Hey LinkedIn crew, we just published a new research blog post on some offensive Ruby exploit techniques! It's always exciting to find a deserialization function accepting user input, but what’s your plan if well-known gadget chains aren’t an option for exploitation? In this post, our consulting team explores the process of building a custom gadget chain to exploit deserialization vulnerabilities in Ruby. 😁 https://lnkd.in/ejRnpJsG
Include Security’s Post
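The mechanism the post above is built on, as an added example that is not code from the Include Security post or from the linked article: Ruby's Marshal.load instantiates whatever classes the byte stream names and calls their marshal_load hooks with attacker-controlled data, so any reachable class whose hook has a side effect is a gadget. The AuditEntry class, its log, and the payload are all constructed here for illustration; the contrast shows the same input parsed as JSON, which creates only plain data.

```ruby
require 'json'

# Hypothetical application class (an assumption for this example).
# Its marshal_load trusts the serialized fields and performs a side effect
# (appending to an audit log) before the application ever sees the object.
class AuditEntry
  attr_reader :message
  LOG = []

  def initialize(message)
    @message = message
  end

  def marshal_dump
    [@message]
  end

  # Invoked automatically by Marshal.load while deserializing; the argument
  # comes straight from the untrusted byte stream.
  def marshal_load(fields)
    @message = fields[0]
    LOG << "audit: #{@message}"
  end
end

# Vulnerable pattern: Marshal.load on bytes that arrived from a client.
def load_untrusted_marshal(bytes)
  Marshal.load(bytes)
end

# Hardened pattern: a data-only format. JSON.parse builds Hash/Array/String
# values and never instantiates application classes or runs their hooks.
def load_untrusted_json(text)
  JSON.parse(text)
end

# Constructed payload: an attacker who knows the class name can produce this
# offline (with a copy of the class or by hand-crafting the Marshal stream).
def attacker_payload(msg)
  Marshal.dump(AuditEntry.new(msg))
end

# Runs both paths and reports what each one did.
def demo
  AuditEntry::LOG.clear
  obj = load_untrusted_marshal(attacker_payload("forged entry"))
  side_effects = AuditEntry::LOG.size          # 1: marshal_load already ran
  safe = load_untrusted_json('{"message": "forged entry"}')
  { marshal_class: obj.class, side_effects: side_effects, json_class: safe.class }
end
```

A real gadget chain strings several such hooks together until one reaches something like Kernel#system or File.write; the fix is the same either way: never hand client-controlled bytes to Marshal.load, and prefer a format such as JSON that cannot name classes.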
More Relevant Posts
-
Recently IncludeSec was added to two notable industry indexes of vendors. The Latio Tech vendor list (https://latio.tech) and also the https://devsechub.io vendor list. It's great to see industry recognition for our work! 😀
Latio Tech List version 1.16 is live! Here are the changes:
1. Added Traceable to API security and ADR. When talking to the "networky" API Security providers, Traceable always comes up as the scary guy in the room, and now I understand why. They started with the hard stuff (tracing) and backfilled the easy stuff (network logs) and showed some examples that were truly innovative in helping teams research and respond to events like fraud detection. The hard part is just assessing how integrated you need to be to see some of that stuff - but either way they're incredibly well positioned for the future of the market.
2. Added Include Security to pentest. Pentests are a hard category for me to evaluate, so I mostly have to go on public research information to get a sense of how in depth certain providers go. Include gives a lot of confidence in their technical ability for a pentest aimed at real security rather than check the box.
3. Added NightVision to DAST and API Security - scans your code, builds API docs based on the code, then scans your APIs from the outside.
4. Added Kloudle to CSPM - a simple on demand CSPM scanning tool, unique for its ability to scan Digital Ocean.
-
We got a message from a client today telling us about how they view the current state of the industry and confirming some things we're seeing across the board. It's always a good feeling to know that the actual assurance value the Include Security team brings to the table is something that the market very much desires. One of our frequent competitors increased their rates 15% across the board recently and another frequent competitor lost most of their senior talent last year and replaced them with an outsourced shop on the other side of the world. I'm super happy we're able to execute high assurance software assessments consistently for our clients; we're doing hundreds of assessments a year of all sorts of crazy technologies. Reach out via email to consider us for your next assessment/pentest: info <at> IncludeSecurity.com and let the great hacks begin! 🗡 🗡 🗡 🗡
Home - Include Security
http://includesecurity.com
-
AI/ML Hax, yeah we've got those too!
An epic tale of AI security woes! Learn more about Consumer Reports' collaboration with Include Security and the brilliant Abraham Kang, Esq. diving deep into LLM application security risks with Python code interpreters #techatCR #innovationatCR
Who’s Verifying the Verifier: A Case-Study in Securing LLM Applications - Innovation at Consumer Reports
https://innovation.consumerreports.org
-
Hey LinkedIn crew, we've got a fresh post for you! We introduce coverage-guided fuzzing as a concept to hunt down bugs faster via modification of the Fuzzilli fuzzer from Google Project Zero. We aim to show how modifying program instrumentation can be used to more easily track down the source of vulnerabilities and identify interesting fuzzing paths! Do y'all use fuzzing in your day jobs, custom ones or public ones? Anybody using CGF techniques in your own work? Please comment below if so! https://lnkd.in/esvVFPFR
Coverage Guided Fuzzing - Extending Instrumentation to Hunt Down Bugs Faster! - Include Security Research Blog
http://blog.includesecurity.com
-
Ending the weekend on a good note for product security of one of our research targets, we're happy to see vulns we find in our R&D time get fixed with just as much happiness as when our clients fix their vulns 😀 We've been working on "bridging that cyber/kinetic gap" as the mil contractors like to say and we were able to get an attack working against an IoT product that can cause physical harm to somebody's house 😮 Here's part of the email they wrote us today; we'll release the advisory when the patch is out or 90 days hits:
"At <COMPANY NAME>, the security of our products is our topmost priority. We are fully committed to providing safe, reliable, and high-quality <TYPE OF PRODUCT> to our customers. Your report has highlighted an area where we can improve, and for that, we are thankful. We are currently addressing the issue urgently and have taken the following actions:
1. Implementing asymmetric encryption for firmware updates.
2. Transitioning all network communication from HTTP to HTTPS or MQTTS protocols."
Have you all seen any attacks against IoT that can cause real harm to the physical world? Comment below if so!
-
Edit: We're glad everybody enjoyed our April Fools' joke for 2024. See, you can be serious about security but also have fun!
----------------------------------------------------------------------------
We released our new semgrep rules today. Given the recent news about executive orders from the White House, we thought it would be important to flag all of the code that doesn't meet federal standards. Memory safety is no joke folks:
GitHub - IncludeSecurity/Memory-Safety-Detector-Rulepack: Use these SAST rules to prevent federally illegal code in your applications!
github.com
-
We're happy to support great open/free security training to get more folks into our industry. If you want to learn low-level RE/hacks/OS check out OST2! https://ost2.fyi/Home.html
Thanks to Include Security LLC for Sponsoring #OST2 at the Bronze🥉 level! More about them here: https://lnkd.in/eXh9CQrQ
Include Security Research Blog
blog.includesecurity.com
-
Today we're dropping the start of a new blog series with a different look at AI/ML security, thinking about prompt injection differently than what you may have seen in the past. Here's the first post in the series; if you're new to this stuff make sure to read it, and if you're old hat at AI/MLsec then the next post is gonna be more to your liking! Intro.... Many developers are leveraging LLMs without taking advantage of system roles, making their applications vulnerable by design. Security researchers may be missing severe issues with prompt design and implementation by not testing the LLM APIs and focusing on the web user interfaces of LLM providers. Our latest blog post provides prescriptive advice to LLM application developers to help them minimize the security risk of their applications. It also helps security researchers focus on the issues that are important to developers of LLM applications. This post is the first in a series of two, where in future posts we’ll cover the concept of attention in transformer models.
Improving LLM Security Against Prompt Injection: AppSec Guidance For Pentesters and Developers - Include Security Research Blog
http://blog.includesecurity.com