After having worked on software security for 20yrs+ I can tell you firsthand that it is a long-term losing game. Libs, frameworks, and SDKs are written to provide functionality and interop. The more functionality/interop they have, the more popular they become and the more vulns they have.
The only winning move is not to code!
....OR learn to live in a state of constant vulns and put guardrails in place so that you can avoid shooting yourself in the foot as much as possible. In this case strict ingress/egress firewall rules in prod would prevent this from ever being exploited, from what I've read on the vuln thus far.
Hey HN, we're IncludeSec. We've done thousands of assessments for hundreds of clients and are well on our way to replacing all of the legacy lower-quality junior-heavy appsec consulting teams doing work in Silicon Valley and the rest of the US tech sector...and we're continuing to grow quickly! (but we won't get too big, we like smaller company vibes)
We're currently looking for these roles:
1) (US Only) An application security expert who isn't afraid of the management side of things to join our rapidly expanding team as a Managing Consultant. Perhaps you're a people manager, or don't mind talking to clients and can help our sales team out with the tech side of things?
Hi OP, I'm Erik, CEO of IncludeSec. We do many FOSS audits for Mozilla, OpenTechFund, etc. I can give you some ranges and points of consideration from what I'm seeing in the industry today.
First consideration point is quality of the team and the seniority of the people ACTUALLY DOING THE TESTING (a lot of pentest shops do a bait and switch: seniors do the presenting but juniors do the actual work.)
Next consideration is location of company; EMEA and Asia are lower hourly rates than US teams.
Next consideration is scope. Do you want the front door checked, or the entire house inside and out? In this case Cure53 spent 25 work days on this assessment, which gives quite a lot of time to analyze the software and check lots of different avenues of attack.
Next consideration is type of attacks to try and security assessment methodology. Do you want just fuzzing? Perhaps you can get that for free from Google's OSS-Fuzz; they will sponsor people to set up your FOSS app with their fuzzer via CI/CD. Do you want static analysis from some big COTS vendor like Coverity/Fortify/Checkmarx/etc.? That could be useful, and they often have discounted/free scans they will do for FOSS. Or perhaps you want super smart hacker pentesters to code review and dynamically attack your app (that's what my team does).
Next consideration is publicity: do you want this report public? Some charge extra for that.
There's a million other things to consider when hiring a pentester, but this message is already too long. To give you a ballpark, estimate $10k to $40k for small projects, $40k to $80k for medium sized projects, and $80k to $150k for large projects. YMMV of course, but those ranges and the consideration points should get you well on your way.
Hit us up if you need more tips, happy to help via email <myfirstname>@includesecurity.com
IncludeSec | app assessment/pentest | full-time | REMOTE World-wide||US Only (depends on role)
Hey HN, we're IncludeSec. We're well on our way to replacing all of the legacy lower-quality junior-heavy appsec consulting teams doing work in Silicon Valley and the rest of the US tech sector...and we're continuing to grow quickly! (but we'll never get too big, we like smaller company vibes)
We're currently looking for three roles:
1) (US Only) An application security expert who isn't afraid of the management side of things to join our rapidly expanding team as a Managing Consultant (4th MC on our team.)
https://www.linkedin.com/jobs/view/2659055090/
2) (EU, South Am, North Am) An application hacker who wants to hack on a ton of apps for small and big tech companies and even loves security research too perhaps!
Google is one of only a handful of companies in this world that can fundamentally change the state of security in the tech industry. I love Google and have many friends who work there; I truly believe in their mission. They have the talent and the financial resources, but sometimes they do not use those in ways that are strategically scalable IMHO.
Here's some examples of ways they could use $100MM to completely flip the script on app security:
1) Google Project Zero - Some of the absolute best hackers in the entire world work on this team; they identify and exploit vulnerabilities at the same skill level as the best nation states. None of this significantly moves the needle. If they took this team, expanded its skill set, and redirected their efforts towards building protections for compilers, runtimes and frameworks, then that would be much more impactful than showing off the next <ubiquitous software> 0day.
2) Google's partner program - Google has a program that forces all integrators of their OAuth APIs, from Gmail to Gdrive, to have 3rd party security assessments conducted. The 3rd parties they use put their most junior/scanner-focused pentesters on those projects. The approved 3rd party vendors turn this into a cash cow because they hire kids straight out of school and bill them out at senior rates, because the API integration partners are forced to use these junior teams. Instead they could create a register of ALL pentest companies, stop the SF/SV practice of secret lists, publish all data about security assessment/pentest firms, and prioritize the effective firms, not the junior firms.
3) Google could create zero trust FOSS software for all corporations. Zero trust is a hot topic; every COTS vendor now caters to the key buzzword. Often the COTS solutions are low quality, trying to make bank off a trend. Google is in the unique position of advancing the state of zero trust world-wide by releasing zero trust as FOSS and allowing all corporations in the world to jump a light year in corp-sec.
4) Advancing the state of systems programming - I love C; it was my second programming language and the one I first fell in love with, and I won DEFCON CTF writing exploits for C code. All of that being said, there is almost no need at all for C in 2021. For almost all cases I can use Go, Rust, or something else memory safe instead of C. Google should move from using C for most programs and advance the state of Go and Rust via SAST tooling and security rules. Yes, this includes Android; Android should support non-C code such as Rust in the kernel just like Linux is currently doing.
5) Align with security best practices on all OSes and desktop apps - MS is doing some amazing experiments with high security to make their browser extremely secure; Google should have been doing the same with Chrome for the past 10yrs https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec... I know the usability/memory trade-offs being made here to keep the browser performant, but I still think there is more that can be done here with the genius tech/sec innovators that Google has.
6) OpenSSF should create an alliance to fundamentally eliminate XSS and CSRF - Google is a huge sponsor (primary I think?) of OpenSSF. That org can create an alliance with all of the top web app frameworks (Django, Rails, Flask, Gorilla, Spring, ASPMVC, etc.) for an operating mode which fundamentally uses all of the new web app security hotness (CORS, CORP, CORB, COOP, COEP, CSP, site security, etc.) to absolutely eliminate all XSS and CSRF possibilities at the webapp framework level and SQLi at the ORM level for all notable webapp frameworks. This would set a precedent across the industry.
7) ...I'm gonna stop there, I can go on forever. These are things I think about a lot, being in the hacking industry 20yrs+. I'm often dreaming of "If I just had $5MM in funding I could solve so many security problems!!", but the only currently feasible way to get that funding is to use it to create a commercially viable product. Google's pledge to fund cyber security in an altruistic manner changes the game.
Google, we love you! Help us secure the Internet, you've got the power to totally change the game...we hope you do! :)
IncludeSec | appsec/pentest managing consultant | full-time | REMOTE US ONLY
Hey HN, we're IncludeSec. We're replacing all of the legacy lower-quality junior-heavy appsec consulting out there in the world and are growing quickly!
We're currently looking for an application security expert who isn't afraid of the management side of things to join our rapidly expanding team as a Managing Consultant (4th MC on our team.)
I'd guess that those same presidents will call them up and buy. They'd rather be a customer than try and change a behemoth with political power like these guys.
In a nutshell, here's why things are so screwed up IMHO:
1) Most of these companies have had audits, but they're being done by 3rd rate or very inexperienced external consultants.
2) The companies limit the scope of the tests. Real hackers don't give a shit about your scope of work, they have no rules, only goals.
3) Even when a test is properly done, the exec management looks for silver bullet product solutions instead of changing across people/process/technology.
My company solves #1, but we can't do anything about #2 or #3 :-/
The entire idea behind modern network security is that zero-days happen regularly. You should design your security controls around this fact: defense in depth, least privilege, etc.
"The attackers were able to exploit zero-day vulnerabilities in the VSA product to bypass authentication and run arbitrary command execution," the Miami-headquartered company noted in the incident analysis. "This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to endpoints. There is no evidence that Kaseya's VSA codebase has been maliciously modified."
This is very likely not the full story, unless the 0day in VSA was somehow wormable. That "deployment" is doable through overly permissive IAM and everything else that enables privesc.
There are two parts to these vulns. Whatever gets the foothold, and whatever allows privilege escalation. Audits do a great job in catching the misconfigs that allow privesc.
The tragic thing about these attacks is often the blast radius can be contained fairly easily by asking the right questions... If you're someone who has passed these audits, or done these audits, it becomes pretty easy to see how many unforced errors go into these catastrophic attacks.
If https://old.reddit.com/r/msp/comments/ocggbv/crticial_ransom... is correct, a competent web application security review (white box or black box) which was correctly scoped to include the affected files would likely have found the SQLi and authentication bypass issues (mentioned in update 12).
Without seeing the codebase in question, you can't be sure, but having been a web app pentester for 10+ years, these are the kind of issues that were found regularly, and whenever I saw classic ASP in tests, they were the kind of issues I'd be looking for, knowing the inherent weaknesses in the platform.
Did the RMM box really have to be on the open internet? In infra I run, anything with a public IP is behind numerous layers of FWs and VPNs; why not the same here?
IncludeSecurity (http://includesecurity.com) works on security assessments of cutting edge and mass scale tech. We are looking for a freelance technical writer to join our existing team who performs editorial review of our security assessment reports. We have excellent style guides and the QA process is asynchronous, so the hours are very flexible. Previous experience in the tech industry or tech-adjacent roles preferred.
You can see some of our public reports at https://pentestreports.com/reports/ (search for IncludeSecurity)
Email resume/interest to: careers atsign includesecurity dot com