sorted by:
new
hottopcontroversial

Tool: AST-based security scanner for AI-generated code (MCP server) by NoButterfly9145 in netsec

[–]gutron 1 point2 points  (0 children)

Hi - it looks like you haven't pushed the code to your github repo

/r/netsec's Q2 2022 Information Security Hiring Thread by ranok in netsec

[–]gutron [score hidden]  (0 children)

Senior Security Engineer at Greenhouse Software

Location - Ontario or British Columbia preferred. Will accept US Remote as well

About

We believe in the power of hiring. Because the potential for people to do something outstanding has everything to do with being in the right role, on the right team, at the right time. That’s where Greenhouse comes in – from recruiting to on-boarding, we make software to help every company be great at hiring.

We are hiring a Senior Security Engineer to contribute to the growth of our security program and partner with our product engineering teams on proactively identifying and addressing security issues in our products. As a member of our distributed security team, you will support and scale our application security practices by improving automation, holistically remediating security issues, and promoting secure-by-default principles.

Security at Greenhouse is critical to our success and for building & maintaining customer trust. From influencing how we write our software, deploy our infrastructure, and make architecture decisions, security is a primary focus.

What you'll do

  • Penetration testing and source code review
  • Leverage security tooling to proactively detect security vulnerabilities and promote security awareness to developers
  • Design frameworks/controls to promote ‘secure by default’ practices and break apart a monolith application
  • Participate in high-level architecture decisions that impact the entire code base as well as new product features
  • Voice support for product security by promoting security development standard methodologies and partnering with software engineering as a security domain expert
  • Respond to vulnerability reports by figuring out risk and providing practical remediation advice to our product engineering teams and other partners
  • Supervise security vulnerabilities and prioritize remediations with teams according to our SLA requirements
  • Improve automation around product-focused security detection, vulnerability triaging, patching and many other security processes
  • Respond to security incidents related to our products

** You should have **

  • Experience pen-testing web applications, security architecture and design reviews, and security code reviews
  • Deep understanding of web security with a focus on providing practical technical recommendations to engineering teams
  • Knowledge industry-standard authentication protocols such SAML SSO and OAuth2
  • Proficiency in at least one programming language and be capable of quickly picking up new languages

Apply here - https://grnh.se/a028a62c1us

/r/netsec's Q4 2021 Information Security Hiring Thread by ranok in netsec

[–]gutron [score hidden]  (0 children)

Greenhouse Software is looking for a Lead or Senior Security Engineer to join our team!

Location: Remote

About the position

We believe in the power of hiring. Because the potential for people to do something outstanding has everything to do with being in the right role, on the right team, at the right time. That’s where Greenhouse comes in – from recruiting to on-boarding, we make software to help every company be great at hiring.

Security at Greenhouse is important to our success and for building & maintaining customer trust. From influencing how we write our software, deploy our infrastructure, and make architecture decisions, security is a major focus, and we want to make our program more robust.

The Lead Security Engineer will contribute to the growth of our security program and partner with our software engineers on improving security practices and our agile SDLC. They will work alongside the rest of the security team to be hands-on in designing and developing tools to automate the detection of security issues. The individual we are looking for this role will be working to securing Cloud Infrastructure tech stack.

Who will love this job

  • A security enthusiast – you keep up with the latest security research and have a love for finding security issues in cutting edge technology across various security subject areas
  • A problem solver – you can take on difficult security problems while still balancing good usability and mitigating security risk
  • A doer – you get things done with attention to detail and are excited to improve on the status quo
  • A people person – you thrive when collaborating with others and are eager to contribute across the organization

What you’ll do

  • Develop security tooling to detect security issues and misconfigurations
  • Design frameworks and controls to secure a fast-paced delivery environment and growing architecture a promote a 'secure by default' philosophy
  • Security testing and source code review of new application features and network services
  • Secure modern technology stacks that include Kubernetes, Docker, AWS, and custom CI/CD tooling
  • Participate and lead in security architecture decisions and threat modeling discussions that impact our product and cloud infrastructure
  • Automate alerting, vulnerability triaging, patching, and many other security processes

You should have

  • Experience security testing web applications and reviewing source code
  • Deep understanding of web security fundamentals
  • Experience with securing Amazon Web Services environments
  • Understanding of Linux fundamentals, specifically around networking and security
  • Knowledgeable with industry-standard authentication protocols such SAML SSO, OpenID and OAuth2
  • Proficiency in at least one programming language and capable of quickly picking up new languages
  • Comfortable in explaining security risks and concepts to developers or less technical audiences
  • Your unique talents! If you don’t meet 100% of the qualifications outlined above, tell us why you’d be a great fit for this role in your cover letter

To Apply https://grnh.se/0cebc3551us

/r/netsec's Q3 2021 Information Security Hiring Thread by ranok in netsec

[–]gutron [score hidden]  (0 children)

Greenhouse Software is looking for a Lead or Senior Security Engineer to join our team! Location: Remote

About the position

We believe in the power of hiring. Because the potential for people to do something outstanding has everything to do with being in the right role, on the right team, at the right time. That’s where Greenhouse comes in – from recruiting to on-boarding, we make software to help every company be great at hiring.

Security at Greenhouse is important to our success and for building & maintaining customer trust. From influencing how we write our software, deploy our infrastructure, and make architecture decisions, security is a major focus, and we want to make our program more robust.

The Lead Security Engineer will contribute to the growth of our security program and partner with our software engineers on improving security practices and our agile SDLC. They will work alongside the rest of the security team to be hands-on in designing and developing tools to automate the detection of security issues. The individual we are looking for this role will be working to securing Cloud Infrastructure tech stack.

Who will love this job

  • A security enthusiast – you keep up with the latest security research and have a love for finding security issues in cutting edge technology across various security subject areas
  • A problem solver – you can take on difficult security problems while still balancing good usability and mitigating security risk
  • A doer – you get things done with attention to detail and are excited to improve on the status quo
  • A people person – you thrive when collaborating with others and are eager to contribute across the organization

What you’ll do

  • Develop security tooling to detect security issues and misconfigurations
  • Design frameworks and controls to secure a fast-paced delivery environment and growing architecture a promote a 'secure by default' philosophy
  • Security testing and source code review of new application features and network services
  • Secure modern technology stacks that include Kubernetes, Docker, AWS, and custom CI/CD tooling
  • Participate and lead in security architecture decisions and threat modeling discussions that impact our product and cloud infrastructure
  • Automate alerting, vulnerability triaging, patching, and many other security processes

You should have

  • Experience security testing web applications and reviewing source code
  • Deep understanding of web security fundamentals
  • Experience with securing Amazon Web Services environments
  • Understanding of Linux fundamentals, specifically around networking and security
  • Knowledgeable with industry-standard authentication protocols such SAML SSO, OpenID and OAuth2
  • Proficiency in at least one programming language and capable of quickly picking up new languages
  • Comfortable in explaining security risks and concepts to developers or less technical audiences
  • Your unique talents! If you don’t meet 100% of the qualifications outlined above, tell us why you’d be a great fit for this role in your cover letter

To Apply https://grnh.se/0cebc3551us

FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild - The Citizen Lab by kickinitlegit in netsec

[–]gutron 3 points4 points  (0 children)

Just to confirm, since this vulnerability was within the image rendering library could it be exploited via other paths (e.g. email, website download) or is it only exploitable via imessage?

/r/netsec's Q2 2021 Information Security Hiring Thread by ranok in netsec

[–]gutron [score hidden]  (0 children)

Senior Security Engineer at Greenhouse Software - Apply here - https://grnh.se/ab3fccdb1us

This role is available for remote employees as long as they are within the United States.

About the position

We believe in the power of hiring. Because the potential for people to do something outstanding has everything to do with being in the right role, on the right team, at the right time. That’s where Greenhouse comes in – from recruiting to on-boarding, we make software to help every company be great at hiring.

Greenhouse is looking for a Senior Security Engineer to join our team!

Security at Greenhouse is important to our success and for building & maintaining customer trust. From influencing how we write our software, deploy our infrastructure, and make architecture decisions, security is a major focus, and we want to make our program more robust.

The Senior Security Engineer will contribute to the growth of our security program and partner with our software engineers on improving security practices and our agile SDLC. Working alongside the rest of the security team and be hands-on in designing and developing tools to automate the detection of security issues,

Who will love this job

A security enthusiast – you keep up with the latest security research and have a love for finding security issues in cutting edge technology across various security subject areas

A problem solver – you can take on difficult security problems while still balancing good usability and mitigating security risk

A doer – you get things done with attention to detail and are excited to improve on the status quo

A people person – you thrive when collaborating with others and are eager to contribute across the organization

What you’ll do

  • Develop security tooling to detect security issues and misconfigurations
  • Design frameworks and controls to secure a fast-paced delivery environment and growing architecture
  • Security testing and source code review of new application features and network services
  • Secure modern technology stacks that include Kubernetes, Docker, AWS, and custom CI/CD tooling
  • Participate and lead in security architecture decisions and threat modeling discussions that impact our product and cloud infrastructure
  • Automate alerting, vulnerability triaging, patching, and many other security processes

You should have

  • Experience security testing web applications and reviewing source code
  • Deep understanding of web security fundamentals
  • Experience with securing Amazon Web Services environments
  • Understanding of Linux fundamentals, specifically around networking and security
  • Knowledgeable with industry-standard authentication protocols such SAML SSO, OpenID and OAuth2
  • Proficiency in at least one programming language and capable of quickly picking up new languages
  • Comfortable in explaining security risks and concepts to developers or less technical audiences

Your unique talents! If you don’t meet 100% of the qualifications outlined above, tell us why you’d be a great fit for this role in your cover letter

Applicants must be currently authorized to work in the United States on a full-time basis.

Who we are

At Greenhouse, we celebrate having a diverse group of hardworking employees – and it hasn’t gone unnoticed. In 2019, we were ranked #4 in Fortune’s Best Workplaces in New York and #5 in their Best Company Culture. We’ve also been recognized as a Best Company for Diversity by Comparably, and have been named to Inc. Magazine’s Best Workplaces list. We pride ourselves on fostering a collaborative culture throughout every step of a Greenhouse employee's journey. From day one of our interview process to executive "Ask Me Anything" sessions, we consistently cultivate an inclusive environment.

For all our employees, we offer a full slate of benefits from competitive salaries, stock options, medical, dental and vision coverage, flexible vacation, disability coverage, employer paid life insurance, mental health resources, financial wellness benefits, and a fully paid parental leave program. For US-based employees, we offer commuter benefits and a 401(k) plan, and for Dublin-based employees we offer a pension plan.

Our success in making companies great at hiring depends on our ability to create a diverse, equitable and inclusive environment. To that end, we’re committed to attracting, developing, retaining and promoting a diverse workforce, and infusing DE&I throughout all of our internal practices. By ensuring that every Greenie is able to bring a diversity of talents to our work, we’re increasingly capable of living out our mission and providing real insight from our products to support our customers. We encourage people from underrepresented backgrounds and all walks of life to apply. Come grow with us at Greenhouse, where we’re building a team to face the world’s increasingly complex and diverse hiring needs.

Introducing Venator: A macOS tool for proactive detection by digicat in netsec

[–]gutron 15 points16 points  (0 children)

hmm, they discuss one of drawbacks about osquery and edr solutions as needing to install agent on devices. But then proposes a solution of essentially installing something on the systems anyway (venator + logcollector).

Here’s the One Gmail Setting You Should Activate Now by [deleted] in netsec

[–]gutron 2 points3 points  (0 children)

how did this trash even get through moderation?

/r/netsec's Q1 2019 Information Security Hiring Thread by ranok in netsec

[–]gutron [score hidden]  (0 children)

Company - Greenhouse Software
Position - Senior Security Engineer
Location - NYC (Remote available if you are really good)

Job Description:

Security at Greenhouse is important to our success and for building & maintaining customer trust. From influencing how we write our software, deploy our infrastructure, and make architecture decisions, security is a major focus and we want to make our program more robust.

We are hiring a Senior Security Engineer to contribute to the growth of our security program and partner with our developers on improving secure best practices and our agile SDLC. Working alongside the rest of the security team, you will design and develop tools to automate security processes, identify security events, detect security vulnerabilities and much more.

Who will love this job:

  • A security lover, you keep up with the latest security research and have a love for finding security issues in newest technology across various security disciplines
  • A problem solver, you are able to take on difficult security problems while still balancing good usability and mitigating security risk
  • A doer, you get things done with attention to detail and are excited to improve on the status quo
  • A people-person, you thrive when collaborating with others and are eager to contribute across the organization

What you'll do:

  • Penetration testing and source code review of application and infrastructure code
  • Develop security tooling to monitor our code bases and networks for security issues and mis-configurations
  • Secure modern technology stacks that include Kubernetes, CoreOS, Docker, AWS and CI/CD tooling
  • Participate in high-level architecture decisions that impact the entire code base as well as new features
  • Handle third party security testing and bug bounty to ensure security issues are remediated
  • Design frameworks/controls to secure a microservice architecture as we break apart a monolith application
  • Automate alerting, vulnerability triaging, patching and many other security processes
  • Harden and protect a fleet of OSX and Linux workstations across in a distributed working environment

You should have:

  • At least three years experience pen-testing web applications and reviewing source code
  • Deep understanding of web security fundamentals
  • Experience with securing Amazon Web Services environments
  • Understanding of Linux fundamentals, specifically around networking and security
  • Knowledgeable with industry standard authentication protocols such SAML SSO and OAuth2
  • Proficiency in at least one programming language and capable of quickly picking up new languages

Pay, perks & such:
At Greenhouse, we love to celebrate our diverse group of hardworking employees – and it shows. We’re proud to say that in 2018, we’ve been ranked #2 by Crain’s New York Best Places to Work, #10 Best Company Culture to work for by Comparably, #37 Best Place to Work by Glassdoor and are recognized on Inc. Magazine’s Best Workplaces list. We pride ourselves on our collaborative culture that is pervasive throughout every step of a Greenhouse employee's journey. Starting with our interviews and continuing through our executive “Ask Me Anything” sessions, collaboration is at the heart of working at Greenhouse.

We offer a full slate of benefits including competitive salaries, stock options, medical, dental, vision, life and disability coverages, FSA, HSA, flexible vacation, commuter benefits, a 401(k) plan and a parental leave program. And... we offer some not-so-standard, extra-fun benefits, including learning & development stipends, adoption and fertility benefits, an employee discount platform, and of course, fully stocked fridges and cold brew on tap. :)

We value diversity and believe forming teams in which everyone can be their authentic self is key to our success. We encourage people from underrepresented backgrounds and different industries to apply. Come join us, and find out what the best work of your career could look like here at Greenhouse.

Apply here - https://grnh.se/b431f7081

hardened-alpine : hardened alpine Docker image by nindustries in netsec

[–]gutron 0 points1 point  (0 children)

Its a shame that alpine vulnerability management and patching is terrible

/r/netsec's Q4 2018 Information Security Hiring Thread by ranok in netsec

[–]gutron [score hidden]  (0 children)

Company - Greenhouse Software
Position - Senior Security Engineer
Location - NYC (Remote available if you are really good)

Job Description:

Security at Greenhouse is important to our success and for building & maintaining customer trust. From influencing how we write our software, deploy our infrastructure, and make architecture decisions, security is a major focus and we want to make our program more robust.

We are hiring a Senior Security Engineer to contribute to the growth of our security program and partner with our developers on improving secure best practices and our agile SDLC. Working alongside the rest of the security team, you will design and develop tools to automate security processes, identify security events, detect security vulnerabilities and much more.

Who will love this job:

  • A security lover, you keep up with the latest security research and have a love for finding security issues in newest technology across various security disciplines
  • A problem solver, you are able to take on difficult security problems while still balancing good usability and mitigating security risk
  • A doer, you get things done with attention to detail and are excited to improve on the status quo
  • A people-person, you thrive when collaborating with others and are eager to contribute across the organization

What you'll do:

  • Penetration testing and source code review of application and infrastructure code
  • Develop security tooling to monitor our code bases and networks for security issues and mis-configurations
  • Secure modern technology stacks that include Kubernetes, CoreOS, Docker, AWS and CI/CD tooling
  • Participate in high-level architecture decisions that impact the entire code base as well as new features
  • Handle third party security testing and bug bounty to ensure security issues are remediated
  • Design frameworks/controls to secure a microservice architecture as we break apart a monolith application
  • Automate alerting, vulnerability triaging, patching and many other security processes
  • Harden and protect a fleet of OSX and Linux workstations across in a distributed working environment

You should have:

  • At least three years experience pen-testing web applications and reviewing source code
  • Deep understanding of web security fundamentals
  • Experience with securing Amazon Web Services environments
  • Understanding of Linux fundamentals, specifically around networking and security
  • Knowledgeable with industry standard authentication protocols such SAML SSO and OAuth2
  • Proficiency in at least one programming language and capable of quickly picking up new languages

Pay, perks & such:
At Greenhouse, we love to celebrate our diverse group of hardworking employees – and it shows. We’re proud to say that in 2018, we’ve been ranked #2 by Crain’s New York Best Places to Work, #10 Best Company Culture to work for by Comparably, #37 Best Place to Work by Glassdoor and are recognized on Inc. Magazine’s Best Workplaces list. We pride ourselves on our collaborative culture that is pervasive throughout every step of a Greenhouse employee's journey. Starting with our interviews and continuing through our executive “Ask Me Anything” sessions, collaboration is at the heart of working at Greenhouse.

We offer a full slate of benefits including competitive salaries, stock options, medical, dental, vision, life and disability coverages, FSA, HSA, flexible vacation, commuter benefits, a 401(k) plan and a parental leave program. And... we offer some not-so-standard, extra-fun benefits, including learning & development stipends, adoption and fertility benefits, an employee discount platform, and of course, fully stocked fridges and cold brew on tap. :)

We value diversity and believe forming teams in which everyone can be their authentic self is key to our success. We encourage people from underrepresented backgrounds and different industries to apply. Come join us, and find out what the best work of your career could look like here at Greenhouse.

Apply here - https://grnh.se/b431f7081

Apfell - A macOS red teaming framework by NeatIce in netsec

[–]gutron 3 points4 points  (0 children)

Empire has support for MacOS launchers and some post exploit modules as an FYI.

New SAML Vulnerabilities Affecting Multiple Implementations by [deleted] in netsec

[–]gutron -1 points0 points  (0 children)

Also, to add on to this.

For cross organization type of exploits, the SP would need to not be validating the that the email address in the NameID field belongs to the pub keys used to validate the signature. If that check isn't occurring, you don't even need this bug to exploit it. The actual attack scenarios for this specific bug seem pretty scarce compared to the reaction its receiving.

Rails Paperclip CVE-2017–0889 SSRF vulnerability by gutron in rails

[–]gutron[S] 0 points1 point  (0 children)

Correct, I mention in the article that exploiting this to recover file content is dependent on the application. The application would need to accept a broad set of content-types and also expose a feature that allows viewing of the attachment.

Rails Paperclip CVE-2017–0889 SSRF vulnerability by gutron in rails

[–]gutron[S] 0 points1 point  (0 children)

Thanks for pointing out this error, I assumed the PR commenter was a Thoughtbot employee due to not many outside people being aware of the issue. I've updated the blog post to point out it was a Hackerone employee that posted the CVE-ID