EXPERIENCE
Drew Kirkpatrick has 25 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days, he works to improve Information Security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a security researcher at NopSec and Secure Decisions as well as a senior computer scientist for the U.S. Navy.
EDUCATION & CERTIFICATIONS
- Bachelor of Arts, Psychology/Economics, St. Mary’s College of Maryland
- Master of Science, Computer Science, Florida Institute of Technology
- Master of Science, Computer Information Systems, Florida Institute of Technology
- Offensive Security Certified Professional (OSCP)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Mobile Device Security Analyst (GMOB)
PROFESSIONAL AFFILIATIONS
- OWASP
- TOOOL
INDUSTRY CONTRIBUTIONS
Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector, JS-Tap, and various machine learning and penetration testing tool projects.
PASSION FOR SECURITY
Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.
Featured Blogs And Resources
Discover the blogs, analysis, webinars, and podcasts by this team member.
Content Security Policy: Mitigating Web Vulnerabilities by Controlling the Rules of the Game
Defining a Content Security Policy (CSP) for your web application can help harden the application against many common attacks. Mitigating XSS attacks is a…
ProxyHelper2: The Sequel
TL;DR VersionHak5 Pineapples changed their module system in Mark VII's, breaking module compatibility.ProxyHelper2 is a reimplementation of TrustedSec's…
Clickjacking: Not Just for the Clicks
tl;dr versionYou can trick users into "typing" inputs in a clickjacking attack.YouTube demo: https://www.youtube.com/watch?v=VIEZ1aByFvUPoC GitHub Repo:…
JS-Tap: Weaponizing JavaScript for Red Teams
How do you use malicious JavaScript to attack an application you know nothing about?Application penetration testers often create custom weaponized JavaScript…
JS-Tap: Weaponizing JavaScript for Red Teamers
During this webinar, Senior Security Consultant, Drew Kirkpatrick will introduce a new open source tool, JS-Tap, that is designed to allow Red Teamers to…
Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit
In this webinar, we will walk through the development of XSS payloads against a WordPress administrator and test that payload against a live WordPress server.
Understanding What Burp Suite Brings to Your Application Assessment
Join Senior Security Consultant Drew Kirkpatrick as he demonstrates the core functionality of Burp Suite and learn how to get the most out of your engagements…
The Lost Underground
Join TrustedSec Principal Security Consultant Mike Felch for an eye-opening journey into the lost underground, where ingenuity, disobedience, and complexity…
BEC Basics: Your First Step to Thwarting Email Scams
Join Senior Security Consultant Steven Erwin and Security Consultant Caroline Fenstermacher as they cover the basics of BEC analysis, providing participants…
Discovering a Deserialization Vulnerability in LINQPad
Like most red teamers, I spend quite a lot of time looking for novel vulnerabilities that could be used for initial access or lateral movement. Recently, my…
Empower your business through better security design.
Talk directly with our experienced advisory consultants to learn how we can help.
