Hacker News Comments on
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

Dafydd Stuttard, Marcus Pinto · 10 HN comments
HN Books has aggregated all Hacker News stories and comments that mention "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" by Dafydd Stuttard, Marcus Pinto.
Amazon Summary
The highly successful security book returns with a new edition, completely updated. Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition

  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more

  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.

Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this book.
So given that I may likely be hiring in the web and mobile application security spaces again next year (I've _somehow_ filled all of my open positions this year; appsec is difficult to fill with external hires), I'm focusing specifically on three skills:

  • ability to assess tech/architecture risks in apps

  • experience in devops automation ("secdevops" if you will)

  • proven skill in communication regardless of depth

The ideal candidate would have all three, but I could settle with any two of these and still be happy.

I am not currently hiring, but I'll gladly keep any CVs I receive and prioritize follow-ups with anyone who reaches out to me directly. Austin/DC for curious souls.

---

p.s. the web appsec space is in ludicrous demand. If you've got a breaker mindset, you'll probably come out ahead if you read up on it. If you're a developer right now and want to dip into it, I'd suggest: https://www.amazon.com/Web-Application-Hackers-Handbook-Expl...

Trust me, us security folk will thank you. Heck I'd suggest it to non-hackery devs too. It's a good way to find out how us security types see the world.

JamesBarney
What are competitive rates for an appsec engineer?

I'm a tech lead who's always been interested in appsec(very passively), but it always seemed like a long journey from here to there. And I was under the impression the rates were pretty similar which made the task seem more daunting.

eganist
Depends on your locale and the firm. I know of firms in the bay willing to pay well over 200 for lead appsec engineers, but the spread there can be wide and you'd need to meet most of the qualifications for the role to get it.

I can share more detail in private eg on twitter.

sidcool
This is my absolute favorite work. I love coding, but I absolutely love enabling developers by providing a solid architecture and DevOps-ready infrastructure. Would love it.
eganist
Nice. If your background is strong in automation engineering, you can frankly probably get an appsec engineer position at most decent in-house shops right now just because so many of them are trying to avoid relying on consultants for pentests and assessments. One of the larger challenges right now at most firms building out internal appsec programs is to get to a point where security-focused static code analysis and pentest tools can be automated such that devs only need to address issues that magically pop up in Jira (or any other defect tracker) rather than having to learn new tools.

If you already have that experience but not specifically in security, it'd be a great fit and you'd be encouraged to apply wherever automation is even barely touched on as a requirement.

Guarantee you any appsec hiring manager will consider that background.

fma
I wasn't aware that was a big problem. My company is a large corporate company and I feel we lag behind a lot of things. However we have automated static code analysis through HP Fortify. It points to our build, scans and reports are generated automatically. Someone on the app security team needs to run the HP Webscan for pen test.

I'm a senior developer and I made a name for myself when we started having the requirement. I helped secure ~10 webapps as I was the most knowledgeable about security amongst the devs.

The app sec guys I know at my company, though intelligent, are not strong developers. There were times I spun a story to get them to mark something as false positive - or I knew what the scan flagged for and coded around it. I know, bad practice, but sometimes the scanners mark something as critical when IMHO it's not.

Once our apps were secure, maintenance is pretty low as we'd just fix any new vulnerabilities introduced by coding, or updated by the scanner tools.

Do you see a need for strong developers in app sec world? If so, any recommendations on ways to make the leap? Not really looking for something where I just click a button and scan...but something more in depth that would use my development experience. I have a Security+ cert, doubt I can get a CISSP since I don't know anyone with it to get sponsored.

eganist
Some mature orgs have done a good job of automating this, but it really depends on the industry. Finance and FinTech, for instance, are ahead of the curve here. Most government entities, on the other hand, don't even realize there's a curve ahead, nor do many utilities companies and some healthcare firms. So to your point about it being a big problem, "it depends on the company."

As for strong developers in the appsec world, certainly. Especially if you have a strength in the automation side, you can easily carve a niche out for yourself. The main two areas where I can see a dev taking charge are in driving the use of security features in frameworks product teams already use (this is a HUGE bullet being pushed by notables in AppSec as it reduces the effort involved in uptake of secure coding practices) as well as in leading automation of new tooling in support of new frameworks. There's also the angle of developing custom solutions to address firm-specific problems, something appsec people without a strict development background will have a hard time doing.

Quite a few appsec leads prefer bringing in developers with a breaker mindset as appsec hires, so yes, there's always room. Depending on how you answer the question "what does 'secure ~10 webapps' mean?", you can probably easily score a lateral move into AppSec (Senior Dev -> Senior Security Engineer or Senior AppSec Consultant/Engineer).

My keybase profile has all my contact info if you want more tailored guidance. Even if you don't join my firm or any of the other firms I have a hand in shepherding, we desperately need more people in appsec, so I'm all about sharing this knowledge.

hoorayimhelping
Thanks for this post. I've had that book on my shelf for months now, and I'm going to start reading it. Thanks in general for the information here, it's helped validate a few suspicions I've had, cheers!
eganist
Of course! And by showing initiative, you're also motivating others and thereby living up to your username (for what it's worth =).
devilsavocado
What counts as 'proven skill in communication' to you? Other than how they communicate throughout the interview process, I'm not sure how else to test for this.
616c
Super interested in this space. I checked your profile but only saw a keybase profile. A friend JUST hooked me up with an alpha tonight!

What if I am infosec/netsec/whatever student and I watch a ton of Pluralsight on AWS and Docker and I am starting to build my own lab. Will people hire someone like me? I ask publicly because I assume I'm not the only one.

eganist
Possibly. Especially if you're using the environment you're building as a testbed for teaching yourself how to break into apps or how to automate security tools.

About that... you know what's more likely to get you hired in the space? If you have no work experience in appsec but walk in and tell or show me a pattern for how you automated appsec testing in a build pipeline or QA process at home and describe the challenges you had to overcome, or if you have a few fleshed-out bug bounty submissions (with exploits) and can describe your favorite one in depth, or if you've taught yourself how to review code for flaws and could do it in front of me in an interview setting, I might be quite willing to waive the years in appsec requirement. Other smart hiring managers probably will too.

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Proje... <<This is a good starting point for learning how to break things. Also for learning how to fix them :)

616c
Got it. This is what I will spend my weekends on after an exam. Thanks for your response, and apologies for my late reply.
Web Application Hackers Handbook https://www.amazon.co.uk/Web-Application-Hackers-Handbook-Ex...
twunde
I'll second this. This book hits upon most common security vectors. It's amazing how few developers know what csrf is and how to defend against it even now. If you're not ready to invest money yet, check out the owasp top 10 and make sure you know how to defend against them in your preferred language/framework.
For what it's worth, that's a fair concern. I offer two things that make it not quite as bad as you may think, though :-)

1. We don't expect applicants to be amazing at this already. Having a background in security is good, of course, but not necessary. As a data point: in the office I work out of, we have someone who used to work in a bakery, someone who worked for an insurance company, and several people who had never done security before applying to Matasano. It's my opinion that you generally learn more "on the job", as it were, than you would preparing for an interview anyway. @tptacek's post at [0] is a good example of the type of people we have working for us.

2. We generally send candidates resources to help them prepare - I believe a couple recent applicants got free copies of "The Web Application Hacker's Handbook" [1].

[0]: https://news.ycombinator.com/item?id=8395627

[1]: http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

fsk
Any interview process that requires a substantial time investment by the candidate pre-interview is broken.

Why would I spend some time learning the security niche just for one interview? I could instead work on Android development, Python, Scala, or a whole bunch of other things. Those would be useful for many jobs, and not just 1-3 employers.

Why is putting in a lot of time researching security for your interview a better use of my time than learning more widely applicable skills?

What if I put in all the time, pass the pre-screening, and then when I meet you, it turns out you aren't the type of people I'd want to work with?

jjarmoc
> Any interview process that requires a substantial time investment by the candidate pre-interview is broken.

I disagree, but accept that this depends largely on the desired outcomes. If the candidate's goal is to spray-and-pray by applying at dozens of companies and hoping one makes them an offer they can accept, I'll grant that requiring more time may be a hindrance. If, however, the candidate's goal is to learn something, improve their skills, and demonstrate to the potential employer that they're capable of doing this on a short time cycle, they may welcome the opportunity, and many have.

> Why would I spend some time learning the security niche just for one interview? I could instead work on Android development, Python, Scala, or a whole bunch of other things. Those would be useful for many jobs, and not just 1-3 employers.

Because you want to work in security generally, and for us specifically? I fully accept that not everyone shares career goals which align with our needs, and encourage them to pursue other avenues. If your dream in life is to be a Broadway actor, we're unlikely to be able to help. That doesn't make this goal less important to you or valuable to the world at large, it just differs from what we do and offer.

That said, if you think that security skills (and web app security specifically, which is the typical path for those learning for the interview) are relevant only to "1-3 employers" I fear you drastically underestimate the size of the market both within security consultancies and enterprises that have a security team (or just appreciate security-minded developers).

> Why is putting in a lot of time researching security for your interview a better use of my time than learning more widely applicable skills?

It may not be. There are a lot of paths to self improvement, and their suitability to a specific individual will vary, depending on that individual's goals, desires, and learning style. I don't think anyone is trying to prescribe 'the one true path to self improvement' but rather one that we've found to work, and one that we help our candidates advance down.

> What if I put in all the time, pass the pre-screening, and then when I meet you, it turns out you aren't the type of people I'd want to work with?

Then we shake hands and each go our own ways, hopefully having learned something about each other and ourselves in the process. Maybe we've made contacts that'll be mutually valuable in the future whether it be for future employment, a business relationship, or simply someone to chat with at some developer meetup, conference, etc. and bounce ideas off of. Choosing not to continue a relationship is a perfectly viable outcome of any interview process.

infinite8s
It's pretty simple, then - don't apply there.
I recommend grabbing a copy of Web Application Hackers Handbook[0] and trying to hack vulnerable VMs[1].

I see that you're a sysadmin, so if network hacking is more your speed I would download Metasploit[2] and start hacking old Linux or Windows distros.

[0] http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

[1] http://itsecgames.blogspot.com/2013/07/bee-box-hack-and-defa...

[2] http://www.metasploit.com/

I'd also like to know Security 101 for web developers.

In a recent appsec thread, there were two books that a lot of people recommended:

http://www.amazon.com/The-Tangled-Web-Securing-Applications/...

http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

https://news.ycombinator.com/item?id=5862102

This book covers a lot of the material: http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...
tptacek
We buy that book, along with _The Tangled Web_, for candidates to Matasano. We like both books a lot (I wish WAHH had a title I wasn't embarrassed to say out loud, though).

The other book candidates here tend to get is _The Art Of Software Security Assessment_.

mindcrime
While we're talking books and education... tptacek, could you share any resources that you are acquainted with, specifically on the topic of SSL/TLS? I feel a need to really ramp up my knowledge in this space, and would be glad to hear any recommendations you might have.

Note that I'm looking at this from a deployment / administration POV, not programming. I don't want to implement TLS from scratch, just understand the various issues and implications involved in rolling out TLS.

If you have some suggestions, they are much appreciated.

tptacek
This is Adam Langley's blog:

http://www.imperialviolet.org/

I might start with this post:

http://www.imperialviolet.org/2010/06/25/overclocking-ssl.ht...

saturdayplace
Seconding the recommendation for both of these books. They're both sitting on my desk here and they're both excellent. Tangled Web does a great job of explaining why browser and web app security is in the state that it's in, and each chapter includes a "cheat sheet" at the end of things a developer can do to further secure his web app. Web Application Hacker's Handbook contains exactly what's on the tin: a pretty thorough explanation of how to pull off many of the common exploits, along with the explanation for how/why they work.
The optimistic and humble side of me wants to believe that this is a rare occurrence.

The truth is that I don't remember working on a single codebase that didn't have some eventually discovered vulnerability in auth(entication|orization). When I eventually do comb through controllers and find easily exploited access-control violations, I've often been met with responses similar to the behaviour of the developers at Icebox.

Rails does and will continue to protect you from a lot of mistakes, but nothing is going to help long term unless you know what words like authentication, access control and session management mean.

If you're a professional web developer and you care about your users then please buy and have a read through The Web Application Hackers Handbook[1]. Every page is dripping with easily exploitable attacks you didn't think of. That last app you built is almost definitely vulnerable to a handful of them.

[1] http://www.amazon.com/gp/product/1118026470?ie=UTF8&tag=...

Here are a couple of great books about web/software security:

http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

http://www.amazon.com/Deadly-Sins-Software-Security-One-off/...

tptacek
I love WAHH.

I can't stand "Deadly Sins".

I'd replace it with _The Tangled Web_, Zalewski's new web security book; WAHH and _Tangled_ is a formidable amount of knowledge to keep on tap.

jbp
If you don't want, or are unable to get, Tangled Web, similar useful information by the same author is in the "Browser Security Handbook": http://code.google.com/p/browsersec/wiki/Main
I think this is where you can pre-order?

http://www.amazon.com/gp/product/1118026470?ie=UTF8&tag=...

By the way, does anyone know similar books?

coin
What's with sneaking in an affiliate tag to the Amazon link (portswinet-20)?
spjwebster
It's the same link as posted on the book author's buy page ( http://portswigger.net/wahh/buy.html) so I'd imagine the parent just copy/pasted it here.
dguido
Not exactly, but these two are slightly related:

Hacking Exposed: Web Applications, 3rd Edition - approaches the subject from a wider angle, not just about appsec.

http://www.amazon.com/HACKING-EXPOSED-WEB-APPLICATIONS-3rd/d...

Hacking: The Next Generation - more about what you can do with lots of web app flaws.

http://www.amazon.com/Hacking-Next-Generation-Animal-Guide/d...
