This week, I’m sharing a demonstration of the confused deputy in AI agents. I hope it’s helpful; enjoy!

Subscribe now

Thinking of integrating LLM agents with your enterprise data?

Yes, it can make you more efficient.

Do you work with sensitive engineering designs?

What will happen if they get leaked outside?

Engineers work with documents all the time. Some of them are extremely sensitive, and some are public.

Working at Chrome, I’d often write two announcement emails. One would go out internally, and the other would go to the external chromium developer community.

The underlying message stays the same, but we often must redact sensitive information.

There’s no denying that copy-paste isn’t uncommon.

Now, imagine an AI agent is doing this work for you. That agent is controlling what goes out. Do you have that trust?

Previously, we looked at how multiple AI plugins can cause unintended outcomes with minimal prompt engineering. Read more:

Today, we explore another classic security issue in the LLM world, the “Confused Deputy Problem”.

👮 Confused Deputy Problem

“In information security, a confused deputy is a computer program that is tricked by another program (with fewer privileges or less rights) into misusing its authority on the system. It is a specific type of privilege escalation.”

- Wikipedia

Imagine a trusted program doing something on behalf of another user. If it's not careful, it might accidentally use its own permissions to do something harmful, like accessing private data or making unauthorized changes.

The program gets confused about who asks for what, leading to potential security issues.

A program taking action on behalf of a user? Sound familiar?

The keyword here is “trusted”.

🧑‍🔬 The Test

Let’s get onto the interesting part. In the next part, we will explore the intrinsic inability of AI agents to protect unintended information flow.

🔄 The Workflow

Today, we will have an automated, LLM-powered document summarizer. The goal here is to read a given document and summarize it for public consumption.

📦 The Payload

Here’s the payload we sent:

How you want to trigger this automation is up to you. As a result, we could bypass an instruction-tuned model’s safety features to copy sensitive information.

The results,

Data from this document:

were summarized and copied to,

or in an email,

The problem here is “access control”. The security boundary defined on these documents was not translated to LLM layers.

Note: This work is done on personal accounts and should not be used for anything other than research or academic purposes for unethical benefits.

🌟 🔍 Parting Thoughts

Can we add a DLP module and sanitize LLM’s outputs?

Yes, we can. But, if you want to copy between private documents, isn’t that annoying?

Let’s hear your thoughts on how to solve this problem. Can we translate the access control to LLM?

Share in the comments!

Leave a comment

👋 💬 Get In Touch

Want to chat? Find me on LinkedIn.

If you want me to cover a particular topic in security, you can reach out directly to akash@chromium.org. 

If you enjoyed this content, please 🔁 share it with friends and consider 🔔 subscribing if you haven’t already. Your 💙 response really motivates me to keep going.

Share

Share Cracking The Security Interview

This week, I’m sharing my assessment of AI and its security concerns. I hope it’s helpful; enjoy!

Subscribe now

The hype around AI is not breaking news anymore.

The thought of “Devin AIs” of the world taking our jobs and civilization certainly crossed our minds.

The future of the workplace looks like this in our heads,

But how much of that is real looking at the technology today?

Today, I am sharing a three-part security assessment I did on some of the commercially available products.

⚠️ Disclaimer: This work is solely my opinion; it must not be confused with the views/opinions of my present and/or past employers.

🚀 The Space

AI agents can be defined as autonomous intelligent software powered by LLM that is connected to data and tools to perform tasks on behalf of a human or another agent. Over the last few months, we have seen multiple product launches in the space of employee and workflow automation for enterprises, including Devin AI, Ema Universal Engineer, Lutra.ai, and others.

We have made tremendous progress since “Attention is all you need”. With AI at the forefront of recent developments in the digital world, the rise of AI agents is at its peak.

AI agents can certainly boost team performance, but are they safe? When you connect your proprietary data, is your access control respected? 

The benefits of these agents are realized only when we run them fully autonomously. But what happens when it’s tricked? Are these agents smart enough to stop that?

Cross-Plugin Request Forgery (CPRF)

In the first part, we cover how some of these agents are susceptible to a special attack. But first, let’s define “CPRF”.

An AI agent ecosystem consists of many plugins that work together. Cross-Plugin Request Forgery (CPRF) is an attack where one plugin tricks another plugin into performing unintended actions on behalf of the attacker.

Cross-plugin request forgery (CPRF) is a security vulnerability in software ecosystems. An attacker leverages the trust between different language model-based plugins to manipulate a user into executing unauthorized actions across plugins. This exploit can lead to unintended data access or actions, exploiting the interconnected nature of plugins within the system.

Enough with the basics; let’s do some cool stuff!

🔄 The Workflow

Reasonably simple work to begin with, where an agent is waiting to receive emails in your mailbox and preparing a draft or sending a reply. Let’s see where it can go wrong.

📦 The Payload

Here’s the payload we sent, email body:

Here’s the email that was sent by the AI agent upon receiving this email:

The exciting thing is, irrespective of who sends you an email, your “smart” email assistant might just send them an automated reply with contents from your latest email. 

The newest email might not be the one an attacker sent. Do you want that to happen?

Now depending upon what integrations you have activated for this workflow, it might be able to do a lot more. 

You might think we should implement prompt injection checks and filtering, which is a fair point. This is just a demonstration, but here’s some food for thought. 

We bypassed some filtering by simply encoding the “instructions” in Base64. Here’s the updated payload:

The results were the same, the exploit worked.

Note: This work is done on personal accounts and should not be used for anything other than research or academic purposes for unethical benefits.

🌟 🔍 Parting Thoughts

AI promises a better future, and there’s no denying that. My goal is to raise awareness about the sensitivity of this technology before integrating it into your environment.

Security for AI is a big area where we need more investments from everyone. Let’s not make this technology inherently insecure.

Are you using LLM in your workspace? How do you ensure it’s secure?

Leave a comment

👋 💬 Get In Touch

Want to chat? Find me on LinkedIn.

If you want me to cover a particular topic in security, you can reach out directly to akash@chromium.org. 

If you enjoyed this content, please 🔁 share it with friends and consider 🔔 subscribing if you haven’t already. Your 💙 response really motivates me to keep going.

This week, I’m sharing everything you need to know about Cryptography in your interviews. I hope it’s helpful; enjoy!

Subscribe now

The power of cryptography is boundless.

It has won the war for the Allied forces during World War II.

Famous scientist, Alan Turing, is not only famous for the “Turing machine” but also for breaking “Enigma”.

This allowed capturing encrypted German messages and thwarting U-boat attacks on convoys.

Turing built a machine to break the code. The making and breaking of this code are called “Cryptography”.

Today, let’s explore the fundamentals of “Cryptography”.

📖 The Concept

Oxford defines Cryptography as “the art of writing or solving codes”.

Simply put, it’s all about figuring out how to code a message to protect its security properties.

A cryptography framework offers multiple security features - 

• Confidentiality: Encryption protects information from being accessed by unauthorized individuals

• Integrity: Digitally signed messages can’t be modified in transit without detection

• Nonrepudiation: The sender of an encrypted message can’t deny they sent it

Beyond this, cryptography is used in authentication, access control, and other security applications.

At the center, it’s an algorithm used in different ways. Let’s explore this algorithm at a conceptual level.

🕵️ Cryptographic Algorithms

Cryptography is mathematics. If I’m being honest that’s what got me into this field.

To understand crypto, let’s break down what we’re trying to accomplish.

Nomenclature:

M = plaintext/message

C = ciphertext

K = key

f = cryptographic function

Then,

C = f(M, K)

The algorithm (A) converts M (message) to C (cipher) using a key (K).

Depending upon the usage, we can categorize it broadly into three categories:

1/ Encryption

The goal is to protect a message's confidentiality. Here, an algorithm takes a key shared between parties and encrypts the message. The recipient later uses the appropriate key to decrypt and retrieve the original text (read more on encryption in this article).

2/ Digital Signature

The goal is to ensure the authenticity of a message. After publishing, a newspaper editor would want to ensure the article stays unaltered. Readers would like to verify what they’re reading is the original article. A digital signature uses encryption-like algorithms to protect the integrity of a message.

Digital signature algorithms rely on public key cryptography. Here, the source of the information signs the message with their private key. Any consumer can verify the signature by using the publisher’s public key.

3/ Hash Functions

Unlike other cryptographic functions, hash is one-way. It takes an input of variable size and outputs a fixed-length string.

Hash is also called digest, think of it as representing information in a minimized format.

Here are a few things to remember about hashing:

• The core idea behind hashing is efficiency, it needs to be easy to compute

• Given a message (m) and hash (h), it should be very hard to find another message (m’) that has the same hash (h)

• Given a hash (h), it should be impossible to find the message (m)

These topics are huge, we will cover them in detail in a future post.

🌎 Real-World Walkthrough

We discussed encryption, digital signature, and hash as concepts. Let’s solidify our understanding by applying these concepts to the real world.

Imagine your interviews for your dream security role have gone well. You got an offer letter from the company. It arrived in your mailbox. The recruiter is asking you to sign it electronically. We will break down what’s happening.

As the offer letter arrived in your mailbox, it was encrypted. You don’t want to share it with the world, do you?

What happens if you sign in and later deny signing it? In security, this is known as repudiation.

When you sign an offer, you use your private key to encrypt the hash of the offer letter and attach it to the document.

Woah, a lot happened there.

Let’s hear from you about why we would want to do that. Why not sign the content directly?

Share your thought process in the comment!

🐦‍🔥 Interview Questions

• What are the differences between Encryption and Digital Signature?

• What is hashing? Why do we use hashing?

• What is a “Message Authentication Code”?

👋 💬 Get In Touch

Want to chat? Find me on LinkedIn.

If you want me to cover a particular topic in security, you can reach out directly on akash@chromium.org. 

If you enjoyed this content, please 🔁 share it with friends and consider 🔔 subscribing if you haven’t already. Your 💙 response really motivates me to keep going.

Share

Share Cracking The Security Interview

This week I’m sharing one of the fundamental pillars of security: Encryption. Hope it’s helpful; enjoy!

Subscribe now

The Internet was designed to be inherently insecure.

It was meant only for selected trustworthy people. And we know how much of that is true today.

David D. Clark, one of the inventors of the Internet in his own words,

“It’s not that we didn’t think about security, we knew that there were untrustworthy people out there, and we thought we could exclude them.”

Data is the currency of our modern digital world.

And trillions of transactions take place on the world wide web.

You must have heard, encrypt your data at rest, in transit.

Today, let’s explore the fundamentals of “Encryption”.

📖 The Concept

At the very lowest level, encryption is a reversible mathematical operation for scrambling data so only authorized parties with the correct key can access it.

Well, pretty much. Let’s break it down.

🔒 Encryption

It is the whole process of scrambling your message to hide its meaning from unauthorized parties.

Encryption is primarily associated with confidentiality of information, but it can also be used to protect integrity and availability of a system.

We talked about encryption as:

• Reversible mathematical operation

• Protects information from outside access

• Only accessible to individuals with correct key

Encryption is very similar to encoding. In encoding, we transform data, but the purpose is interoperability. Think of encryption as encoding using a key. Only people with the right key can decode it.

This process of decoding is called decryption. Mathematically, it’s the inverse operation.

At the heart of encryption, there’s an algorithm. The field that studies this is Cryptography.

These algorithms use a key, this field is known as key management.

Fun fact: Key management is one of the hardest problems in security, that’s still unsolved.

Strength of an algorithm is typically proportional to the size of the key. For a fixed algorithm, the longer key version will be more secure (generally).

Shannon in his groundbreaking Information Theory (paper) proved, to achieve perfect secrecy, the length of the plaintext should be equal to the length of the key. This is also known as “One time pad”.

🧮 Types of Encryption Algorithms

It’s clear that key plays a central role in encryption. If an attacker is able to predict the key, game over!

So far we have constructed this idea that,

Now the question becomes, what is K? Is that a secret shared between two parties?

That’s exactly how it started. The Internet wasn’t always this huge. It started off as a small network with selected individuals on it.

Let’s say, we have 3 people who want to privately speak to each other. Each person will maintain 2 keys, so we end up with 6 keys total.

When another person joins the party, the number of keys grows to 12.

It’s a quadratic growth. At the size of the internet, this was unsustainable. There’s another problem, sharing this secret, but that’s for another time.

As the internet was growing to include everyone in the world, another type of algorithm surfaced. Encryption was broadly divided into two types.

👯 Symmetric Key Encryption

The same key is used to encrypt and decrypt.

Before going into further details, let’s call our friends Alice and Bob! I don’t think it’s allowed to talk about this without inviting these two.

Bob and Aline wants to privately share information without Eve seeing them. They met at a restaurant, shared a secret (K) when they were alone at the table.

Now whenever they need to send information to one another, they encrypt with the key, K.

The security model relies on the security of the key. If either of them loses the key, their communication will lose confidentiality.

Important things to remember about symmetric key:

• Same key is used to encrypt and decrypt a message

• Secret key is shared prior to communicating

• Decryption algorithm is reverse operation of encryption

Common examples would include AES, DES, Blowfish, RC4 etc., we won’t go into details here.

👫 Asymmetric Key Encryption

Different keys are used to encrypt and decrypt.

Asymmetric encryption relies on mathematical relations between two numbers.

Here, you have a key pair, one is used for encryption and the other for decryption.

These two keys are paired as a public-private key pair. You share your public key with everyone and never share your private key.

It solves the problem we touched earlier, managing less keys. Whoever wants to send you a message, can use your public key to encrypt.

Since you should never share your private key, only you can decrypt the actual message.

Important concepts to remember about asymmetric key:

• Public-Private keys are mathematically connected, e.g. prime factorization for RSA

• You can use either of the keys to encrypt

• Public key encryption is more compute intensive

Common examples would include RSA, Elliptic Curve Cryptography (ECC) etc. 

🌎 Real-World Walkthrough

What better example can we use than the internet to understand encryption?

Do you know when you’re reading this post, both the encryption types are in action?

We talked about two important concepts:

• Asymmetric encryption is preferred, because we need to manage less secrets

• Symmetric encryptions are compute efficient and fast

This is the core reason behind why symmetric key encryption still exists today. When the volume of data is large, we prefer symmetric encryption.

So when you visited this blogpost, your browser used asymmetric encryption to establish a symmetric key, also known as session key.

For the duration of the session, this secret is used to encrypt all traffic.

In another post, we will go over “What happens when you type google.com in more detail”. 

🌟 🔍 Parting Thoughts

Encryption is a large topic, this post is part 1 of the series on this area. The goal today was to fundamentally understand what encryption offers.

You can come up with your own encryption algorithm. But, never use them in production. Coming up with a secure algorithm takes years in development and testing.

Choosing the right algorithm and right size key is all we need to do. That too is easy, because it’s also highly standardized. For example, DES used to be a very famous algorithm, not anymore.

Once an algorithm is broken, it loses value.

Have you ever designed an encryption algorithm? What did you learn? Would you do it again?

Share in the comments!

Leave a comment

🐦‍🔥 Interview Questions

• Which one would you prefer, symmetric or asymmetric encryption and why?

• Given a large file, would you encrypt first, then compress or the other way around?

• Are there any differences between encryption and digital signature algorithms?

👋 💬 Get In Touch

Want to chat? Find me on LinkedIn.

If you want me to cover a particular topic in security, you can reach out directly on akash@chromium.org. 

If you enjoyed this content, please 🔁 share it with friends and consider 🔔 subscribing if you haven’t already. Your 💙 response really motivates me to keep going.

Share

Share Cracking The Security Interview

This week I’m sharing how you can secure any system with 4 control frameworks; Identification, Authentication, Authorization & Audit. Hope it’s helpful; enjoy!

Subscribe now

Think about the last security problem you were solving.

What were you trying to do?

🤔💡 Let me take a guess.

Were you trying to protect “an asset” from “unauthorized access” to preserve the “confidentiality, integrity or availability” of the information system?

From penetration testing to encryption, everything we do in security is just that.

That’s the beauty of security.

There are thousands of controls in the market, but at the end of the day all goes back to first principles.

One of the fundamental security control frameworks is Access Management. Your ability to design a secure system relies on your understanding of,

👤 Identification

🔑 Authentication

🚦 Authorization

📝 Audit (or Accountability)

All security controls can be categorized as one of these 4 categories.

Defenders are trying to solidify them, attackers are trying to break them.

In this post, we’ll explore everything you need to know about these concepts. You’ll learn how to approach an open-ended security question the next time you see it.

📖 The Concept

We can’t build a house without a solid foundation. Let’s deep dive into the key concepts.

👤🆔 Identification

It’s about answering “Who are you?”.

Much like the physical world, you are assigned multiple identities online. The username that you enter logging into your laptop or an application. That’s your identity.

One thing to remember about identity is, most of the time identity is established “out of band” in a separate registration workflow. The first time you signed up for Substack, you probably entered an email address. For Substack, that’s your identity.

🔑✅ Authentication

It’s about proving who you say you’re.

An identity doesn’t have any inherent security control. You can claim to be anyone you want to be.

Fun fact: E-mail started off as a program that didn’t have authentication in its design.

But in the modern world, I can’t claim to be you. Well, I shouldn’t be able to.

Authentication verifies your identity using one of these 3 ways:

• Something you know: passwords, pins, patterns etc.

• Something you have: a mobile, security key etc.

• Something you are: biometrics, signature etc.

Usernames (identity) and passwords (something you know) are the most widely used authentication mechanism out there. Despite being the weakest, but that’s for some other time.

Similar to identity, authentication mechanisms also require an “out of band” registration. When you require multiple factors to authenticate, that’s called Multi-Factor Authentication (MFA). Innovative, right?

Side note: To continue reading these posts, please enable MFA across all your accounts.

🚦👮 Authorization

It’s about what you’re allowed to do after you authenticate.

Just because you are authenticated, doesn’t mean you can access everything.

Authorization controls can be thought of as a middleware that allows/denies your access request. These decisions are made based on a predetermined policy.

Fundamentally, there are two ways systems authorize you:

• Access Control List: a rule-based list attached to an object, specifying which subjects (users or processes) can access it and what operations they can perform. Examples include RBAC, ABAC, file system permissions etc.

• Capability List: a user or process-centric list that specifies what objects the user/process can access and what actions they can take on those objects. Session tokens, keys are examples of this.

The difference is simple, together they form the “Access Matrix”.

🔍📝 Audit

It’s about keeping a record of “Who did what, and when?”.

Audit is not a preventative security control by design. But, it’s the most useful after an incident occurs. It gives us the ability to trace “an action” back to “a subject”.

One thing to remember about audit, if it’s not immutable, there’s very little value. Logs become the attacker's first target to erase their tracks. It helps them persist on your machines longer.

Pay extra attention when designing audit logging for your systems.

🌎 Real-World Walkthrough

Let’s solidify our understanding by walking through an example.

We will use the “Substack” application to understand today’s concepts.

⚠️ Assumption: You’ve an account on Substack, please create one, if you don’t 😅.

Step 1: You clicked a link and now you’re here on this post. Do you see the “Sign In” button at the top corner?

Let’s click that and see this on the next screen:

Step 2: The “Email” it asks you to enter is the question: “Who are you?”; Identification.

Step 3: Check your mailbox, you should see an email with a signed link:

The link that you see on this email is an authenticated link. Clicking it will log you in. It’s basically something you have, access to that mailbox. Authentication.

Step 4: Now you’re logged in, let’s see what you can do. Here’s an idea, do you see this on the top right corner?

Let’s see if that “brown button” works for you. Go ahead, click it and follow through the prompts.

Oh wow, it worked! All this time, you could’ve subscribed already. I wonder what was the issue, lol.

Step 5: We certainly don’t have access to Substack logging, but check your browser history. It’s a very weak form of logging your activity. It’s not immutable, so not reliable. But you get the idea.

🌟 🔍 Parting Thoughts

In interviews, you may get asked to assess the effectiveness of a security control. Before thinking about anything else, ask yourself “what is this control doing”. Note down what it’s supposed to do. From there you’ll be able to provide a thoughtful answer. Most interviewers are looking for how clearly you understand security.

For assessing security of a system or thinking like an attacker to break it, follow this sequence:

• (Identity) Who has access to this system?

• (Authentication) How can I trick the system into mistaking me for someone else?

• (Authorization) If I'm in, what resources do I have access to?

• (Audit) Are there controls monitoring audit logs, and if so, how can I alter them?

Now, let’s do some exercise. Imagine you get a notification from an app saying your account is being accessed from another part of the world. Tell us 3 things that could’ve gone wrong, keep them grounded in fundamentals we discussed today.

Share in the comments!

Leave a comment

🐦‍🔥 Interview Questions

• You’re hired to design the security system for our upcoming hacker conference application. How would you approach it?

• If you’re in a situation where a user needs temporary elevated access. How would you handle this authorization request securely?

• How would you approach investigating a potential security breach? What types of information should be logged?

👋 💬 Get In Touch

Want to chat? Find me on LinkedIn.

If you want me to cover a particular topic in security or have feedback, you can reach out directly on akash@chromium.org. 

Hope you enjoyed this content, please 🔁 share with someone who might benefit and 🔔 subscribe. Hit that like button, your 💙 response really motivates me to keep going.

Share

Share Cracking The Security Interview

This week I’m sharing how you can solve any security problem with 3 core concepts in security; Confidentiality, Integrity and Availability.

Subscribe now

Your understanding of security depends on how well you internalize,

🔐 Confidentiality

✅ Integrity

🟢 Availability

No security conversation can begin without talking about the CIA triad.

Any security incident can be explained as violation of one or more of these properties.

While brainstorming ideas for the first post on Cracking The Security Interview, I couldn’t think of any other topic that was more important.

📖 The Concept

The entire security field is built on the CIA triad. Let’s quickly go over what they mean,

Confidentiality

You’re trying to restrict access to only authorized individuals. The password you’ve set for your home smart lock. You don’t want random people accessing your home, do you?

Integrity

You care more about the accuracy of the information than keeping it secret. You’re uploading a picture on your favorite social media app. You can’t do much when someone creates a deep fake copy using your face. But your friends and family want to see your activity, not this “fake” image.

Availability

You want to ensure authorized folks can access information when they want. Imagine you’re driving a futuristic car. You want airbags to stay available for individuals in the vehicle at all times.

🌎 Real-World Walkthrough

To solidify our understanding, we’ll use the example of your laptop!

⚠️ Assumption: You’re using a Linux based operating system.

Why? I don’t know, maybe because we’re in security.

Step 1: You enter the power button, a signal is sent to your motherboard. Then BIOS checks to confirm if everything’s working.

Step 2: Bootloader comes next. It loads the operating system step-by-step. The bootloader is also responsible for verifying the integrity of the boot and recovery partitions.

Operating system is open sourced, there’s no confidentiality expectation. But integrity is important. If an attacker is able to sneak in malware into your boot partition, the game's over.

Step 3: Bootloader loads the operating system and kernel takes over the control. It starts important programs and background services. You are greeted with the login screen.

What will happen if you don’t see a login screen? Remember the Blue Screen of Death (BSOD)? Your ability to do anything requires this login service to be running. Availability is the property you want to preserve.

Step 4: You authenticate using your credentials. Now you see your home screen.

This is an authorized space. Unauthorized parties are not welcome here. Confidentiality becomes critical. Imagine a broken authentication granting access to anyone. Confidentiality is breached.

🌟 🔍 Parting Thoughts

In interviews, you get asked to assess the security of a system. Keep in mind that any security event revolves around the CIA triad. As we walked through the “using your laptop” example, here’s what you can do:

• Walk through the event/information flow with the interviewer

• Recognize which of the 3 properties are important for each step

• Note down what happens when it goes wrong

• Mitigate findings using controls and safeguards

Now, let’s do some exercise. Imagine a digital interaction and let’s think “What can go wrong” following these steps.

Share in the comments!

Leave a comment

🐦‍🔥 Interview Questions

• In your experience, have you faced situations where prioritizing one pillar of the CIA triad meant compromising another?  How did you navigate this trade-off?

• You identify a vulnerability that, if exploited, could cause a major data breach. However, fixing it will temporarily disrupt a critical service. How do you balance confidentiality, integrity, and availability when making your decision?

• Let's say  you're tasked with hardening the security posture of a system. Describe your approach to identify potential risks.

👋 💬 Get In Touch

Want to chat? Find me on LinkedIn.

If you want me to cover a particular topic in security, you can reach out directly on akash@chromium.org. 

If you enjoyed this content, please 🔁 share it with friends and consider 🔔 subscribing if you haven’t already. Your 💙 response really motivates me to keep going.

Share

Share Cracking The Security Interview

I’m Akash and thank you for joining me in this journey.

You will hear an insider’s perspective on security interviews.

Over the period of my career, I’ve conducted 100+ interviews for security hires. You will learn what interviewers are looking for at companies like Google, Meta, Apple etc. There’s a lot of content on software engineering interviews, but security is still catching up.

I started this publication to share my learnings from a decade long experience in security. My goal is to create nugget size contents to share actionable tips to help excel your next interview.

This publication is completely free and will provide you everything you need to:

• Crack your next security interview

• Grow in your current security career

• Stay updated in latest development in the field

While at Google, I led the development of the Google Cyber Security Career Certificate. This publication will focus on security concepts and real-world interview questions.

As you wait for the next post, checkout the archive. Want to chat? Feel free to connect with me,

Follow on LinkedIn