What does it take to become a good reverse engineer? – 10 minute mail

How much money and effort does it take to become a good reverse engineer? Do you even need to be one?

There are no universally accepted answers to these questions. Software reverse engineering (RE) is not a science but a skillset, combined with specific knowledge and backed by a lot of experience.

For several years, we have been sharing the RE knowledge we accumulated in the form of training sessions provided to paying customers. These sessions ranged from two days at the SAS conference to five full workdays in the extended version, and covered many aspects of our own work, primarily in IDA Pro and our in-lab reverse-engineering framework.

A typical piece of code disassembled in IDA Pro

Due to the COVID-19 pandemic, our schedule for the training sessions has changed completely. And not only that: the reversing landscape itself has changed since last year. Released in March 2019, the free and open-source reverse engineering tool Ghidra lowered the barrier to entry into the field.

The same piece of code viewed in Ghidra

So, while we are all working from home and, hopefully, have time to learn something new, why not tear some binary code apart and pick up some reverse engineering skills? This may prove especially helpful if your work is related to malware, incident response or forensics.

It is certainly not feasible to learn RE in one webinar. Within one hour, we will outline the typical workflow we follow when analyzing malware. We will dissect real-life malicious code using both IDA Pro and Ghidra, and use some of the most useful features of these disassemblers along the way.

The rest, as in many other disciplines, comes with experience. And, we are still looking forward to seeing you in our reverse engineering training sessions at SAS Conference 2020 (two days) or elsewhere (a whole week!).

SAS, sweet SAS – 10 minute mail

As you may already know from our social network posts, we have rescheduled the SAS 2020 conference for November 18-21 due to the COVID-19 pandemic and to ensure your safety. We still think Barcelona is a great place to meet, and it will not be a "real" SAS if we cannot hug, shake hands and clink beer glasses in that beautiful city, but we cannot simply leave it all until November. That is why we invite you to SAS at Home, a series of webinars scheduled to kick off very soon, on the 28th-30th of April.

For each of the three days, we have prepared presentations and master classes by world-renowned information security experts, who will share their expertise, best practice and tricks. We will be talking about APT groups, zero-day vulnerabilities and exploits, sophisticated attacks, and the state of the information security industry. As for master classes, Igor Kuznetsov will cover some of the most useful techniques for reverse engineering malware during his webinar, Static Binary Analysis: The Essentials. And that is just one example. Last but not least, Eugene Kaspersky himself will deliver a keynote address in the good old SAS tradition.

To learn more about SAS at Home, follow us on Twitter and Instagram. Do not miss your chance to spend your self-isolation days as usefully as possible and meet the world’s top information security experts, even if not in person. See you all at SAS at Home!


Top 4 takeaways from AppSec EU and Black Hat USA – 10 minute mail

We recently attended two key security conferences, OWASP AppSec EU and Black Hat USA, to talk about web application security and the benefits of automation in this industry. The increasing need for security champions outside of the core IT security team was just one of the four takeaways we brought back with us. Let's go into each takeaway in detail:

1) Building up security champions and educating employees

We heard speakers at both events talking about the need for security work beyond the security team and pentesters. This can be achieved through continuous educational training for all employees, and especially for developers. Tanya Janca, senior cloud developer advocate at Microsoft, spoke at AppSec EU in her talk Security is everyone's job… literally, and urged the audience to start thinking about security earlier, in the design phase, and to keep "pushing left" so that the relationship with security is proactive rather than reactive.

One CISO we spoke with at AppSec said, "I don't have time to explain what an XSS is to every single person". As a result, he appointed a dedicated security champion on the developer team to encourage a security-first mindset and security knowledge sharing. More investment in security education and more transparency in knowledge sharing are needed to get everyone working together, to build security champions outside of the core security roles and to make security part of the culture, all contributing to the ultimate goal of making end-users safer.

One way to encourage learning is to gamify it with Jeopardy-style Capture the Flag (CTF) competitions. At AppSec, Max Feldman and John Sonnenschein of Slack presented how they gained employee buy-in for security awareness through Jeopardy CTF events. To appeal to people outside of security, they encouraged participation by adding more pop-culture references, offering fun trophies such as a Raspberry Pi to serve as desk swag, and designing the event so that it did not require much extra time outside of work hours, for maximum participation.

A photo from the Black Hat plenary session. It was a packed house!

2) Offensive vs defensive security

At Black Hat, Google's Director of Engineering Parisa Tabriz set the tone during the plenary session and reminded us that cybersecurity isn't only about offense. Many Black Hat attendees echoed the concern that the defensive side of security doesn't get enough credit. While it may not be as glamorous, it is pivotal for any organization. A big hurdle can be a lack of interest or incentive within teams, or bigger structural issues in a team.

Parisa explained how Google started a paradigm shift toward more interest in defensive security with Project Zero. Under that project's policy, every vulnerability found is reported to the vendor, who then has a 90-day deadline to fix it. The details are made public only once the issue has been patched, or if it is not fixed by the deadline. This requires teams to take the time to look back at their work, figure out the root cause of the problem, and decide whether a structural change is needed to make everything more secure. Parisa reminded the crowd that it is up to everyone working with applications to defend end-user safety.

3) Automation with education

Not every IT security professional is able to educate all the developers in their workplace about the OWASP Top 10 and other product-specific vulnerabilities. One way to trickle this information down is to provide security education resources, together with automation tools that scale security activities and make them accessible and user-friendly to anyone.

At Disposable mail, we believe automation is the key to scaling up security activities in companies, regardless of size. There is a high demand for security professionals, but not enough people to go around. Besides showing which security risks exist, our tool also shows where each one was found and how the user can remediate the issue. We provide educational content in our tool's Knowledge Base, and publish original research on Disposable mail Labs for anyone interested in improving end-user security. Our security research team is continually building new modules into the tool to keep our automated scanner at the forefront, such as misconfiguration reports for CORS and Amazon S3 buckets.
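To make the CORS misconfiguration check mentioned above concrete, here is an added example (our own illustration, not the scanner module the post refers to) of the logic such a report rests on. It sends a handful of probe origins against a target, then classifies the Access-Control-* headers that come back: a reflected arbitrary origin combined with Access-Control-Allow-Credentials: true lets any website read the victim's authenticated responses, whereas a bare wildcard only exposes public data. The probe origins, the attacker origin and the two simulated servers are constructed for the demo so it runs offline.

```python
"""Classify CORS response headers for common misconfigurations.

Added example; not the page's or any vendor's scanner code. The attacker
origin, probe list and the two fake servers below are constructed.
"""
from typing import Callable, Dict, List

ATTACKER = "https://attacker.example"  # assumed attacker-controlled origin


def probe_origins(target_origin: str) -> List[str]:
    """Origins worth sending in the Origin header against target_origin.

    Each one trips a different sloppy allow-list implementation.
    """
    host = target_origin.split("://", 1)[1]
    return [
        ATTACKER,                              # plain reflection of any origin
        f"https://{host}.attacker.example",   # startswith(target) check
        f"https://attacker-{host}",           # endswith(target) check
        f"http://{host}",                     # scheme not checked (downgrade)
        "null",                               # sandboxed iframe / file: pages send Origin: null
    ]


def cors_findings(probe_origin: str, headers: Dict[str, str]) -> List[str]:
    """Return finding identifiers for one probe/response pair."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[str] = []
    if acao is None:
        return findings  # no CORS grant: the browser blocks cross-origin reads
    if acao == "*":
        # Wildcard exposes only what is already public; browsers refuse
        # '*' together with credentials, so that combination does not leak data.
        findings.append("wildcard-origin")
        return findings
    if acao == "null":
        findings.append("null-origin-allowed")
        if creds:
            findings.append("null-origin-with-credentials")
        return findings
    if acao == probe_origin:
        findings.append("origin-reflected")
        if creds:
            # Any site can now read the victim's authenticated responses.
            findings.append("reflected-origin-with-credentials")
    return findings


def assess(target_origin: str,
           respond: Callable[[str], Dict[str, str]]) -> Dict[str, List[str]]:
    """Run every probe against a response function and collect findings."""
    return {o: cors_findings(o, respond(o)) for o in probe_origins(target_origin)}


# Constructed vulnerable server: echoes any Origin and allows credentials.
def reflecting_server(origin: str) -> Dict[str, str]:
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


# Constructed safe server: exact-match allow-list, Vary: Origin for caches.
def allowlist_server(origin: str) -> Dict[str, str]:
    allowed = {"https://app.example", "https://admin.app.example"}
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    for name, server in (("reflecting", reflecting_server),
                         ("allowlist", allowlist_server)):
        print(name)
        for origin, found in assess("https://app.example", server).items():
            print(f"  {origin:45} {found or 'ok'}")
```

The probe list is where the real coverage comes from: servers rarely reflect every origin outright, but startswith/endswith allow-list checks and missing scheme checks are common, and each of those still ends up as "origin-reflected" for the matching probe.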

4) Bug bounty programs are not a silver bullet

There was a common belief at Black Hat that adding a bug bounty program could be the silver bullet for stopping black hat hackers and preventing newsworthy data breaches, since it pits hacker against hacker. But besides creating the program itself, companies also have to be ready to reward ethical hackers for each finding with notable swag or money. Without a sufficient budget, this may not be sustainable for every company to run in the long term as new vulnerabilities keep appearing.

In addition, bug bounty programs do not provide a platform for security teams and developers to learn how to write secure code, and they cannot replace an in-house security specialist either. Bug bounties show a company that something is broken, but there is still an education gap to be filled in coaching developers and IT teams to design with security in mind and reduce how often insecure code is written. They can be effective when complementing existing security measures.

Photo of Disposable mail booth at Black Hat USA

Closing thoughts

After these events, we can see a clear demand for more employee education on web security: understanding why and how vulnerabilities emerge, and how to defend against them with more secure design. A bug bounty program may not be a silver bullet, but it can be an effective part of a larger security strategy. It can be combined with employee education events, recruiting champions to promote a security mindset in the organization, and automation tools, to form a scalable strategy that promotes security awareness and adoption across the organization. Sharing knowledge within the organization and the web application community makes security more accessible to everyone. Security can be a fun topic, and it should be part of every employee's concern.

If you’re interested in adding an automated web vulnerability scanner to complement manual pentesting, bug bounty and other security tools, give Disposable mail a try today. Sign up here for a free trial and start scanning now.