I'm a computer scientist in Massachusetts with graduate education and 15 years of security-relevant industry experience. I’ve worked hands-on in binary- and source-based static program analysis, symbolic execution, compilers and interpreters, high-performance computing, fuzz testing, application security, secrets detection, and production machine learning systems.
I currently work at Truffle Security doing research and development on secrets detection and all other things secrets-related. Previously, for nearly 4 years, I authored and maintained Nosey Parker, a fast, high-signal secrets detector designed for offensive security engagements.
I love building tools that people use, and I deeply value craftsmanship. I've done my very best work when I’m directly involved with the entire product life, including ideation, development, distribution, and working with users to understand their problems and make them successful.
My professional interests focus on making software better, based on the thesis that computers can be leveraged dramatically more than they are today to aid in constructing software that works as intended. This involves things like building correct-by-construction libraries, scaling program analyses to real software, applying fuzzing and property-based testing to existing code, and integrating machine-based checks into the software development process. Imagine—software that works!
You can find a PDF of my resume here. I’ve also written and presented several peer-reviewed publications over the years.
You can find me on the infosec.exchange Mastadon instance as @bradlarsen.
The majority of my professional work has been in closed-source proprietary codebases. But some has been open-source, including these things:
- I authored and maintained Nosey Parker, a fast secrets detector for offensive security with high signal-to-noise, and its complementary Nosey Parker Explorer TUI app for interactive triage
- I found and fixed a bug in the tokenizer in SQLite that caused it to not work on EBCDIC systems
- I contributed additional fuzz targets to CPython's OSS-Fuzz integration, which found a few bugs
- I found and fixed memory errors in the parser in CPython that also affected its related
typed-astlibrary - I added the
sha1function to DuckDB - I found and fixed several bugs in Manticore, the low-level symbolic execution engine, enhanced its ARMv7 support, and enhanced its Linux filesystem emulation