Posted on 2020-03-24 by Volkis in Volkis News
Since the start we’ve had a remote-first philosophy, and even in these troubled times we’re up and running providing penetration testing, security consulting, and strategy work. There are obviously a few things we can’t do for now, such as internal penetration testing, physical intrusion, and onsite debriefs, but most of our services, including external and web app penetration testing, red team, security strategy, and compliance, are still running.
Given internal penetration testing is out, we do have gaps in our schedule now, so if you have urgent penetration testing work please let us know.
In this post we thought we might give some updates on what we’ve been up to and some of our future plans.
We’re trying to help people through this new journey of remote work for organisations. Last week we talked about quick wins to enable remote work and why remote working isn’t the security nightmare you think it is.
As a remote-first organisation, we’ve already fully gone down the path of remote working with all our services hosted online in a secure manner. This means we also know how hard it is and some of the challenges you may face moving to a remote workflow.
We’re happy to answer any questions you might have about remote working, just get in touch with us and we’ll help you through. We’re also still doing price reductions for work that relates to facilitating remote working. No matter if you’re a small business or an enterprise, we’ve got you covered!
The Volkis Handbook
This week, we released our Handbook. You can find it here: https://handbook.volkis.com.au. The handbook is aimed at our customers, friends, employees, infosec colleagues and really anyone interested in the inner workings of Volkis.
It’s a bit empty for now, but we plan to add a lot more content to the handbook in the coming weeks such as service methodologies, sample reports, welcome packs, information on infrastructure, company culture and philosophies and much, much more!
One of those philosophies is to be open and honest about who we are and what we do. Our hope is that, with sharing this information publicly, readers will get to know us better. We endeavour to publish anything that is not confidential. It goes without saying that the privacy of our employees and customers is paramount, so we publish with that in mind.
“But won’t competitors just copy you?” We hear you asking. We certainly hope so! If they do, it means we’re doing something right and their customers are better off for it. It also means we need to push the envelope and develop even better things. Nothing wrong with a bit of friendly competition! 😉
Report Ranger
We’re building a new tool called Report Ranger. The tool aims to be a simple way of converting markdown into reports without all the other crud that gets in the way.
The workflow is simple. You have a “bucket” for vulnerabilities and different buckets for things like testing methodologies. Each consultant dumps markdown files into the right bucket. For example, the vulnerabilities bucket will have one markdown file per vuln. The tool grabs all the markdown, sorts it, and puts it into the right format for a report. Things like vulnerability lists are generated for you, and there are a bunch of helper functions to make your life easier. No more wrangling of Word documents!
The tool also allows full templating of the markdown with Jinja2. You can put variables (like “client”) in the header of a markdown file and the tool will render the file using those variables. This means you can keep a database of standard vulnerability write-ups, copy one in, update its header with the vulnerable system, and you’re done.
In the backend it uses LaTeX to build PDFs and you can also target HTML if you’d like to host the report online.
What does this mean for workflow? It means that projects are completely asynchronous. All participants can simply write their own parts and add them as they go. It encourages better notes and screenshots during the project as well. The “process report” trigger can be called automatically as part of a CI/CD pipeline or manually. Customers requesting a draft report early can get one easily by processing the report “as-is” before it’s fully finished.
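To make the bucket-and-header workflow concrete, here is a small, added example of the pipeline described above. It is not Report Ranger’s code and the field names (`title`, `severity`, `host`) are assumptions for illustration. The real tool uses Jinja2; to keep this runnable offline with no dependencies, a minimal regex renderer handles `{{ variable }}` substitution in its place, and the three vulnerability “files” are constructed inline rather than read from disk.

```python
"""Assemble a findings section from per-vulnerability markdown files.

Added example (not Report Ranger's code). Each "file" in the bucket has a
YAML-style header between '---' lines, followed by a markdown body that may
reference header or project variables as {{ name }}.
"""
import re
from dataclasses import dataclass

# Constructed sample bucket: one markdown file per vulnerability, deliberately
# not in severity order so the sort is visible. Field names are assumptions.
VULN_BUCKET = {
    "weak-tls.md": """---
title: Weak TLS configuration
severity: Low
host: mail.example.com
---
The mail gateway at {{ host }} still offers TLS 1.0 to {{ client }} users.
""",
    "sqli.md": """---
title: SQL injection in login form
severity: Critical
host: app.example.com
---
The login form on {{ host }} concatenates the username into a query.
This gives an unauthenticated attacker read access to {{ client }} data.
""",
    "verbose-errors.md": """---
title: Verbose error pages
severity: Medium
host: app.example.com
---
Stack traces on {{ host }} disclose framework versions.
""",
}

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}
HEADER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)
VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


@dataclass
class Vuln:
    title: str
    severity: str
    host: str
    body: str


def parse_vuln_file(text: str):
    """Split a markdown file into its header dict and body text."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("file has no '---' header block")
    header = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")
        header[key.strip()] = value.strip()
    return header, m.group(2)


def render(body: str, variables: dict) -> str:
    """Substitute {{ name }} with plain string values (single pass, so a value
    containing braces is never re-evaluated). Undefined names fail loudly,
    like Jinja2's StrictUndefined, so a draft never ships with a blank client."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined template variable {name!r}")
        return variables[name]
    return VAR_RE.sub(sub, body)


def load_bucket(bucket: dict, project_vars: dict) -> list:
    """Parse, render and sort every file in the vulnerabilities bucket.
    Header fields override project-level variables of the same name."""
    vulns = []
    for name, text in bucket.items():
        header, body = parse_vuln_file(text)
        sev = header.get("severity")
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"{name}: unknown severity {sev!r}")
        variables = {**project_vars, **header}
        vulns.append(Vuln(header["title"], sev, header.get("host", ""), render(body, variables)))
    vulns.sort(key=lambda v: (SEVERITY_ORDER[v.severity], v.title.lower()))
    return vulns


def build_report(bucket: dict, project_vars: dict) -> str:
    """Produce the summary table and findings as one markdown document.
    Works on whatever is in the bucket, so an 'as-is' draft is the same call."""
    vulns = load_bucket(bucket, project_vars)
    lines = [f"# Penetration Test Report: {project_vars['client']}", "",
             "## Vulnerability summary", "", "| # | Severity | Title | Host |", "|---|---|---|---|"]
    for i, v in enumerate(vulns, 1):
        lines.append(f"| {i} | {v.severity} | {v.title} | {v.host} |")
    lines += ["", "## Findings"]
    for i, v in enumerate(vulns, 1):
        lines += ["", f"### {i}. {v.title} ({v.severity})", "", v.body.strip()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_report(VULN_BUCKET, {"client": "Example Pty Ltd"}))
```

Two design choices matter in practice: an undefined variable is an error rather than an empty string, so a missing `client` is caught in CI instead of in the delivered PDF; and only the consultant-authored markdown is treated as a template, while substituted values such as hostnames are inserted as plain data and never evaluated again.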
We’re already starting to use it in production and, after a few goes at it to iron out the inevitable bugs, we will look to release it publicly.
Presentation day
This coming Saturday we’ll be having a presentation day. This is something Alexei and Matt have been doing for almost a decade now, both at Volkis and at previous organisations, where everyone comes together for what is in effect a mini con.
There’s only one rule: to join in you have to bring something to the table and present on something security related. This means that someone fresh out of uni, just starting their first job, has to teach people who have been doing security for decades, which they can do because security is a huge area and everyone has more to learn. We’ve also had people present on operations and finance and how they interact with security. The only limit is your own imagination!
The last presentation day included a talk on building a secure AWS environment, a rant about the Australian security industry, and what you could do to stuff up a company if you got access to a director’s email.
Usually we would get into a room with a few drinks for a full day, but it looks like we’ll have to do this Saturday’s one online. That doesn’t stop us from having a few drinks though!