I build tools, usually focused on security or low-level things.
Work
Most recently I worked at Semgrep where I built internal tooling for their security research team:
- I developed Semgrep's new Pro ruleset for detecting vulnerabilities in C and C++ code.
- I built Python tooling that allowed the team to scale the internal rule-writing process for Semgrep Secrets.
- I built a VSCode extension in TypeScript, and prototyped new tools in OCaml, that streamlined the internal rule-writing process for Semgrep Code.
On GitHub's Product Security Engineering team, I worked on a variety of projects:
- Security tooling: I rolled out Dependabot internally at GitHub and later led the team that rolled out Secret Scanning and CodeQL. My talk at Netflix's Scaling Security conference details the lessons I learned rolling out security tooling across large orgs.
- Tool development: I built an automated, distributed fuzzing system in Go to orchestrate libFuzzer and AFL. This allowed GitHub to fuzz projects such as cmark-gfm and tree-sitter.
- Bug Bounty: I triaged submissions to GitHub's Bug Bounty program and worked with SIRT to coordinate investigation work. I also worked with the legal team to add full legal protection for Bug Bounty researchers.
At Oracle/Ksplice, I worked on live patching of security vulnerabilities in the Linux kernel:
- I assessed the security impact of upstream Linux kernel commits, created live-patch updates in C and wrote high-level descriptions of vulnerabilities for customers.
- I built tools in Python to automate the patch creation process, including detecting similar patches across Linux distributions and automatically backporting patches across different kernel versions.
Contact
- GitHub: github.com/philipturnbull
Credits
This site is built with:
- Zola
- a modified version of the Anemone theme
- and the Tiniri Dark color scheme