I’ve been walking with this idea for a while: I found that it still makes sense to contribute 𝐧𝐨𝐧-𝐀𝐈-𝐠𝐞𝐧𝐞𝐫𝐚𝐭𝐞𝐝 𝐤𝐧𝐨𝐰𝐥𝐞𝐝𝐠𝐞 to the public domain, for a very simple reason – it now works not only to help humans, but to 𝐭𝐞𝐚𝐜𝐡 𝐀𝐈 𝐭𝐡𝐚𝐭 𝐬𝐞𝐫𝐯𝐞𝐬 𝐡𝐮𝐦𝐚𝐧𝐬.

Also, it kinda overlaps with my frustration around edge cases when LLMs don't help, but rather 𝐩𝐥𝐚𝐲 "𝐜𝐨𝐧𝐟𝐢𝐝𝐞𝐧𝐭𝐥𝐲 𝐰𝐫𝐨𝐧𝐠".

I use AI daily, it boosts my productivity. Until it doesn't.

Look at this trivial case: try searching the "cast send blob", and you'll find my self-answered StackOverflow post at the top.

Why is it at the top, and why is it self-answered?

That post exists for a simple reason: AI failed me on a trivial edge case, wasting a few hours ⏳ of engineering time.

Once I found a solution, I decided to contribute to public knowledge, thus posting a self-answered solution, allowing the search engine to index it and filling the "knowledge gap".

But again...

Why did the issue appear at the first place?

Fast forwarding: Nobody asks publicly → Nobody answers → AI knows nothing.

Once the article appears publicly, Google indexes it, and it quickly appears at the top. Now, AI picks it up and even partially uses my wording.

Public Knowledge Is Decaying

What happens is that in the current circumstances, when everybody is locked in their AI microcosms, information stops recycling through the public domain.

It's well-known that "StackOverflow is dying" (as for 2026), etc.

I'm trying to see it differently.

As the internet floods with AI-generated code, the "Solved questions" on StackOverflow are transitioning from "Help Desk answers" to "Ground Truth." Human validation is becoming the premium service.

(from the article here: https://gist.github.com/tanaikech/30b1fc76da0da8ff82b91af29c0c9f83)

The incentive to contribute to public knowledge has shifted. Now it is less like helping people directly and more like feeding future models that everyone will use.

AI Wastes Engineering Time at the Edges

1. I spent over an hour ⏳ asking different LLM models from different vendors how to send a blob via the cast tool. All models answered confidently – and all were wrong. They invented CLI flags, hallucinated parameters, and ignored requests for up-to-date documentation. The real solution took minutes ⏳: I stopped prompting and read cast --help carefully (and then I posted that self-answer).
2. The other day, a similar thing happened with LogQL (a query language for Grafana Loki). After an hour or two ⏳ of back-and-forth with AI, I gave up, opened the official docs, and composed a proper LogQL query myself.

This happened to me a few times.

LLMs fail similarly at edge cases.

Edge Cases Break LLM Reasoning

LLMs are trained on public texts (particularly). When edge cases aren't documented, models struggle to find correct solutions and often hallucinate non-working answers overconfidently.

This failure mode is kind of invisible. If you already know the tool or the domain well, you'll notice when the answer smells wrong and go read the docs. If you don't, you might just keep trying random variations of a hallucinated solution, assuming you're the one missing something.

That's not great, especially for less popular tools, smaller projects, or newer ecosystems. It's wastes engineering time, and it adds up. The problem isn't that the models don't know. It's that they don't signal uncertainty. The former might be fixable – models can be taught to say "I don't know". The dependency on public knowledge is a different thing, though. It's not easy to "fix".

The conclusion here is that both me and AI end up relying on static non-conversational public knowledge.

In a way, this brings us back to a familiar place: contributing to public knowledge suddenly matters. It feels like contributing to the public domain matters not only to humans but also to AI serving humans.

ʕ◔ϖ◔ʔ go f(x) = spawn(f(x)) 🦀

I had a backend project of a microservice that needed to be implemented with asynchronous Rust. At that time, there was a similar Go project, so I kinda got the chance to look at async Rust through the lens of Go's approach.

There is something cozy about Go's goroutines: you just use the go keyword, and it magically runs a function concurrently on a lightweight "green thread".

Meanwhile, with asynchronous Rust, everything seems somehow god damn complicated.

However, my point is that it only seems complicated in Rust.

There are 2 reasons:

1. The overall Rust complexity. It may complicate thinking and a learning curve.
2. The way how the asynchronous Rust is studied.

I mean, a typical Rust guide, such as the async book, quickly dives you into an in-depth exploration of async types and event loop implementation. It's the case when you can't see the forest behind the trees. In contrast, a typical Go guide skips the intricate details.

So, I think it can be really helpful - seeing something complex through the lens of simplicity.

Let’s get straight to the point. I suggest the following mind map:

The Rust's spawn method may appear from different runtime crates, e.g. tokio::spawn, or async_std::task::spawn, however, the core concept remains the same. The mental model of running the "green threads" in Go ("go the func!") maps closely to Rust’s async tasks spawning ("spawn the task!").

ʕ◔ϖ◔ʔ go the func = spawn the task 🦀

Also, there are many similar instruments in both languages like synchronization channels and the select notion.

go -> spawn

Let’s look at the Go's concurrency example and compare it to its Rust equivalent.

package main

import (
	"fmt"
	"time"
)

func say(s string) {
	for i := 0; i < 5; i++ {
		time.Sleep(100 * time.Millisecond)
		fmt.Println(s)
	}
}

func main() {
	go say("world")
	say("hello")
}

The program creates a lightweight green thread (goroutine) to execute say("world") concurrently while the main function continues with say("hello").

What is the Rust equivalent?

use tokio::time::{sleep, Duration};

async fn say(s: &str) {
    for _ in 0..5 {
        sleep(Duration::from_millis(100)).await;
        println!("{s}");
    }
}

#[tokio::main]
async fn main() {
    tokio::spawn(say("world"));
    say("hello").await;
}

say("world") runs concurrently using tokio::spawn while the main function continues with say("hello"). This causes "hello" to print five times while "world" prints concurrently, resulting in interleaved outputs.

Let's compare them closely.

Go

go say("world")

Rust

tokio::spawn(say("world"))

A similar async-std approach would look like this:

async_std::task::spawn(say("world"));

💡 spawn(f(x)) starts a new asynchronous task managed by an asynchronous runtime.

🚩 The example is simplified: the spawned task should be awaited in the main() function; otherwise, the program will exit as soon as say("hello") in main() finishes its job. The example works because main() gives the spawned task enough time by printing 5 lines.

Rust syntax is more explicit.

Also, with Rust, a lot of "meta-thinking" is involved: what runtime to choose, and are there any compatibility issues? That's why mental simplification helps to get through all these complications.

The Rust syntax looks a little bit more scary. But it only seems scary.

• #[tokio::main] annotation marks async main to be executed by the tokio runtime.
  • In Go, there is only one option: a built-in runtime (even loop), while in Rust, developers have to choose among many options.
• async in front of main is needed to mark an async context of execution:
  • In Go this detail is hidden and managed by the language itself, but in Rust, there is a clear distinction between a synchronous execution and execution in an asynchronous context.
• tokio::spawn specifies that the spawner belongs to the tokio crate.
  • I prefer the explicitness of the spawn invocation via the "crate::spawn" notation because multiple crates may provide their own spawn function. For example, ntex::spawn can coexist with tokio::spawn - they are cross-compatible but behave slightly differently.

select -> tokio::select!

Let's look at another asynchronous technique: select.

ʕ◔ϖ◔ʔ select = tokio::select! 🦀

select allows to wait on multiple concurrent branches. The basic pattern in Go and Rust is the following:

loop { // infinitely
    select { // only one of
        case #1: sending a message
        case #2: waiting for a message
        case #3: doing something async
     }
}

Let's take a concurrent Go's Fibonacci example.

func fibonacci(c, quit chan int) {
	x, y := 0, 1
	for {
		select {
		case c <- x:
			x, y = y, x+y
		case <-quit:
			fmt.Println("quit")
			return
		}
	}
}

A Rust equivalent looks as follows (pay attention to the comment lines!):

async fn fibonacci(c: mpsc::Sender<i32>, mut quit: mpsc::Receiver<()>) {
    let (mut x, mut y) = (0, 1);

    loop { // for
        tokio::select! { // select
            _ = c.send(x) => { // case c <- x
                (x, y) = (y, x + y);
            }
            Some(_) = quit.recv() => { // case <-quit
                println!("quit");
                return;
            }
        }
    }

Rust code is more verbose and explicit, but functionally identical. Here's the visual recap:

Simplify the Mental Model

A straightforward mental model can ease the learning curve, making a Rust developer competitive in the backend development domain. For instance:

1. go f(x) = spawn(f(x))
2. async fn is just a "Future", and "Future" is just a state machine
3. Rust channels are as easy as in Go
4. async block async {} is my friend :)
5. etc.

Async programming in Rust doesn’t have to be any more intimidating. With the right framing, it can be just as accessible and intuitive.

Here’s a quick recap of my 2024 in code 🚀, thanks to git-wrapped.com!

GitHub: https://github.com/fadeevab/
🌟 Universal Rank: Top 5%
🔥 Top Language: Rust
⭐ Stars Earned: 1,383
🏆 Total Commits: 566
🎉 Most Active Month: November

😉 GitHub doesn't track analytical and design activity unless you submit it.

Now, I'm dealing with EMV blockchains, Web3, and multi-language environments. More of a backend, DevOps, meshes, RPCs, etc. A bit more of async Rust 🦀. Let's see what the next year brings us.

Either way, my cliclack (~1k⭐) shows traction. I can't believe it's been over a year since I published it as a side activity:

My good-old cocoon feels good as well:

Grateful for all the challenges and growth this year. Here's to even more in 2025!

Let's compare 4 different command line prompt crates by running their basic examples.

cliclack

Crate: https://crates.io/crates/cliclack
GitHub: https://github.com/fadeevab/cliclack

cliclack is a "Clack for Rust" (clone of npm @clack/prompts).

How to run:

cargo run --example basic

Result:

Theme support:

Sample code:

intro("create-my-app")?;

let path: String = input("Where should we create your project?")
    .placeholder("./sparkling-solid")
    .validate(|input: &String| {
        if input.is_empty() {
            Err("Please enter a path.")
        } else if !input.starts_with("./") {
            Err("Please enter a relative path")
        } else {
            Ok(())
        }
    })
    .interact()?;
    
let number: u8 = input("Input a number (not greater than 256)").interact()?;

outro("You're all set!")?;

dialoguer

Crate: https://crates.io/crates/dialoguer
GitHub: https://github.com/mitsuhiko/dialoguer

How to run:

cargo run --example input

Result:

Sample code:

let mail: String = Input::with_theme(&ColorfulTheme::default())
    .with_prompt("Your email")
    .validate_with({
        let mut force = None;
        move |input: &String| -> Result<(), &str> {
            if input.contains('@') || force.as_ref().map_or(false, |old| old == input) {
                Ok(())
            } else {
                force = Some(input.clone());
                Err("This is not a mail address; type the same value again to force use")
            }
        }
    })
    .interact_text()
    .unwrap();

promptly

Crate: https://crates.io/crates/promptly
GitHub: https://github.com/anowell/promptly

How to run:

cargo run --example basic

Result:

Sample code:

use promptly::{prompt, prompt_default, prompt_opt};

// Prompt until a non-empty string is provided
let name: String = prompt("Enter your name")?;

// Prompt for other `FromStr` types
let age: u32 = prompt("Enter your age")?;

// Prompt for optional paths with path completion. Returns `None` if empty input.
let photo: Option<PathBuf> = prompt_opt("Enter a path to a profile picture")?;

// Prompt Y/n with a default value when input is empty
let fallback = prompt_default("Would you like to receive marketing emails", true);

// Prompt for a url using the url crate (requires either 'nightly' or 'url' feature)
let website: Url = prompt("Enter a website URL");

inquire

Crate: https://crates.io/crates/inquire
GitHub: https://github.com/mikaelmello/inquire

How to run:

 cargo run --example expense_tracker --features="date macros"

Result:

Sample code:

let _payee = Text::new("Payee:")
    .with_validator(required!("This field is required"))
    .with_autocomplete(&payee_suggestor)
    .with_help_message("e.g. Music Store")
    .with_page_size(5)
    .prompt()?;

let amount: f64 = CustomType::new("Amount:")
    .with_formatter(&|i: f64| format!("${i}"))
    .with_error_message("Please type a valid number")
    .with_help_message("Type the amount in US dollars using a decimal point as a separator")
    .prompt()
    .unwrap();

Safe Skies

Join Timothy Snyder’s fundraiser! 👇 Safe SkiesJoin Timothy Snyder’s fundraiser! The history professor is raising funds towards a situational alert system for Ukraine’s Air Defence Forces. Protect Ukrainian towns from terrorist attacks.

Alexander Fadeev's BlogAlexandr Fadeev

My terminal environment is usually customized as follows:

1. starship for a nice command-line prompt,
2. exa for a nice directory listing instead of original ls,
3. nerdfonts for beautiful glyphs in the terminal application,
4. Windows Terminal, as a terminal application for setting up all the beauty.

bash is the main shell I usually work in.

👉 All instructions below work in a Linux environment including SSH sessions.

Terminal emulator allows rendering custom fonts and backgrounds (like those little cartoonish bulbs 💡). I use Windows Terminal as a terminal application (terminal emulator) in Windows for simultaneous access to different terminal environments and shells in different tabs, I mainly use two environments:

1. Ubuntu in Windows Subsystem for Linux (WSL2) with bash shell.
2. Windows environment enabled with pwsh (PowerShell).

There are plenty of terminal emulators in different Linux distros, e.g. GNOME Terminal on Ubuntu, they can be configured to render different fonts and backgrounds.

💡 Just remember:

1. backgrounds and the fancy fonts 🎨 are in the terminal settings (GNOME, Windows Terminal)
2. while the command prompt (🚀 starship) is in the shell configuration (bash, fish, pwsh).

🚀 Starship

Starship is used for a nice-looking command prompt.

How to Install

The following steps work in any Linux, you can even quickly beautify your SSH session on the remote host!

sudo apt install gcc cmake

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"

cargo install starship
eval "$(starship init bash)"

Add the next line into ~/.bashrc:

 eval "$(starship init bash)"

Don't forget to apply.

source ~/.bashrc

How the command prompt finally looks:

Root User

👮‍♂️ Additionally, set up starship for the root user.

Change a shell user to be a root user.

sudo su

vi ~/.bashrc

Add the following line into /root/.bashrc (it's literally ~/.bashrc for the root user... and don't forget to change the "<user>" part of the command line below - this is the non-root user you came from).

eval "$(/home/<user>/.cargo/bin/starship init bash)"

Run the command above in the command line or apply the config:

source .bashrc

How it finally looks for the root:

SSH

🌎 You can install starship on the remote node within an SSH session.

Just open an SSH session (like ssh alex@dsn-play-alex-01 in my case), and then follow the instructions above (rustup install , cargo install starship, etc.) and you will able to see something as follows after ssh login (command prompt shows you have a remote connection to some host):

🔧 Starship bash config

It's about how exactly Starship is going to render the command prompt.

cat ~/.config/starship.toml

[shlvl]
disabled = false
threshold = 2
symbol = "\uf07d"

[shell]
disabled = false
bash_indicator = ""

[os]
disabled = false
format = "$symbol "
symbols.Ubuntu = ""

• shlvl config makes it show the number of a shell level, e.g. it shows "↕️ 1" when running under mc (Midnight Commander).
• shell module helps identify a shell that is currently in use (bash, fish, pwsh).
• os module shows the operating system.

The last 2 options are needed because I can open a tab with PowerShell, and, with properly configured Starship, it allows me to recognize shells between each other quickly.

PowerShell Installation Notes

You can find instructions here: https://starship.rs/guide/#🚀-installation

The biggest challenge is to find where is the PowerShell config. Mine was here: C:\Users\user\OneDrive\Documents\PowerShell\Microsoft.PowerShell_profile.ps1.

Here is its content:

# Starship
Invoke-Expression (&starship init powershell)

Meanwhile, the Starship config is here: $HOME/.config/starship.toml.

🔧 Starship PowerShell pwsh config

cat ~\.config\starship.toml

[shell]
disabled = false
powershell_indicator = ""
cmd_indicator = ""

[os]
disabled = false
format = "$symbol "
symbols.Windows = ""

How It Looks in Tabs

In the following example, I can quickly distinguish OS and shells via nice glyphs:    .

  Tab #1 can be a WSL2 Ubuntu/Linux bash terminal:

  Tab #2 can be a PowerShell pwsh terminal:

🦀 =exa=

exa is a modern replacement for ls written in Rust.

How to install:

sudo apt install exa

Modify ~/.bashrc config. If the ls alias is already defined there, then substitute it with the following line:

alias ls='exa --icons -F -H --group-directories-first --git -1'

• --icons shows the icons (I want a fancy look!)
• -F type indicators
• -H hard links
• --group-directories-first list directories before other files
• --git list each file's Git status
• -1 show a table listing, 1 entry by line

And ll is usually already defined like this:

alias ll='ls -alF'

📺 Windows Terminal

Finally, a proper setup of the Windows Terminal is needed to fully enable starship and exa showing fancy fonts (e.g. "nerd" glyphs , ) on a custom background (💡) with support of different terminal environments (e.g. bash, pwsh).

1. Install the Windows Terminal from the Microsoft Store: https://apps.microsoft.com/store/detail/windows-terminal/9N0DX20HK701

2. Install Nerd Fonts. Download a "FiraCode Nerd Font": https://github.com/ryanoasis/nerd-fonts/releases/download/v2.3.3/FiraCode.zip

   Find the Fira Code Retina Nerd Font Complete Mono Windows Compatible.ttf inside of the archive and install it (double click).

   💡 You can find more nerd fonts at nerdfonts.com.

   

3. Set the Campbell color theme and FiraCode NFR Retina font, installed in the previous step:
   

4. Download my bulbs background (Right Click -> Save Image As...):
   
   And set it in the Windows Terminal:
   

Voila!

My final setup is shown in the initial screenshot at the beginning of the article:

Visual Studio Code

For the VSCode the mentioned nerd fonts look pretty bold, so I use another nerd font: Hasklug.

1. Download it from the nerdfonts.com.
2. Find a HasklugNerdFontMono-Light.otf inside.

Go to code's Settings > Editor: Font Family and add 'Hasklug Nerd Font Mono'.

GitHub repo: https://github.com/fadeevab/design-patterns-rust

GitHub - fadeevab/design-patterns-rust: Rust examples for all 23 classic GoF design patterns, and even a little more

Rust examples for all 23 classic GoF design patterns, and even a little more - GitHub - fadeevab/design-patterns-rust: Rust examples for all 23 classic GoF design patterns, and even a little more

GitHubfadeevab

My repository contains unique Rust examples covering all 23 GoF classic design patterns. It already has ~100⭐.

The repository contains an exhausting list of design pattern examples in Rust. I rigorously worked on each pattern to showcase a good meaningful way to apply each of them specifically in Rust.

I wanted to challenge the Rust language specifically on whether it can adapt literally any OOP concept existing at the moment, and it passed the challenge.

Previously, I highlighted the Mediator pattern in detail and some creational patterns.

There are examples with visual output, like Flyweight: drawing a forest of million trees 🌳.

State is another worth mentioning pattern: let's build a Music 📼 Player!

Some patterns are really easy to implement in Rust, mostly creational ones, e.g. Prototype, Static Creation Method.

The Mediator behavioral pattern is the hardest to implement with Rust, considering Rust's specific ownership model with strict borrow checker rules.

Interestingly, in Rust:

1. Almost all structural and creational patterns can be implemented using generics, hence, static dispatch.
2. Most behavioral patterns can NOT be implemented using static dispatch, instead, they can be implemented only via dynamic dispatch.

A well-thought pattern classification fits the Rust language design perfectly as "behavior" is dynamic in nature and "structure" is static.

Enjoy!

🧠 Previously, I wrote about the most difficult-to-implement software design pattern in Rust: Mediator pattern in Rust.

🧐 See all pattern examples here: 100% Unique Idiomatic Examples of All Design Patterns in Rust.

Now, let's talk about what is, in my opinion, the easiest patterns in Rust (from 23 classic design patterns).

Guess what the pattern is this:

impl Circle {
    pub fn new(radius: u32) -> Circle {
        Self { radius }
    }
}

You likely wrote this code a million times in Rust.

🌀 It is... 🥁🥁🥁 A Static Creation Method (a little relative of a Factory Method).

There is a notion of "constructor" in a typical OOP language which is a default class method to create an object. Not in Rust: constructors are thrown away because there is nothing that couldn't be achieved with a static creation method.

In a typical constructor idiom, there is no way to gracefully handle a construction error, there are also limitations about the complexity of the construction code. On the other hand, there could be any number of static methods with any kind of complex logic, e.g. loading from a database.

There are a few ways to define a static creation method.

1. A default() method from Default trait for construction with no parameters. Use either default #[derive(Default)], or a manual trait implementation.

#[derive(Default)]
struct Circle;

let circle = Circle::default();

2. A handwritten new() method for a custom object creation with parameters:

impl Rectangle {
    pub fn new(width: u32, length: u32) -> Rectangle {
        Self { width, length }
    }
}

let rectangle = Rectangle::new(10, 20);

3. A from_ prefixed method for constructing from a custom object (you can use any name, however, it's kind of a naming convention).

let circle = Circle::from_shape(shape, 10, 20);

4. Implement a From<> trait for constructing from a known type.

impl From<PriceData> for FormattedData {
    fn from(price: PriceData) -> FormattedData {
        FormattedData {
            text: format!("{} {}", price.one, price.two),
        }
    }
}

let formatted_data = price_data.into();

Alright!

Now, guess what the pattern is represented by the following snippet:

#[derive(Clone)]
struct Rectangle {
    width, height: u32,
}

let rectangle1 = Rectangle::new(10, 20);
let mut rectangle2 = rectangle1.clone();
rectangle2.set_width(50);

🌀 It is a Prototype, a creational pattern that allows you to copy existing objects without depending on their types.

Rust has standard Clone implementation (via #[derive(Clone)]) for many types which makes Prototype easy and seamless to use.

The point is that some patterns must not be programmed in a too overcomplicated manner having convenient instruments coming with language. And it's cool having a piece of knowledge about 2 creational design patterns "out-of-the-box" with knowing Rust.

As an outro, let me put a quote about the topic from Linkedin (by Michał Isalski):

"Design patterns are methods of achieving features that are not built-in into the language itself. In the old days there was a "Variable" design pattern, used in ASM. Guess what - now all languages have that built-in. The same case is shown here - Rust makes some patterns into no-ops, while others (memory-unsafe ones) into hard-to-achieve.

Additional thanks to Oliver Marc S. for expanding the topic of the static creation method.

👉 A code and a full explanation are here: https://github.com/fadeevab/mediator-pattern-rust  (a Train Station example).

By definition, Mediator restricts direct communications between the objects and forces them to collaborate only via a mediator object. It also stands for a Controller in the MVC (Model-View-Controller) pattern.

Problem	Solution

Problem

A common implementation in object-oriented languages looks like the following pseudo-code:

Controller controller = new Controller();

// Every component has a link to a mediator (controller).
component1.setController(controller);
component2.setController(controller);
component3.setController(controller);

// A mediator has a link to every object.
controller.add(component1);
controller.add(component2);
controller.add(component2);

💥 Now, let's read this in Rust terms: "mutable structures have mutable references to a shared mutable object (mediator) which in turn has mutable references back to those mutable structures".

Basically, you can start to imagine the unequal battle against the Rust compiler and its borrow checker. It seems like a solution introduces more problems:

1. Imagine that the control flow starts at point 1 (Checkbox) where the 1st mutable borrow happens.
2. The mediator (Dialog) interacts with another object at point 2 (TextField).
3. The TextField notifies the Dialog back about finishing a job and that leads to a mutable action at point 3... 💥 Bang!

The second mutable borrow breaks the compilation with an error (the first borrow was on point 1).

In Rust, a widespread Mediator implementation is mostly an anti-pattern.

Existing Primers

You might see a reference Mediator examples in Rust like this: the example is too much synthetic - there are no mutable operations, at least at the level of trait methods.

The rust-unofficial/patterns repository doesn't include a referenced Mediator pattern implementation as of now, see Issue #233.

Nevertheless, we don't surrender.

🎌 Cross-Referencing with Rc<RefCell<..>>

There is an example of a Station Manager example in Go. Trying to make it with Rust leads to mimicking a typical OOP through reference counting and borrow checking with mutability in runtime (which has quite unpredictable behavior in runtime with panics here and there).

👉 That's how it works: mediator-dynamic

🏁 I would recommend this approach for applications that need multi-threaded support. (Also, it's a good reference of how the Rust compiler could be tricked).

📄 Real-world example: indicatif::MultiProgress (mediates progress bars with support of being used in multiple threads).

Key points:

1. All trait methods look like read-only (&self): immutable self and immutable parameters.
2. Rc, RefCell are extensively used under the hood to take responsibility for the mutable borrowing from compiler to runtime. Invalid implementation will lead to panic in runtime.

⤵ Top-Down Ownership

The key point is thinking in terms of OWNERSHIP.

1. A mediator takes ownership of all components.

2. A component doesn't preserve a reference to a mediator. Instead, it gets the reference via a method call.

// A train gets a mediator object by reference.
pub trait Train {
    fn name(&self) -> &String;
    fn arrive(&mut self, mediator: &mut dyn Mediator);
    fn depart(&mut self, mediator: &mut dyn Mediator);
}

// Mediator has notification methods.
pub trait Mediator {
    fn notify_about_arrival(&mut self, train_name: &str) -> bool;
    fn notify_about_departure(&mut self, train_name: &str);
}

3. Control flow starts from fn main() where the mediator receives external events/commands.

4. Mediator trait for the interaction between components (notify_about_arrival, notify_about_departure) is not the same as its external API for receiving external events (accept, depart commands from the main loop).

let train1 = PassengerTrain::new("Train 1");
let train2 = FreightTrain::new("Train 2");

// Station has `accept` and `depart` methods,
// but it also implements `Mediator`.
let mut station = TrainStation::default();

// Station is taking ownership of the trains.
station.accept(train1);     
station.accept(train2);

// `train1` and `train2` have been moved inside,
// but we can use train names to depart them.
station.depart("Train 1");
station.depart("Train 2");
station.depart("Train 3");

👉 A Train Station example without Rc, RefCell tricks, but with &mut self and compiler-time borrow checking: https://github.com/fadeevab/mediator-pattern-rust/mediator-static-recommended.

👉 A real-world example of the approach: Cursive (TUI).

At least yet, what is not covered is asynchronous approaches, and queue-based event handling with bubble-up capability.

Expectation

Imagine, you set up your perfect DevSecOps pipeline.

⏩A developer pushes source code to a favorite source version control system,
👷‍♂️ which activates a Continuous Integration (CI) pipeline
🔬 which starts security testing,
🦠 then it finds a critical vulnerability,
🛑 which, in turn, stops the entire pipeline and the developer goes fixing the issue.

Perfect, the security toolchain has just prevented a disaster! You have just saved the world (!) from releasing a vulnerable version of the product.

The perfect outcome is to block the CI pipeline until addressing all the identified issues.

Reality

🔨You integrate a tool of your choice into the CI/CD pipeline,
📝 it gives you a ton of false positives,
🤯 you start triaging,
🤬 developers are irritated, they can't wait because the product release is scheduled "for yesterday",
😒 you "temporarily" disable the integration until you can 🧹 clean up the security testing report,
🥵 and it never ends.

SAST means a Static Application Security Testing tool.

A security scan is usually required for Pull Request verification before merging the code or after the master branch commit. You don't want to pass the vulnerable code to the release.

However,

1. What if it finds 1000 false positives (wrong findings)?
2. What if takes 1 day to finish the analysis?
3. How does the tool decide that the detected vulnerability is critical?
4. How does it decide whether the finding is an actual vulnerability at all?
5. What are the criteria for stopping the pipeline?
6. How long does it take to analyze the code?

Challenges

At the end of the day, it's often hard to deliver scan results in a synchronous (blocking) way.

I would say, there is a challenge of synchronous vs asynchronous security testing.

Why it's often hard to deliver security scan results into CI/CD pipeline in a synchronous (blocking) way?

1. Legacy code with numerous issues (with a huge SAST output)
   • “Unclean” source code may result in a lot of security findings blocking a pipeline entirely until fixing/dismissing all the findings.
2. Scanning time
   • Different SAST tools have different efficiencies in terms of time and findings.
   • A huge code base may lead to slow scans (from 1 to a few hours).
   • What we also found is that on-the-cloud solutions usually have a little bit slower and/or unpredictable scan time (depending on the SLA of the vendor).
3. SAST tool limitations
   • Some tools have either rich or poor capabilities to report the scan result, e.g. a tool may have a true positive result having no means to report the scan result back immediately.
   • SAST tools may have specific requirements for the project structure and build steps.
   • Triaging: tools always generate false positives, there should be a way to conveniently fix and dismiss the security finding by a developer with
     cross-validation by a security specialist. The challenge is having a pipeline that supports the business (not completely blocking the business).
4. Budget compromises
   • There are sophisticated tools on the market, however, budget limitations may play a major role in what the team can afford.
5. Filtering commits
   • Scans usually run only for commits and PRs to master and release branches.

Solution

Incremental Integration

In practice, the solution here is to carry out a multi-stage SAST integration approach.

1. Stage 1: Baselining
   Tools are purchased, a source code is initially scanned, and false positives are reviewed/dismissed. Tickets are created, and vulnerabilities are fixed and submitted.
2. Stage 2. Initial asynchronous integration
   SAST is integrated into a CI/CD pipeline, however, scan results don’t block the pipeline (yet). The team executes an exercise of triaging and fixing the issues.
3. Stage 3. Synchronous integration
   SAST blocks the pipeline in case of critical findings (according to the security policy). In the ideal scenario, a Jira ticket is automatically created.

The last step is quite challenging because of false positives and because of all the challenges mentioned above. With some tools, e.g. gosec for Golang, synchronous integration is easily achieved and is the only way of dealing with the commit (the tool is very quick and doesn’t produce a lot of output usually).

Having more sophisticated on-the-cloud tools (Coverity, Fortify-on-Demand, Veracode, etc.), we go with a hybrid model where we have asynchronous SAST scans for less critical projects, and synchronous scans in more critical cases wherever it’s possible (if it is technically and organizationally possible).

Triage

We have to come up with a few levels of issue severity. The simplest categorization is the following:

1. Severity 1 (Highest) implies the quickest mitigation and release (1-2 days) for the most critical issues.
2. Severity 2 (Middle) means no direct impact and implies slower mitigation (say, 30 days).
3. Severity 3 (Lowest) with 3 months for mitigation.

Different classification schemes may use up to 5 severity types implying different severity properties.

Release

There are 2 major conditions to pass the build to the release:

1. All issues are fixed.
2. The security team manually allowed the release of an urgent hotfix. It happens that SAST considers minor findings as the major ones falsely. Usually, SAST tools provide an ability to pass the build with a dismissal comment by a security specialist (appsec, security lead) of why the build is allowed to be released.

Summary

Do integration of security tools incrementally in 3 stages: baselining, initial asynchronous integration, synchronous (blocking) integration. Triage issues semi-manually to get adapted to the tools of your choice. Work with teams, gain knowledge, and evolve with your system.

My approach to exam preparation is like a machine learning approach.

What does it mean?

In the case of my CSSLP preparation, I had access to ~800 practice tests. (It is not too much in comparison to CISSP where I had ~4500 practice tests from a variety of resources).

Split a dataset of tests into 3 major parts

1. One set of tests is to train your brain.‌‌
   - For CSSLP I used Total Tester which came with CSSLP All-in-One book.‌‌
   - For CISSP I used the Official (ISC)2 CISSP Study application.
2. When you feel confident, try to get 80% of correct answers on some set of questions you never solved before. Thus, you validate your knowledge.‌‌
   - I used the quiz from the (ISC)2 CSSLP CBK book.‌‌
   - If you started with the CSSLP CBK book, then your validation dataset would be the questions from the CSSLP All-in-One book. And vice versa. You got the idea: you keep some questions in reserve and never touch them.
3. The test dataset is the exam itself.

Once you start to answer correctly on 80% of the validation set of the questions, you are ready. (70% of successful answer rate is needed to pass (ISC)2 exams).

How many questions you can find for CSSLP

1. ~150 test questions in the Official CSSLP CBK book.
2. ~300 in the CSSLP All-in-One book.
3. 350 in the Total Seminars Training Hub (the license comes with CSSLP All-in-One book).
4. "Essential CSSLP Guide" doesn't contain quiz questions.

All in all, ~800 questions. Not too many.

CSSLP is a challenging secure software lifecycle certification.

Certified Secure Software Lifecycle Professional (CSSLP) was issued by (ISC)² to Alexander Fadeev.

The vendor-neutral CSSLP credential validates that software professionals have the expertise to incorporate security practices – authentication, authorization and auditing – into each phase of the software development lifecycle, from software design and implementation to testing and deployment. CSSL…

Credly

I started my preparation right after becoming CISSP while I was still warmed up. I tried to not lose momentum: it's the moment when you have memorized a lot, you are motivated, you're ready for tricky questions. And basically, the strategy paid off, in 2.5 months I've got a new accomplishment.

However, look at this picture. 👇 Does it mean that CSSLP is probably "smaller" and easier than CISSP? Spoiler alert! NO.

The exam appeared to be very tough. At least it was not easier than CISSP, even maybe harder.

The thing is that the smaller size of the knowledge base does NOT mean that the questions on the exam will be easier. Moreover, in my perception, the questions were even vaguer and trickier (not always for a good reason).

📝 CSSLP does not overlap very closely with CISSP in the knowledge base, I saw maybe ~1-2% of similar questions on the exam. Consider CSSLP as a completely separate exam which is “an inch wide and a mile deep”.

Lessons Learned

It's not easy to find information about the format and content of the real examination. It is especially noteworthy compared to the richest amount of study materials and practice tests for the CISSP certification. Despite the fact there is a decent set of books and courses to study the theory, the lack of training materials can be the reason you might find CSSLP exam to be more difficult than the CISSP exam.

Be mentally prepared for the fact that there will be questions you're not ready to answer with 100% of confidence.

Don't worry, it's okay if you get slightly shocked on the exam. Just focus, you are still able to pass.

My experience helped me a lot. All in all, only experience can save your ass in the final battle. And that's why I appreciate my CSSLP achievement even more!

CSSLP Exam Overview

I took the exam in February 2021, and it was of the following format:

• 125 questions.
• 3 hours.
• Multiple-choice (1 option to choose at a time).
• You can't go back to the previous question.
• It is not an adaptive examination (not a CAP), and you have to answer all 125 questions.

The CSSLP exam has been shrunk to 125 questions. Funny thing is that I thought it became adaptive. This assumption made me nervous when the exam didn't stop on the 1o1st question. I lost my focus, and it could make me fail. Thankfully, I passed. Again, stay focused.

• CSSLP is an "English exam", like CISSP.‌‌
  There are questions to find the BEST answer, and particularly, it means that many questions are formulated in some vague way (that sucks).
  It will hurt those of you who are not native English speakers (like me) because sometimes there are questions where the answer is encoded into some synonym, and you probably see this word for the first time in your life, and your first step is to figure out what does the word mean in the context.
• You are a manager.
  Answering questions, imagine that you are a manager, not a strictly technical person. It means, for instance, that you have to prefer a risk assessment answer versus an option which implies immediate execution.
• There are many questions (but not too many) about the knowledge of concepts and terms.‌‌
  That's why I would suggest you NOT miss the theoretical part in your studying.

Training Process

Every certification needs its own dedication and mental preparation. Your current knowledge and skills are needed. But it is not enough.

You MUST improve:

1. Knowledge.
2. Mindset.

1. You need to get ready for the format of the examination.
   Train your mindset. You will not find too much of insights related to the CSSLP, but you can find tips and tricks related to the other major (ISC)2 certification CISSP. Better yet, I would recommend preparing for the CISSP certification first, however, it's totally up to you. (It was my way though).
   • You need a mindset to quickly scan and understand questions.
   • You need to educate your inner voice to talk about every option. It helps a lot. Don't guess by particular words, rather try to utter every option inside of your mind, and explain why the option is correct, and why is not.
2. Read the books.
   1. I started by reading "CSSLP All-in-One Exam Guide", but don't spend too much time on the final Chapters 18-20, they are completely messy, unstructured, and they won't get you the knowledge to pass the exam.
   2. Also, in my humble opinion, the "Official (ISC2) Guide to the CSSLP CBK" (2013) is much better: it is better structured, and it contains all the technical items you need to pass the exam. Just it's a bit too much bloated.
   3. You can find an "Essential CSSLP Exam Guide" audiobook which could be a convenient source for your preparation. There is a unique structure by functional roles in the company, not by the domains. The contents is pretty unique and decent.
      ⚠️ WARNING: I didn't use this book as the main source of knowledge in my preparation, I just went through a couple of freely available chapters. Therefore, I cannot assure you that you pass the exam just reading only this book.
3. Take practice tests.
   I answered all questions after each chapter in "CISSP All-in-One". They do not reproduce the format of the real questions but you don't have much choice. You need to practice.
   Then I used CSSLP TotalTester which contains 350 multiple-choice questions. You get the license key from the "CSSLP All-In-One" book. I have been practicing until I could get 78-80% pass rate.

For reference, my pass rate by CSSLP All-in-One chapters:

⚠️ However, be careful with CSSLP TotalTester as well (see below). Besides of inconsistencies, it does not reflect what you're going to see on the real exam. Questions from the Official CBK book are much closer to what you'll get.

Validation Test Set

Keep one set of questions till the end of your studying as a validation set. I used questions in the "Official (ISC)2 Guide to the CSSLP CBK", which means that I never touched them until the very end of my preparation. By the way,  I think the CBK book is the best source of the ultimate knowledge at the moment, even though the book hasn't been updated since 2013. The principles of secure software lifecycle are pretty universal and they have not been changed drastically for the last decade.

Video Courses

Let me put some links on the video course here because video is the best way to bootstrap the knowledge about the domain.

⚠️ I didn't study by these video courses, they have appeared just around the time of my examination. Therefore, I can't guarantee their quality. Nonetheless, I used video courses at the beginning of my CISSP preparation, therefore I know that video can be quite helpful.

• https://www.pluralsight.com/paths/csslpr-certified-secure-software-lifecycle-professional-2020
• https://www.linkedin.com/learning/search?keywords=csslp

Problem with CSSLP Training Materials

I'm still trying to correlate my feelings about passing the certification with the effectiveness of my training process.

CSSLP does not have the same level of consistency between a common body of knowledge and training materials compared to CISSP. There are inconsistencies between different books and practice tests, between the official guide, non-official books, and online practice tests.

I've noticed a discrepancy in the concepts between CISSP and CSSLP, and my favorite one is the different definition of a data owner and a data custodian.

1. In CISSP a data owner defines the criteria of data classification and classifies the data, while implementation goes to a data custodian.
2. In CSSLP a data owner defines criteria (only), whereas both actions of data classification and applying the controls refer to a data custodian.

And you know what? I got exactly that question on the exam. I'm still not sure whether my answer was correct.

Another problem is that there are not many practice tests in the wild. I calculated at most ~800 from all sources. In contrast, there are thousands and thousands of practice tests for CISSP. Consider, that it is believed that you need to answer at least 3000-5000 tests in order to get prepared for CISSP.

If CSSLP is your first exam, all that remains is to rely on your experience and your luck.

Train hard, fight easy. But what if there is no trainer, there is no fight concept, there is only your willingness, pictures in the book, and some experience "from da streetz"?

Beware Scam

1. You can find many weak and bad CSSLP practice tests on the Internet. For instance, you know if your quiz is a scam if you find questions about DIACAP there.
2. E.g. this course on Udemy is not a real practice test for CSSLP.
3. Skillset's practice exam is pretty weak, the questions are loosely combined by CSSLP domain titles, and I think the test cases have been taken from other certification buckets. I don't recommend spending time and money on that.

Still, You Can Do It

Mentally, just be ready for "high entropy". Rely on your experience. Trust your knowledge. Be slow. You're a manager. Try to imagine the real situations. If you completely lost, don't panic! Stay focused!

And that's basically it. I hope my feedback can help you prepare better. You can do it!  

Bonus: Be Careful With "CSSLP TotalTester"

I spent plenty of time with CSSLP TotalTester online system, and I found a lot of discrepancies there. Here is my chart of the issues:

1. There are multichoice tests in the sense that you have to select from 2 to 4 options simultaneously. I didn't see this approach on the exam. The good thing is that it trains your mind pretty well.
2. I found a question where RC4 marked as the best option to encrypt streaming video versus AES. RC4 cannot be an ultimate answer having AES in the list.
3. There is a question about risk governance (I cannot post the full question here), where the answer is supposed to be in the governance realm as well. Suddenly, risk management has been accepted as the correct answer. It's completely confusing because governance and management are different beasts.
4. One practice test assumed that source code analysis can be carried out on the system level. It is HOW? Tell me, how do you carry out source code analysis on the level of the system? A system is composed of subsystems, components, applications, interconnections, everything has been compiled (and there is source code on the components level) and integrated using different kinds of interfaces. Yes, I can reconstruct and evaluate the architecture by looking at the source code of separate components, but the "source code of the overall system" doesn't exist as a concept. Come on.
5. A question about risk management was answered with a "risk analysis" option, while the "risk management" option was declined with the reasoning that the question is about... risk management. 🤕 Don't try to understand it.
6. Sometimes there is a learning explanation, where the wording is meaningful, but the invalid option is marked as correct.
7. Vague wording, lack of detailed explanation (e.g. "it's just wrong" explanation of the accepted answer).

I wrote it quickly down during one of my ad-hoc conversations with a colleague. I had been preparing to CISSP that time, and I used it later in my preparations to CSSLP. From time to time, I come back to this cheat sheet. I decided to put it here for my and everyone's convenience. Enjoy!

1. 4th amendment
   Nobody can be unreasonably seized and attacked by police.
2. ECPA
   No unwarranted wiretapping.
3. PATRIOT Act
   But if you're maybe Alcaida, then the CIA can wiretap you (without a warrant).
4. CFAA
   If you access any computer, you are a bad guy, you are committing a crime... If you made a loss of $5000 and higher, I can sue you.
5. DMCA
   If you violate copyright, you are committing a crime. It applies to reverse engineering as well. But if copyrighted data is at rest, or in transit via ISP facilities, ISP is not liable (but you are).
6. SOX
   It is a security of accounting of public companies.
7. Privacy act of 1974
   Federal agencies must protect PII of U.S. people.
8. FISMA
   Federal agencies must establish security according to NIST SP 800-53 controls.
9. GLBA
   Security of PFI (personal financial info). Annual "Privacy Notice" by email.

1. PCI DSS
   Credit card data touches your infrastructure? Take care about security and be compliant. More transactions and money - more fines if you fucked up.
2. GDPR
   Do you handle PII of European people? These people own their data. Be friendly and compliant!
3. CCPA
   Do you handle PII of California folks? Don't sell their data!.. Without concent.

Certified Information Systems Security Professional (CISSP) was issued by (ISC)² to Alexander Fadeev.

The vendor-neutral CISSP credential confirms technical knowledge and experience to design, engineer, implement, and manage the overall security posture of an organization. Required by the world’s most security-conscious organizations, CISSP is the gold-standard information security certification tha…

Acclaim

UPDATE: I also encourage you to read my write-up about of how I passed CSSLP (after CISSP), there are even more details about my training process and study approach: The Shadow of CSSLP.

Short Formula

knowledge + mindset + dedication = success

Intro

I started somewhere in 2015 with just reading the book "CISSP All-in-One Exam Guide" (Sixth Edition, Shon Harris), and my English level didn't allow me to move quickly, I had to improve my vocabulary, reading, writing, listening. I didn't force my studying, I decided to make an overall review of all domains in to get back later with a more conscious approach to study. After a while, I dropped reading for a couple of years, and I concentrated on earning real practical experience in cybersecurity which is 14 years as of 2021.

Basically, I don't feel that having experience in 3 of 8 domains is really enough to be confident to step up the CISSP certification. I think that CISSP is more prone to corporate security, and in my case, I had many years in R&D (development in security), where you're pretty close to technicalities, but far from things like security governance, operations, access controls, etc. In 2019 I got the application security position in a company, where corporate security is the biggest challenge, and I gained exactly that experience what CISSP stands for.

At some point I just realized that I'm ready, it was October 2o2o, I just needed to prove that I am who I am. I started my dedicated preparation: 2 hours every morning (books, video courses), then I added 2 hours in the evening, then I couldn't stop and spent 6-8 hours per day, especially on the weekend, and in the end, I was spending the whole weekend in the study.

Books, video courses, 4500 practical test questions during 2 months.

Short Advice

1. Create a plan for preparation. It's easy. For example, you want to watch 10 hours of video courses and you'd like to spend 10 additional hours to learn the contents of the video, therefore you need 10 days (~2 weeks) if you spend 2 hours per day for preparation.
2. Set up a schedule in your calendar for every single day. Just do it: go to your calendar right now, and make an appointment for every day.
3. You will need to answer from 4000 to 5000 practical questions where you get ~80% of correct answers. How much time would you need? 200 questions per day = 20 additional day days of preparation. Not too much! :)
4. exam preparation != knowledge != real-life experience. It's all different. You need to concentrate at maximum in the process of your preparation to get ready for the examination.

Study Materials

All in all, I feel that all study materials contain incomplete but complementary knowledge, something like this:

1. Initially, I bought CISSP Certification video courses by Thor Pedersen on Udemy (8 courses per ~$16), and at the end of my studying, I found all those courses cheaper on his personal website https://thorteaches.com/. And because I also purchased "Boson" tests later for ~$99 (see below), it would be cheaper to just go to https://thorteaches.com/ and buy there "CISSP Bundle + Boson" for ~$175 (Thor's videos + Boson tests). Arithmetics is simple: $175 < 8 * $16 + $99. And now I don't get any referrals from this guy, I just want you to save a couple of bucks.
2. In the case if you prefer learning on Udemy I put all links here:
   1. CISSP Domain 1-2.
   2. CISSP Domain 3-4.
   3. CISSP Domain 5-6.
   4. CISSP Domain 7-8.
   5. 250 questions of CISSP practice exam #1.
   6. 250 questions of CISSP practice exam #2.
   7. 250 questions of CISSP practice exam #3.
   8. 250 questions of CISSP practice exam #4.
3. Install (ISC)2 Official CISSP Tests on your phone. Run "Quick Test" (10 questions) periodically every day, "Mock Test" (50 questions), and "Practice Test" (125 questions) whenever you wish.
4. Install Boson's test kit "ExSim-Max for CISSP 2020" ($99). There are 5 test sets (as for 2020), use them to finalize your preparation. Don't solve them all in the beginning, keep a couple of test sets to double-check your readiness later.
5. I won't recommend to start from "CISSP All-In-One Exam Guide", but I can't change my past where it helped me to discover CISSP, and later to dive into particular details of most of security domains, though there is a lot of outdated information which would not be necessary to dedicatedly learn in order to pass the exam. I answered practical questions at the end of each chapter and at the end of the book. The questions are really hardcore there, but they shake your mind pretty badly.
6. "CISSP Practice Exams" (by Shon Harris) was on my table as well, and I used it to train practice question of several CISSP domains (no all of them though).
7. There are resources that I didn't use in my preparation, but many people recommended:
   • "CISSP Study Guide" (by Eric Conrad) is a very appreciated and highly recommended book, but I didn't read it.
   • "The Official (ISC)2 Guide to the CISSP CBK Reference" is an official reference to CISSP CBK (Common Body of Knowledge). I used (ISC)2 Official CISSP Tests and Boson test kit instead of official CBK.

How I Figured Out That I'm Ready

It was Thursday's evening, and I felt that I'm fed up with preparation.

It's kind of "enough" code in my head.

I decided to solve Boson's quiz to check whether I'm ready. The goal was to pass the test exam with the ~80% rate. I passed. And in the next minute, I entered Pearson Vue (ISC)2 and scheduled my exam for the next morning.

Exam Day

I took a taxi and arrived at a PearsonVue test center half an hour before the exam. Questions were crazy. There were questions when I had no idea about what they are. Just imagine my feelings, when after processing tons of information over the years of work and through the course of studying, you still see something for the first time on the exam.

There were questions, when I had to write down some calculations to figure out the right answer. Overall, it was hard to say whether I win, or I fail.

Later, I found the official CISSP Computerized Adaptive Testing (CAT) FAQ, and I felt exactly what described there:

Consequently, many candidates will feel that they did poorly on the exam as all candidates are expected to only get 50% of items they answer correct. This psychological phenomenon is common for CAT exam candidates, as most fixed-forms exams have candidates answer a higher proportion of items correctly due to item targeting inefficiencies. It is important for a candidate to remember it is not the number of items answered correct that is important, everyone will get about 50% correct, it is the difficulty of the items that he/she answer correct which is relevant for passing the exam.

I passed the exam on the 100th question, BUT I hadn't received my result immediately in that PearsonVue center for some reason, so I had to go back home, and check the result in my PearsonVue account.

I received the official "pass" result in the evening.

CISSP is an English exam. In most questions, you can feel that 4 of 4 answers have a chance to be correct, yet there are tiny differences that you learn to identify through the course of your preparation (e.g. prefer risk-based approach and cut off any unclear answer).

The funny thing is that because I'm not a native English speaker, I just forgot whether "pass" means "good", or "bad", therefore I was pretty nervous until I got the official result on my mailbox. This is because in my native language we say "passed successfully", or "passed unsuccessfully", instead of "passed", or "failed" in English. So, if you worry, just know that "pass" means "good", and "fail" means... you know, it means that you have to try harder. ;)

What's Next?

I don't want to spend too much time on certifications, the thing is to apply knowledge, protect the common good. I'd like to pass CSSLP to showcase my secure software lifecycle experience, and I know that it's better to not lose the momentum after passing the first exam.

In the end, let me recall my own words from my LinkedIn post:

I often forget, I often disbelieve that if to put effort, motivation, and determination, you can achieve good results, and it will always remind me to not forget, and to believe in myself.

jailbreak -> select tool -> dump

Instruments

You have 3 options:

1. frida-ios-decrypt (jump to How to Use "frida-ios-decrypt")
2. Clutch (jump to How to Use "Clutch")
3. dumpdecrypted.dylib (jump to How to Use "dumpdecrypted.dylib")

Additionally, you need SSH (OpenSSH) installed on a jailbroken iPhone to be able to copy dumped files.

Overview

An application from Apple App Store is encrypted with a hardware-backed cryptographic scheme. More precisely, an executable section of the O-Mach binary inside the IPA package is encrypted, and the decryption key is accessible only on a particular device on the hardware level (Secure Enclave). But if you wonder whether it is possible to decipher an application downloaded from Apple App Store to carry out static analysis - yes, it is possible.

In the annex, you can find How To Jailbreak iPhone 12.x and How to Fix Entitlements.

How Tools Work

All tools leverage a simple principle: these tools dump a decrypted binary from the running context in the memory. It is possible because the binary MUST be decrypted before it could be even run, and the binary is dumped into a file.

You MUST jailbreak iPhone to dump decrypted executable region to the filesystem. There is no way to easily decrypt an application by any kind of magic tool on a personal computer.

There are 2 approaches to dump deciphered executable region from memory to the filesystem. All of them require superuser privileges either to trace a process, or to inject a dynamic library.

Approach #1: attach to a process

Clutch and frida-ios-decrypt work this way.

1. The tool (tracer) attaches to a running process (tracee).
2. The deciphered executable is dumped from the memory into a file.

Step 1 (tracing the process) needs superuser privileges, that's why iPhone must be jailbroken.

Approach #2: library injection

dumpdecrypted.dylib works this way (through DYLD_INSERT_LIBRARIES).

1. An application starts with a dynamic library linked into it.
2. The dynamic library dumps decrypted executable right from the application user space memory.

Superuser privilege is needed to inject a custom dynamic library into the process memory.

How to Use "frida-ios-decrypt"

Prepare USB and SSH

The main script of "frida-ios-decrypt" dump.py uses the frida package which communicates with the device via USB. When the application is successfully dumped, files will have been copied from the device via SSH (scp) to the temporary folder. To summarize, your iPhone must be accessible via both USB and SSH.

An official guide suggests to set up SSH over USB, but that way seems to be a bit complicated. I found the easier way which is to connect an iPhone to your local network (connect to the same WiFi network) and modify dump.py as the following to allow the script to connect to the phone directly over your local network:

User = 'root'
Password = 'alpine'
Host = '192.168.88.102' # Fix the Host IP to a real iPhone IP
Port = 22

Steps

1. Follow the frida-ios-dump installation guide.
2. frida-ios-dump looks for a device using SSH. Use "SSH over USB" approach, or connect your device to a local network and fix dump.py (see Preparation above).
3. List running processes:

   python2 ./frida-ios-dump-master/dump.py -l
   

4. Dump the target process:

   python2 ./frida-ios-dump-master/dump.py "TargetApp"
   

   or

   python2 ./frida-ios-dump-master/dump.py <pid>
   

Successful log

Start the target app TargetApp
Dumping TargetApp to /some/temp/path
[frida-ios-dump]: libswiftUIKit.dylib has been dlopen.
[frida-ios-dump]: libswiftIntents.dylib has been dlopen.
[frida-ios-dump]: libswiftCoreImage.dylib has been dlopen.
...
...A lot of noisy log may follow here
...
Generating "TargetApp.ipa"

Troubleshooting

Device is not found via USB

Waiting for USB device...

Ensure that you installed USB drivers for iPhone.

Also, if you're on Windows Subsystem for Linux (WSL), you would be unable to run "frida-ios-dump", because there is no USB drivers for iPhone under WSL, therefore iPhone cannot be enumerated. (Not sure about WSL 2 though).

Device is not found via SSH

Either way, if dump.py cannot connect to a device, you will see the following error:

*** Caught exception: <class 'socket.error'>: [Errno 11] Resource temporarily unavailable

or

*** Caught exception: <class 'socket.error'>: [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

Check whether you use a correct IP address in dump.py for your iPhone.

1. On iPhone: go to Settings -> WiFi -> (i) -> get the IP.
2. Verify the connection:ssh root@192.168.88.101
3. Password: alpine

How to Use "Clutch"

IMPORTANT: On iPhone 12.x you need to fix entitlements ⬇️.

1. Build and install the Clutch tool.
2. List the processes:

   Clutch -i
   

3. Dump the process obtaining decrypted binaries:

   Clutch -d 3
   

   "3" is the number of the application from the Clutch -i output.

How to Use "dumpdecrypted.dylib"

IMPORTANT: On iPhone 12.x you need to fix entitlements ➡️️.

1. Download dumpdecrypted.dylib to a computer.
2. Copy dumpdecrypted.dylib to the system path on the phone via SSH using scp tool:

   scp dumpdecrypted.dylib root@192.168.88.101:/usr/lib/dumpdecrypted.dylib
   

   Choose a path, kind of /usr/lib, not $HOME, to evade problems with kernel sandboxing.
3. Run the application with dumpdecrypted.dylib:

   DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Containers/Bundle/Application/BFED82A3-3238-4F41-B797-C1CB584CBE05/targetapp/targetapp
   

How to Jailbreak iPhone 12.x

1. Download Chimera IPA package.
2. Download Cydia Impactor.
3. Deploy Chimera package to iPhone using the Cydia tool (it will ask your Apple ID, it can be ANY free Apple ID).
   
4. On the iPhone: go to the Chimera and press a button "Jailbreak".
   

Sileo marketplace app appears after the jailbreak is installed.

1. Go to the Sileo application.
2. Find and install Frida and OpenSSH (sshd).

How to Fix Entitlements

The big advantage of "frida-ios-dump" against the "Clutch" and "dumpdecrypt.dylib" is that it doesn't need to fix entitlements of the target app.

Entitlements are special properties assigned to each application in iOS. Entitlements are signed and basically, it's not possible to change them without a jailbreak.

In iOS 12.x default entitlements of application don't allow tracing. In the case of Clutch you are going to see the following error:

Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Steps to fix entitlements:

1. Dump the current entitlements of the target application:

   ldid -e /var/containers/Bundle/Application/F8809B92-7794-4540-A4E2-0F541D78CF5A/TaretApp.app/TargetApp > ~/targetapp-ent.xml
   

2. Fix entitlements adding the following line to targetapp-ent.xml:

   <key>platform-application</key>
   <true/>
   <key>get-task-allow</key>
   <true/>
   <key>run-unsigned-code</key>
   <true/>
   <key>com.apple.private.skip-library-validation</key>
   <true/>
   <key>com.apple.private.security.no-container</key>
   <true/>
   

3. Assign new entitlements:

   ldid -S~/targetapp-ent.xml /var/containers/Bundle/Application/F8809B92-7794-4540-A4E2-0F541D78CF5A/TargetApp.app/TargetApp
   

Sometimes I feel like my half full glass is fighting ⚔️ with a half empty one. So I drew this picture to visualize that idea 🙂

And what is your glass of cybersecurity? Everything can be hacked or everything can be protected?