Forem: Hamza

AI Wargame at NDC Sydney & Black Hat Asia

Hamza — Wed, 15 Apr 2026 02:33:22 +0000

NDC Sydney and Black Hat Asia are only a week away.

We will be hosting a workshop at NDC Sydney 2026 titled:
Attack and Secure AI Apps – Wargame Edition

What to expect:

Working through the OWASP LLM Top 10 in a practical, exploit-first format
Exploring MCP security considerations in modern AI application architectures
Exploiting real-world LLM vulnerabilities in guided labs
Implementing robust secure design patterns to harden AI systems

We’ll close with an intense attack and defence wargame that brings everything together, .

Check it out: https://secdim.com/ndc

Furthermore:

We will be hosting a workshop at NDC Sydney 2026 titled:
Attack and Secure AI Apps – Wargame Edition

Come join a fun and educational attack and defence AI wargame. You will be given an AI chatbot. Your chatbot has a secret that should always remain a secret!

Your objective is to secure your chatbot to protect its secret while attacking other players' chatbots and discovering theirs. The winner is the player whose chatbot survives the longest (king of the hill).

All skill levels are welcomed, even if this is your first time seeing code, securing a chatbot, or playing in a wargame.Right at the start, there will be a briefing to show how to play in the wargame.

Knowledge of the OpenAI Python SDK helps but is not a requirement. Each player has access to their chatbot source code repository where they can run, test, debug and push their changes.

Check it out: https://secdim.com/blackhat

(CVE-2026-27489) - Two Incomplete Fixes for a Path Traversal Vulnerability in ONNX

Hamza — Wed, 01 Apr 2026 03:52:02 +0000

We found a zero-day path traversal in ONNX — CVE-2026-27489.

It took three patches to get fixed. We break down how the vulnerability survived each fix and what it takes to actually kill a traversal bug.

👉 Full analysis: https://secdim.com/blog/post/two-incomplete-fixes-for-a-path-traversal-vulnerability-in-onnx-cve-2026-27489-18075/

Github commits to supporting Linux Foundation's Alpha-Omega initiative

Hamza — Thu, 26 Mar 2026 02:40:54 +0000

Github recently joined Anthropic, Amazon Web Services (AWS), Google, and OpenAI with a combined commitment of $12.5 million to support the Linux Foundation's Alpha-Omega initiative, which focuses on improving the security of critical open source projects.

At SecDim, we work with open source. Our tools both use and contribute to the open source ecosystem.

Our open source program provides developers with access to developer security training to help improve the security of their applications.

Are you an open source dev? Get in touch, and we'll help you improve your code security.

👉 https://secdim.com/open-source/

Dangerous by Default: What OpenClaw CVE Record Tells Us About Agentic AI

Hamza — Tue, 24 Mar 2026 04:12:58 +0000

Your AI assistant just received a WhatsApp message. It ran a shell command. Then it wrote new code and executed it. This is how OpenClaw works by design — and why 104 vulnerabilities appeared in 18 days.

OpenClaw (previously known as Clawdbot and Moltbot) is an autonomous local AI agent that can write code, run shell commands, access files, send messages, and control a browser.

It has become the fastest-growing GitHub repository in history. When the pace of development overtakes security scrutiny, bad things start to happen.

NEW Firmware Challenges - Weekly Incidents

Hamza — Thu, 12 Mar 2026 03:14:52 +0000

We just released a new set of Firmware Security challenges focused on common vulnerabilities in embedded and IoT devices, including exposed debug interfaces, hardcoded device credentials, fail-open logic, insecure firmware updates, weak secure boot, and insecure logging.

⚡ Limited-time access
Some of the challenges are free for a limited time in the Weekly Incident.

Check it out now:
👉 https://secdim.com/news/firmware-challenges-weekly-incidents-17968/

LangChain load() is basically eval()

Hamza — Tue, 10 Mar 2026 06:50:26 +0000

In December 2025, CVE-2025-68665, a high-severity vulnerability (CVSS 8.6) was reported on LangChain. The vulnerability was an insecure deserialisation where an adversary could hijack secrets (e.g. OpenAI API keys), and depending on the set of allowed constructors (and their side effects), it could be escalated into arbitrary code execution.

The patch for LangChain vulnerability CVE-2025-68665 disables loading secrets from environment variables by default, and introduces an escape wrapper to prevent injection. This is good, however, the underlying functionality is insecure-by-design and the root-cause has not been addressed.

Read the full text: https://secdim.com/blog/post/langchain-load-is-basically-eval-17661/

Weekly Incident - Exploitation Challenges

Hamza — Thu, 05 Mar 2026 01:53:11 +0000

Some of our new Exploitation challenges are now free for a limited time in the Weekly Incident Game.

If you want a hands-on taste of breaking vulnerable apps and contracts, this is your window.

👉 Go try it now: https://play.secdim.com/game/weekly-incident

New Challenge Category: Exploitation

Hamza — Wed, 04 Mar 2026 03:20:22 +0000

We’ve just launched a brand-new category on SecDim: Exploitation.

These are hands-on hackme challenges.
Your objective isn’t to patch vulnerabilities, it’s to find and exploit them.

From vulnerable JavaScript web apps to insecure smart contracts, this category flips the perspective. You step into the attacker’s role, analyze the application, identify weaknesses, and execute a working exploit.

This is where theory meets offensive execution.

If you want to sharpen your vulnerability discovery and real-world exploitation skills, the Exploitation Game is now live.

Go break things (responsibly) 🥷

Secure Code Learning for Devs

Hamza — Thu, 26 Feb 2026 03:23:08 +0000

Most security training wasn’t built for developers.

It’s compliance-heavy. Slide-driven. Detached from how we actually ship code.

SecDim is different.

SecDim is a developer-first security wargame platform where you practice finding, exploiting, and fixing real vulnerabilities inside actual codebases using workflows that look like your day job.

Developer Security Wargames

Not checkbox-first. Developer-first.

On SecDim, you:

Review vulnerable code
Observe exploitation of said vuln in applications
Patch vulnerabilities directly in code
Work in git-based environments
Think like both the attacker and the engineer fixing the issue

The focus isn’t trivia. It’s applied Secure Coding in practice.

Real-World Vulnerabilities

All our secure coding challenges are inspired by real security incidents and modern CVEs.

You won’t just learn what SQL injection is, you’ll:

Identify it in a live app
Exploit it
Understand impact
Fix it properly in code

The same goes for:

Authentication flaws
Deserialization bugs
Access control issues
CI/CD misconfigurations
AI/LLM security pitfalls
And more

This is security the way developers experience it: in repositories, pipelines, and production systems.

Built for AppSec & DevSecOps

SecDim focuses on:

Secure coding practices
Code review security mindset
Incident-driven learning
Git-based challenge environments
Hands-on remediation

Whether you're a backend engineer, DevOps engineer, or AppSec professional, the goal is the same:

Build the muscle memory to ship secure code.

If you’re a developer who wants practical security skills, SecDim was built for you.

👉 https://secdim.com

Want to skip to the fun part? Check out our challenge catalogue:

👉 https://play.secdim.com