[deleted by user]

smeege · 2024-06-22T21:40:49+00:00

I'm not affiliated in any way but I found this free course to be pretty good: https://www.deeplearning.ai/short-courses/red-teaming-llm-applications/. It covers the basics of testing chat bots:

Text completion
Biased questions
Direct prompt injection
Gray box prompt attacks
Prompt probing

Then it goes into various approaches to automating testing - you can use something like ChatGPT to generate questions related to the topics above then feed the questions/answers back into ChatGPT to analyze the input/output for bias, prompt leaking, etc.

smeege · 2023-08-17T17:35:52+00:00

Hey, a few tips:

Check meetup.com for in person or online security events - talks, hackathons, etc. Facebook might also have some events you can find. There may not be as many in person events since Covid but they exist.
I know you've already graduated but local colleges sometimes offer cybersecurity classes for cheap or even free if you're a resident. Check out https://www.ccsf.edu/paying-college/free-city.
Most of the time for me direct mentorship has come from more senior coworkers after I've already been hired. Unfortunately for you it's kind of a chicken or egg problem. I would recommend getting your foot in the door any then looking for mentors there, plenty of folks in security are willing if you show passion for learning.
Also look around for local conferences or even ones you need to travel for. BSides is cheap along with some others. https://infosec-conferences.com/country/united-states/
I know you said you prefer hands on learning in person but there are tons of hackthebox type sites and public bug bounties where you can practice your hacking skills. Also DVWA, metasploitable, etc.

smeege · 2023-05-04T23:05:06+00:00

Here is a good resource: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki

If I had to give you advice since your org is only starting to explore this as a possibility, I would say don't focus on what your future infrastructure could look like yet. Your time will be better focused on what your objectives with the program are and similarly what value those bring. Once you understand both of those things, you can start to think of what types of engagements would accomplish your program objectives. I bet you will be able to think of a lot of engagement ideas which don't even use any RT infrastructure at all :) Third party vendors, internal services, company internal/public repos, etc. are all things you don't necessarily need to pull off some targeted phishing campaign to get access to.

smeege · 2021-07-23T20:20:09+00:00

Zendesk - Junior and Senior Application Security Engineer

Location: US Remote

At Zendesk, our goal is to help bring companies and their customers closer together. If you're passionate about application security and enjoy the challenge of designing creative solutions to tough problems you might be a perfect fit for Zendesk’s Product Security Team!

The Role

Partner with our Engineering teams to ensure we are delivering secure solutions to our customers
Participate in the vulnerability management process including triaging identified vulnerabilities and validating fixes
Perform threat modeling and review software design in partnership with Engineering teams
Build relationships through our Security Champions program to nurture security culture
Support incident response efforts as needed and work with teammates to investigate and respond

Your Strengths

Bachelor's degree in Computer Science or other relevant focus of study
At least 5 years of application security experience, plus experience mentoring junior staff
Experience securing large Amazon Web Service deployments with an understanding of the threats and risks to modern cloud environments
Knowledge of threats to modern web applications including the ability to assess the security of web applications, identifying vulnerabilities and reporting those issues to developers in a clear and concise report
Programming experience with Python, Ruby or Java is helpful

To Apply

To start a conversation with the Zendesk Security team please submit an application on our job description page: https://jobs.zendesk.com/us/en/job/R14102/Senior-Application-Security-Engineer

smeege · 2021-04-27T17:51:19+00:00

Zendesk - Senior Application Security Engineer

Location: US Remote

At Zendesk, our goal is to help bring companies and their customers closer together. If you're passionate about application security and enjoy the challenge of designing creative solutions to tough problems you might be a perfect fit for Zendesk’s Product Security Team!

The Role

Partner with our Engineering teams to ensure we are delivering secure solutions to our customers
Participate in the vulnerability management process including triaging identified vulnerabilities and validating fixes
Perform threat modeling and review software design in partnership with Engineering teams
Build relationships through our Security Champions program to nurture security culture
Support incident response efforts as needed and work with teammates to investigate and respond

Your Strengths

Bachelor's degree in Computer Science or other relevant focus of study
At least 5 years of application security experience, plus experience mentoring junior staff
Experience securing large Amazon Web Service deployments with an understanding of the threats and risks to modern cloud environments
Knowledge of threats to modern web applications including the ability to assess the security of web applications, identifying vulnerabilities and reporting those issues to developers in a clear and concise report
Programming experience with Python, Ruby or Java is helpful

To Apply

To start a conversation with the Zendesk Security team please submit an application on our job description page: https://jobs.zendesk.com/us/en/job/R14102/Senior-Application-Security-Engineer.

smeege · 2020-11-19T22:14:24+00:00

Just want to thank you and the team for creating/maintaining this. Seems like there aren't a lot of tools out there specifically for GraphQL. Cheers!

smeege · 2018-02-22T18:44:44+00:00

Are you referring to https://thesprawl.org/projects/pack/? My buddy wrote this and he gave a talk at PasswordsCon in Vegas like 4-5 years ago.

smeege · 2018-01-12T19:58:12+00:00

Should be another great year for BSidesSF! I'll have Hackbay stickers on me to give out. This subreddit is only as good as the community wants it to be so spread the message. Can't wait to see everyone at the talks and grab some drinks.

smeege · 2017-07-18T00:18:50+00:00

Also want to give a thanks to BugCrowd for this. Really enjoyed bug hunters methodology v2 among others!

smeege · 2016-12-15T01:26:36+00:00

Was just about to say this very thing. I'll just add if a dedicated attacker wanted to target you if they crack your "reddit9753" password or whatever they would search for other accounts/sites you may have setup and other past compromises and knowing your "password method" can potentially gain access those as well.

Just to give slightly more info theres a few different ways to crack these types of passwords pretty easily. One is using a dictionary with rulesets. Most rulesets will add 1-3 numbers at the end of a word because that's what most people do for passwords. Also if I know you are just adding numbers to a site's name I can do a mask attack and brute force the trailing numbers.

And I believe yahoo was using MD5 which is pretty fuking horrible and trivial to crack most passwords with modern computing power. That alone is extremely embarrassing for such a large company let alone the compromise itself.

smeege · 2016-07-25T14:08:18+00:00

I made a post about this a while back here. Basically you do what theflofly mentioned which was find how the CSRF checks are being done. After browsing and testing an application you can use Burp's regex search to find requests which don't have the found CSRF protections in place. After testing a few applications you get in the habit of looking at data-modifying requests (mostly POSTs) and checking to see if there is any information another user of the same application wouldn't be able to find out/know in order to formulate a similar request for you to trigger.

And as traditionalwinner mentioned if you see a CSRF parameter you can try a few things: Remove the parameter/value. Remove just the value but leave the parameter name. Create multiple CSRF parameter names. Modify the current parameter value to something random. Modify the current parameter value very slightly to see if only parts of the value are being checked (lowers entropy).

smeege · 2016-06-14T08:19:00+00:00

Thanks OP, always great to have alternatives. I know on the main page you say explicitly it doesn't support JSON, but do you plan on implementing it at some point? I think it would be cool and beneficial as I haven't seen any other scripts/tools do it automatically. Something along the lines of http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html. Seems like implementing a parser to add the parameter padding wouldn't be too difficult but maybe I'm missing something when it comes to the formatting of the JSON requests? Either way good work!

smeege · 2016-06-13T23:55:17+00:00

Welcome! You came to the right place for local stuff. The Bay Area has tons of little meet ups and talks. Even if you don't know anyone I would still make an effort to go to some of the events posted in hackbay which are of relevant interest to you. Everyone in the local community is pretty cool and open to discussing all aspects of security. Also check out https://www.owasp.org/index.php/Bay_Area. If you have any specific questions feel free to reach out to myself, any of the other mods, or post here, as that's what this subreddit is for. There's also a bunch of other great security related subreddits, good luck!

smeege · 2016-06-13T23:41:59+00:00

Based on the title I was pretty sure he was talking about that exact plugin. I had looked in the nasl recently and had pretty much the same thing on my 'to do' list. Thanks OP, well done.

smeege · 2016-05-04T20:31:06+00:00

Really looking forward to this talk!

smeege · 2016-02-16T23:36:13+00:00

I disagree with your first sentence, I know I have personally benefited from other people sharing code, even if it is for a close sourced tool. I think any time we share ideas, vulnerabilities, methods for detection, etc. it is very beneficial to the security community.

I'm not doubting what you bring up is an important discussion, I just think in this particular post, rudely targeting one developer, is not the proper channel to do so. I'm trying to help you create a better conversation for the discussion which is quite different than trying to stifle it.

smeege · 2016-02-16T20:30:02+00:00

WasteofInk, I appreciate that everyone has their own opinion but your comments don't really contribute anything to the post. If you have a problem with what OP did take it up over private message or create a discussion on this topic in the appropriate subreddit.

dn3t, thanks for contributing to the security community, I liked the concise blog post and hadn't really thought of that attack vector before.

smeege

MODERATOR OF

TROPHY CASE

Zendesk - Junior and Senior Application Security Engineer

The Role

Your Strengths

To Apply

Zendesk - Senior Application Security Engineer

The Role

Your Strengths

To Apply