Ethical Hacking Q&A with Sonya Moisset

GitGuardian’s Mackenzie Jackson had the privilege of hosting a webinar on ethical hacking with Snyk’s Sonya Moisset. What follows is a lightly edited transcript of the Q&A after her presentation... or watch the Ethical Hacking Q&A video clip on YouTube.

Mackenzie (after describing the process for submitting and upvoting questions):

I'm just going to ask my question because I'm the host and I can do that.

So the question that I have too is… when we're doing something ethically, when we're ethically hacking something, we obviously have parameters that we have to work within. Is there anything that we have to look out for that could be a legal issue if we… if we perhaps access the wrong things? Do we have to be careful of that when we're starting our ethical hacking journey?

Sonya:

Yeah. This is why I stress the fact that when you go on those bug bounty platforms, it's really important to read their rules of the game because they will let you know which endpoint you can test, which URLs, which API you can actually test. And if you do test outside of this scope, this is where it's actually illegal.

And usually, when you test on these platforms, as I mentioned, you do sign an NDA when you're doing so, so you ask permission to actually test those. If you haven't signed the NDA and you actually find one vulnerability, then you can come up to these platforms and try to find those programs.

Usually, HackerOne, Intigriti, and other platforms will help you to actually convey this report and be in a safe place. But as I mentioned during the demo I wasn't supposed to have the codebase on my machine, because this is… you can consider it an IP, intellectual property, that I actually copied and had on my machine.

You should actually do all of the things with the path traversal to have the information. So just make sure to not have copies of databases, user information, and all of those. Make sure to stay in the scope of the testing and make sure to provide a detailed report of all of the commands that you've done, because potentially the security team/developer team will actually look at the logs. So yeah, they could potentially look at what you've done in their systems.

Mackenzie:

That's great. Thanks so much for that. We have another question here. Now there's actually kind of a lot of similar questions about this and I think that maybe Snyk Learn might be a good place. But where, if people want to get started… where do the beginners go to kind of… what would be your first steps, maybe to start with, and then what would be the journey beyond that, do you think?

Sonya:

Sure. So there are a couple of websites, good websites, and also free platforms where you can start this learning journey, which are Try Hack Me and Hack The Box. They’re two great platforms where you can create an account and actually try to “Pwn” those machines.

At Try Hack Me, I find it a little bit more beginner-friendly because they do have those rooms with step by step walk throughs. When you feel a bit more confident you can go on Hack The Box and try to hack the beginner machines. So, yeah, this is potentially a good one.

There's other platforms you can also try—the OWASP Juice Shop, which is an online retail shop that has a lot of vulnerabilities. There's also picoctf. There's a lot of those platforms. There's also, as you've mentioned, Hack The Box has an academy where you can actually learn a bit more. They do have modules on specific vulnerabilities, on how to do those ethical hacking methodologies and workflows, so this is to help you on that path.

Mackenzie:

Excellent. And there are a couple of more questions along that… I don't think we need to answer them… You know there are courses, there are certifications, but if you want to start, I think that those are the places to start.

Sonya:

Yeah, I would say if you want to also demonstrate those to recruiters, and you might not have the budget to actually do the certifications, is start with Try Hack Me, Then move to Hack The Box. And when you manage to pwn the box, write a detailed walkthrough on which tools you've actually used, the commands, what were the results, and also recommendations.

Then you can start working on creating a portfolio of walkthroughs. And this is something that [you] could potentially show to recruiters because you will have hands-on, specific tools, and the methodology, which is important because you want to demonstrate the skills.

Mackenzie:

Yeah, that's really cool, because perhaps people don't realize but there are certifications that you can get and they go on the end of your, you know, a lot of people have them on the end of their LinkedIn profiles. And a lot of them are great and it can show the recruiters that you know what you're talking about, but by golly, some of them are so expensive to do. I feel like what you're saying is that if you don't have the budget to do that, then if you document it, that can be a place you can save in.

That's fantastic advice.

Now you touched on AI and we had a question here from Abdullah, who says “How do you think generative AI will affect your day as an ethical hacker and the cybersecurity field as a whole? Are there real-world applications?”

So you've kind of touched on this, but is there anything more that you could kind of add on that? Are you using AI when you're doing ethical hacking today?

Sonya:

So, here we're talking about generative AI. This is the code that is generated through Copilot, through ChatGPT, and the other LLMs, so this would depend on how… what… what you're doing about this code.

So it's great to have those tools. Let's say if we're producing code through ChatGPT, what I would recommend is the same as when you copy/paste code from Stack Overflow.

Do you have security tools? It could be GitGuardian, Snyk… just to make sure that you have a pipeline to make sure that you're scanning the code that you will introduce into your code base. You can use these tools. Just make sure to double-check and make sure to understand what you're actually putting into your codebase. The problem that you might have copy/pasting Stack Overflow would be the same with the code generated through different LLMs.

But also this was an open question for not generative AI, but any of the ethical hacking AI tools or those that are powered by AI. This is interesting. It’s always the same, as with any tools, have a good understanding of the tools that you're using and also make sure that you're using them as an assistant. Don't lean only on your tool. Make sure to double-check every time the results, the outputs, just to make sure that it doesn't produce hallucinations or false positives or false negatives in a sense.

So just make sure to use it as an assistant when you're stuck and you need better ideas or explanations. For example, line by line for code or for an exploit. So, yeah, it depends on the usage that you're actually doing on AI.

Mackenzie:

Yeah, amazing. [pauses to promote the next webinar]

Maybe a couple more questions. This one I find quite interesting: “What overlap does an ethical hacker have in the day-to-day with a typical software engineer?”

And what I kind of think–perhaps I'm interpreting this wrong–but if you're in a company, and perhaps you're a red teamer, or you're on the appsec team, how do you interact with the software engineers? Do you have any advice for how to interact, perhaps, with software engineers and help them, and not just be the “opposite team,” let's say?

Sonya:

Sure, so the most important thing is the culture that you have in the organization. The security team should be enablers. They shouldn't be blockers or gates for developers. They should have that collaboration piece and communicate with the team.

It's usually a good thing, for example, doing these kinds of webinars with live hacking demos during lunch breaks or organizing this within the company so the developers have a better understanding of what is happening in the cyber security space because it's quite exciting.

When we're talking about hacking, everyone is interested to know, to have a better understanding of it, so this a good way, actually, to increase the culture and just to break the silos between both teams.

You can also gamify it. You can dedicate a day to making sure that you go through the backlog of security vulnerabilities. And you have the security team doing some training, explaining the vulnerability, sitting down with the developers, just you have that collaboration and communication piece.

This could also go through the Security Champion program, for example. A Security Champion is basically a developer that is acting as a bridge between security and developer teams. They could also upskill through this program. So there are several ways to do so, but the company should make sure the security team are enablers. That's the most important thing.