I am Parsia. I try to do application security most days. I am currently taking a sabbatical and doing some contract work.
2024-Present: Senior Offensive Security Engineer at Microsoft.
2022-2024: Sabbatical. Dev contract work for a static analysis tool that automatically generates an OpenAPI spec from the backend source code. Some security research, mainly static analysis and Rust. See Personal Semgrep Server in Rust, semgrep-rs: Rust crate to interact with Semgrep, and some tree-sitter stuff.
2019-2022: Senior Security Engineer at Electronic Arts. I worked on many internal and external products (mostly videogames) and services. Realistic video of me hacking videogames at work.
2013-2019: Associate Consultant to Senior Security Consultant at Synopsys Software Integrity Group via the 2016 Cigital acquisition.
Major Presentations
- DEF CON 26 Main Track: Tineola: Taking a Bite Out of Enterprise Blockchain
  - https://www.youtube.com/watch?v=xKYIde5jh_8
  - I guess I should add "DEF CON Speaker" to my LinkedIn title (lol).
- DEF CON 28 AppSec Village: localghost: Escaping Browser Sandbox Without 0-Days
Who is Hackerman?
Hackerman is a character from the movie Kung Fury. He is the greatest hacker of all time and can hack people through time. He also hacks with a Nintendo Power Glove like me. His cheesy hacking tutorial.
"I trust this man, he has a power glove."
What is This Website?
This website is my security research and notes. It doubles as my cheat sheet and knowledge base along with parsiya.io. I look up pages or send links to this website at least a few times every day. It's part of my brand. You don't wanna be the other guy from Wham!
What does "Don't be The Other Guy from Wham!" Mean?
Wham! was a popular UK music duo. Most people remember one of its members, George Michael. No one remembers the other guy, Andrew Ridgeley. Write a blog, don't be afraid to promote yourself (if you have the time). It's worth it.
Goals in Progress:
- Bug bounties: I started the bug bounty game really late and mostly only work the occasional Windows desktop application.
  - My first and highest bounty to date: $15,000 from PlayStation
  - HackerOne profile: https://hackerone.com/parsiya
  - Bugcrowd profile (I have one bug there lol): https://bugcrowd.com/parsiya
  - If you have Windows desktop applications and especially videogames in your program, please invite me.
- Go in security: I have replaced Python with Go in my workflow.
- Automation (never done):
  - https://parsiya.net/categories/automation/
- Borrowed Time: My project and note management app
- ESLinter: Burp extension to automatically extract and ESLint JavaScript
Done and Dusted:
- Enterprise blockchain and Hyperledger Fabric security:
  - DEF CON 26 video: https://www.youtube.com/watch?v=xKYIde5jh_8
  - My post on Synopsys' corporate blog: Tineola: Taking a Bite out of Enterprise Blockchain
  - Tineola the tool: https://github.com/tineola/tineola
  - Random posts as I learned: https://parsiya.net/categories/blockchain/
Gone to The Dogs:
- In-memory fuzzing via binary instrumentation (aka traversing arbitrary assembly blobs over and over and over).