I build and secure software.
I'm Aaron Hnatiw, also known as "The Hacker Dev." With over a decade of experience in cybersecurity and software engineering, I specialize in developing and securing software. A background in security research and education allows me not only to craft novel security solutions myself, but also to equip others with the knowledge and tools to do the same.
Teaching you how to develop custom cybersecurity tools. With over a decade of experience in building high-performance security tooling at every scale imaginable, I use real world examples and production code to teach you how to build your own security tools. By the end of the training, you'll have built your very own security tool that you can use right away.
Working on a novel approach to security testing that scales web application and API vulnerability identification using machine learning algorithms.
Toronto Area Security Klatch, Toronto (2024)
"The Art of Video Game Hacking" - How to hack video games, as a way to learn advanced security techniques. From beginner to advanced, this talk includes a plethora of references and real demos.
DerbyCon, Louisville (2017)
"Hacking Blockchains" - A talk about blockchain and cryptocurrency security.
ToorCon, San Diego (2017)
"How To Move Mountains" - How to develop a modern security program, in the world of "DevSecOps". This talk highlights modern security controls and practices that integrate with CI/CD pipelines, cloud deployments, and rapid development practices.
Hack In Paris, Paris, France (2017)
"Beyond OWASP Top 10" - A follow-up to the NolaCon talk of the same name, covering a different set of web vulnerabilities.
CircleCityCon, Indianapolis (2017)
"Security Training: Making Your Weakest Link The Strongest" - Talk about how to provide effective security training, using real-world experience as an educator and a practitioner.
NolaCon, New Orleans (2017)
"Beyond OWASP Top 10" - Talk about common but impactful web vulnerabilities not listed in the OWASP Top 10.
Hackfest, Québec City (2016)
"Racing the web" - Talk about race condition vulnerabilities, including an open source tool release.
Damn Vulnerable Golang (2024)
A deliberately vulnerable Go application for education and testing purposes.
Cartograph (2023-present)
Advanced proxy that maps HTTP networks and software supply chains. Designed to aid in cybersecurity assessments and research through high-performance data collection and analysis. Written in Go.
Race The Web (2017)
A tool that tests for and identifies race condition vulnerabilities in web applications and APIs. Includes a RESTful API to integrate it into a CI/CD pipeline. Written in Go.
Input Field Finder (2017)
A web crawler that identifies and logs all input elements found, in order to identify potential vulnerability sources. Written in Go.
Rogue MAC Check (2016)
Identifies rogue wireless access points by comparing a file of authorized BSSIDs (MAC addresses of the wireless access points) against a list of discovered BSSIDs. Written in Go.
USB Detector (2015)
A blue team tool to help detect physical attacks using USB devices. It detects USB storage device insertion/removal, logs events, and allows email alerts. Written in C#.
Anchor Redirect (2013)
A proof-of-concept Google Chrome extension that exploits a flaw in JavaScript that allows anchor elements to be changed AFTER the user clicks on them. This vulnerability has since been fixed. Written in JavaScript.
CISSP - Certified Information Systems Security Professional
Issued by: ISC2
CPT - Certified Penetration Tester
Issued by: IACRB
Contracted to provide specialized software engineering expertise for a new security platform. Projects included porting custom macOS security agent software to Windows, and developing static analysis software for the Oneleet security and compliance platform.
Founder of a security company that provides web and API security tools, including Infinity Insights (which has now been released as an open-source project called Cartograph).
I focused on security automation at ecobee, an IoT company specializing in smart home devices, where I architected various software solutions designed to protect millions of endpoints, including static code analysis and dynamic/runtime analysis of internet-facing web applications and APIs. These solutions were designed to operate at a massive scale, with a focus on performance and reducing noise/false positives.
Responsible for the security of all software applications for Canada's largest bank. That includes everything from the mobile app and the various web-based banking options, back through the APIs to the mainframes. There was a lot that we did that I can't talk about, but one key overarching initiative that I was especially proud of was the integration of security testing into the CI/CD pipeline. We were ahead of our time, especially as a bank, and implemented some really useful security controls that didn't slow developers down.
Conducted novel security research and shared findings through a variety of channels, including blog posts, conference presentations, and podcasts. Research topics included web application and API security, DevSecOps, blockchain security, and more.
Developed and taught a course on application security to third-year college students studying computer programming. The course itself was very hands-on, with a practical lab assignment every week, and a final assignment where students had to find and submit a vulnerability to a bug bounty platform (which I'm proud to say every student managed to accomplish).
Delivered strategic security consultancy services for companies of all sizes and geographies. Services included developing security programs, performing penetration testing, and providing advice on security architecture and design.
"I have not failed. I've just found 10,000 ways that won't work."
- Thomas A. Edison
Software that maps dependencies across web assets and identifies critical components for prioritized testing and patching. Included an advanced machine learning algorithm to automatically classify and group similar web assets, with an interactive visual interface. Marketing and selling to enterprise meant that the sales cycles were long, and as a bootstrapped startup, this became untenable. This software has been migrated to the open source project called "Cartograph".
2022 - 2024
A "plug-and-play" Wi-Fi router with advanced parental controls and security features. Aimed to keep kids safe online, the project reached the prototype phase with strong market interest. However, the venture came to a halt as built-in parental controls became standard in devices offered by major tech companies, rendering a separate solution less necessary.
2023
What initially started as a new user interface for vulnerability analysis in web applications (using a novel algorithm I invented that converted the DOM into a live 3D object) gradually evolved into a platform for immersive VR world development on the web. After a sizeable investment commitment for this platform fell through, I was forced to shelve this software until a later time.
2022
A high-performance web proxy that created an asset inventory and passively identified security vulnerabilities through a signature-based approach. Although initially successful with bug bounty hunters and penetration testers, circumstances required a pivot back to full-time employment. However, much of the work I've done since then has leveraged the tools and techniques I developed as a part of this solution, allowing me to move well beyond the initial scope of this fledgling software.
2019 - 2020
Diploma, Computer Programmer
2012 - 2014
Governor General's Academic Medal - Awarded for achieving a perfect score across all courses in my final semester and near-perfect grades in all prior semesters, marking me as the top academic performer in my graduating class.
Diploma, Computer Technology/Computer Systems Technology
2009 - 2011
Bachelor of Science, Computer Science
2017
Note: Completed over 50% of required program credits.
Bachelor of Arts, Criminology
2008 - 2009
Note: Discovered cybersecurity and transferred to Algonquin College after one year.