Embrace DevSecOps | ESM part 6

Concept of purple teaming is something I felt in love with many years ago when I was experimenting with various ways to make myself more effective. Everything has changed — in a good way — when I started embracing culture of collaboration where attackers and defenders work together to create best possible way of securing the products.
We’re out there to help secure business by working with all stakeholders, not to just pwn stuff and laugh at people who made a mistake. Being a pwn-all-the-things rockstar asshole is overrated and while fun in short term, gives terrible results long-term.
Purple teaming for the win and let’s see how this great concept can be applied into day to day business operations that go beyond security red and blue teaming. Continue reading “Embrace DevSecOps | ESM part 6”

How to maximize ROI of Bug Bounties and penetration tests

I’ve been doing security bug hunting, penetration tests and managing in-house bug bounty programs for various companies, for over half a decade already. During that time I learnt that it doesn’t really happen too often that hiring company knows exactly what to do with security engagements results.
I’d like to help and suggest what you can do to fully benefit from what you paid for.

FYI — Later in this post I’ll be using pentester/bug hunter interchangeably. Although I know there is a quite a difference between those professions, in a context of this article it doesn’t matter. Continue reading “How to maximize ROI of Bug Bounties and penetration tests”

BugBounties changed InfoSec world for better

Graphic from tripwire.com

Just four years ago, before that Bug Bounty madness started off for real, many companies had pathetic security posture. Okay, let’s be real here, most organizations, because many isn’t emphasizing enough. In just 4 years the raise of security awareness and general improvements of organisations security posture are really prominent.

I’ll show you proofs one day, I’m just lazy and can’t push myself to migrate bug reports in high profile companies from mail archive to the blogposts. But I promise to do it, so everyone can get a sense of how webapps world looked like just 3–4 years ago and how vulnerable everything was to anyone willing to spend a fifteen minutes looking for bugs. Continue reading “BugBounties changed InfoSec world for better”