SEEKING FREELANCER | Remote | 4-12 Hours/Week IncludeSecurity (http://includesecurity.com ) works on security assessments of cutting edge and mass scale tech. We are looking for a freelance technical writer to join our…
After having worked on software security for 20yrs+ I can tell you first hand that it is a long-term losing game. Libs, frameworks, and SDKs are written to provide functionality and interop. The more…
Hey HN, we're IncludeSec. We've done thousands of assessmnts for hundreds of clients and are well on our way to replacing all of the legacy lower-quality junior heavy appsec consulting teams doing work in Silicon valley…
Hi OP, I'm Erik CEO of IncludeSec. We do many FOSS audits for Mozilla, OpenTechFund, etc. I can give you some ranges and points of consideration from what I'm seeing in the industry today. First consideration point is…
IncludeSec | app assessment/pentest | full-time | REMOTE World-wide||US Only (depends on role) Hey HN, we're IncludeSec. We're well on our way to replacing all of the legacy lower-quality junior heavy appsec consulting…
Google is one of only a handful of companies in this world that can fundamentally change the state of security in the tech industry. I love google and have many friends who work there, I truly believe in their mission.…
https://portswigger.net/research/alert-is-dead-long-live-pri...
IncludeSec | appsec/pentest managing consultant | full-time | REMOTE US ONLY Hey HN, we're IncludeSec. We're replacing all of the legacy lower-quality junior heavy appsec consulting out there in the world and are…
I'd guess that those same presidents will call them up and buy. They'd rather be a customer than try and change a behemoth with political power like these guys.
We do security audits for a living. In a nut shell, here's why things are so screwed up IMHO: 1) Most of these companies have had audits, but they're being done by 3rd rate or very inexperienced external consultants. 2)…
Include Security | Senior Security Assessment Research Consultants | Remote | Full-time | https://www.includesecurity.com twitter.com/IncludeSecurity * You're a dev, but have always been really good at hacking apps and…
It says it's trained on "billions of lines of code" I would augment that to "billions of lines of code that may or may not be safe and secure" If they could tie in CodeQL into Copilot to ensure the training set only…
Recommend for OS diffing, or OS config vuln scanning? Former, no idea, the latter is fine with any major COTS product that does vuln scanning (Nessus/Rapid7/whatever) they're all pretty decent for doing an authenticated…
My team found the tinder vuln, there are still plenty of location based apps that have that vuln...plenty. :(
They know exactly where their sploits are going and how they're being used, they chose to look away with a blind eye.
CEO of a pentesting company here, I've participated in or supervised close to ~2k tests of applications and networks. Sadly I have to report what you state is possible, but not plausible in today's modern heterogenous…
Trying to demystify CORS in a couple of paragraphs....good luck with that! I think 200 page book would still be too short to demystify it. It's a crazy topic
On the security assessment side of tech we face similar problems that these types of awesome dev tools could help us solve. Our clients either: 1) Have no docs (48%) 2) Have outdated/incorrect docs (48%) 3) Have correct…
Even worse, what happens when they MITM all of the installs because the docker container has really bad security such as: RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz…
Having been in this silly industry of hacking for 20yrs, I really wish publishing negative results became more normalized. There are orders of magnitude more unpublished info regarding stories of not finding vulns there…
Idea and driving force to make this product reality was Kevin Poulsen, Aaron Swartz did most of the code on the MVP, and James Dolan did most of the security/documentation/evangelism work. Aaron and James are no longer…
Having worked with all of the founders of SecureDrop (Aaron, James, and Kevin) to audit the alpha version it was tough to see Aaron go. Also super sad that we lost James a couple of years later too…
Include Security | Senior Security Assessment Research Consultants | Remote | Full-time | https://www.includesecurity.com | @IncludeSecurity * You're a dev, but have always been really good at hacking apps and would…
This is a great FOSS tool if you don't want to deal with all of the low level stuff. https://github.com/StreisandEffect/streisand We did an audit of it and they fixed lots of configuration problems, it's now pretty…
SEEKING FREELANCER | Remote | 4-12 Hours/Week IncludeSecurity (http://includesecurity.com ) works on security assessments of cutting edge and mass scale tech. We are looking for a freelance technical writer to join our…
After having worked on software security for 20yrs+ I can tell you first hand that it is a long-term losing game. Libs, frameworks, and SDKs are written to provide functionality and interop. The more…
Hey HN, we're IncludeSec. We've done thousands of assessmnts for hundreds of clients and are well on our way to replacing all of the legacy lower-quality junior heavy appsec consulting teams doing work in Silicon valley…
Hi OP, I'm Erik CEO of IncludeSec. We do many FOSS audits for Mozilla, OpenTechFund, etc. I can give you some ranges and points of consideration from what I'm seeing in the industry today. First consideration point is…
IncludeSec | app assessment/pentest | full-time | REMOTE World-wide||US Only (depends on role) Hey HN, we're IncludeSec. We're well on our way to replacing all of the legacy lower-quality junior heavy appsec consulting…
Google is one of only a handful of companies in this world that can fundamentally change the state of security in the tech industry. I love google and have many friends who work there, I truly believe in their mission.…
https://portswigger.net/research/alert-is-dead-long-live-pri...
IncludeSec | appsec/pentest managing consultant | full-time | REMOTE US ONLY Hey HN, we're IncludeSec. We're replacing all of the legacy lower-quality junior heavy appsec consulting out there in the world and are…
I'd guess that those same presidents will call them up and buy. They'd rather be a customer than try and change a behemoth with political power like these guys.
We do security audits for a living. In a nut shell, here's why things are so screwed up IMHO: 1) Most of these companies have had audits, but they're being done by 3rd rate or very inexperienced external consultants. 2)…
Include Security | Senior Security Assessment Research Consultants | Remote | Full-time | https://www.includesecurity.com twitter.com/IncludeSecurity * You're a dev, but have always been really good at hacking apps and…
It says it's trained on "billions of lines of code" I would augment that to "billions of lines of code that may or may not be safe and secure" If they could tie in CodeQL into Copilot to ensure the training set only…
Recommend for OS diffing, or OS config vuln scanning? Former, no idea, the latter is fine with any major COTS product that does vuln scanning (Nessus/Rapid7/whatever) they're all pretty decent for doing an authenticated…
My team found the tinder vuln, there are still plenty of location based apps that have that vuln...plenty. :(
They know exactly where their sploits are going and how they're being used, they chose to look away with a blind eye.
CEO of a pentesting company here, I've participated in or supervised close to ~2k tests of applications and networks. Sadly I have to report what you state is possible, but not plausible in today's modern heterogenous…
Trying to demystify CORS in a couple of paragraphs....good luck with that! I think 200 page book would still be too short to demystify it. It's a crazy topic
On the security assessment side of tech we face similar problems that these types of awesome dev tools could help us solve. Our clients either: 1) Have no docs (48%) 2) Have outdated/incorrect docs (48%) 3) Have correct…
Even worse, what happens when they MITM all of the installs because the docker container has really bad security such as: RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz…
Having been in this silly industry of hacking for 20yrs, I really wish publishing negative results became more normalized. There are orders of magnitude more unpublished info regarding stories of not finding vulns there…
Idea and driving force to make this product reality was Kevin Poulsen, Aaron Swartz did most of the code on the MVP, and James Dolan did most of the security/documentation/evangelism work. Aaron and James are no longer…
Having worked with all of the founders of SecureDrop (Aaron, James, and Kevin) to audit the alpha version it was tough to see Aaron go. Also super sad that we lost James a couple of years later too…
Include Security | Senior Security Assessment Research Consultants | Remote | Full-time | https://www.includesecurity.com | @IncludeSecurity * You're a dev, but have always been really good at hacking apps and would…
This is a great FOSS tool if you don't want to deal with all of the low level stuff. https://github.com/StreisandEffect/streisand We did an audit of it and they fixed lots of configuration problems, it's now pretty…
Include Security | Senior Security Assessment Research Consultants | Remote | Full-time | https://www.includesecurity.com | @IncludeSecurity * You're a dev, but have always been really good at hacking apps and would…