Of course Amazon still compels a human review.
By contrast, Google App Engine and Microsoft Azure are fine with you doing it on your own provided you're not a moron.
(I deal with AWS, Azure, and GAE across multiple companies. heh)
I once talked to a firm doing pen testing and the figures they paid were the same as any other firm would pay a midlevel developer working in a regular software dept in a corporation in that city.
Assuming pen testing requires a skill level a notch or two above the 'average' developer, I would have normally assumed that ideally they would be paid significantly better.
What is probably scary is just how many commercial sites can be compromised by those standard well-known techniques.
... and the thought that there's an army of underpaid, underappreciated folks who spend all day every day honing the craft to perfection.
People are incredibly oblivious to how easy they are to break and how tempting a target they are.
If you're in a major tech hub in the US, $75k for a junior, $150k for a senior, and upwards from there for someone with decent experience. $300k isn't crazy for someone really good. Those are technical roles outside of management.
But those figures are skewed toward better orgs; some companies will take a fresh grad, throw them at some junk automated tools, and call them a pentester. This area of the industry is booming with the increase of compliance mandated testing.
Can someone explain how the enumeration of subdomains on a hostname works?
I know that zone transfers are one way, but I looked up one of my domains and it includes a private subdomain I've never published anywhere.
I checked and my DNS provider does not allow zone transfers (as far as I can tell) so I'm curious how this information is obtainable.
And I mean through ordinary means, let's ignore the "your account/ISP/Registrar may be compromised" scenarios. Are there everyday scanning tools that allow for this?
So probably CT logs.
Also, if you've ever sent a cold-cache query to a recursive resolver that didn't employ QNAME minimization (few do), it was likely harvested by pDNS replication at the TLD nameserver level and shared with a number of commercial and research parties' databases to which DNSDumpster may subscribe.
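As an added example (not code from any of the commenters above), this is what the Certificate Transparency route to subdomain enumeration looks like in practice. The sample records are constructed here to mirror the shape of a crt.sh JSON response (assumption: a list of objects whose "name_value" field holds one or more DNS names separated by newlines); the `find_unpublished` helper is a hypothetical addition for comparing what CT knows against your own inventory.

```python
import json
import re

# Constructed sample mimicking a crt.sh JSON reply (records are made up).
# A real query would be fetched from https://crt.sh/?q=%25.example.com&output=json
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "example.com",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com"},
    {"id": 3, "common_name": "Vpn.Example.com",
     "name_value": "Vpn.Example.com\nmail.example.com"},
    {"id": 4, "common_name": "staging-internal.example.com",
     "name_value": "staging-internal.example.com"},
    # Look-alike names that must NOT be treated as part of our zone.
    {"id": 5, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test\nnotexample.com"},
])

# Loose hostname check: labels of letters, digits and hyphens, total <= 253 chars.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)*$")


def _in_zone(name, apex):
    """True only for the apex itself or names strictly below it."""
    return name == apex or name.endswith("." + apex)


def extract_subdomains(ct_json, apex):
    """Parse a crt.sh-style JSON document and return (names, wildcards).

    names     - sorted, de-duplicated, lower-cased hostnames under `apex`
    wildcards - sorted wildcard SANs seen (e.g. '*.example.com'); these are
                reported separately because a wildcard cert hides the real
                hostnames behind it, so CT alone is never exhaustive.
    """
    apex = apex.lower().rstrip(".")
    names = set()
    wildcards = set()
    for record in json.loads(ct_json):
        # name_value may carry several SANs separated by newlines.
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                wildcards.add(name)
                name = name[2:]           # keep the parent the wildcard covers
            # Reject garbage and suffix look-alikes (example.com.evil.test).
            if not HOSTNAME_RE.match(name) or not _in_zone(name, apex):
                continue
            names.add(name)
    return sorted(names), sorted(wildcards)


def find_unpublished(found, inventory):
    """Hypothetical check: names CT knows about that are absent from your own
    list of intentionally published hosts."""
    known = {n.lower().rstrip(".") for n in inventory}
    return sorted(n for n in found if n not in known)


if __name__ == "__main__":
    names, wild = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("hosts:", names)
    print("wildcards:", wild)
    print("unpublished:", find_unpublished(
        names, ["example.com", "www.example.com", "mail.example.com"]))
```

Two caveats a practitioner should keep in mind: a CT entry only proves a certificate was issued for that name, not that the host currently resolves or is reachable, so resolve the list afterwards before treating it as an attack surface; and the absence of a name from CT proves nothing, since wildcard certificates, internal CAs and plain-HTTP hosts leave no trace there.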
Thank you for the insights!
I'd love to see web devs use something like the procedures outlined as a final check before going for sign-off. When testing your own stuff, do the heavy scanning stuff "internally". You can always deploy a throwaway Kali Linux box on the same VLAN if it's justified.
Now as to your question: remember that the site itself may not be the actual target. For me, an awful lot of pen testing involves perusing Facebook, Twitter and the like and, obviously, perusing the site itself as a user. Customer testimonies, web dev links and their site's customer testimonies and proud stories are useful. I always spider for docs and look at metadata in them. Companies House and similar registries (in the UK; other countries may have similar) are handy to help join the dots. A little imagination and publicly available information can inform a decent social scam.
My top advice here is to pretend to be a baddie and look at your stuff from the outside. Once you discover just how exposed everyone is, evaluate it and then start the staff/partner/whatever training. If applicable, your telephone reception should have a human firewall on it - mine does. I'm an MD of a small company and I defy anyone to get past them. They take great pride in making sure calls to me from, ahem, "friends"/"colleagues"/etc. do not get through but instead get a request to send an email to sales@<firm>.co.uk, and yet I still get the calls I want. When they are uncertain they check with me first. Make it a challenge and part of the culture and deploy honest praise for a good job done. Gatewaying all of your calls via your experts rather than a DDI to all staff is a good idea.
Notice how most of the stuff I've gone into depth about doesn't really involve anything fancy technologically. If I were a real general-purpose baddie, I wouldn't be fussed about your user accounts and passwords or even your company secrets. I'd be wanting to make your accounts department send me a few thousand quid to some random account. However, the industry or purpose of your ... system ... will inform your approach to pen testing and securing. I have had to pen test a few schools and I took a rather different approach than I would for a firm of accountants.
There's no right or wrong answer and remember that a web site is not in isolation. People use them.
And it's important to remember that these are the basics. I was able to perform a privilege escalation on a site (that I was supposed to be pen testing, nothing nefarious) by using a password of something like ' admin="true" password="'. This isn't something that an automated scanner will ever uncover; this list, which is awesome, is a good starting point, but not the ending point.
A few thousand? What's the rationale behind that number?
Minima's the theme you get when you run "jekyll new".
This is just a theme that Jekyll uses. I'm not quite sure it even has a name.
For DIY, start with Kali Linux - you get the whole suite of tools, but be prepared to do some learning; it is non-trivial, especially if you are unfamiliar with Unix. You do get a mostly working OpenVAS with the Greenbone web frontend nearly out of the box, but it needs a bit of config; https://www.kali.org/penetration-testing/openvas-vulnerabili... is a bit out of date. Even once you get it working, you have to be prepared to evaluate the output.
Also bear in mind that security means different things to different people and different systems. There is not, and never can be, a magic security bullet.
People running these tools are so common that "automated reports" are routinely excluded from public bug bounty programs. The ratio of false findings to true findings is very high.
Had to deal with one of these canned reports a while back to satisfy some enterprise contract. Had a dozen or so JS "vulns" that were only applicable to a Node environment that were being reported for client-side use. We were not a Node shop. I couldn't believe we'd paid money for that garbage report.
You can definitely automate many parts of testing, especially enumeration steps, but any security professional knows that a tool is no substitute for a knowledgeable hacker.