zlacker

[return to "Ask HN: Any felons successfully found IT work post-release?"]
1. public+l6[view] [source] 2024-01-03 19:17:40
>>public+(OP)
Thank you all for your perspective, and suggestions.

I was on a bad psychedelic trip, accompanied with some other issues at the time and ending up making threatening statements to a very high level official, but no battery occurred whatsoever. Thank goodness, or I would probably not be writing this message

◧◩
2. x0x0+s9[view] [source] 2024-01-03 19:32:31
>>public+l6
You could also consider working as a consultant or external pen tester. When we hired our pen testers, we did not run background checks on them, not least because they have no access to customer data so it's much less of a concern.
◧◩◪
3. zamada+Qb[view] [source] 2024-01-03 19:44:04
>>x0x0+s9
If the people you're paying to find weaknesses in the security system are assuredly never going to find a way to access internal data then how did you conclude you needed a pen tester in the first place? I mean, it's probably the right conclusion but only precisely because they'd find a way to access things they shouldn't be able to.
◧◩◪◨
4. x0x0+Fj[view] [source] 2024-01-03 20:20:52
>>zamada+Qb
We spin up a clone of prod and point them at that.

Certainly if a weakness is found in the clone it's also present in prod, but that's what contracts are for. And we also review logs to make sure.

edit: a clone of prod w/ only test data in it, not prod data.

◧◩◪◨⬒
5. random+xp[view] [source] 2024-01-03 20:46:54
>>x0x0+Fj
How do you know what you are looking for in the logs?

If you have the foresight to be able to recognize a malicious action from the logs, why not have the software block those actions from the start?

◧◩◪◨⬒⬓
6. x0x0+wq[view] [source] 2024-01-03 20:50:57
>>random+xp
We log all accesses and flows. So eg if our pentesters found a vulnerability in an endpoint, we can retrieve every post against that endpoint and (1) verify the pentesters didn't exploit it against prod, and (2) verify that it hasn't been exploited by anyone else.
◧◩◪◨⬒⬓⬔
7. random+0s[view] [source] 2024-01-03 20:57:50
>>x0x0+wq
Of course, that only works if the vulnerability is reported. There is no reason for the malicious actor to report the vulnerability they have chosen to exploit.

What percentage of the vulnerabilities discovered are independently discovered by multiple pen testers?

◧◩◪◨⬒⬓⬔⧯
8. digita+2R[view] [source] 2024-01-03 23:48:35
>>random+0s
>What percentage of the vulnerabilities discovered are independently discovered by multiple pen testers?

I'd warrant nearly all of them, though it may take a while.

If you have ever submitted or worked with a bug bounty program you will run into dozens of duplicates.

I've personally performed and overseen assessments in which the company had already done a complete blackbox pentest and wanted a second whitebox review to make sure the first company knew their stuff and validate they found the same bugs. Also did a few of the honeypot assessments in which companies put purposely vulnerable code in to make sure 'we are doing our job', I hate those most.

Depending on the testers speciality of course, the reports often found the same or similar issues.

Source: 15 years as a pentester, offensive security engineer, and now security architect.

◧◩◪◨⬒⬓⬔⧯▣
9. random+yX[view] [source] 2024-01-04 00:48:07
>>digita+2R
> I'd warrant nearly all of them, though it may take a while.

Why guess when the other commenter has the actual data...?

◧◩◪◨⬒⬓⬔⧯▣▦
10. lazyas+qM1[view] [source] 2024-01-04 09:23:45
>>random+yX
What commenter had data?
◧◩◪◨⬒⬓⬔⧯▣▦▧
11. random+ds2[view] [source] 2024-01-04 14:39:43
>>lazyas+qM1
The one we were originally talking to before others started randomly interjecting with gobbledygook.

His eventual response was 0, by the way.

[go to top]