Pentesting: What I should have done

If I had the luxury of talking to my past self, these are things I wish I had done differently during the years that I performed pentesting. Some of these I eventually learned before I finished pentesting; others, well, let’s just say they are much more recent. If I think of more items I’ll attempt to update the blog.

If you are a pentester and you are reading this, I hope you can benefit from them. Just make sure you evaluate if they are applicable to your situation and adjust them as required. If you are in a rush, here is the list; details can be found in the rest of this article:

  • Don’t be afraid of talking to clients
  • Always ask for equivalent access
  • Avoid blackbox tests
  • Write the report while you pentest
  • Images, images & images
  • Provide detection advice & POCs
  • Provide reproducible POCs for your attacks (security regression tests)
  • Provide scripts to fix the issue (when possible)
  • Publish more
  • Grasp the bigger picture
  • Include what you didn’t do
  • Don’t be afraid to say something was good

I’ve also included some crazy fantasies of mine, which I’ll always be wondering if they would’ve made a difference.

  • Re-use reports and label them as such
  • Provide the report upfront

Into the void: ramblings and thoughts

Lately I’ve been shifting from offensive red team type of activities towards management and then towards blue team type of activities. During these transitions I’ve been more and more asking myself: is infosec making a difference? I have to admit I got no clue what the answer to that question is, not even remotely. So I’ve decided to put my thoughts and ramblings into a blog post. Any particular reason? I’ve read multiple times that writing out thoughts helps to organise them, and also I just needed to order my thoughts; maybe in doing so it will help me answer the question for my own specific context. If you continue reading you might experience a decent amount of emotions telling you ‘the guy that wrote this blog is WRONG!’, that’s ok. Feel free to correct me in the comments, it will aid me in finding new perspectives. I’ll try to stick to technical content next time ;)
