Industry

"Why test what we know is bad?"

Posted on 2023-08-01 by Nathan Jarvie in Industry


“Why bother getting a penetration test when we already know they will compromise us?”

“We already know our security sucks, we don’t need someone to tell us that.”

We occasionally hear this sentiment from our clients. Penetration testing is much, much more than just “getting pwned” by your friendly neighbourhood hacker-man. This article goes through the benefits of getting a network penetration test done even when you already know there are problems.


How many vulnerabilities does it take to hack a system?

Posted on 2023-05-23 by Matt Strahan in Industry


If you see penetration testing reports for two different systems, one with 10 vulnerabilities and one with 20, which system has worse security?

Unfortunately in this case, the answer is “I don’t know”. How many vulnerabilities does it take to hack a system? One is usually enough.


Penetration test, red team, vulnerability assessment... what???

Posted on 2023-04-20 by Alexei Doudkine in Industry


You’re probably here because, like many others, you’ve gone out looking for offensive cyber-security services only to be given a bunch of buzzwords that don’t really describe what they are or what they mean for you. Fear not; in this post I hope to demystify the most common ones in simple terms and explain the benefits and shortcomings of each. I’ll also give a few examples of when each one would be useful.


Questions for a certification addict

Posted on 2023-03-01 by Nathan Jarvie in Industry


Recently I have encountered a few people in various channels asking how to approach certifications. Common questions include:

  • How/Why do you study?
  • Should I do this exam?
  • How long will it take me to study for X exam?
  • How many attempts did it take you to pass?
  • I hear this exam is difficult. How difficult is it?

And other questions that are near impossible to answer in a universally accurate way. I want to address these questions, because the answers are often less helpful than people think.


From SysAdmin to Pentester - Part 3 - How to stand out in a crowd of paper

Posted on 2022-10-17 by Nathan Jarvie in Industry


Part 3 of the Sysadmin-to-Pentester series is all about how to make your CV stand out from the crowd. Junior roles are rare and attract many, many applications. Additionally, hacking skills don’t translate well to text. So how do we show, on paper, that we have more skill and drive to be a penetration tester than the other candidates? Well…


From SysAdmin to Pentester - Part 2 - Great expectations

Posted on 2022-10-10 by Nathan Jarvie in Industry


Part 2 of the Sysadmin-to-Pentester series discusses the differences between the idea and the reality of being a penetration tester. The certifications and the industry paint a picture a little different from the reality. A better understanding of, and more preparation for, the role’s requirements will help you decide if this is the role for you and how to ace the interviews.


From SysAdmin to Pentester - Part 1 - The hard way

Posted on 2022-10-05 by Nathan Jarvie in Industry


This is the first part of a five-part series in which I walk through the decision-making process and the steps involved in transitioning from a system administrator to a penetration tester: the certifications I took, and the issues and obstacles I faced along the way.

This is my story, and I hope it shows people who are considering a mid-life career change that it is possible, and inspires them to take the leap.


The Volkis independence policy

Posted on 2021-02-16 by Matt Strahan in Industry


When setting up Volkis, we wanted to build a team the way we believe one should be built: with quality, skill, effectiveness, ethics, and transparency. We didn’t only look at the security industry for inspiration, though. Instead of just looking inward, we looked around at other industries as well. Cyber security is barely a child, having only really been around for a few decades. Other industries have centuries, if not millennia, on us.

We looked over at finance and found that what their auditors do is in essence similar to what we do, but their processes and standards have a maturity that we don’t have. After all, cyber security isn’t known for being mature in processes, standards, personality…

Let’s take a look at one standard in the finance industry but practically unheard of in cyber security: the independence policy.


Three crazy ideas for reforming the penetration testing industry

Posted on 2020-10-02 by Matt Strahan in Industry


In two previous posts I looked at how it’s almost impossible to validate penetration testing results, and at where an Evilfirm penetration testing firm might cut costs and where it might invest.

As much as we like to think we’re unique, other industries have exactly the same issues we do: you can’t really verify the results, because what you’re paying for is the skills of the other party. Some handle it badly (I still don’t quite trust my mechanic), but others have made great strides in solving this problem.

Could we potentially use some of the ideas from other industries to do things better?


Telling whether a pentesting firm is good (and how they might get around it)

Posted on 2020-09-30 by Matt Strahan in Industry


I’ve talked about how it’s almost impossible to validate penetration testing results. Are we done then? Doomed to be left in the dark by ineffective testing?

There are other ways you could figure out whether a penetration tester is good. We’ve already talked about things to look for when choosing a penetration testing company. I’d like to be a bit darker in this blog post and put my Evilfirm hat back on. Let’s say you’re a penetration testing firm. How could you present as a good penetration testing company but still deliver shoddy work for cheap?
