Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
The mix of unpredictable bug bounty with stable pentesting can give you a really good balance
(00:08):
and while I talk about bug bounty a lot, in this video we'll talk about pentesting, how
to become a pentester, how to find clients for pentesting and of course the pentest methodology.
My guest today is Cristi Vlad, enjoy.
So hello Cristi, thank you so much for joining me in today's podcast.
(00:30):
For those of you who don't know you, can you please tell us a bit about your background
and where are you currently at?
Sure, definitely.
Hi Greg.
So I'm probably going to try to be short and catch the essence.
So formally or by education I haven't followed like or I don't think that most of or a lot
(00:58):
of the people in cyber security have not started via an educational or an education in cyber
security background and I actually I'm a civil engineer by education so I did a bachelor's
and a master's in civil engineering, construction engineering and about eight or nine years
(01:25):
ago so I didn't actually work in the field because as I was still studying my interests
have changed.
So while I was doing my master's my interests have changed so about eight or nine years
ago I started getting into Python and that also a little after that I became interested
(01:49):
in cyber security.
So that's how it all started, Python cyber security then I started doing some for a very
short period of time I did some challenges.
There was VulnHub back then; you had to, I guess it probably still is, you had to, you
(02:16):
had to install the vulnerable machine on your system and actually try to get into it.
Yeah, it was a very difficult part when you had to install the machine and configure the
network properly to access it from Verve.
Yeah that was a very short period for me.
And then another very short period was when Hack the Box started all out so I was on Hack
(02:40):
the Box ever since it started but I was there only for a short period of time maybe a couple
of months did a bunch of machines there and then I tried as I can remember now I believe
I tried to get into the field like into the real world as soon as possible I didn't want
(03:03):
to waste not necessarily waste I didn't want to spend time in in the theoretical realm
like on the side I wanted I wanted to actually see how things work in the real world so yeah
I guess I guess this is a very short intro but you can ask whatever follow-up questions
(03:25):
you have.
Yeah so tell me how did you start with with bug bounty and pentesting what was first?
It was pentesting yeah pentesting.
I think I started with that more on there was an opportunity locally here and I actually
(03:48):
followed that opportunity I worked with the company with the local company here doing
their cybersecurity thing and that was in in their offices that was for a couple of
months back in 2018 I guess 2017-2018 and that's that's how it all started I saw how
(04:13):
things work in the real world and after that became after that came other opportunities
most of them have been online so yeah most of them
100% of them have been online as far as I can tell.
Yeah and how did you then get interested in bug bounties?
(04:40):
I guess I started hearing about about bug bounties 2019-2020 I don't even actually
remember exactly I think I think that when I took my OSCP yeah so I can look at that
certificate it's 2019 as I got the OSCP the very same month I believe it was August 2019
(05:08):
the very same month I started doing some program online. I learned about the platforms; I
learned about, back then, HackerOne and Bugcrowd were the go-to, but I didn't spend time on
those platforms, and I think I focused, as far as I can remember, I focused on finding programs on
(05:35):
Google, using the self-hosted ones, yeah, and then I focused on getting into Synack and that's
actually how, I believe it was 2020 or 2019 when I got into Synack, that's where my focus went,
(05:58):
but I didn't do a lot of bounties and I'm not doing I don't spend a lot of time on bug bounties
yeah for right now from what I know you you focus much more on on pentesting these days
yeah I mean it could be 90% pentesting so that's that's the majority of my working time 90%
(06:22):
pentesting and maybe 10% or less in bug bounties and I mean I'm focusing on only one program and
one platform right now. I'm solely on Intigriti; like 99% of my bug bounty time is on Intigriti,
one program, and then the rest, one percent, is divided into all other programs on all other
(06:48):
platforms so it's non-significant and it's not a bad it's not a bad deal that you just have one
program that you come back to you're probably the expert of it and I imagine you just like
like hacking there yeah so looking back in I started looking into this program in 2023
(07:08):
and I actually have a have a list where I keep all my submissions and I sent about
70 or 80 70 something 70 submissions to the program this year a lot must be huge
yeah and I mean I love it I love I love their product it's um it's I don't know it it just
(07:36):
feels right yeah yeah that's great and about pentesting are you are you employed are you a
freelancer how do you how do you do pentests so I operate as a business I'm not employed
um I'm not a freelancer so it's uh I actually have collaborators I have other businesses that
(07:56):
I work with I have main collaborators that I've been working with for about two or three years
now so they they bring all the most of the I mean the majority of the pentests are brought by them
so I don't have to worry about going to people but there are people that approach me so those are the
(08:19):
the majority of as I said the majority of my pentests come from my main collaborators but
there are others that people approach me okay on on twitter on linkedin and then those are
those are also part of the of my main work okay so isn't this freelancing because you said you're
(08:39):
not a freelancer to me it sounds a bit like freelancing well I don't like to maybe that
part of it but I don't like to call myself a freelancer because I think the the long-term
collaboration that I have with this uh with these businesses and the fact that they actually
in freelancing you don't know when you have I think that in freelancing you don't know
(09:02):
when you have the next project how long is it going to last but in what I do I have sort of a
certain certainty that I'm going to have ongoing work so I don't have to worry about that okay
okay fair enough um so you told me yeah I'm indeed naming I'm not not really strict about
(09:28):
naming things uh anyway but you also told me that people approach you on linkedin on on twitter
uh why do people approach you and and how can people how other pentesters can also attract
people to approach them about pentests well there's a very from my perspective I think
(09:48):
it's a very clear answer to this people approach when they see that you know something
so oftentimes I post about stuff I'm quite active on twitter and also on linkedin basically posting
the same things on both platforms so I actually post about stuff that I'm doing so other people
(10:11):
actually see maybe connections on linkedin that are managers or own companies they see
that I post stuff about pentesting findings um all that stuff and they actually approach me if
if I want to look into their um their assets for example their apps their infrastructure
(10:38):
so it's about sort of like
establishing presence establishing solid presence on platforms I that's also due to my youtube
channel back in the days I used to post my videos on these platforms and people will look at the
videos and approach me due to the videos they saw that I know something and they wanted to
(11:04):
see if I can help them in one way or another yeah so so basically you just put yourself out there
and you show people that uh basically what you do so if if someone watches us who maybe just
starts learning cyber security and they feel like they would like to be out there and show
(11:28):
show things to people but they they kind of feel that they cannot do it because they cannot
they do not know enough in this case if someone is actually you know just learning cyber security
do you think they can still put something out there to the internet to see
yeah definitely let's take for example I don't know maybe their learning journey
(11:53):
maybe they're at the very beginning of their learning journey they're using a platform like
TryHackMe, Hack The Box or whatever other platform, Web Security Academy. They could simply
post about: hey look, I went through this challenge, I went through this learning path on Web
Security Academy, I did this exercise and I learned this. They could do a short post, maybe on LinkedIn
(12:20):
or on Twitter, or they could write something on Medium or Substack or whatever other platform,
write about their experience and then post it out there do that multiple times and people are
going to start coming to you yeah and you also mentioned here a lot of platforms you mentioned
(12:40):
Twitter, Substack, the blog post. How do you think they should choose on which platform to
post, or maybe they should also do a YouTube video? Definitely, I mean YouTube brought me a lot
of opportunities so but you know most people are actually more comfortable writing something
(13:03):
than starting to put themselves out there. When I first started doing YouTube videos back in 2015
I did videos on Python and on AI, and only afterwards I began doing cybersecurity videos, so
it's it's not easy to start on youtube you it's it's and a significant portion of people in
(13:26):
cybersecurity are geared towards introversion so I don't think it's easy especially if you
account for that but to get back to your question doing posting on one of these
blog platforms, I'd say Medium, but you have to be careful because on Medium, if you want to reach a
(13:54):
broader audience you should not be tempted on choosing their monetization for your for your
writings because if you do that most people or a lot of people from my experience as a reader on
medium are not actually going to be able to read your stuff because it's only going to show a short
(14:15):
chunk from the video and if you want to read more you'll have to pay one dollar on medium per month
and a lot of people aren't willing to pay one or ten or however their subscription is make sure you
opt out of their monetization. Even if it was one cent, people will just not add their credit card;
(14:38):
it's not worth it. Paywalling is paywalling. Yeah, it's not worth it. For now Substack is free
from what I know. Medium is also, so I actually opted out of the monetization on Medium
and whatever I post on there, anyone can read right now. Maybe they'll change this in the future,
(15:03):
but yeah put yourself out there and do it frequently that's probably the gist of the question.
Yeah and speaking maybe more specific about the resources what do you think would be a good
learning path if you wanted to get into cyber security today as a 20 something year old computer
(15:27):
science student? Depending on what you want to focus on so you mean as a bug bounty hunter?
Well the problem is that the hypothetical person we are talking about doesn't know this yet.
Exactly, so that's when you have platforms like, for example, TryHackMe with their very introductory
(15:52):
learning paths; there's Pre Security, I guess there's an Intro to Cyber Security,
that's where you get exposure with the multitude of careers or subfields in cyber security that
you could pursue. I would go with that to actually get a bit of clarity on where I want to move
(16:13):
because cyber security is a very very large field today so it's not it's not all about pen testing or
bug bounty hunting there's there's a lot of stuff that you can do so start with getting clarity on
who you want to be in the field afterwards it's afterwards I mean it's more simple.
(16:35):
Yeah that's a that's a great answer and let's let's come back a little bit to to pen testing
and to finding clients so let's say that all the clients that you have that you are working with
just leave you today from just write you an email today you didn't work together anymore
how do you find clients for 2024?
(16:57):
Well exactly how I told you a few moments ago so I would actually maybe I would focus a little bit
more on bug bounties not maybe probably I'll probably focus a little bit more on bug bounties
and actually post about my findings and I'm pretty sure that if I if I grow a network on LinkedIn
(17:23):
if I grow a network on LinkedIn and on on mostly on LinkedIn probably
people are actually going to start asking me questions not only so it's very likely that I'm
only going that I'm going to be approached by other people who want to become or become better
(17:44):
in cyber security so other pen testers but I'm also going to be approached by by potential
businesses potential interest potential interesting or interested clients that's
what I would do I would actually do bug bounties and then have an ongoing stream of posts about my
(18:12):
findings. Yeah that definitely seems like a like a winning strategy have you tried
I wouldn't go about the formal route such as applying to companies applying to I wouldn't do
that I would not apply or send jobs or send resumes on on LinkedIn because it's very likely that you're
(18:40):
it's very unlikely that you're gonna get in in front of the person that makes decisions
you want the person that makes decisions approaching you not you trying to approach
them because if you try to approach them if you try to approach a business that's
hiring pen testers you're first probably gonna encounter HR people a lot of them are not very
(19:06):
experienced in cyber security and cannot actually assess or evaluate what you can do afterwards if
you pass the HR you're gonna have multiple rounds of interviews it's probably not the best
it's possible but it's probably not the best the path that you want to to follow you want people
(19:31):
to come to you that's that's because you're in a position of good negotiation if people come to you
you can operate on your terms let me let me know know your your your thoughts about this because
you're you're from Romania I'm from Poland these are countries with relatively lower cost of living
(19:55):
and also lower earnings than for example US and from I'm obviously not actively pursuing a job
now but when I did I felt like when you just send a resume to a company even if it's like
even if it's like a global remote company like GitLab the salary they're going to offer you
will be comparable with other salaries in the same country so let's say a Polish salary which
(20:22):
is probably like twice to half of this which what you can get in US and if you want to get a salary
from a country like US or Germany or whatever I feel like the only way to do it is by networking
and by by approaching people directly definitely so I can see this it's probably normal and common
(20:49):
sense for for companies to offer salaries based on your position but like I said earlier it's
since you're in the negotiations you want first of all you want to position yourself you want to
see yourself as a global player here yeah so you you you should probably see yourself as a
(21:13):
global entity global person and maybe maybe you want to set yourself or maybe you want to have
expectations of course depending on your skills because if your skills are good if you have good
skills you can ask whatever you want it this doesn't mean that you're going to get whatever
(21:37):
you want you have to have some common sense because if like the median global range for a
pentester starting could a good one would be $50 an hour you wouldn't want to ask $250 an hour
(21:59):
because nobody's going to give that to you you have to know first of all you have to know the
industry and I believe that a very large portion of cyber security people aspiring and actual
pentesters don't know their worth and don't know the exact industry right now this could be probably
(22:20):
due to the fact that not everyone is transparent on how much they make numbers are not quite public
some of them are but you do get a feel for for how much a certain person with a certain
year of experience is worth so if someone comes to me if a company approaches me and
(22:43):
asks or says that they can pay $30 an hour or $20 an hour because they know that would be a good
money so I'm hypothetically speaking because they know that would be good money for Romania
I'm just going to say no thank you and it depends on how the conversation goes afterwards
(23:04):
if if they're just looking for someone to fill a position they're actually going to keep looking
but if there's someone who's actually interested in me personally and there is that situation as
well we've seen examples of of companies that want a certain type of person on them like for example
(23:25):
I think moving a bit from cyber security I think that and most people are not going to
know the name, I think that OpenAI pursued Andrej Karpathy, who's a very big name in AI,
to go back to OpenAI after he had left a couple of years ago, because
(23:53):
they knew he this person was worth whatever he was worth so the company pursued a specific person
an individual into their company so it depends it's very contextual
yeah yeah I also didn't didn't know this name I admit and uh I suspect a lot of our audience
(24:16):
as well but but yeah that's true and that's that's a really good position like sometimes
we talk about maybe negotiation strategies and things like this but it always starts from a point
where you position yourself before the negotiation even even begins and and as I said like the
differences here in your positioning can have much greater impact than you you know negotiating
(24:39):
10 percent more than than someone else with worse negotiation skills can get exactly so you have to
know where you stand what is your skill level and what are your expectations what are your real
expectations and also what are the expectations that could be
(25:01):
seem or deemed as reasonable by the other party so you could say that you're worth hundred dollars
an hour for example for a pen tester but the majority of the companies approaching you think
that you're only worth 40 an hour so you have to actually understand whether or not they are right
(25:22):
or you are right or where or whether or not the truth is somewhere in the middle so very contextual
yeah yeah so let's assume we already have a client for a pen test uh can you talk me
through the whole process from the initial contact to the to what happens after the pen test
yeah so of course you have the scope the client tells you exactly what they want most of them know
(25:52):
because you're not actually talking to um or in my experience i'm not actually talking to the owner
of the business unless the owner approaches me it's a small company or the owner approaches
me on linkedin and wants me to look into their stuff but for the majority of pen testers
you're actually interacting with another person and not another cyber security people person from
(26:19):
their company or maybe a technical manager or maybe a developer or someone who actually has
an idea of what they want they give you the scope they tell you we want to test this app strictly
and you you want to make sure that you specifically understand the scope
(26:40):
so that you're always on the target afterwards once you establish the scope of course there's
contract there's the contract there's all the paperwork that needs to be done which in most
cases i don't deal with uh with all the papers my collaborators do my collaborators and the client
(27:04):
okay but there are there are a significant number of situations when i have to deal with everything
especially when clients actually approach me so this regarding the paperwork once you have the
scope you're actually the scope and the duration of the pen test of course you have established
the pricing for the pen test you usually i mean this is very this is very customizable
(27:33):
there are many situations with when companies say we only have this budget for pen testing
what can we do with it and you having experience from other pen tests knowing how much your time
is worth you can say well look we could do this for that amount of money so it often goes like
(28:00):
that because not all the companies have unlimited budgets for cyber security even though that even
though i feel that it's still an overlooked area and we can see leaks data breaches happening every
day we can see ransomware every day going rampant so people companies businesses are not paying
(28:22):
enough attention to to cyber security but to get back to the main point you establish the price
the scope the duration you test you write a report you deliver it to the client you actually
it often involves ongoing back and forth clarifications oftentimes check their fixes
(28:47):
and of course if you have a business oriented perspective you want to over deliver
and under promise so that the client comes back to you at a later time
okay and how to make the process before when the appendix is already when you're already talking
(29:11):
with a client how to make this process smooth of like giving credentials creating the environment
because from my experience back back when i worked it was always a problem with credentials
and everything and it caused delays and it was always very difficult yeah exactly
so that's uh that's still a problem um whenever we get new clients um
(29:40):
that's one of our first requirements is this i mean are we talking about an application with
multiple roles with accounts with can we uh get the accounts ourselves uh can we self-register
do we need to pay to actually test everything thoroughly you need to provide us with the
(30:02):
premium plan with an account on the premium plan on the enterprise plan you you have to provide us
with multiple roles give us everything that we need to test that's probably one of the first
requirements that we have for everyone so accounts working accounts a lot of times
(30:25):
not maybe not a lot of times but oftentimes we are provided with accounts that are not working
or not have been set up properly so there's a little bit of back and forth in the beginning
when it comes to testing roles and permissions but that's one of the first things that that you
(30:47):
have to to establish do you use some templates some checklists for this part of the process
well actually yes so um
First off is the Web Security Testing Guide by OWASP, the checklist. I actually recently
(31:12):
made a version of it, made what I think is an optimized version of it, and I posted it on GitHub.
It's a checklist with about 130 items on it. As its name says, Web Security
Testing Guide, it's actually quite comprehensive. OWASP are quite on point with their
(31:40):
stuff, with the API security, with the web security; these are go-to. So for someone who's starting
</gml_replace>
<gr_replace lines="345" cat="clarify" orig="and are of quite">
and are of quite high impact. Okay, so we have the OWASP Testing Guide, that's definitely
in pentesting and doesn't have any colleagues to actually guide them how it all works um
these are starting points these are documents that you want to have with you at all times for
all the pentests that are specific to web apps and api stuff um but of course throughout the years i
(32:07):
have my own i've developed alongside these i have my own methodology where i actually
usually know where to look for and what types of vulnerabilities are most encountered
and are of quite high impact okay and so we have oas testing guide that's definitely
(32:33):
something to recommend for people. Do you also use other checklists or other documents by OWASP?
No, so it's just the Web Security Testing Guide. I don't actually... they might have methodologies for,
I don't know, maybe infrastructure testing. They also have the mobile application, the MSTG, the
(32:56):
Mobile Security Testing Guide. I do know of it; I actually referenced it, or I'm
referencing it a lot when I test mobile apps, but it's not a first-hand reference document
like the WSTG, for example, and the one involving API security. And of course there's also the
(33:24):
Cheat Sheet Series by OWASP, which is really, really good, all in one website. These are very good
go-to references. Of course there's also the HackTricks book, which is really good.
so as as a as someone who's working in in pen testing as a pen tester
(33:48):
um these are some of the documents that i use myself okay okay these are great people
save these because these are really really good resources for me also when i'm testing uh some
vulnerability, one of the first resources that I go to is HackTricks, to see, copy the basic
payload see other references and stuff like this so it's really really really good and and really
(34:14):
big as well like the amount of of information that's there on different uh different topics
because it's not only web vulnerabilities i think there's now also cloud there are different ports
described is really really extensive it's all in one place yeah yeah okay so what are the most
common findings that you encounter during pentests okay so um probably the most encountered are low
(34:44):
hanging fruits such as
user enumeration um
issues with cookies
um session tokens not being invalidated overexposure of information these are the low
(35:07):
hanging fruits like server headers and all that stuff these are i mean you could put these in a
pentest in a report but you nobody's going to accept this as a finding in a bug bounty program
these are all out of scope unless you somehow show impact that they they could negatively affect
(35:30):
the asset or the company or the business so but these are actually relatively valid findings
on pentests but of course these are the most common findings you don't want to focus
on these because you want to deliver good work so most of the the findings most of the impact
(35:51):
findings that i have have to do with broken access control authorization authentication issues um
authentication bypass other bypasses these that impact people that actually have an impact on the
underlying infrastructure there's also i see a lot of um ssrf there's there's a lot of i see a lot of
(36:20):
ssrf in my findings i also see there's still xss i don't actually at in bug bounty hunting i don't
look for xss but in pentesting i find xss and i also find xss even in apps that actually use
(36:41):
frameworks so it's hard to explain i cannot even explain to myself why i why this was there for
example so xss is still present i don't like it but it's still there um injection other injection
issues a lot of stuff that has to do with business logic business logic is um where you actually have
(37:08):
to understand what the application is meant to do and how can you make it do something that is not
been meant to do with an impact with a security impact this is probably one of the types of
vulnerabilities that's gonna be long there even in the age of ai because it's you cannot find it
(37:32):
with scanners you cannot find it with automation you have to think through the entire process
for example the authentication flow something might be disrupted there um and if you actually
look at it closely try to understand it you you you'll probably find something that's
not working as intended also rate um rate limiting stuff these are these could be high or low impact
(38:01):
I've seen instances where bypassing rate limits has had high impacts, for example when
there's a multi-factor authentication: you get a code and that code is brute-forcible. That's a high
impact issue because if you're able to brute force the MFA for any account, it's account takeover,
(38:26):
so it's still the wild west there. Yeah, it's something that, as an
inexperienced pentester, I thought about the rate limiting bug as a lame vulnerability class,
but yeah, in the context of OTP it's basically an account takeover, so we also
have seen bounties of, I don't know, 20 or maybe even 50,000 for those, and I'm not surprised,
(38:52):
and i also definitely agree with the thing you said about the business logic bugs
like many vulnerability classes will probably be fixed with time with better scanners because i
don't know sql injection is very easy to fix by look just spots by looking at the code and then
by fix even automatically uh but xss i think has many contexts and that's probably the reason why
(39:17):
it's still so prevalent but still the number of of context is limited and scanners do get better
over time, but I think authorization bugs, IDORs, business logic bugs, they do require the context
and it's very difficult to for a scanner to understand this context so i think these are
vulnerabilities that that if people learn they will just uh be more and more impactful over time
(39:44):
as the general number of vulnerabilities i hope will will go down
yeah i mean but we still we also still hope that we will have some work to do in the future as well
so if the number goes down we have to find other ways that we can position ourselves
(40:09):
valid as valued assets in the entire ecosystem of the business for example i don't think that
over the long term um all cyber security issues are going to be fixed by ai or by something else
because there's also there's always the human component where things go wrong we can see this
(40:32):
with all the breaches that occur on an ongoing basis where credentials are leaked
high impact credentials are leaked for example from a developer or from
from someone even in the context of for example github having all sorts of
checks and implementations on their platform when when people deploy code there are still
(40:56):
leaks occurring and i think this is going to be quite hard to prevent unless we put everything in
in the hands of ai which i don't think that's actually doable in the near
at least in the near future yeah probably not
speaking of uh do you use ai during your your hacking
(41:19):
yeah so i used it a lot i actually use it quite extensively when it comes to
minute stuff such as scripting, prepping one-liners. I used to, before ChatGPT 4,
because I don't think ChatGPT 3.5 is decent, I don't think it is decent, but ChatGPT 4 is quite
(41:44):
good and it actually understands what you want even if you cannot express it yeah exactly what
you want you put in some you put in something there half a request and it actually understands
what you want, or at least that's what my version of ChatGPT 4 with my system prompt
uh is actually doing for me so i use it a lot when it comes to scripting one-liners bash stuff
(42:12):
um it's saving me tremendous amount of time because it actually took maybe one two three
hours for example in the past when i had to do something custom and i would actually have to
look into Stack Overflow, see what other people did, adapt it to my own personal situation, and
(42:32):
so now it's it's a matter of 30 seconds to two minutes maybe at most until i get the answer
yeah yeah it definitely saves a lot of time how about regular tools uh normally in when
when we're talking about bug bounties i don't even ask about automatic scanners because i don't
(42:53):
believe that that they are worth uh even if they can find something i it's probably a duplicate
but in context of of pentesting uh do you use any scanners
scanners no i don't use scanners nothing no so uh i mean the go-to i used to be the bug i used to
be the recon guy back in when i started looking into bug bounties but i'm actually doing maybe
(43:21):
for example specifically for bug bounties maybe i do 10 percent of my scanning is recon
and only with the purpose of increasing the attack surface this should be i just had this
thought a few days ago the whole purpose of recon and i have a recon course that it's free on
YouTube now uh the whole purpose of recon should be to increase the attack surface and not actually
(43:46):
to find bugs there might be people who actually keep finding bugs with recon but the majority of
them are not so the whole purpose of recon i think it should be to increase the attack surface
now when it comes to pentesting uh i mean the tool that i use the most is Burp Suite so
(44:10):
for example web stuff web apps that's Burp Suite that's uh
probably paid it's Burp Suite probably paid or my findings with Burp Suite probably paid
its investment it's Pro version multiple times over so it's probably is one of the
(44:32):
best investments ever so it's all Burp Suite yeah what are your favorite Burp extensions
Autorize what else PwnFox what's that it's a colorizer for sessions for example if you're
(44:53):
using Firefox with multiple containers each container has its own color in Burp history
and it's actually it's very useful when you're testing for different roles and permissions
so Autorize in combination with PwnFox and uh multi containers in Firefox
this is this is a very good combination i i tested other um
(45:18):
extensions but i usually spend my time in the Repeater and analyzing uh
the stuff with these three with this uh this environment of the three the three extensions or
the two extensions that that i told you about i looked into miner plugins for example JS Miner
(45:45):
that actually grab endpoints but but i rather actually spend my time um looking into the code
myself instead of having a parser go through the JS file because if i'm looking into the code
myself i can actually understand stuff i can actually maybe understand the logic behind a
(46:07):
function and it's that's something that no extension or tool is going to unless you plug the
entire uh the entire code into ChatGPT or some AI uh but i don't think it still can it can still
keep the entire context and give you good findings for example an AI tool that's that's
why i choose to do it manually going back to the extensions i think that there's also the GraphQL
(46:34):
um there's a GraphQL extension you can remember from the top maybe right there
it i think so which adds uh adds a tab to to all the requests where you can actually
better edit
uh better edit the GraphQL request for example
(47:01):
yeah these are this is the cream so to speak of uh extensions yeah yeah okay and you also told
me before that you do some mobile hacking mobile hacking or mobile pentesting what's your setup
for this yeah well the setup is a bit more complex so you have to have a
(47:27):
i do so in the in in the bug bounty program that i'm working on that i've been working on in 2023
they also have an app a mobile app and luckily i can test it on my own device
uh because it doesn't have um it's made for testing it it doesn't have SSL pinning
(47:49):
and i can test it on my non uh rooted phone okay but it usually involves having an emulator for
example i also have an iPhone for testing uh iPhone apps i've tested iPhone apps uh in the past
um so the testing usually involves an emulator for example like it used to be Genymotion but
(48:15):
i think it's very heavy in terms of and non-convenient for example right now it's Nox
so Nox it's um it's really good really easy to set up Nox you have to have installed adb
um to be able to bridge between uh your laptop there's of course there's Frida
(48:48):
so the setup is comprised of Nox Frida
your laptop of course and Burp Suite this is for dynamic testing
so when you're testing actually the communication
of the app with the API because it usually involves the communication with an API
(49:14):
of course there's also uh looking into the code itself decompiling the app for this
for example you can use APK Studio which is a GUI graphical user interface tool that you can
decompile the app try to get the sources and look into the code itself sometimes the the
(49:34):
app is obfuscated and it's not as straightforward but it usually works um so then you have that
component you also have to look into the device security itself so how is the um how is the
information or the data stored on the device itself where is it stored is it stored in plain
(50:00):
text you usually look into the data folder the name of the app you look into the shared preferences
inside the shared preferences there's also leak stuff there's also the cache folder in in the
app folder there is also the database folder the files folder that has to do with uh
(50:24):
uh if you look into MSTG mobile security testing guide it's gonna give you more insights on um
um on the device itself or the data that's on the device um the security of that of course there's
also quirks like if you are able so let's say a company wouldn't accept your submission because
(50:50):
they don't accept rooted devices
uh as part of the scope so they say that if you're able to extract solid information from the app or
from the user or from the phone without having the phone to be without having a rooted phone
then your submission is valid but there's also the situation when the where the manifest file
(51:14):
allows backups so if you're able to um if you're dealing with a non-rooted device
and you're able to backup the app move the backup onto another device
the backup usually is going to include the data folder which is only accessible by root
(51:36):
so when you're actually extracting the backup from a non-rooted device you're getting the
information that's only available to the root so if there's sensitive information in there
um that's a valid impactful finding and there are a lot of situations where the manifest
(52:01):
allows where you can see the manifest that allow backup is set to true and that's a security issue
okay for the context of bug bounty what how can bug hunters use mobile apps to to get bounties
is it mostly listening to the web traffic using the mobile app and maybe the app uses some APIs
(52:25):
that the web application doesn't use or is there also a lot of like mobile attack surface that
that is severe enough for a bounty finding okay so yeah there is um there is mobile attack surface
that's not readily available readily available to most testers because that attack surface often
(52:49):
involves coding your own uh exploit app for example to exploit intents to exploit components
of the Android system that would actually um compromise the application um ecosystem itself
so if you're able to actually trigger something in the app from another app due to
(53:18):
not well configured permissions due to bad intent uh that's something that's not readily
available readily available to most pen testers but or most bug bounty hunters for example
but yes of course listening to the traffic looking at the communication that's probably
(53:40):
in the context of bug bounties that's probably where a lot of the findings are going to be even
if it's a little bit um not easy to set up once you have set it up it actually it's quite convenient
to look into the communication of course stuff that's on the device itself or stuff that
(54:00):
most people can do with the click of a button like for example decompiling the app and looking
for strings that's probably not gonna um you won't have good findings in programs and solid programs
because most of them know that they shouldn't share their secret keys their API keys their
(54:21):
credentials inside the apps most of them have already been found most of that stuff has already
been found by pen testers usually companies with bug bounty programs with solid established bug
bounty programs um have harder to find static related vulnerabilities when it comes to mobile
(54:48):
apps so communication API the communication the traffic analyzing that is probably one of the best
ways to go okay okay and uh in the context of of regular web website hacking web hacking web
security uh how is your hacking style different when pentesting versus doing bug bounty
(55:13):
well in pentesting it's much easier because in pentesting you often have the exclusivity
um most often than not you have the exclusivity you have the first eyes first prying eyes first
security oriented glasses on on the infrastructure itself so um you often find permissions where
(55:39):
a normal user can do admin stuff
and this is a common find in the pentests but in in bug bounties you have to you often have to look
deeper especially if you're if you're hunting on programs um that a lot of hunters are all already
(56:05):
hunting on as well like for example public programs or
i think right now it's most mostly about uh private programs everybody everybody is invited
to private programs but still in private programs uh from my experience i know that companies
uh have already done their due diligence in their public programs because most of
(56:31):
not most but a large portion of private programs they also have a public program
the public program is often used as a funnel to get people into the um into the into the
private programs as well um so not only that but also the fact that those companies have also had
(56:54):
multiple rounds of pentests on their assets so it's not going to be as easy you have to have a
you have to have a little bit different approach often involving going deeper
going deeper into the functions going deeper into the uh features going deeper into permissions
(57:16):
that's where the bread and butter is and of course looking into the business logic i think business
logic is is um probably one of the best ways that you would go when you're competing with others
(57:37):
okay that's a that's a good tip i like to think about pentesting versus bug bounty as
short distance and long distance running like from the from the outside like both
pentesters and bug bounty hunters hack web applications both marathon runners and
sprinters run but in reality there are a lot of difference in in both of these activities
(58:03):
and probably a person with better endurance will be better off in in long distance running
a stronger taller person will be better for sprint and my question is what feature people
with what features will feel better doing pentesting and people with what features will be
better off in doing bug bounty hunting
(58:28):
i'm not sure if i understand completely so
you're actually asking what are the features that are actually most certain to get a to get you
into a vulnerability so okay i will give you an example when bug bounty you don't have a boss
so naturally people that are more more self-organized and can organize the type
(58:53):
themselves they will do better in bug bounty a person that needs a boss will do better in
pentesting that's that's one of the obvious things that so specifically for um specifically
for features or specifically for for what exactly um because of course let's say that
(59:19):
in pentest you have you also have as you said you can view this as a sprinter or a marathoner
for example you often act as a sprinter in pentesting because you have a timeline
and it's best if you can deliver something impactful in that timeline because even though
(59:44):
some customers might actually be um on it just for the paperwork just for their uh compliance
testing and they don't actually care about their findings there are a lot of companies that don't
care about this their their pentesting findings you have to deliver something if you want that
customer or that client to come back to you so it's it's it's a matter of time there now when
(01:00:09):
it comes to of course when it comes to bug bounties um you have the luxury of doing
doing it for how long you want but then there's also the component of losing motivation
which is often the case so uh
(01:00:30):
in the context of bug bounties you probably have to
think try to think a little bit differently than everybody else because as bad as it sounds
there's a tendency there's a group think not only in cyber security in pentesting in bug bounty
(01:00:54):
hunting but in most of the fields there's this concept of group think group think everybody
using the same tools the same tactics the same one-liners so in bug bounties you have to if you
go slightly differently chances are that
(01:01:15):
you're going to find something yeah yeah that's a good one i'm not sure if this answers your
question yeah okay we'll be we'll be uh we're closing into to the end of our interview so
but let's talk before we end about some non-technical stuff because i saw on Twitter
(01:01:36):
you have an amazingly impressive streak of 1100 days on Duolingo how on earth do you keep this up
for so long um well it's simple i mean it's on my to-do list for every day so that's that's one of
(01:01:58):
the things that's one of the streaks that i have to take care of every day and there are days when
i just do the streak do the the work that counts for the streak and there are other days when i
have more time and spend more time on the platform um it's i think it all boils down to consistency
(01:02:20):
consistency you can ensure consistency by having
checks for example in this case a simple checklist maintains the consistency
a very simple to-do list today i must do Duolingo Brilliant TryHackMe Web Security Academy
(01:02:44):
for whatever amount of time through time doing this for two or three weeks or one month
i can understand how long does it take me to actually do these in a in any given day and then
adapt accordingly whether or not i want to focus more on one than to another so it's just
(01:03:07):
simple checklist it's a matter of checklist to maintain consistency and of course as you see
results through time you're going to be more motivated to to maintain that consistency or
streak in this case and now it would be really painful to break this streak well sometimes the
(01:03:28):
the apps are actually make it easier for you to lose a day for example if i lose a day on Duolingo
i'm not actually gonna lose everything because they have streak freeze so you can lose your
streak for two or three or four and in my case right now for five days in a row and they're
(01:03:49):
actually going to maintain my streak due to my five-day streak freeze but there are situations
where that's not the case like for example when it comes to the Kindle with reading yeah if you
lose your your streak it's hard to actually get it back it's possible but it's hard i think that
(01:04:12):
TryHackMe also has a let's you lose your streak for one day or something okay okay this one i
didn't know do you always do these habits at a particular time of the day or do you group them
together or how does it look like uh yeah so if i look back in the recent past i i can see that
(01:04:36):
i i usually do them in the first part of the day so up until noon i actually do TryHackMe
then i also do upon waking i think i do Duolingo and Brilliant and the reading in the second part
(01:04:56):
of the day first off i'm doing the reading i have to read a couple of pages on Kindle just to get
streak and the streak uh is um is better if you if i read on Kindle at 9 a.m chances are that
they're not going to count that day for me because i think their timer is their base time is in San
(01:05:25):
Francisco or in LA where my 9 a.m is the previous day there so i have to make sure that i read later
in the day so that i have the streak that's interesting and this is actually i've seen this
through trials and errors for example through losing my streak okay what happens when you have
(01:05:47):
a really bad day like i don't know a hangover you're really tired you don't feel like doing
anything how do you keep those habits then um well first off luckily thank god i didn't have
a bad day in a long time i didn't have a hangover
(01:06:11):
i don't know how many years it's been okay i do drink alcohol like very infrequently
extremely infrequently have a glass or two of wine but when i have a bad day for example due to
other reasons it's not taking me long to do my work for the day in an hour i can do all the
(01:06:36):
necessaries that i have to do in the day and whatever else is after that it's optional so i
can just take in the bad day as it is or try to fight it and actually try to win over it because
(01:06:58):
it often happens that you have a bad day starting but with efficient struggle you can get over it
and win win the day by the end of the day this this can happen as well okay okay that's great
(01:07:18):
and my final question is what are you looking forward to achieve in 2024
2024 depends i mean i actually depends on what area of life because it's not all about
i try to pursue objectives in all areas of my life when it comes to career when it comes to
(01:07:46):
relationships when it comes to health when it comes to emotional well-being for example
so if we're strictly speaking about career wise expertise wise cyber security oriented
i want to at least achieve the performance of this year which has been
(01:08:11):
it's going to be hard to beat so it's going to be hard to what my personal performance this
year is going to be hard to beat so hopefully i can if i get to 70% of it
i'm going to say okay it was a good year but my goal is to go over it so i'm shooting for
(01:08:35):
going over my performance in terms of in terms of first off the quality and the number of pen tests
the number of clients that i have so my focus is going to be specifically on numbers here and
specifically on numbers here and numbers plus the quality and this also has to do with my level of
(01:09:00):
expertise and i'm actually going to try to get better into some areas that i see that i'm most
interested in such as authorization authentication broken access controls these are my favorites but
when when you're dealing with the pen test you have to include everything that has so you're
(01:09:20):
testing but through a methodology i cannot just deliver authorization issues to a pen test
because that that's against the methodology i'm testing against OWASP Top 10 usually if you're
dealing with mobile with uh with banking applications with fintech stuff you're also
using other methodologies but um where actually i don't want to diverge too much from the main
(01:09:48):
subject so i want to get better in terms of my expertise so that i can maybe get more clients
and do as many pen tests this is strictly speaking for pentest when it comes to bug bounty hunting
i think i i'm taking this i want to keep focusing on the same program
(01:10:14):
and actually try to become specialized in um
in the area that that company actually operates so okay i don't want to be
um i know what i don't want to be i don't want to be shooting for the leaderboards
(01:10:38):
i don't want to be in the top 10 i want to actually become very good at one thing
specifically in this case for that program and if i get interest in other programs but
but i i saw that if i focus on one program alone i can find vulnerabilities that their team of
(01:11:00):
dozens of security engineers didn't find in the years their assets are on so that that's a very
strong point for me that that's a very strong motivator for me if i can find stuff that their
teams of security engineers didn't find i'm all in for that yeah yeah that's a good one that's a
(01:11:22):
very good one and also if you're aiming for 70% of what you achieved this year it means you had a
really really good year so congratulations on that and thank you so much for for joining me in
today's chat uh if viewers are interested in following you for more stuff where do they go
on Twitter you are on Twitter CristiVlad25 CristiVlad25 okay that's perfect we will also
(01:11:50):
link this down in the description and once again thank you so much for joining me today thank you
brian thank you for listening to this episode if you're hungry for more i recommend you this one
with shops about source code review which is helpful both for pentesting and for bug bounty