Pentesting vs. Bug Bounty vs. Pentesting ???

What is the difference between Pentesting and Pentesting? There are different jobs that can be described as "pentesting" and I want to talk a bit about it. This should also help you to better organize your own learning, as you better understand your goal.
Blog: liveoverflow.com/pentesting-v...
00:00 - Intro
00:32 - Pentesting: What most people think
01:19 - Pentesting: What I actually do
01:53 - Pentesting vs. "Pentesting"
03:49 - Better name: Application Security
04:14 - CTFs are Useless/Awesome!
05:21 - Opposite Side of Pentesting and AppSec
06:27 - I prefer being a Developer than Pentester
06:51 - Bug Bounty vs Pentesting
08:36 - Outro

Comments: 227

  • @katzenschildkroete
    @katzenschildkroete 3 years ago

    The only time I pen test is before an exam to make sure I have enough ink left

  • @Karan-ow4wl
    @Karan-ow4wl 1 year ago

    Rofl

  • @MrVampify
    @MrVampify 3 years ago

    As a corp pentester, this actually gave me some really great insight to think about appsec and pentesting as separate areas of security. I've recently started teaching myself API which is really fun and trying to subvert obfuscation. I would say I'm mostly a pentester but occasionally dive into appsec for specific webapps and such.

  • @m1cx657
    @m1cx657 3 years ago

    Bro I'm curious, what do you do every day as a pentester in a corp?

  • @codr6934
    @codr6934 3 years ago

    the fucc?

  • @matthewlandry1352
    @matthewlandry1352 3 years ago

    This is simply one brilliant channel. He has definitely got his mojo back. I also love his hilarious takes (like when the van pulls up to the building and the red skull lands on the door… like Ghostbusters or something).

  • @yourfellowhumanbeing2323
    @yourfellowhumanbeing2323 3 years ago

    True mate!!

  • @_CryptoCat
    @_CryptoCat 3 years ago

    i love the drawing/animations in this (0:49 + 1:32), really cool! great breakdown of the different security roles and how they interchange.

  • @123Shadowxx
    @123Shadowxx 3 years ago

    This video actually helped me a lot. Thanks a lot for clarifying these two "sides" of IT security. I have always been in love with the "pentesting" part, not much with the "appsec", but I think it's better to know and understand both sides :).

  • @Fahodinho
    @Fahodinho 3 years ago

    it's worth noting that these are not the ONLY sides of IT security. there are many other areas like webapp, netsec, analysis, etc.

  • @Gary-tp9dk
    @Gary-tp9dk 3 years ago

    Thank you very much for helping me clear some of the fog from my mind as I'm heading into the "appsec" world.

  • @Andreea93chan
    @Andreea93chan 3 years ago

    The problem nowadays is that every company wants a Jack of all trades when hiring a pentester. I have already 7 years of experience in the field, however I constantly have the feeling that I am not good enough, even though I am constantly learning and gaining certifications. I've reached burnout. Officially. And I am only 28 years old.

  • @kharbandaumang
    @kharbandaumang 3 years ago

    I can understand... I am a SOC analyst and the kind of expectations my company has... 😭😭😭

  • @bagdats6971
    @bagdats6971 3 years ago

    Damn, I feel the same

  • @ko-Daegu
    @ko-Daegu 3 years ago

    Cuz there's no universal framework like doctors have. When I employ a nurse I know exactly what she/he can/should and can't/shouldn't do. Not the same for pen testers.

  • @PootytangFL
    @PootytangFL 3 years ago

    This is actually a pretty interesting topic for job searching. In my job (in the US) the "networking" red teamy stuff is called pentesting while the appsec stuff is called different things within different regions in the US. In my area what you called "appsec" is called VR (Vulnerability Research). While in other areas (Midwest) it's known as security research. Fun note: one of my first job interviews was for a "VR" position, I thought we were going to be reverse engineering virtual reality equipment.

  • @GarrML
    @GarrML 3 years ago

    Love it! Great breakdown here. I’m right there with you, “Appsec Pentester” is how I’ve referred to the application-focused side of “pentesting.”

  • @Daniooo
    @Daniooo 3 years ago

    Really interesting comparison between the two, also helps see what we should be focusing on :D Another summary could be that pentesting is mostly using known vulns and pwning the company while "pentesting" is finding those vulns and also creating new ones on a much deeper level

  • @KarahannAe
    @KarahannAe 2 years ago

    Thank you for this video, I am a full stack developer and I just started learning about cyber security. I have been following a beginner's course but it was mostly about pentesting, focusing on topics like Active Directory security. I had started to feel unmotivated because I'm not that interested in that area. Watching your video helped me realise that I should start to look more into resources about appsec. Liked and subbed.

  • @BugBountyReportsExplained
    @BugBountyReportsExplained 3 years ago

    Fully agree with that. In Poland, when we say pentesting, we mean the appsec side of things. The "other pentesting" jobs are rare I think and are usually called red-team member.

  • @werren894
    @werren894 3 years ago

    first

  • @niewazneniewazne1890
    @niewazneniewazne1890 3 years ago

    Red team member?

  • @ozz961
    @ozz961 3 years ago

    Or red team ops

  • @ThingEngineer
    @ThingEngineer 3 years ago

    Amazing video that was long overdue. It seems a lot of people wanting to enter any of these professions often bounce around a bit confused and maybe even focus in the wrong area due to the exact confusions you cleared up here. Well done!

  • @reflectedcrosssite2848
    @reflectedcrosssite2848 3 years ago

    Just got my first security job and we actually do both kinds of pentesting!

  • @fabiofreitas7760
    @fabiofreitas7760 3 years ago

    Great video - really relatable to me as an appsec tester in Europe. Also, I'd like to add that this distinction is the main reason I don't think OSCP is much valuable to anyone looking to get into the AppSec side of things. You're much better off investing your time and money into eWAPTXv2 or OSWE.

  • @arivanhouten6343
    @arivanhouten6343 3 years ago

    Finally another masterpiece!

  • @cristymanjarrez5841
    @cristymanjarrez5841 2 years ago

    This video really helped me clarify the path I want to take, thank you!

  • @dannynishen5773
    @dannynishen5773 3 years ago

    This was really helpful for me in figuring out where I am going in this field. Cybersecurity is an industry in its toddler stages and we are still trying to understand its depths. I gravitate more towards AppSec as well, I am into details and protecting user data. But I also like pentesting because it comes with really fun tools I can use.

  • @MrMcPeon
    @MrMcPeon 3 years ago

    Working as a SOC analyst. Great vid explaining the industry and different sec areas! 👏

  • @eliasf.fyksen5838
    @eliasf.fyksen5838 3 years ago

    Great channel man, your videos keep me motivated

  • @nilgam6536
    @nilgam6536 3 years ago

    Thank you very much for this video, and explanation of these differences!

  • 3 years ago

    Very good video, thanks for that! I also like the length of the video cause I almost never have the time to watch the long ones

  • @hamdyahmed5742
    @hamdyahmed5742 3 years ago

    Almost 1 year ago I could not understand your videos but now after spending 1 year in bug bounty finally I understand 🙂 Thanks for sharing these amazing videos

  • @UnknownSend3r
    @UnknownSend3r 2 years ago

    What resources did you use bro? And have you caught any bugs?

  • @pinkeyism
    @pinkeyism 2 years ago

    Wow, what was your path/learning tools to learn from scratch?

  • @lukor-tech
    @lukor-tech 3 years ago

    I like it how you placed the texts where your hands were at the time. It's not 100% but sure works well in terms of visual coherence for me.

  • @Indic4Zone
    @Indic4Zone 3 years ago

    great video! this explains a lot, thank you for making such a video 👍

  • @rsinistic
    @rsinistic 3 years ago

    Another excellent video. Keep up the good work 👍

  • @koredump7800
    @koredump7800 3 years ago

    Even focusing on security since starting college, it wasn't until reaching industry that I realized red teaming/pentesting wasn't the thing I had been going for all along, but rather it was security/vulnerability research.

  • @UnknownSend3r
    @UnknownSend3r 2 years ago

    Why, what made you pick that rather than pentesting? And are you doing vulnerability research now?

  • @hazzxd
    @hazzxd 2 years ago

    :D hilarious intro edit: and another brilliant video

  • @EnderKill98
    @EnderKill98 3 years ago

    Great video! Never thought about this!

  • @nivkochan8596
    @nivkochan8596 1 year ago

    You just helped me to decide what to do with my life, thank you so much for this video..

  • @Fvneral_moon
    @Fvneral_moon 3 years ago

    I can't believe after all these years, he is still making "pentester" jokes while spinning his pen mod 😂

  • @knuubLP
    @knuubLP 3 years ago

    Thank you so much for this video! I am currently in the last semesters of my IT security master's degree. I struggle to find what I want to do exactly after university and I am doubting if my current job is the right one for me. I am mainly working a developer's job, but at a security focussed company. Your video encourages me to continue on this job for now, but still focus on the security side. Until now I was always afraid, by mostly developing, to miss out on the cool security stuff I might do in other jobs, but maybe this just isn't such a big problem as I might think.

  • @monsieuralexandergulbu3678
    @monsieuralexandergulbu3678 3 years ago

    Love all of your videos!

  • @daviddelille1443
    @daviddelille1443 3 years ago

    I use the term "pentesting" to refer to engagements of limited scope. This includes internal and wireless network pentests. When the scope is not well-defined/limited, I would call that "red teaming". I do agree that "appsec" is a good term if you're only talking about reviewing (web) applications that run on a server/workstation.

  • @Rea892
    @Rea892 3 years ago

    Amazing video, I'm an AppSec :) Thanks man for making some clarification on it.

  • @jainishpandya4246
    @jainishpandya4246 1 year ago

    Great man. Cleared all the clouds. Thanks

  • @trieulieuf9
    @trieulieuf9 3 years ago

    Very informative. While learning bug bounty, I always don't feel like doing recon and running tools on various subdomains and prefer the main web application. Now I know they are 2 types of security testing.

  • @m4rt_
    @m4rt_ 11 months ago

    Penetration Testing or pentesting for short in my opinion can be any kind of security audit. This could for example be simulating what an attacker would do, and going through and testing the code/configs. Also, I've seen some kinds of pentesting where people try to physically break in by tricking lock mechanisms, picking locks, unhinging doors, sniffing RFID badges, tricking guards, etc. (A good video showing this is "Through the Eyes of a Thief" by DeviantOllam) Even this variation of pentesting has variations. For example, you could be simulating an attacker, you could be going through and looking at all they have with them, and explaining what is bad/good, etc.

  • @mohdamrirazlan7879
    @mohdamrirazlan7879 3 years ago

    When it comes to this "pentesting" it should always come with the RoE (Rules of Engagement) & SoW (Scope of Work)

  • @L1nkk9E
    @L1nkk9E 3 years ago

    I'm a network security engineer and implement security functions of OSI layer 2 and 3, so blue team. Our customers sometimes have network "pentesters" on site which then say "hey, I could do this and that", which is awesome, because our team always says how much more we need to implement, but it is never important enough. For some reason external pentesters have a bigger impact than we, as external blue team. But in the end we all want the customer's network to be safer, so it's fine with me ^^

  • @lanjelot
    @lanjelot 3 years ago

    There's blackbox {internal,external} network pentesting (netpen), there's blackbox application pentesting (appsec). There's whitebox pentesting (network or application) where the pentester has access to everything they wish (source code, config files, etc). It all depends on the rules of engagement. Pentesting just means security testing

  • @zeynarz7614
    @zeynarz7614 3 years ago

    when he was spinning his pen I got flashbacks to the day in the life of a pentester video

  • @mod_cyber1015
    @mod_cyber1015 3 years ago

    appreciate your knowledge! Man

  • @akashhansda4306
    @akashhansda4306 3 years ago

    awesome. Very well explained. Thanks. :)

  • @000t9
    @000t9 3 years ago

    So helpful video, thank you :)

  • @m4rt_
    @m4rt_ 11 months ago

    I work as a developer, and it is one of, if not my favorite hobby, so I think I am already on the appsec side of it all. Learning how all the scanners and tools work may be useful, but it's not a ton of fun compared to my understanding of the appsec side. Also, atm I learn about all this security stuff because it is fun, but also because I want to understand how to make my code more secure.

  • @fabiodan30
    @fabiodan30 3 years ago

    Developer here. Some of your videos teach me new things about hardening my applications

  • @mhendrickx
    @mhendrickx 3 years ago

    Good topic. In my place of work we call the corporation part rather red teaming, due to the "pivoting" nature. But yeah, generally we have pentest teams that are really appsec teams. Good video!

  • @effsixteenblock50
    @effsixteenblock50 1 year ago

    One point that I think should be touched on is that in bug bounty, you're not required / obligated to report on the security posture of all assets in scope. You can pick and choose what you want to attack / audit. In bug bounty, you're looking for a payout, which greatly skews how the engagement goes vs a proper pentest.

  • @davidhcefx
    @davidhcefx 3 years ago

    @LiveOverflow I think you should simply flip the video vertically, because you are pointing to your left side Pentesting but it appears on our right side LOL (like in 7:20)

  • @m.waheedanwar7105
    @m.waheedanwar7105 3 years ago

    Yes, I also think there is confusion in the industry regarding this. I also think there is a great intersection between the two, so it is very difficult to separate both.

  • @muhammadadel9537
    @muhammadadel9537 3 years ago

    Best Explanation Ever!

  • @AlienAndrew51
    @AlienAndrew51 3 years ago

    I started out wanting to do corporate pentesting and got a Sec+, CySA+, and advanced digital forensics cert. Then became a developer since I found it more challenging and can do more to secure my organization. Also, there are a lot more jobs in software development.

  • @giovannibocciato
    @giovannibocciato 3 years ago

    yeah, u doing best trick with pens

  • @luisemilioogando
    @luisemilioogando 2 years ago

    Great. Do you have a course for appsec or any sources? I'm really interested

  • @ProCipher
    @ProCipher 2 years ago

    Could u make a video about: "How to land your first job as an 'Appsec'"

  • @outstanding1403
    @outstanding1403 3 years ago

    And that describes the difference between IT studies and IT security studies. I think if you want to go for pentesting the IT security one is the better one. If you want to go for appsec normal IT studies might be better.

  • @pi8tol
    @pi8tol 3 years ago

    legend come with legend video❤💫🔥

  • @blankeyezero
    @blankeyezero 3 years ago

    I really love the theme music

  • @m10653
    @m10653 3 years ago

    I'd say I'm a pentester but I only work with a single corporation and my day to day job looks more like how you describe bug bounties, as we test different parts of the corporation defined in our scope. So we are able to get into the weeds on a single application because our scope is limited to only part of the corp. And we get more visibility like what you get in app sec.

  • @abhineetsagar
    @abhineetsagar 3 years ago

    Love you man

  • @Minecodes
    @Minecodes 3 years ago

    I'm from Germany just like you and I do appsec (on my apps, the apps of my friends, the apps of my father, etc.) and I do red team (on the systems of my father), I do CTF too and I like it most 😉

  • @Konami9999
    @Konami9999 3 years ago

    what does your father do for a living?

  • @Minecodes
    @Minecodes 3 years ago

    @@Konami9999 he is a developer and also has a private website with a self-written web server (everything programmed in C++, and I test it)

  • @UnknownSend3r
    @UnknownSend3r 2 years ago

    How old are you?

  • @Minecodes
    @Minecodes 2 years ago

    @@UnknownSend3r 14 👉👈

  • @UnknownSend3r
    @UnknownSend3r 2 years ago

    @@Minecodes I had a feeling. Keep it up, you're going places.

  • @markgentry8675
    @markgentry8675 3 years ago

    I've always made the distinction Network Pentester vs Web App Pentester or Appsec Pentester. To me Red Teaming is using any technique possible to get into an organisation.

  • @bina7513
    @bina7513 3 years ago

    I personally feel that knowing both pentesting and appsec is a nice boon to have. I can actually see both working together. Some companies do rely on their own brand of proprietary software and hardware (Chuck E. Cheese comes to mind courtesy of MDJ Michael's channel), from what I have heard. That makes me think that could cause problems on the corporate scale if the proprietary software and hardware is not secure enough, depending on the software and hardware's respective functions on a corporate network.

  • @mackey_d
    @mackey_d 3 years ago

    To sum up - if I would like to focus on web application penetration testing, which OSCP cert should I choose?

  • @capability-snob
    @capability-snob 3 years ago

    Given that you're more on the app side, have you ever considered doing a deep dive into the object-capability model?

  • @thecybersecurityzone
    @thecybersecurityzone 1 year ago

    kzread.info/dash/bejne/mpeYypOMp5yapdI.html Bug Bounty Program list & how to find bugs

  • @Thunder-dp7du
    @Thunder-dp7du 3 years ago

    You really hit the point

  • @RJ-is9ko
    @RJ-is9ko 2 years ago

    Do you have videos on how to get into AppSec as a career? I am currently doing software dev in college.

  • @grainfrizz
    @grainfrizz 3 years ago

    Fantastic video

  • @0xf172
    @0xf172 3 years ago

    I agree! those two same words are different

  • @muhammadarsyad3370
    @muhammadarsyad3370 3 years ago

    Thank you for the enlightenment, I thought pentest was just pentest

  • @abdiwahabahmedomar2399
    @abdiwahabahmedomar2399 3 years ago

    legend

  • @Johnny-tw5pr
    @Johnny-tw5pr 3 years ago

    Where do I learn how to be a pentester/appsec?

  • @k-sansenpai7774
    @k-sansenpai7774 3 years ago

    And I know nothing of these three... But I know sometimes that is repeated in CTF walkthroughs

  • @steneer6789
    @steneer6789 2 years ago

    Is there any course or cert that fits specifically for AppSec now?

  • @sakthis6689
    @sakthis6689 3 years ago

    Great

  • @aminehero4729
    @aminehero4729 3 years ago

    nice explanation

  • @fabiandtheink619
    @fabiandtheink619 3 years ago

    When I first watched this video, I loved the idea behind it, but did not really agree with the categories you chose. This could be due to my personal views on some of these disciplines, but for me it is missing a certain symmetry, so I'll give it a try:

    Pentesting applications / application security or security/vulnerability research:
    - code audits, burp, ...
    - focus on finding software vulns

    Pentesting networks / network security or pentesting:
    - nmap, metasploit, ...
    - typically not covert
    - focus on initial access methods and reaching as many targets as possible

    Pentesting corporations (processes, configurations, and people) / red teaming:
    - bloodhound, cobalt strike, mimikatz, ...
    - physical or social aspects, depending on the scope
    - covert af
    - focus on post breach behaviors and specific objectives

    Pentesting specific blue team detections / purple teaming:
    - mitre caldera, scythe, lots of custom scripts
    - emulation of TTPs
    - focus on evaluating or developing single detection mechanisms

  • @aashita6850
    @aashita6850 2 years ago

    thank you :)

  • @bhanuvishwa4676
    @bhanuvishwa4676 2 years ago

    Where would incident response and threat hunting come, blue team? Pls do share resources on any kind of careers related to forensics, malware, threat intelligence,... resources describing all roles in security in this great detail would be great. Thanks in advance.

  • @zeroxxtt2
    @zeroxxtt2 2 years ago

    so should we call them pentesting and vulnerability assessment/analysis?

  • @usamasarwar1
    @usamasarwar1 3 years ago

    Thanks 😍😍

  • @wouterr6063
    @wouterr6063 3 years ago

    Excellent video! I think the US pentesting view is more how "hacking" is viewed by the public (non-technical people), with crazy tooling and stuff. This is probably also how script kiddies come into the field wanting to pwn some companies rather than auditing application code or reverse engineering some esoteric piece of code. I myself found "hacking" by watching more red team focused channels such as Seytonic, but I found that I'm more of an appsec person. I'm happy that I'm now able to classify those different ways of "hacking".

  • @franciscog7110
    @franciscog7110 3 years ago

    I can't decide what to do. I like red team and also like appsec. But I'm not sure, how do you decide what is best for you?

  • @wouterr6063
    @wouterr6063 3 years ago

    @@franciscog7110 I think because I like programming and appsec goes more in detail on how to write applications. I think that by doing red team you learn more about what application stacks to use. Also I like CTFs and there the bugs live more on the appsec side rather than an outdated Ubuntu version (for example).

  • @gcm4312
    @gcm4312 3 years ago

    2:49 the "customer" / "product" of the company. I see what you did there :P

  • @Caesar-Victor
    @Caesar-Victor 3 years ago

    Someone plz help me, is there any video about what happens in hardware while "executing C"? I saw here analyzing C assembly, but I'd like to share with some folks learning C how it allocates memory and changes values there.

  • @samrybkin9184
    @samrybkin9184 2 years ago

    How to become a product pentester (appsec), what should I start to learn?

  • @dummypg6129
    @dummypg6129 3 years ago

    If you are the author of the code that has been found to have a vulnerability, would you find yourself guilty of not knowing about it? Or would you be open to resolution in improving yourself to not make the same mistake again?

  • @_vaibhav
    @_vaibhav 2 years ago

    I am a newbie in computers. Learning to code. I aspire to get into bug bounty hunting. Where should I start, what should I learn and is it necessary to get a CS Degree for it?

  • @PlatinumVoid
    @PlatinumVoid 3 years ago

    As a CyberSecurity consultant (big team but I am a Red Teamer) in my company we do both... it is categorized as External, Internal, Web and Mobile Security assessments... It is true that in External/Internal scopes we do not focus much on Web Applications (lack of time, which is usually up to a week), but still we analyze them manually. In my opinion it's kinda anti-professional to just run Nessus and give the client the report...

  • @heheys3609
    @heheys3609 3 years ago

    Nice explanation. Now I found the reason I feel bored when learning those courses for pentesting: it relies on the tools to do the magic and loses the fun of finding the bugs myself

  • @UnknownSend3r
    @UnknownSend3r 2 years ago

    It's far from it. Just because you're using tools doesn't mean that's all there is to it. Or that's the "magic"

  • @aayan6615
    @aayan6615 3 years ago

    best explanation

  • @georgH
    @georgH 3 years ago

    As a customer of application security testers (we call it pentest), I would've never guessed that the general public thought that about "pentest" (European here)

  • @vaultek_
    @vaultek_ 3 years ago

    Respect 🖤

  • @Unknown-si8uu
    @Unknown-si8uu 3 years ago

    Super

  • @willownot
    @willownot 2 years ago

    hello, I want to get into the cyber security business, I'm Brazilian and I have a lot of affinity with the area. Are there really any salaries that go from 100k to 350k per year? Is there space to undertake?

  • @juaninfante7000
    @juaninfante7000 3 years ago

    where do u practice ur CTF?

  • @h0rizonfire
    @h0rizonfire 3 years ago

    Where I work, we call app sec pen testing and red teaming red teaming. Might be an outlier. But we have both teams.

  • @TiNredstoner
    @TiNredstoner 2 years ago

    One thing I did learn from this video is: text and "text" are different 😂

  • @ReligionAndMaterialismDebunked
    @ReligionAndMaterialismDebunked 10 months ago

    I tried pen spinning a little while back. Nice pen spinner! :3