I’ve been doing security bug hunting, penetration tests and managing in-house bug bounty programs for various companies for over half a decade already. During that time I learnt that it doesn’t happen too often that the hiring company knows exactly what to do with security engagement results. I’d like to help and suggest what you … Continue reading How to maximize ROI of Bug Bounties and penetration tests
Category: Uncategorized
Peerlyst ebook: Essentials of Cybersecurity
Essentials of CyberSecurity is a crowdsourced ebook written by the @Peerlyst community. I wrote the chapter ‘Building corporate security culture’ with the following preface, which should give you a solid context for the message I tried to convey in my article. All those years in InfoSec taught me that for security initiatives to be effective, security must …
Care – the most powerful quality in a workplace
Care drives everything. I don't know a single person who would put 100% of his abilities into work if he's there only for a paycheck. But I do know plenty of people who really care about the job they do, and whenever needed they'll make themselves better educated, learn new skills, adjust their personality, and …
Employment expectations’ mismatch and recruitment pitfalls in InfoSec
This article is a follow-up to “Hiring your first security professional”, so if you haven’t yet, I recommend you read it before you continue with this one. For the last few years there hasn’t been a month when I haven’t read about the InfoSec professionals shortage, the security skills gap and what not. …
Hiring your first security professional
I really enjoy attending security/business conferences. But it’s not that I’m going there to learn how to do security, because if that were the case then I’d go to DEF CON or DerbyCon and learn from the top hackers on the planet. I go to business conferences because I want to listen to the problems others …
BugBounties changed InfoSec world for better
Graphic from tripwire.com
Just four years ago, before that Bug Bounty madness started off for real, many companies had a pathetic security posture. Okay, let’s be real here: most organizations, because “many” isn’t emphatic enough. In just 4 years the rise of security awareness and the general improvement of organisations’ security posture are really prominent. I’ll show you …
Pentests vs BugBounty for startups and SMBs
I’ve been thinking quite a lot about coming up with a series of articles on how to secure small and medium organizations from the ground up. It was waiting for the right moment, and it’s time to start it out, especially since very recently this question appeared on Peerlyst, where I’ve put my $0.02 on …
Software complexity as an enemy of security
Graphic from pautasso.info
These days it’s unlikely for a company not to use 3rd party online products. Every day we rely heavily on messaging apps, online data storage, team collaboration tools like issue tracking systems and many other apps. This is fine, we need all these to boost our productivity, but in my experience it …