Justin Steven
Independent Infosec Professional
Justin is an independent AppSec professional, specialising in Application Security Review and Source Code Review.

He has discovered and disclosed remote code execution vulnerabilities affecting software such as Ruby Version Manager (RVM), Visual Studio Code and Metasploit.

He is the author of "Do Stack Buffer Overflow Good" (a popular introductory guide to stack buffer overflow exploitation on Windows), an avid bug bounty hunter and CTF competitor, and in his spare time he live-streams the exploitation of binary "pwnables" on

The IDEs of March
Technical Level (3 being the highest score): 3

Software is "eating the world", and in the era of DevOps, those who are cutting the code have privileged access to software delivery pipelines and production systems. A developer's workstation is a fantastic place for an attacker to "be" in 2019.

We're relentlessly and rightfully focused on secure design, code quality and killing bugs. Are we hearing the call to protect the people and systems responsible for building, delivering and operating our squeaky clean code?

Through a in-depth breakdown of security bugs in client-side software development tooling (Ruby Version Manager and Visual Studio Code), and some crazy arm-waving and posturing about the CI/CD's and the Jenkinses, we'll explore the insecurities of software development software. How might an attacker gain control over a developer's workstation? What might they do once they pop shell? How can you discover your own bugs in software development software? And what should we do to close this gap and provide complete end-to-end security throughout the software delivery process?

Presentation video can be found HERE