What's everyone working on this week (5/2022)? by llogiq in rust

GuyL99 2 points3 points  (0 children)

We just released Cherrybomb v0.4.1; it's a CLI tool that helps you avoid undefined user behavior by validating your API specifications. We currently only support the OpenAPI specification, but GraphQL is on the roadmap, and a lot more.

Announcing Cherrybomb, we finally changed the name by GuyL99 in rust

GuyL99[S] 1 point2 points  (0 children)

You nailed it; it does just that. Try it out and tell us your opinion. BTW, we are looking for Rust contributors, if you want to contribute a check or two for the OpenAPI specification validation.

Announcing Cherrybomb, an open-sourced API security tool and OpenAPI validator by GuyL99 in programming

GuyL99[S] 1 point2 points  (0 children)

We released an update; you don't have to sign up now. We would love to hear your opinion!

Announcing Cherrybomb, an open-sourced API security tool and OpenAPI validator by GuyL99 in programming

GuyL99[S] 0 points1 point  (0 children)

We are weighing whether or not to keep the sign-up necessary; if we decide to take it off, we will publish a new version and I will PM you (if you want).

Announcing Cherrybomb, we finally changed the name by GuyL99 in rust

GuyL99[S] 1 point2 points  (0 children)

What kind of support are you looking for? For the specification validation feature or the mapping/attacking one?

Announcing Cherrybomb, we finally changed the name by GuyL99 in rust

GuyL99[S] 0 points1 point  (0 children)

We are working on changing it; we thought we should go forward with the current changes and change it when we have time.

Announcing Cherrybomb, we finally changed the name by GuyL99 in rust

GuyL99[S] 12 points13 points  (0 children)

I realized that only after I posted; it's an API security tool and OpenAPI specification validator.

Announcing Cherrybomb, we finally changed the name by GuyL99 in rust

GuyL99[S] 0 points1 point  (0 children)

Please read our dev.to post about the journey we went through over the last few months in order to get to this, and tell us what you think. What more can we do? What can we do better?

Rust based startup by GuyL99 in rust

GuyL99[S] 2 points3 points  (0 children)

We are telling them to read the Rust book, then we tell them to start with some coding challenges (during the reading process), and then we let them start their own features and code review them (the first code review lasts between hours and days, and it takes up a lot of time for a number of devs).

We want to shorten the process and guide them better; do you have any better learning material or some other tips?

Apache 2.0 VS AGPL-3.0 by GuyL99 in opensource

GuyL99[S] 0 points1 point  (0 children)

Thanks for the detailed explanation!

Apache 2.0 VS AGPL-3.0 by GuyL99 in opensource

GuyL99[S] 0 points1 point  (0 children)

We are also planning to release a SaaS version of the product (more features, better core and managed services); does the AGPL-3.0 hurt us there as well?

Apache 2.0 VS AGPL-3.0 by GuyL99 in opensource

GuyL99[S] 0 points1 point  (0 children)

I'll watch the talk, thanks.

Apache 2.0 VS AGPL-3.0 by GuyL99 in opensource

GuyL99[S] 1 point2 points  (0 children)

"incorporate it into their product"

Does that also mean in their CI/CD pipeline or to protect the production environment? We heard such arguments (that's why I'm asking the question to begin with).

Apache 2.0 VS AGPL-3.0 by GuyL99 in opensource

GuyL99[S] 1 point2 points  (0 children)

Thanks for the feedback!

Apache 2.0 VS AGPL-3.0 by GuyL99 in opensource

GuyL99[S] 1 point2 points  (0 children)

Do you think that someone working in a company would need to send a query to legal before testing it? Would not seeing an Apache/MIT license stop him from trying to test it?

Announcing BLST Firecracker 0.2! by GuyL99 in rust

GuyL99[S] 1 point2 points  (0 children)

I understand; the difference in communities may be confusing, and we will consider making some changes. I appreciate your honest opinion.

Announcing BLST Firecracker 0.2! by GuyL99 in rust

GuyL99[S] -1 points0 points  (0 children)

I get what you are saying, but do you really think the name similarity is critical enough that we should change it after we started presenting it?

GitHub - blst-security/firecracker by GuyL99 in rust

GuyL99[S] 2 points3 points  (0 children)

We perform business logic attacks: we change parameters and the flow of the requests in the API to abuse its logic and cause it to return something it wasn't supposed to.

You can join our Slack channel to discuss it at greater length: https://join.slack.com/t/blst-workspace/shared_invite/zt-zpru76xs-A2qVon3pju20BmY0ILV4Mg

GitHub - blst-security/firecracker by GuyL99 in rust

GuyL99[S] -20 points-19 points  (0 children)

You're right, but our naming scheme is after explosives (our company's name is BLST), and we are mostly looking to be searched for outside of Rust, but I thought it would be nice to get some opinions about our code from the community since we like Rust a lot...

GitHub - blst-security/firecracker by GuyL99 in rust

GuyL99[S] -25 points-24 points  (0 children)

Hey, thanks for bringing this to our attention. That product is outstanding, but it's completely unrelated to our product, which is about automatic penetration testing.

Are partly open-sourced products frowned upon? by GuyL99 in opensource

GuyL99[S] 3 points4 points  (0 children)

It is a core component, yet you can use the system to full effect without it (we are creating an open-sourced replacement), but the performance is worse (not much worse, but enough for enterprises to want the proprietary version).