
Hello, hello everyone. Hello Dublin, it's really nice to be back. A couple of questions first: is everyone okay with me cursing? If not, please raise your hands. No? Okay. If you raise your hand you have to go, because I'm going to curse. Sorry, it's part of my persona.

Welcome to my locknote, my first locknote: "Beyond the Endpoint: My Adventures in API Security Research", which, again, spoiler: whenever you see this double point in a talk, the title was usually generated. Have any of you seen one of my previous talks? Is this your first talk? No one? Oh, some, okay. So this is not my typical talk. My typical talk is: I decide that I don't like an industry and then I go and destroy it. APIs are go. This is a more esoteric and a little bit more on-the-nose talk.

Who am I? I'm Vangelis Stykas. Most of you know me as the person who really likes figuring out what APIs are doing and then doing offensive [ __ ] against them. My current position is CPO at Atropos, which is a penetration testing firm specialised in web application and application security, with a niche of photovoltaic, EV chargers and in general green energy. Yeah, that's our niche. And I'm also a PhD candidate for the past 12 years, so I'm not the guy who finishes stuff. I'm not Greg there; whatever I'm going to say is usually the exact opposite of what Greg said. You should follow Greg's advice, he's the good one.

How it started: you can Google that, it's Trackmageddon. At some point I found out that there were 12 million devices, small chinesium GPS [ __ ], whose location I could see, and then I started pinging stuff for fun.

The main question is: what is security research? As a security researcher you can find vulnerabilities in anything. Some of them pay bounties, not a lot, and you can also get some internet fame, as I did in the past couple of years.

What are the research types? The first one is my research type, which is for singletons like me: API, web, low-hanging fruits. You have to know some kind of HTTP and try to understand where the developer will cut some corners. Then software, which needs a solid understanding of software cutting corners and possibly doing some kind of reversing. And hardware, which is not for the soft, definitely not for me: it needs reversing, it needs assembly, it needs an understanding of hardware, and it also needs a lot of patience that I don't have.

So when I talked with the organizers here, we decided that I wanted to do a talk about: is it possible for anyone to become a security researcher, or at least what I specify as a security researcher? The answer is yes.

Okay, so I think you want the full talk. If you want the short one, that was it: you can do it, go for it. Don't do crime, or do, do whatever you want, don't blame me.

How to get started as a security researcher. Also, this is a really nice milestone: the first time that you see your name and the title "security researcher Vangelis Stykas", and you're like, what now? This happened with Trackmageddon and it blew my mind: so I'm a security researcher now? Yeah, well, everyone is. How I got started: I was a software engineer, then I was a senior software engineer, then I was a lead backend whatever, I became a CPO, and I decided that I didn't like to build stuff. So I jumped from that C position to a junior penetration tester and then a senior penetration tester and whatever. I took a huge pay cut and I never looked back.

How to start: learn the basics. Gain a solid understanding of computer science, you are going to need it. Look at operating systems, look at databases and networks, and try to understand the fundamentals of web applications. Learn your tools, whatever they are; familiarize yourself with those. If you don't like what other people are using, try the old school. I like dirsearch; pretty much everyone is using ffuf, which is cleaner, quicker, whatever. I'm still old school, I'm old. What got you here might not get you there, so you might need to change some tools, and don't always follow the way.

How to enter the community: come to BSides. BSides are great. It's usually near you, or if it's not near you, fly there. Conferences really help. Go to Twitter, Mastodon, Bluesky; follow, interact, try to be part of the community. And I continue saying Twitter; if you say X instead of Twitter I hate you, you are a person feeding Musk and fuelling Musk. Security is ever evolving: stay updated, follow all the trends and vulnerabilities, keep moving, keep learning. [ __ ] is going to change; stay on top of it.

So how did I get started? As I said, when I was at C level I understood that I didn't like building [ __ ]. I kind of like building stuff, but I really like breaking it. So if you are here, you probably also understand that you don't like only building, you also like breaking. So come to the dark side: don't go to the defenders, come to the offenders.

I did not answer, again, how to get started. There's no single correct way: do what you like and feel comfortable with. Prepare to fail a lot, and by a lot I mean that most of the things that you are going to try are going to fail. Something is going to work; go for that thing that works for you. I still didn't give any answer, so it's like, I don't know, try what works for you. What works for me might not work for you. What works for you, I don't know. If you like it, you're going to make it; that's what I can say.

What to target while you start your security research: don't go around hacking random stuff. I cannot stress that enough, this is illegal. Don't break the law. Most of us at some point were at the bridge; we never crossed it, or if we crossed it we really needed a lawyer. So please don't go around and hack random stuff. You're going to have a lot of bug bounties; you're going to get money, but you're going to be disappointed, because right now, in the past couple of years, most of the bug bounty research is automated, so what you're going to find was also probably found in the first couple of hours that that thing was online. The other part is regular research, which is: buy equipment, buy licenses, try to hack it, and then probably never get paid for that research, but it could drive traffic to your company and your blog and you make a name out of it. And the final part is common penetration testing. It's paid, but if you are good enough you will end up finding a couple of zero-days that you are not able to publish, and then you're going to curse a lot, you're going to get furious, but yeah, it's life.

The next part is how I did something Greg said not to do. If you don't feel like it, don't do it; I like it. Build your personal brand. When you try to research something, create a blog, speak at conferences, create videos. I don't do it because, you see me, who wants to see a video of me? Social media is the way to go, but again, having a lot of followers doesn't mean that you should be... Who you are will give you increased visibility, it will create opportunities and it will give you trust and credibility. But again, there are people with a couple of hundred followers that are three or four times DEF CON speakers, and there are people with a million followers that should never have an opinion about security.

Speaking: that's me at my first talk, right at my 36th birthday, at BSides Athens, that's 5 years ago. It was a terrible talk. I'm still not a good speaker, but that was terrible. So I really liked it, so I said I need to get better at it. I'm still trying, but I'm getting better at it, I think. When you speak, introverts are accepted. I'm not an extrovert, I don't like speaking to random people, I like speaking at conferences. You have to go outside your comfort zone and you will have to learn to tell stories and provide proper storytelling. It will also help you create your personal brand, it will enhance your reputation and it will increase your visibility.

Disclosure: that's getting into one of the tricky bits. So, is anyone here Greek, other than the people I know? Nice. So when you disclose, don't be a malakas. Do you know what malakas is? Okay, that's it. When you disclose, don't take the piss. Can you take my picture with that again? It's for my mom, she really likes it. Reports should be able to replicate the issue; it should always be detailed. You should give enough time. Prepare for a fight, and I mean a huge fight. Don't beg for a bounty: if there is no bug bounty you shouldn't ask for money. They should give you some, if you ask me, but you should never ask for it. And also be prepared not to disclose, because there are certain applications, there are certain stuff that I didn't disclose, although it was huge, because it was in the public interest, not from the company side.

Vulnerabilities will happen. I know that you believe that your product is the most secure product in the world; spoiler, it's not. They're going to happen. Understand that bug bounty: the researcher just helped you. He could have exploited it and done a lot of bad stuff, but he just told you that you have a vulnerability. Be kind, be thankful, give some money if you have some in your budget, that's cool, it's always welcome. And for the love of God, don't press charges for doing illegal stuff, because it's not the IP that you think, all of you, it's something more; and the security research stuff, it's intellectual property.

Is anyone here in academia? No one? That's huge, nice. Don't go into academia. So it's much like academia: you should trust but verify everyone, or you end up with your research being published by someone else at Black Hat. Yeah, it's a mixed bag: lots of people are good, some are bad. And always, and I cannot stress that enough, always use your name. Don't use your company's name, don't use some of your friends' names; when you do some research it should be your research. From the company side: you should pay for the research even if it is on their own time; it's not a free thing to do. Don't remove the employee's name: the employee did it, not your company. And if you make some money out of it, you should pay some into the research.

AI: for the past four years I keep hearing that it's going to take our jobs. So, like, it's going to take our jobs? I hate it, stop doing it. It's going to program itself? No, it's not. Adapt: if AI will help you, you should have it do the legwork, you should have it do all the basic stuff. Use it to your advantage, and frankly, if you have been following, you're going to see that a lot of '90s API issues like IDORs and logical flaws are happening, so look at low-hanging fruits in there and do research on AI.

Ethics: again, Greg covered a lot of it. I'm probably not the best person to talk about ethics; I'm possibly the worst person to talk about ethics. Yeah, let's go for it. What are the potential issues? You could access other people's data or devices. There's going to be some conflict of interest. You could overstep legal boundaries; if you do that, do whatever you want, but please notify the customer the moment that you think that you're overstepping legal boundaries. If you end up playing around with APTs or nation state actors, you are going to have government and corporate pressure, and let me tell you that the moment that you start having government pressure, it's not nice. Always do responsible reporting, and you could also decline disclosure if you feel, or if government or corporate feels, that you should not disclose; again, take that as your mandate. Don't be a malakas, try really hard to be a good person. Don't break the law: that's the first time that I'm saying it. Don't break the law, let's make it five. If you break it, take a calculated risk. I did that; I'm really bad at math, so I ended up with a lot of governments and a lot of companies being pissed because I had disclosed first. So I'm doing this now: cooperate with all the agencies, three letters, four letters, two letters, however many letters. Do that because you want to stay out of jail.

And listen to this: do we have people over 30 here? Okay, so I guess you were in the industry when the whole COVID [ __ ] happened and your mental health was not the best. Let's talk about that elephant in the room. I do believe that some companies, not a lot of them, are trying to help the people, but it's neither the best approach nor good enough. You have to be there for everyone; you should never depend on the company to do good for you. If you see one of your colleagues that is struggling, talk; it's not bad. We are all that we have. I know that there are bigger companies that have people persons and others, but really we are in a really strange position, and all the security guys and the security researchers are really struggling. So if you have someone that is not okay, please, please talk.

Why is that? We end up with a lot of ethical dilemmas, as we saw. Some of us who are in a manager position or C position or whatever position have really high stakes. We all struggle with imposter syndrome and we need to be constantly vigilant, because especially the defenders have to be always right; the attackers have to be right only once. Why do we have imposter syndrome? We have all been there; all of us at some point believed that we were not good enough. We were good enough, we are good enough; we have new roles, we are here. So we are perfectionists and all the expectations are crazy. You should always set the expectations where you should. Acknowledge your feelings, it's okay not to be okay. Assess your abilities realistically: you are probably not going to be the CISO or whatever, and that's okay. Set realistic goals and adjust them, adjust them over time. Don't compare yourself in the middle of your journey with someone at the end of the journey, and stop comparing yourself to others. Like, I was happy that I talked at DEF CON on my 41st birthday, and Obama was the president of the United States on his 47th birthday. Everyone has their own stuff. It's okay not to be okay; if you see something, say something, and if you don't feel right, talk to one of the helplines. I don't know, I think there's also a helpline here in the UK; it definitely exists in the US. I should have researched it, but I'm not a good person.

Final thoughts: be consistent. Whatever you do, you have to be consistent, you have to try and try. As I said before, you're going to fail miserably most of the time, but if you are consistent enough you're going to succeed at some point. Participate: help other people, be at BSides, be an organizer, be a volunteer, be whatever you want. Participating means that people will see you and you are going to get some friends there. Never stop learning: learn by doing and prepare for a lot of challenges, because let's be honest, our industry is a constant challenge. And my final thing: find your niche. All of us are good at something and bad at something else. If you are good at everything you're probably a unicorn, good for you. I'm not a unicorn; I have a really small niche and I'm trying to pursue it. Consider your market demand, identify your strengths, assess your interests, do what you love and you will end up loving what you're doing.

Thank you guys, and as a friend said, I was the last hurdle between you and the beers. So yeah, I don't think that anyone has questions for me, right? It was way too manic a talk to have questions. Thank you guys, have a good one.