
Hi, I’m Sam!
Developer
and web security enthusiast.
Practical web application security for developers.
Pentesting workflows and security methodology.
My skills
Web pentesting
I use Burpsuite Pro and my knowledge of OWASP top 10 vulnerabilities to test applications for vulnerabilities.
Part-time bug hunting has taught me how to map an attack surface and professionally report findings.
Security Champion
I manually test for security vulnerabilities early in the SDLC, create threat models, run Fortify scans, and keep myself educated.
Quality Engineer
I test the functionality, accessibility, and performance of applications. I write automated tests using Playwright.
Developer
I fix bugs, write production code in TypeScript, and lead my own projects. I give Knowledge transfer sessions and work closely with my scrum team.
Biography
I specialize in developing and testing agentic applications at ServiceNow. With experience as both a QE and Developer, I have a unique perspective that allows me to write quality code. As my team’s Security Champion, my role also includes incorporating security best practices early in the pipeline.
With a focus on web application security, I continually study real-world vulnerabilities and testing techniques. On the side, I bug hunt and share what I learn through detailed blog posts.
Blog
-
Recently, I built an API using Node and express. Recently, I built an API using Node.js and Express. Building an API isn’t particularly novel, but that wasn’t my goal. Instead, I wanted to build an application I could be proud of from a security perspective. I wanted to make it as secure as possible —
-
A while ago, I did a writeup on Cicada. In this post, I’ll share my thought process and what I’ve learned solving EscapeTwo. EscapeTwo is the second box in the Attacking Active Directory Track on Hack The Box. So, it’s only natural that I stick with that theme. Enumeration Scanning Every enumeration starts with nmap.
-
I failed my first attempt at the Burp Suite Certified Practitioner Exam (BSCP). It definitely hurt and was a blow to my ego. Especially after having studied so much for months on end. For those who don’t know, the BSCP is an exam based on Portswigger’s Web Security Academy training. It’s 100% practical and tests
Get updates
The latest on how you can leverage your developer knowledge to applied web pentesting.