Stefan Edwards will be giving a talk at Curry On 2017. His talk is called "On Being a type-heavy Scheme programmer in InfoSec, or, how I learnt to hate everything & love better type systems".
PurelyFunctional.tv: How did you get into Functional Programming?
Stefan Edwards: When I was 10, a friend of my parents gave me a copy of Slackware to use on my computer, because I was interested in learning more about C (I had convinced my grandfather to buy me Borland C/C++). Included in a Slackware install (either an update or the original, I'm old!) was GNU Common Lisp. From there, I hopped into UMB Scheme on SDF (a Unix shell server) when I was about 15, then to OCaml when leaving high school/entering Uni at 17, and it's mainly been back & forth between ML & Scheme ever since.
PF.tv: What is your talk about?
SE: My talk is about my life as someone who breaks, rather than builds, software and systems using functional programming and types. Most "red team" folks utilize other languages such as C, Python, Ruby, or Lua, usually to mixed results. This talk is about what I do to model and understand systems, and then break them.
PF.tv: Who is your talk for?
SE: Blue team responders, system/application architects, anyone interested in infosec and moving away from the status quo of implementation.
PF.tv: What do you hope people will take away from the talk?
SE: That what "hackers" or "red teamers" do isn't really magical or even terribly exciting, but rather a slow, creeping, Eldritch-like horror of discovering errors piled atop errors, and how I like to model that process.
PF.tv: What concepts do you recommend people be familiar with to maximize their experience with the talk?
SE: From the programming side, just basic techniques in FP and types. I'm really trying to keep my work and my talk simple, so that the barrier to entry to anyone from the infosec side coming over is pretty low. On the security side, if they really wanted to read up on things, they could look at the OWASP Top 10 2013/2017, DNS enumeration, NIST 800-115, Filter evasion, &c. Really, I'll be walking from modeling things from the outside in, and seeing how far I can get in a chess timer talk. I don't think I'll be stretching anyone's idea of functional programming (or at least I hope not to be; this talk is meant to be fantastically practical),
PF.tv: What resources are available for people who want to study up before the talk?
SE:
- XSS Filter Evasion Cheat Sheet
- Any basic Scheme/Scala/OCaml resource.
PF.tv: Where can people follow you online?
SE: I'm "lojikil" on most social networks: twitter, mastodon.social, github, lobste.rs.
PF.tv: Are there any projects you'd like people to be aware of? How can people help out?
SE: Nothing currently; I'll probably be releasing some of my work after Curry On. Most of my simpler tools are already on GitHub, but I'd like to eliminate most of those eventually in favor of better tooling.
PF.tv: Where do you see the state of functional programming in 10 years?
SE: I'd like to see more friendly compilers like Elm be the norm; I think it provides the user with a huge amount of feedback that can be useful. Hopefully F*, ATS, Idris, Agda, what-have-you take over for more of the work that we currently do with verification systems; I think my clients would do well to understand not only the types but the flow of data, and making those tools easier to use and more accessible would be wonderful. I honestly hope I'm not finding XSS, SQLi, access control issues, &c. in "modern" applications when I'm in my 40s!
PF.tv: If functional programming were a superhero, what superpower would it have?
SE: I think FP would be Magneto: it's generally neutral as to whether or not you use it for "bad" or "good," but that you can really take apart the raw materials of things, repurpose them, and they just work. Also, as you become more powerful, you can shake the very earth to its core in your quest to do something.