Priceless braindump resources from Chris Roberts. Truly inspiring.

InfoSec folks, I’ve got a rare gem for you!
Priceless braindump resources from Chris Roberts. Including Data Security Maturity Model + beautiful and deep articles from a man on a mission.

Check this out:
https://www.dropbox.com/sh/8wuc9szpiuv8ir6/AACcLVcVBHRgI7hA5uNehIsfa?dl=0

Some serious goodness shared today by the legendary Chris Roberts!

Most notable docs IMO:

  • 2017 stuff / Blogs 2017 catalog
  • Blogs catalog

^ extremely mission-driven articles. They made me feel much more comfortable and safe with my own approach, which overlaps by more than 90% with Chris' approach to infosec as a whole.

  • Data Security Maturity Model!!!
  • Black Report
  • list of great books and articles


True gems, I’ve read it all and loved every single minute spent on it!
Thank you once again for sharing Chris. I’m truly delighted!

Do you really believe you are in control of your online privacy and data?

In most cases, your data is NEITHER safe NOR private if you’ve ever put it on the Internet.

Most of us blindly believe that if we pay extra money for a product from a reputable brand, then we'll receive a high-quality, secure product.

It doesn't work this way. Not at all. Most companies don't give a damn about your #safety, your #privacy or the security of your data as long as they can rock'n'roll thanks to the money you gave them.

We make these exchanges on a daily basis without consciously realizing the hidden costs on our side.

Application security, especially at this level, for a company with revenue of 19 billion dollars is NOT hard by any means. There is no excuse or explanation for this. They just don't care, and that doesn't make them much different from 90% of the companies you use on a daily basis.

What can be done? Not much; online privacy and safety are myths and legends we can tell our kids as a bedtime story. Like most bedtime stories, it's something we wouldn't normally believe, yet we do believe in this one.

It would require a society that understands and publicly shames companies with bad security practices, but that's not going to happen.
Most people don't want to care, and even though they're terrified and nod their heads at Orwell's "1984", they won't take any action.

What set off this rant: https://www.techspot.com/news/72612-western-digital-cloud-drives-have-built-backdoor.html

Align your actions with your belief system

Real effectiveness in InfoSec begins when you realize you're not in the hacking industry, but in the money-saving industry. Your job is to minimize the business' operating costs and decrease the risk of potential financial losses. It's not one bit about flashy tools and empty phrases.

You want to be treated seriously at the workplace and have #executives finally respect you for your greatness? Demonstrate your business awareness and prove to them through your actions that you really understand why you're getting your paycheck.

This isn't just preaching about helping businesses do their thing. It's deeply important, because if you finally understand that, you'll save yourself a ton of resentment and social anxiety, and maybe you can even save yourself from depression. It's easy to become a nihilist in InfoSec, so change the way you think about your role in the organisation and watch yourself flourish. Your life and your work matter.

But don't let things overwhelm you just because you've failed to set a proper context for your life and actions.

A security knowledge compendium for small and medium-sized businesses

This series is personally very valuable to me. Thanks to the collaboration between the "Marketing i Biznes" agency and "TestArmy Group", we have created a business-oriented security knowledge compendium for Polish companies.
It means a lot to me, because I care about building a knowledge base in Poland with concrete, valuable knowledge for the reader.
I want to focus on specifics for business owners who need this knowledge. I want readers, after consuming our content, to have a justified feeling that they have invested their time in something that brings tangible value to their lives and businesses.

We have created something that I hope will be used by many Polish companies (though even a single person getting something out of our content will count as a success) to protect their businesses from financial losses, or sometimes even bankruptcy.
Thanks to that, they will be able to create great workplaces for their employees and build products that improve the lives of our society.

I invite you to read it and pass it on to friends who run their own business and would like to learn a little more about effectively securing their organizations.

Cyberbezpieczeństwo dla przedsiębiorców: Nowa era zagrożeń (Cybersecurity for entrepreneurs: a new era of threats)


One of the most effective managers, whom all leaders should learn from

Let me tell you something. If you're sitting in a leadership role and you haven't learnt from the lessons shared by Jack Welch, you're missing out on a lot. Not only you, but the people you lead. They are the ultimate victims of not fully competent leaders, so work your ass off to create a better life for yourself, your family and, most importantly, all the people who trust and follow your lead.

Take extreme ownership and do things the way they should be done. Being an empathetic creature that really cares about others and honestly helps them solve their problems is a priceless quality that will put your life on a completely different level of joy and fulfillment.

Here is a link to a great five-minute talk by Jack:

https://dms.licdn.com/playback/C4D05AQFKfW3XmbP61g/9eae8fbea13f45178ae23754bd32f3b6/feedshare-mp4_500/1479932728445-v0ch3x?e=1524358800&v=beta&t=Kh0Zbqo9bYbb71t3FLpjwpVkUbHIIae7f28iKRtPHXg


The most important lesson for aspiring Penetration Testers and junior Security Professionals

Lots of people have been asking me recently how to find a job as a pentester or a security professional.

So listen up, girls and boys: if you want a legendary piece of content with the highest concentration of integrity and wisdom, then you must thoroughly read this magnificent piece created years ago by the Corelan Team.

Yes, it's as valid as it was back in the good old days, so don't look for an excuse or an easy path. Read the whole thing, and if this doesn't kickstart your passion and career, nothing else will.

Ending with a classy quote:

“Being a pentester does not mean being good at using tools either. It’s about being able to understand how things work, how things are configured, what mistakes people make and how to find those weaknesses by being creative. Being a pentester is not about launching Metasploit against the internet.”

And sending you to this immense piece of content: https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/

Free Web Application Security Training. 5 Hours of Workshops Covering the OWASP Top 10, in Polish

I've created a 5h 17m long online training for Polish software engineers, testers and pretty much anyone who wants to learn web application security.

There are practical examples, and I've tried to explain everything in such a way that anyone working in DevOps, programming, QA or management is able to consume the knowledge without much hassle.

Before becoming an infosec pro I had been working as a programmer for a good couple of years, so I remember how hard it was to learn from security folks who use sophisticated jargon and go too hardcore. So I've used the language programmers use, the language I think I would have easily understood back in the day.

Why in Polish, and when will there be an English version?
That is one of the reasons why the course is in Polish. I want to help my colleagues, and the whole nation, learn concepts that may appear too heavy and complicated. I realize that the language barrier is a real barrier, and it takes a lot of courage to leave the comfort zone and not only learn new things (security) but also consume them in a non-native language.
I want to support every single person who is courageous and wants to change the world for the better by leveling up their competences and delivering higher-quality work. So the Polish version is done; now I'll work on the same workshop in English.

Why do I share commercial-grade training for free?
The course is completely free, no strings attached; below you can even find a link to download the whole 14GB course for offline use.
I'm open-sourcing it because I know that for most startups and SMBs, investing in security training for employees is out of the question because they simply can't afford it. I want to help change the world for the better by adding a little piece of myself, which is helping businesses all over the world improve the security of their products, networks and services, minimizing their costs while maximizing the ROI of every single investment in security.
So the requirement for training used to be a significant budget and time. Now, it's just time.

I also think that it's on us, security professionals, to improve our little world, and the most practical thing we can do is create high-quality resources so people can use them to improve their day-to-day work.

The course can be used for personal, commercial or any other purpose. There is no license, no limitations, nothing. Really, take it and do whatever you want with this material as long as you aim to make the world a better and safer place. Spread the awareness, knowledge, positivity and noble virtues.

It's the first time I've seen such comprehensive training released completely free online in Poland. No bragging, just: yeah, it's been a lot of work and I'm proud of myself. Following the mantra "be the leader you wish you had", I know how tough it was when I was learning appsec, so I want to do everything I'm capable of to make it easier for others to enter the field.

Why do I post a note about it in English?
I know I have directors, managers, leaders and other business people here who recruit Polish software engineers and create R&D centers in Poland.
So if you've got a Polish office with Poles, then send it over to them. It's in their native language, approachable, and can bring you some value without you having to spend a dime.

I also want to thank testuj.pl/TestArmy Group, the company I'm working with, thanks to which I can spend more time developing free trainings and other resources for people.

References:

The full blog post in Polish is here:

https://dawidbalut.com/2018/04/08/darmowe-szkolenie-z-testowania-bezpieczenstwa-aplikacji-webowych-5-godzin-praktycznego-testowania-owasp-top-10/
Online video is here:

And if you wish to download the training in Full HD, here are 14GB of goodness:
https://mega.nz/#!syJl3QaZ!fHbIXQPW8F8bp3C52lmu6ShxT7AX8il_afvd-titGHs