Re: She's missing the most fundamental step
It doesn't assume that. She's referring to managed bug bounty programmes where Hacker One, Bugcrowd et al, triage the incoming issues. More real issues means more money made by the bug management platform.
Posts by MarkItZer0
7 publicly visible posts • joined 23 Oct 2015
Before you high-five yourselves for setting up that bug bounty, you've got the staff in place to actually deal with security, right?
Pupil mental health monitor promises app rewrite after hardcoded login creds discovered
Sunday 29th September 2019 08:13 GMT
Re: Every company after a data leak
Of course never on purpose... However, you will probably know that pentesting engagements are extremely limited in time and scope. Therefore, if we find say xss in a few locations we report those with examples, but won't go around the site finding every single instance. The client with access to their own code base is better positioned to do that.
Time is better spent finding other vulnerabilities imo. Better a report that finds 10 different things than 1 thing but highlights every instance. Often these vulnerabilities are found manually rather than by automated scanners.
Pentesting engagements are on average 4 days including report, so not everything can be uncovered in that time, especially on a system resembling Swiss Cheese. We don't know how much we'll find until the testing window starts you see.
Friday 27th September 2019 14:05 GMT
Re: Every company after a data leak
If privacy and security were absolute priorities, then this wouldn't have happened.
I'm a pentester and it reminds me of a client that believed it wasn't possible to develop secure software, and the only possible method of making something secure was to give it to the pentesters once complete. He was moaning at the fact we kept finding things on each retest, therefore we should only test the exact things found last time so that they could get a clean report.
Breach at UK.gov's Cyber Essentials scheme exposes users to phishing attacks
Two years ago, 123-Reg and NamesCo decided to register millions of .uk domains for customers without asking them. They just got the renewal reminders...
Monday 16th September 2019 11:43 GMT
Total scum
Just like when they charge extra for "domain registration privacy" (and also automatically at renewal), which is now a given due to GDPR so is free.
I had to contact GoDaddy for each domain to get them to remove it, but even still they played the FUD card and pretended that it still offered privacy above and beyond that of the current GDPR requirements. After persisting I got them to remove it from my accounts and refund what they'd already taken.
How the HTTPS-snooping, email addy and SSN-raiding HEIST JavaScript code works
Chaos at TalkTalk: Data was 'secure', not all encrypted, we took site down, were DDoSed
Friday 23rd October 2015 12:08 GMT
As secure as possible != encrypted
Encryption is not a magic, all securing operation - it doesn't mean that data retrieved from the database is automatically rendered unusable. If the data was encrypted at database server or OS level (which is fine under PCI DSS), and there was an application exploit used to extract it (say SQL injection), then the database and OS would dutifully decrypt the data for the application's use, therefore the security flaw would mean the hacker gets the decrypted data anyway.
The focus should be on application security rather than on encryption. It is possible to encrypt database rows and columns using a key from the application server. However, again as the application server needs to encrypt/decrypt per query, a SQLi attack will probably succeed. It is possible, although very difficult in practise, to implement row encryption in a web application. Complexity is the enemy of security - keep things simple and concentrate on security testing and plugging those vulnerabilities rather than adding unnecessary encryption to stored data.
Biting the hand that feeds IT
