In this new series we talk to security experts on how they started their journey in this exciting field. The first is Gabor Molnar (aka “mg”, also on Twitter), who independently co-discovered the infamous Rosetta Flash vulnerability and got nominated for a Pwnie award for the best server-side bug at BlackHat 2014.
Here is his story.
Gabor Molnar: I have a Software Engineering degree from Budapest University of Technology and Economics, and I got into computer security shortly before finishing my degree. There was a Capture The Flag competition called CrySyS SecChallenge organized by one of the university labs, CrySyS Lab, and I really enjoyed solving the challenges. After the competition, the lab started its student group called CrySyS Student Core, to which I was invited, and it was this group that helped me dive into information security. We’ve participated in international CTFs, given presentations about interesting new security topics to the group and shared our own research. I’ve recently moved to Switzerland and work as an information security engineer.
GM: Information security is becoming more and more important as we rely on computer systems more than ever. Web security is important because more than half of the attacks on companies target web interfaces. Many of the interfaces through which we interact with these systems are on the web, and users expect these to work reliably and securely. Security can be a good choice if you enjoy solving tricky problems.
GM: It usually starts with an idea that then lingers for a few weeks. Then I find some time to experiment with it if it still looks like a good idea. The JSONP research idea came when I was looking at Prezi’s website to find vulnerabilities that are eligible for the bug bounty program. After discussing it with a few friends, the idea still looked like it could work, so I dedicated a weekend to working out the details, which then became two weeks of intense research at night after work.
GM: Web frameworks we regularly use still don’t have framework-level protection against it, which means that it’s up to each developer to properly generate HTML without introducing XSS. This approach is very error-prone. I think the situation is slowly improving as almost all browsers support some version of Content Security Policy now, and developers of template systems have started to realize that framework-level protection must be provided instead of relying on developers.
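To make the difference between per-developer escaping and framework-level escaping concrete, here is an added example (not code from the interview, Gabor, or any real framework). `render_manual` is a stand-in for the error-prone pattern the answer describes: nothing is escaped unless the developer remembers to do it at every call site. `render_autoescape` is a toy escape-by-default renderer in the spirit of modern template engines: every substituted value is HTML-escaped unless it is explicitly wrapped in a `Markup` type. The template syntax, the `Markup` class and the sample payload are all assumptions made for the demonstration.

```python
"""Added example: why escaping at the template layer is less error-prone
than escaping by hand in each view.

render_manual  - substitution does no escaping; the caller must remember
                 html.escape() for every untrusted value (the risky pattern).
render_autoescape - escapes every value by default; only values the developer
                 explicitly marks as Markup are inserted verbatim.
Both are simplified assumptions, not any real framework's API.
"""
import html
import re


class Markup(str):
    """A string the developer has explicitly marked as already-safe HTML."""


def render_manual(template: str, **values) -> str:
    # Manual approach: plain substitution. If the developer forgets to call
    # html.escape() on a user-controlled value, the raw value lands in the page.
    return template.format(**values)


def render_autoescape(template: str, **values) -> str:
    # Framework-level approach: every {name} placeholder is replaced by the
    # escaped form of the value, unless the value is a Markup instance.
    # Forgetting to escape is no longer a mistake the developer can make.
    def substitute(match: re.Match) -> str:
        value = values[match.group(1)]
        if isinstance(value, Markup):
            return str(value)
        return html.escape(str(value), quote=True)

    return re.sub(r"\{(\w+)\}", substitute, template)


TEMPLATE = "<p>Hello, {name}!</p>"
# Constructed sample input: the classic probe string a scanner would submit
# as a display name to check whether the page reflects markup unescaped.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to compare the two renderers on the sample input."""
    return "<script>" in rendered


if __name__ == "__main__":
    manual = render_manual(TEMPLATE, name=UNTRUSTED_NAME)
    auto = render_autoescape(TEMPLATE, name=UNTRUSTED_NAME)
    print("manual    :", manual, "-> script tag present:", contains_script_tag(manual))
    print("autoescape:", auto, "-> script tag present:", contains_script_tag(auto))
    # Trusted, developer-authored HTML still passes through when marked as such.
    print("marked safe:", render_autoescape(TEMPLATE, name=Markup("<b>mg</b>")))
```

The point of the `Markup` type is that the safe path is the default and the unsafe path requires a deliberate, greppable decision; that is the framework-level protection the answer asks for. Content Security Policy, mentioned in the same answer, is a complementary browser-side control: it limits what an injected script can do if escaping is still missed somewhere, but it does not replace output encoding.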
GM: Find a CTF team and participate in competitions 🙂