Working as a Programmer Is Only for the Chosen Ones and the Passionate

Anyone who says you shouldn't get into IT without passion and without love, I invite to take up the kind of work done by most of society. It is hard work, with low pay and no chance of meaningful growth or change.

Then you can compare it with the problems people around the world face and understand that the world does not revolve around the IT aristocracy.
For most people, merely the chance that they "will hate their lives LESS" already counts as success and a path to happiness.

So it's worth gaining some humility and perspective, because there really are bigger problems in the world than someone being a programmer without passion.

Corporate Meetings Should Involve Everyone To Actually Find The Best Solution To A Problem

Don't waste your time and other people's time by inviting them to a meeting where you don't pay attention to their solutions anyway.

Whether it's personal or professional life, you should always start a meeting or discussion with the expected outcome in mind. When you start talking to someone about problems, state early on that you want to find a solution, not just talk the problem through.

You wouldn't believe it if you took a look at how many discussions you've had so far without achieving any outcome. Time is all we've got in our lives, and wasting it just sucks.


Plan, brainstorm, don't complain, keep your focus on the problem's resolution and execute. That's how you get it done.

Is It Worth Leaving a Good Job to Try Your Hand at a New Position?

Is it worth leaving a job you don't like? It's worth it, but it doesn't always pay off. Here are a few tips on how to do it in a practical way.

In professional as well as private life, everything comes down to a sensible balance and risk analysis. Life is too short to be afraid of changing jobs, so some risks are worth taking.

First, try to like the job you're doing, because the grass on the other side often only seems greener.

But if you've already decided you're leaving, do it wisely and get as much as you can out of your current position, so that you're prepared for the next job. The world belongs to the competent and the prepared.

By all means look for the ideal place for yourself, but at the same time try to make the most of what you have, because often a change of attitude opens many doors at your current workplace.

PS. Never burn bridges, because good people are one of the most valuable things we can have in life.

The 3 Biggest Mistakes That Slowed Down My Security Career

Some things can't be skipped and I can't turn back time, but I can share them so that you watch out for these mistakes.

This continues the series "I wish I'd had someone to tell me all of this when I was starting out. I would have saved myself health, time and, above all, the relationships with people that I ruined through lack of knowledge."

How to Find Your Passion? And What If You Don't Like Any Job and Nothing Appeals to You?

When I hear that someone has no passion, I know they haven't tried enough things and haven't spent enough time looking for their place.

You can complain that you have no passion and no luck, or you can get to work and give your life a productive course.


Be brave enough to stand for your truth

“For if society lacks the unity that derives from the fact that the relationships between its parts are exactly regulated, that unity resulting from the harmonious articulation of its various functions assured by effective discipline and if, in addition, society lacks the unity based upon the commitment of men’s wills to a common objective, then it is no more than a pile of sand that the least jolt or the slightest puff will suffice to scatter.” ~ Émile Durkheim

If you stand for something in your life, then go after it. Find other like-minded people, unite and do great things together for yourself and for humanity as a whole.

A message directed especially towards my InfoSec friends who have lost hope lately and turned into idle complainers. Get back to your greatness and fight, 'cause the next generations need us to take action now.

Your future self will thank you for the legacy you've built.

Don't let the noise of others drown out your inner calling. There are more of us, the troublemakers, than you think, so don't lose hope. You're not alone.

Have a great weekend, and if you dream of a better world, get your hands dirty and build something that will contribute to the bigger picture.

Be the change you want to see in the world Y’all.

A gut check video for security professionals who have forgotten the mission of the InfoSec industry

This is a must-watch for every single security professional, especially for the freshers who think their bug bounties and hax00ring are the most important thing in the world.

I can't express how satisfied I am seeing legends such as Chris Roberts telling the truth and sharing observations very similar to the ones I've been sharing in my little echo chamber!

Penetration Testing and Vulnerability Assessments Are NOT Going Anywhere Anytime Soon. We Still Suck at Basics

I've seen the following questions pop up very often, so I decided to write a brief blog post about them from my POV.

For how long will the security testers’ work be required?
What is the future of IT security industry and penetration testing?
So pentesting is dead, right? Only Bug Bounties and Red Teaming are good now?

This is my bio, which adds some context to the whole article.

I started my 'adventure' in the IT world from the very lowest positions. I've worked as a computer technician, network admin, web programmer and system administrator, and after many years I started delving into security-related matters.

While still working as a programmer, I started educating myself on offensive security and enjoyed reporting security issues to a variety of companies. It's been over a hundred different companies, both popular foreign giants and large Polish firms. That was all at a time when Bug Bounty programs were not a thing yet and just a couple of the biggest corporations had some tiny researcher reward systems.

Even though it took some years before I finally started working in the security industry, I do not regret the time spent in my previous positions. Going such a long way provided me with a lot of priceless experiences, thanks to which my perspective is now much wider. I understand the problems that employees in different positions have to deal with, and by taking them into consideration I can make better decisions for the companies and teams I cooperate with.

The long way not only gives more context, but also teaches us humility and all about the hardships of working in different roles.

Seeing how complicated the software production and maintenance processes are, we can distance ourselves from the problems and tone down our comments about the bugs we find.

More than ever, the security industry needs patient professionals who can keep in mind the context specific to each company and cooperate with others without harsh comments. We need leaders who can build and promote a security culture in their companies.

I spent a couple of years as a pro pentester, but I was constantly bothered by my search for a higher purpose. I just felt that the value we as pentesters bring to the world didn't add up, and that although we're working our asses off, not that much changes at scale. Every few months I found the same errors reappearing as regressions, I kept finding exactly the same vulnerabilities in new pieces of code, and the world was not becoming any safer. To this day, trivial XSS bugs are being found in applications produced by companies such as Microsoft, Apple and other tech giants that have all the money in the world to harden their software engineering practices.
After having reported close to two thousand security bugs, I came to an existentially painful conclusion: pentesting and bug hunting just do not scale. It's cool, it's needed, it pays the bills, but no matter how many vulnerabilities I discover, the impact I make still doesn't make any difference.

Even though pentesting is an important occupation and penetration tests themselves are a critical element of every security program, for me it was a questionable career path if I wanted to change the global status quo. And the status quo was very slow progress in appsec improvements among global companies and tons of money wasted on low-ROI investments.

I decided to join a solid Silicon Valley-based corporation as an internal security engineer tasked with building security systems and programs. I wanted to do stuff that matters and have an impact on the whole business. My main goal was not only to find vulnerabilities, but most importantly, to prevent them from appearing in the future, which was exactly what I was missing in external pentesting roles, where most of the time you have zero chance to influence the internal software engineering practices of the company you're working with. In the meantime, I also kept helping other companies and infosec fellows build more robust security programs, increase the ROI of their pentests and Bug Bounties, and just tried to scale myself by sharing knowledge that can be used to optimize business processes elsewhere.

After a few years, I slowed down for a while, and it was one of the most disappointing experiences of my life.

It's been over 5 years since I decided to move on from pentesting alone and focus on something "bigger". On a daily basis, you've got so much work and energy that you just push it all in and squeeze every last drop of your time to deliver great work. You learn, consume knowledge and apply it. You develop stuff, improve it, do other bigger things, because there are so many things to be done!
Until you eventually slow down a bit and look around. I was so busy doing stuff that I went out of sync with the reality around me, and although I was learning a ton and staying current with what was up in the industry, I wasn't keeping an eye on how others were really doing. And when I started looking at others, I realized how badly I had overestimated our lovely world. How much I had overestimated companies' ability to implement pragmatic, comprehensive security processes and their ability to think and plan long-term.

Five years ago I was 100% positive that trivial OWASP Top 10 bugs would soon be relics of the past, so I decided to focus on something greater, believing that many companies would follow and most of them would soon reach a sensible level of security. Because how much time can humanity waste on all those dull activities that can be effectively mitigated and automated?

It turned out, however, that the sector I had just left had its best years ahead of it.
Pentests, bug bounty programs and everything related to the offensive approach to security became more popular than ever before. Despite the industry's huge investments in the aforementioned activities, an enormous number of companies still can't get the basics right, and pentesters (and malicious hackers, obviously) keep discovering identical errors over and over again. We have a lot of shiny and pretty toys, but many of the initiatives undertaken by companies are not as effective as they could and should be.

Most of these bugs can be avoided programmatically so easily that they simply should not have a right to exist in 2018. You can still see many companies wasting hundreds of thousands of dollars on incompetently managed external pentests and bug bounty programs. We as an industry are also very myopic and happy to spend tens or hundreds of millions of dollars on short-term offensive initiatives that don't really contribute to the bigger picture. Because the offensive side of 'hacking' is so fancy and praised everywhere, there are very few incentives for blue teamers to spend their lives building things the world would not appreciate anyway. Although the obsession with the offensive side of security is great, especially for the companies and people who make easy cash offering those services, we've moved far away from playing the right game.
It seems like the security industry has forgotten what our goal was and has it completely mixed up. Our goal and mission was to make the world a safer place, and hacking was meant to be just a tool to improve the defenses as part of a long-term strategy. Yet along the way, most security pros got distracted by money, hype, fun and dopamine shots, which buried our mission way below our core values, ethics and missions. The noble virtues have been mixed up with trivial tactics and strategies. That's how online privacy ceased to exist. Not because of some evil companies that are after our personal data (FYI, those evil companies are nothing but a group of people, you know that, right?) but because of a lack of strong people who should have been the guardians of the things that matter.
But that's a whole different story, so let's leave it for another sleepless night.

And for most folks, what I'm saying above is philosophical ranting on some other level, and maybe that's what it is. But if you want to be a pentester and what you've read above put you in a low-energy state, it absolutely shouldn't! For you, an aspiring pentester, the whole shit-show in the security industry means that you've got a really entertaining and high-paying job for the next decade or so! Hurray!

It's not to say things aren't getting better, because they absolutely are. But it's not the pace we'd expect, and if the world has made progress of only this magnitude over the past 5 years, we can be pretty sure that there are still many years of frustration ahead of us.

So if you're worrying whether a pentesting career is still fine, stop worrying and start doing what you feel is right for you. Pentesting, or even primitive vuln assessments, is here to stay for the next decade or so. I wish the world moved as fast as we want it to, but the reality is that we're often blinded by watching only the biggest brands.
But that's not who's going to pay your bills, really. There is a per mille of companies, those huge brands everyone uses on a daily basis, that have effective security and are moving fast. But that's it. More than 90% of companies still have ugly software engineering processes, let alone security assurance, so trust me: you'll have a lot of work for a very long time.

That's it. Now go and change the world for the better.

Business Books Are Worth Reading, But How and Why, Really? [vlog]

There are many books that can change your whole life, but they only work if you put effort into implementing the newly acquired knowledge.

That is exactly why huge numbers of people consider books impractical and stop reading them: they expect theory to change their lives at the snap of a finger.
The reality, however, is that it is not the books' fault but the readers', who expect the book to get up and do everything for them. Books written by practitioners have enormous potential and can bring enormous value to your life, but you have to know how to work with this tool.

There is no material that will lead you by the hand through life from A to Z, and there probably never will be. While tips can and should be shared, remember that each of us is different.
The environment is different, the company is different, the co-workers are different, or even the local law, which means that some mechanisms have no chance of taking hold in your situation.

You should read as much as possible, by different authors, absorbing different perspectives. This saves you time on trying things that have absolutely no chance of success and opens your mind to the ideas of more experienced specialists.

But even more than on reading, you should focus on working and practising the lessons learned, because unapplied information is theory that in no way distinguishes you from the 8 billion people who can also read that book.
The success of a huge number of initiatives lies in iteration, during which we can become wiser by learning from our own and others' mistakes.

Test. Rinse. Repeat.

So, quoting the title of Steven Pressfield's excellent book: Do the Work!