defects. Even those that are related to security.
Official U.S. List of Certified & Credentialed Software Testers™ profile
Blockchain
Blockchain applications (dApps) need to be more thoroughly tested than comparable web2 apps.
While all software should be tested to minimize risks and maximize user experience, due to the immutability of public blockchains, a dApp or smart contract deployed to mainnet with an overlooked vulnerability will forever remain in the wild, putting users and their funds at risk. This is extremely dangerous, given the large sums of crypto assets at stake across many projects.
I bring to the table a unique mix of development, QA, application security, and blockchain experience, giving me an edge over auditors from other tech backgrounds and developers from non-blockchain or non-security backgrounds.
- early stage
- not logistically prepared for a full audit
- already covered by a trusted audit partner
Feel free to contact me anyway, I would be happy to go over how I might be able to help improve your security posture and maximize the impact of any planned or upcoming audits.
Prep Your ProjectProjects
- GANSEC - A GAN-based vulnerability scanner.
- ARPcanary - A simple ARP spoof detector that I made while playing around with Scapy.
- Malware Research - A sample of miscellaneous malware written for academic/research purposes.
- Test Automation Samples - Examples of past automated tests I've written in PHP and Python with identifying context stripped out.
- GitTreasures - An integration for QE teams connecting Git/GitLab, Jira, Trello and TestRail.
- TestRailYak - A Python wrapper for interacting with the TestRail API.
- u-nectix - Algorithmic trading bot for stocks, forex, and cryptocurrencies. Written in Python.
- py-trade-signal - A library for algorithmic or mechanical discretionary traders to determine buy/sell signals based on multiple technical indicators.
- tradeSnake - A much earlier algorithmic trading bot for cryptocurrencies that used an exchange no longer operating in the US. Also written in Python.
- Battleship - A Battleship-type game from a game development class.
- taxonomizer - A small library for working with text from taxonomic classification. Originally written using Levenshtein based string matching algorithms, renewed interest in this project by way of another project is prompting heavy upgrades. The current version under development makes use of natural language processing techniques.
- COMING SOON turbid - An auction site bidding bot that algorithmically looks for arbitrage opportunities.
- NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
- alpaca-trade-api-python - Python client for Alpaca's trade API.
- alpaca-trade-api-js - NodeJS client for Alpaca's trade API.
- Reconnoitre - A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
Blog
Get a hold of me
Feel free to send me an email, connect with me on LinkedIn, or view my GitHub profile.