BugBounties changed InfoSec world for better

Graphic from tripwire.com

Just four years ago, before the bug bounty madness started for real, many companies had a pathetic security posture. Okay, let’s be real here: most organizations, because “many” isn’t emphasizing it enough. In just four years, the rise in security awareness and the general improvement in organisations’ security posture have been really prominent.

I’ll show you proof one day; I’m just lazy and can’t push myself to migrate the bug reports for high-profile companies from my mail archive to blog posts. But I promise to do it, so everyone can get a sense of what the web app world looked like just 3–4 years ago and how vulnerable everything was to anyone willing to spend fifteen minutes looking for bugs.

Root cause analysis haters, obedience lovers and myopic players

Oh, throwing money and people at a problem doesn’t solve it for good?
We’ve all been there and seen that. If you haven’t yet, then sooner or later you’ll find yourself (or someone else) in that position.
By the way, I get that sometimes you just need more people to put in more working hours and get shit done. However, I want to talk about situations in which quantity doesn’t help and when you should think differently.

During my consulting career I’ve seen, countless times, managers putting more people on a specific problem because it was still there or kept coming back after a while (regression). So they usually hit on the terrific idea that they needed to hire more people to work on it. They did, and told the new hires to do the same thing all over again, but they were so close-minded that they didn’t even consider that the problem might just not be there. It came as no surprise that, a few months later, while checking something else, I noticed the problem was still recurring.

Pentests vs BugBounty for startups and SMBs

I’ve been thinking quite a lot about putting together a series of articles on how to secure small and medium organizations from the ground up. It was waiting for the right moment, and now it’s time to start, especially since very recently this question appeared on Peerlyst, where I put in my $0.02 on the subject. So, as there is a need for decent guidance, let me welcome you to the first article in the series “Securing the business from the ground up”. Expect more articles on subjects similar to this one.

I’ve seen many companies struggling with the choice between penetration tests and bug bounties, and in the era of overhyped bug bounty programs this is a big question, both for PR/marketing and for security teams.
There are as many answers to “pentest or bug bounty” as there are people you ask. Everyone has a slightly different point of view on this, so I suggest you gather opinions from many people and decide for yourself what works best for your business.
I want to approach this from a slightly different angle than I’ve seen so far, so this should be an interesting read for you.

Don’t stress about being the next Zuck

… maybe just work for him? Being number two, three, or four in someone else’s organization is really fine.
I want to share with you something that may appear trivial, but I wish someone had told me this years back. It would have saved me all that stress and anxiety of trying to achieve something that just isn’t for me at this point in life.
It’s not that I set the bar too high; I just set it in the wrong place.