| Presentation Title | Author(s) | Year |
|---|---|---|
| Seriously, stop using RSA | Ben Perez | 2019 |
| Best Practices for Cryptography in Python | Paul Kehrer | 2019 |
| Analyzing the MD5 collision in Flame | Alex Sotirov | 2012 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| Improving PyPI's security with Two Factor Authentication | William Woodruff | 2019 |
| Linux Security Event Monitoring with osquery | Alessandro Gario | 2019 |
| osql: The community oriented osquery fork | Stefano Bonicatti, Mark Mossberg | 2019 |
| Getting started with osquery | Lauren Pearl, Andy Ying | 2018 |
| osquery Super Features | Lauren Pearl | 2018 |
| osquery Extension Skunkworks | Mike Myers | 2018 |
| Build it Break it Fix it | Andrew Ruef | 2014 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| JWTs, and why they suck | Rory M | 2021 |
| The Joy of Pwning | Sophia D'Antoine | 2017 |
| How to CTF - Getting and using Other People's Computers (OPC) | Jay Little | 2014 |
| Low-level Security | Andrew Ruef | 2014 |
| Security and Your Business | Andrew Ruef | 2014 |
| Bringing nothing to the party | Vincenzo Iozzo | 2013 |
| From One Ivory Tower to Another | Vincenzo Iozzo | 2012 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| Return to the 100 Acre Woods | Stefan Edwards | 2019 |
| Swimming with the kubectl fish | Stefan Edwards | 2019 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| Exploiting Machine Learning Pickle Files | Carson Harmon, Evan Sultanik, Jim Miller, Suha Hussain | 2021 |
| PrivacyRaven: Comprehensive Privacy Testing for Deep Learning | Suha Hussain | 2020 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| Swift Reversing | Ryan Stortz | 2016 |
| Modern iOS Application Security | Sophia D'Antoine, Dan Guido | 2016 |
| The Mobile Exploit Intelligence Project | Dan Guido | 2012 |
| A Tale of Mobile Threats | Vincenzo Iozzo | 2012 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| Python internals - let's talk about dicts | Dominik Czarnota | 2019 |
| Low-level debugging with Pwndbg | Dominik Czarnota | 2018 |
| Insecure Things to Avoid in Python | Dominik Czarnota | 2018 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| Hardware side channels in virtualized environments | Sophia D'Antoine | 2015 |
| Exploiting Out-of-Order Execution | Sophia D'Antoine | 2015 |
| Presentation Title | Author(s) | Year |
|---|---|---|
| Peeling back the 'Shlayers' of macOS Malware | Josh Watson, Erika Noerenberg | 2019 |
| The Exploit Intelligence Project Revisited | Dan Guido | 2013 |
| Dataset | Date |
|---|---|
| Smart Contract Audit Findings | Aug 2019 |
| Podcast | Guest | Date | Topic(s) |
|---|---|---|---|
| Risky Business 652 | Dan Guido | Jan 2022 | Zero-knowledge proofs |
| Secureum Safecast #3 | Josselin Feist | Nov 2021 | Blockchain security |
| Secureum Safecast #2 | Dan Guido | Oct 2021 | Blockchain security |
| Press Freedom Foundation | Dan Guido | Jul 2021 | Mobile security and iVerify |
| Employee Cycle | Hannah Hanks | Mar 2021 | First PeopleOps hire |
| Risky Business 614 | Dan Guido | Feb 2021 | iVerify |
| Building Better Systems #6 | Dan Guido | Jan 2021 | What blockchain got right |
| WCBS 880 | Dan Guido | Sep 2020 | Gap years and intern hiring |
| Risky Business 594 | Dan Guido | Aug 2020 | Apple security |
| Epicenter 346 | Dan Guido | Jun 2020 | Smart contract security |
| Absolute AppSec 97 | Stefan Edwards | May 2020 | Threat modeling |
| Unchained 170 | Dan Guido | May 2020 | DeFi security |
| Risky Business 580 | Dan Guido | Apr 2020 | Mobile voting |
| Absolute AppSec 91 | Stefan Edwards | Apr 2020 | Mobile voting |
| Zero Knowledge 122 | Ben Perez | Mar 2020 | Cryptography reviews, ZKPs |
| Changelog | Dan Guido | Jan 2020 | AlgoVPN |
| Risky Business 559 | Stefan Edwards | Oct 2019 | Kubernetes |
| FOSS Weekly 545 | William Woodruff | Sep 2019 | PyPI security improvements |
Podcast.__init__ 225 |
William Woodruff | Aug 2019 | PyPI security, UX, and sustainability |
| Absolute AppSec 68 | Stefan Edwards, Bobby Tonic | Aug 2019 | Kubernetes |
| Hashing it Out 53 | Dan Guido | Jul 2019 | Smart contract testing |
| Absolute AppSec 60 | Stefan Edwards | May 2019 | Android, programming languages |
| Absolute AppSec 55 | Stefan Edwards | Apr 2019 | Security testing |
| Hashing it Out 35 | Dan Guido, Josselin Feist | Jan 2019 | Ethereum's failed EIP-1283 |
| Risky Business | JP Smith | Jan 2019 | Post-quantum crypto in CTFs |
| Absolute AppSec 37 | Stefan Edwards | Nov 2018 | Programming languages, symbex |
| Risky Business 510 | Lauren Pearl | Aug 2018 | Open source security engineering |
| Absolute AppSec 34 | Stefan Edwards | Oct 2018 | Security testing, blockchain |
| Zero Knowledge 16 | JP Smith | Mar 2018 | Smart contract security |
| Risky Business 488 | JP Smith | Feb 2018 | Smart contract testing w/ Manticore |
| Risky Business 474 | Dan Guido | Oct 2017 | How to engineer secure software |
| Georgian Partners 47 | Dan Guido | May 2017 | AlgoVPN and Tor |
| VUC 643 | Dan Guido | Apr 2017 | AlgoVPN |
| Risky Business 449 | Dan Guido | Mar 2017 | Control Flow Integrity |
| Risky Business 425 | Dan Guido | Sep 2016 | Recap the week's news |
| Risky Business 421 | Dan Guido | Aug 2016 | Car hacking and the week's news |
| Risky Business 416 | Dan Guido | Jul 2016 | DARPA Cyber Grand Challenge |
| Risky Business 399 | Dan Guido | Feb 2016 | Apple vs the FBI |
| Risky Business 370 | Dan Guido | Feb 2015 | DARPA Cyber Grand Challenge |
| Risky Business 348 | Dan Guido | Jun 2015 | DARPA Cyber Grand Challenge |
Companies that have allowed us to speak about our work can be found here. Many more remain confidential.
| Product | Review Date | Level of Effort | Deliverables | Announcement |
|---|---|---|---|---|
| CoreDNS | Jan 2022 | 4 person-weeks | ||
| Terrform Enterprise | Nov 2021 | 6 person-weeks | ||
| Nomad Enterpprise | Nov 2021 | 6 person-weeks | ||
| Consul Enterprise | Oct 2021 | 6 person-weeks | ||
| Vault Enterprise | Oct 2021 | 6 person-weeks | ||
| HashiCorp Cloud | Jun 2021 | 8 person-weeks | ||
| Argo | Mar 2021 | 4 person-weeks | Security Review, Threat Model | |
| Terrform Cloud | Jan 2021 | 6 person-weeks | ||
| Consul | Oct 2020 | 10 person-weeks | ||
| Nomad | Aug 2020 | 6 person-weeks | ||
| Helm | Aug 2020 | 4 person-weeks | Security Review | Helm 2nd Security Audit |
| Terraform | Mar 2020 | 6 person-weeks | ||
| OPA | Mar 2020 | 2 person-weeks | Security Review | Open Policy Agent (OPA) Graduation Proposal |
| Vault | Feb 2020 | 12 person-weeks | ||
| etcd | Jan 2020 | 4 person-weeks | Security Review | CNCF |
| Rook | Dec 2019 | 2 person-weeks | Security Review | CNCF |
| Kubernetes | May 2019 | 12 person-weeks | Security Review, Threat Model, Whitepaper | Google, CNCF |
| Product | Review Date | Level of Effort | Announcement |
|---|---|---|---|
| Minterest Finance | Jan 2022 | 6 person-weeks | |
| StarkPerpetual | Jan 2022 | 8 person-weeks | |
| Columbus-5 | Jan 2022 | 2 person-weeks | |
| Polkadex | Dec 2021 | 4 person-weeks | |
| ShardX | Dec 2021 | 2 person-weeks | |
| IBC Protocol | Dec 2021 | 4 person-weeks | |
| Threshold-DSA | Nov 2021 | 6 person-weeks | |
| STAS SDK | Oct 2021 | 4 person-weeks | |
| PolySign HSM | Oct 2021 | 6 person-weeks | |
| STAS-JS SDK | Sept 2021 | 4 person-weeks | |
| PINT | Sept 2021 | 4 person-weeks | |
| Qredo Blockchain | Sept 2021 | 6 person-weeks | |
| PolySign | Sept 2021 | 6 person-weeks | |
| Arbitrum | Sept 2021 | 16 person-weeks | |
| ShardX | Aug 2021 | 4 person-weeks | |
| go-schnorrkel | Aug 2021 | 4 person-weeks | |
| THORChain | Aug 2021 | 12 person-weeks | |
| Casper Web Wallet | Jul 2021 | 4 person-weeks | |
| Polkaswap | Jul 2021 | 6 person-weeks | |
| AElf | Jul 2021 | 4 person-weeks | |
| CrossChain-Bridge | Jul 2021 | 8 person-weeks | |
| AlephBFT | Jun 2021 | 4 person-weeks | |
| Acala Network | Jun 2021 | 4 person-weeks | |
| DFINITY | May 2021 | 24 person-weeks | |
| Compound Chain | May 2021 | 6 person-weeks | |
| Flare Network | Mar 2021 | 8 person-weeks | |
| Arbitrum V2 | Feb 2021 | 8 person-weeks | |
| Cheque Cell & ORU | Feb 2021 | 8 person-weeks | |
| Fog Protocol | Jan 2021 | 4 person-weeks | |
| Acala Network | Jan 2021 | 6 person-weeks | |
| Bitcoin SV | Jan 2021 | 6 person-weeks | |
| eFIL | Jan 2021 | 2 person-weeks | |
| Futureswap | Jan 2021 | 2 person-weeks | |
| Tezori (T2) | Dec 2020 | 4 person-weeks | |
| Teller Protocol | Nov 2020 | 4 person-weeks | |
| Highway Consensus | Nov 2020 | 4 person-weeks | ToB Audit of the Casper Highway Protocol |
| Zerion SDK | Nov 2020 | 4 person-weeks | |
| MobileCoin BFT | Oct 2020 | 4 person-weeks | |
| Graph Protocol | Oct 2020 | 3 person-weeks | |
| Stacks V2 | Sep 2020 | 6 person-weeks | |
| Prysm | Sep 2020 | 6 person-weeks | |
| ETH2.0 Deposit CLI | Aug 2020 | 4 person-weeks | |
| VRFs | Aug 2020 | 2 person-weeks | |
| MobileCoin | Aug 2020 | 4 person-weeks | |
| Ren | Aug 2020 | 4 person-weeks | August Development Update |
| Meld Gold | Jul 2020 | 2 person-weeks | |
| Ledger Filecoin | Jul 2020 | 2 person-weeks | |
| Arbitrum | Jul 2020 | 6 person-weeks | |
| Symbol | Jul 2020 | 4 person-weeks | Symbol from NEM completes Trail of Bits Security Audit |
| Zcoin | Jul 2020 | 2 person-weeks | Lelantus Cryptographic Library Audit Results |
| Magma | Jun 2020 | 1 person-week | |
| Lighthouse | Jun 2020 | 4 person-weeks | |
| Matic | Jun 2020 | 4 person-weeks | |
| tBTC | May 2020 | 6 person-weeks | |
| Chainlink Flux | May 2020 | 4 person-weeks | |
| Zcash | Apr 2020 | 3 person-weeks | Heartwood security assessment results |
| Elrond | Mar 2020 | 6 person-weeks | |
| EOSIO SDK | Jan 2020 | 4 person-weeks | |
| Pixel | Dec 2019 | 4 person-weeks | |
| Paymail Protocol | Nov 2019 | 7 person-weeks | |
| Zcash | Nov 2019 | 6 person-weeks | NU3, Blossom, and Sapling security reviews |
| Zcash | Nov 2019 | 6 person-weeks | |
| NEAR Protocol | Nov 2019 | 8 person-weeks | |
| Status-go | Oct 2019 | 9 person-weeks | |
| Simple Ledger | Oct 2019 | 3 person-weeks | |
| EOSIO 2.0 | Oct 2019 | 8 person-weeks | |
| Oasis Labs | Sep 2019 | 13 person-weeks | |
| AZTEC Protocol | Sep 2019 | 10 person-weeks | |
| Celo | Sep 2019 | 8 person-weeks | |
| Parity Fether | Aug 2019 | 4 person-weeks | |
| Blockchain.com | Aug 2019 | 4 person-weeks | |
| RandomX | Jun 2019 | 2 person-weeks | Monero and Arweave to Validate RandomX |
| ZecWallet | Apr 2019 | 2 person-weeks | |
| Loom | May 2019 | 10 person-weeks | Loom SDK Q1 2019 Security Audit |
| Algorand | Mar 2019 | 14 person-weeks | Success and momentum of Algorand |
| Centrifuge | Mar 2019 | 5 person-weeks | |
| Tendermint | Mar 2019 | 12 person-weeks | |
| ndau | Nov 2018 | 8 person-weeks | ndau Holders Elect Inaugural Policy Council |
| Bitcoin SV | Nov 2018 | 12 person-weeks | |
| Pantheon | Oct 2018 | 8 person-weeks | What we learned from auditing our Ethereum client |
| Building Blocks | Aug 2018 | 7 person-weeks | UN WFP uses Ethereum to aid 100,000 refugees |
| Parity | Jul 2018 | 12 person-weeks | Parity completes Trail of Bits security review |
| Tezori | Jul 2018 | 2 person-weeks | Thanks to @trailofbits for their security review |
| Web3 | Mar 2018 | 2 person-weeks | W3F and TOB hardware wallet security guidance |
| RSKj | Nov 2017 | 6 person-weeks | RSK security audit results |
| Workshop Title | Venue | Date |
|---|---|---|
| Smart Contract Security Automation Workshop | TruffleCon 2019 | Oct 2019 |
| Manticore EVM Workshop | Devcon4 2018 | Nov 2018 |
| Introduction to Smart Contract Exploitation | GreHack 2018 | Nov 2018 |
| DeepState: Bringing Vulnerability Detection Tools into the Dev Cycle | SecDev 2018 | Oct 2018 |
| Smart Contract Security Automation Workshop | TruffleCon 2018 | Oct 2018 |
| Smart Contract Security Automation Workshop | ETH Berlin 2018 | Sep 2018 |
| Manticore EVM Workshop | EthCC 2018 | Mar 2018 |
| Manticore Workshop | GreHack 2017 | Oct 2017 |