The BlueHat Podcast
Microsoft
Since 2005, BlueHat has been where the security research community, and Microsoft, come together as peers; to debate, discuss, share, challenge, celebrate and l...

Available Episodes

5 of 51
  • Bug Hunting from the Beach with Brad Schlintz
    In this episode of The BlueHat Podcast, host Nic Fillingham and Wendy Zenone are joined by Brad Schlintz, independent security researcher and bug bounty hunter. Brad shares how he transitioned from a decade-long career as a software engineer to hacking Microsoft products while traveling the world with his wife. He recounts his early days tinkering with RuneScape bots, his experience working in SharePoint and Azure at Microsoft, and the moment he first encountered a real-world cybersecurity incident. He also discusses his journey into ethical hacking and his qualification for the upcoming Zero Day Quest, showcasing how he turned bug hunting into a lifestyle that allows him to work from anywhere—including a stunning island in Brazil.

    In This Episode You Will Learn:
      • How a single discovered bug can lead to finding multiple vulnerabilities in the same area
      • The importance of exploring app integrations when searching for security vulnerabilities
      • Why building on prior discoveries can make it easier to uncover more hidden security issues

    Some Questions We Ask:
      • What guidance can you share with other researchers and hackers on how to find vulnerabilities?
      • Why did your background in software engineering help you in your bug bounty work?
      • How did you transition from working on the website incident to more full-time security research?

    Resources:
      • View Brad Schlintz on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn

    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks

    Discover and follow other Microsoft podcasts at microsoft.com/podcasts

    The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    --------  
    38:43
  • PoCs, Patching and Zero Day Quest Participation with Michael Gorelik
    In this episode of The BlueHat Podcast, Nic and Wendy are joined by seasoned security researcher, and CTO of Morphisec, Michael Gorelik. Michael discusses his approach to security research, which often begins by exploring PoCs released by other researcher groups and continues through to the release and validation of – sometimes multiple rounds of – fixes. Michael also provides an overview of this BlueHat 2024 presentation from last October and discusses his upcoming participation in the Zero Day Quest Onsite Hacking Challenge.

    In This Episode You Will Learn:
      • How Michael Gorelik transitioned from security researcher to company founder
      • Deeper motivations driving ethical hackers like Michael Gorelik beyond money
      • The importance of identifying incomplete security patches before attackers do

    Some Questions We Ask:
      • What are you looking forward to with Zero Day Quest?
      • Did you have a moral dilemma about hacking when you were younger?
      • What was your experience like at Deutsche Telekom Laboratories?

    Resources:
      • View Michael Gorelik on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn

    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks

    Discover and follow other Microsoft podcasts at microsoft.com/podcasts

    The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    --------  
    46:25
  • Secret Herbs, Spices and Hacking Copilot Studio
    In this episode of The BlueHat Podcast, host Nic Fillingham is joined by Scott Gorlick, Security Architect for Power Platform at Microsoft. Scott shares his unconventional journey into cybersecurity, from managing a KFC to driving big rigs before landing in tech. He dives into security research in Copilot Studio, discussing how AI models interact with security frameworks and how researchers can approach testing these systems. We also explore his recent training video on YouTube, which provides guidance for security researchers looking to engage with Microsoft’s bug bounty program.

    In This Episode You Will Learn:
      • What Scott does to ensure Power Platform applications remain governable and secure
      • Why security and software quality go hand in hand in modern development.
      • How security researchers can explore vulnerabilities in Microsoft's low-code AI development platform

    Some Questions We Ask:
      • What kinds of security issues should researchers focus on in Copilot Studio?
      • Can Copilot help researchers write better reports, especially in different languages?
      • How can researchers get access to Copilot Studio? Is there a free version?

    Resources:
      • View Scott Gorlick on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
      • Security Research in Copilot Studio Overview and Training on YouTube

    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks

    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    --------  
    43:58
  • Automating Dynamic Application Security Testing at Scale
    In this episode of The BlueHat Podcast, hosts Nic Fillingham and Wendy Zenone are joined by Jason Geffner, Principal Security Architect at Microsoft, to discuss his groundbreaking work on scaling and automating Dynamic Application Security Testing (DAST). Following on from his BlueHat 2024 session, and outlined in this MSRC blog post, Jason explains the key differences between DAST, SAST, and IAST, and dives into the challenges of scaling DAST at Microsoft’s enterprise level, detailing how automation eliminates manual configuration and improves efficiency for web service testing.

    In This Episode You Will Learn:
      • Overcoming the challenges of authenticated requests for DAST tools
      • The importance of API specs for DAST and how automation streamlines the process
      • Insights into how Microsoft uses DAST to protect its vast array of web services

    Some Questions We Ask:
      • What's a lesson from this work that you can share with those without Microsoft's resources?
      • Can you explain what the transparent auth protocol is that you mentioned in the blog post?
      • How is your work reducing the manual effort needed to configure DAST system services?

    Resources:
      • View Jason Geffner on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
      • Related Blog Post: Scaling Dynamic Application Security Testing (DAST) | MSRC Blog
      • Related BlueHat Session Recording: BlueHat 2024: S10: How Microsoft is Scaling DAST

    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks

    Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    --------  
    45:56
  • Refactoring the Windows Kernel with Joe Bialek
    In this episode of The BlueHat Podcast, hosts Nic Fillingham and Wendy Zenone are joined by BlueHat 2024 presenter Joe Bialek, a security engineer at Microsoft with over 13 years of experience. Joe shares his fascinating journey from intern to red team pioneer, recounting how he helped establish the Office 365 Red Team and pushed the boundaries of ethical hacking within Microsoft. He discusses his formative years building sneaky hacking tools, navigating the controversial beginnings of red teaming, and transitioning to the Windows Security Team to focus on low-level security and mitigations. Joe reflects on the challenges of internal hacking, the human reactions to being "hacked," and the value of strengthening defenses before external threats arise.

    In This Episode You Will Learn:
      • How Microsoft is developing tooling to identify and address bad programming patterns
      • Why kernel-related discussions are primarily focused on Windows and driver developers
      • The challenges developers face when reading and writing through pointers in C or C++

    Some Questions We Ask:
      • How does working with the Windows kernel impact system security and performance?
      • What sets Windows kernel and driver development apart from other types of development?
      • Why should internal teams test systems for vulnerabilities before external hackers?

    Resources:
      • View Joe Bialek on LinkedIn
      • View Wendy Zenone on LinkedIn
      • View Nic Fillingham on LinkedIn
      • BlueHat 2024 Session: Pointer Problems – Why We’re Refactoring the Windows Kernel

    Related Microsoft Podcasts:
      • Microsoft Threat Intelligence Podcast
      • Afternoon Cyber Tea with Ann Johnson
      • Uncovering Hidden Risks

    Discover and follow other Microsoft podcasts at microsoft.com/podcasts

    The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    --------  
    47:14

About The BlueHat Podcast

Since 2005, BlueHat has been where the security research community, and Microsoft, come together as peers; to debate, discuss, share, challenge, celebrate and learn. On The BlueHat Podcast, Microsoft and MSRC’s Nic Fillingham and Wendy Zenone will host conversations with researchers and industry leaders, both inside and outside of Microsoft, working to secure the planet’s technology and create a safer world for all.
Generated: 3/26/2025 - 3:02:19 PM