Pentesting vs. Bug Bounty vs. Pentesting ???

  • Published: 1 Jul 2024
  • What is the difference between Pentesting and Pentesting? There are different jobs that can be described as "pentesting" and I want to talk a bit about it. This should also help you to better organize your own learning, as you better understand your goal.
    Blog: liveoverflow.com/pentesting-v...
    00:00 - Intro
    00:32 - Pentesting: What most people think
    01:19 - Pentesting: What I actually do
    01:53 - Pentesting vs. "Pentesting"
    03:49 - Better name: Application Security
    04:14 - CTFs are Useless/Awesome!
    05:21 - Opposite Side of Pentesting and AppSec
    06:27 - I prefer being a Developer than Pentester
    06:51 - Bug Bounty vs Pentesting
    08:36 - Outro
    → Website: liveoverflow.com/

Comments • 228

  • @katzenschildkroete · 3 years ago · +177

    The only time I pen test is before an exam to make sure I have enough ink left

  • @MrVampify · 3 years ago · +112

    As a corp pentester, this actually gave me some really great insight to think about appsec and pentesting as separate areas of security. I've recently started teaching myself API which is really fun and trying to subvert obfuscation. I would say I'm mostly a pentester but occasionally dive into appsec for specific webapps and such.

    • @m1cx657 · 3 years ago · +2

      Bro I'm curious what do you do everyday as a pentester in a corp.

    • @codr6934 · 3 years ago

      the fucc?

  • @matthewlandry1352 · 3 years ago · +69

    This is simply one brilliant channel. He has definitely got his mojo back. I also love his hilarious takes (like when the van pulls up to the building and the red skull lands on the door… like Ghostbusters or something).

  • @_CryptoCat · 3 years ago · +16

    I love the drawing/animations in this (0:49 + 1:32), really cool! Great breakdown of the different security roles and how they interchange.

  • @PootytangFL · 3 years ago · +13

    This is actually a pretty interesting topic for job searching. In my job (in the US) the "networking" red-teamy stuff is called pentesting, while the appsec stuff is called different things in different regions of the US. In my area what you called "appsec" is called VR (Vulnerability Research), while in other areas (Midwest) it's known as security research. Fun note: one of my first job interviews was for a "VR" position; I thought we were going to be reverse engineering virtual reality equipment.

  • @OmegaZ2 · 3 years ago · +14

    This video actually helped me a lot. Thanks a lot for clarifying these two "sides" of IT security. I have always been in love with the "pentesting" part, not so much with the "appsec", but I think it's better to know and understand both sides :).

    • @Fahodinho · 3 years ago · +5

      It's worth noting that these are not the ONLY sides of IT security. There are many other areas like webapp, netsec, analysis, etc.

  • @Daniooo · 3 years ago · +10

    Really interesting comparison between the two; it also helps to see what we should be focusing on :D
    Another summary could be that pentesting is mostly using known vulns and pwning the company, while "pentesting" is finding those vulns and also creating new ones on a much deeper level.

  • @GarrML · 3 years ago · +4

    Love it! Great breakdown here. I’m right there with you, “Appsec Pentester” is how I’ve referred to the application-focused side of “pentesting.”

  • @Gary-tp9dk · 3 years ago · +11

    Thank you very much for helping me clear some of the fog from my mind as I'm heading into the "appsec" world.

  • @KarahannAe · 2 years ago · +1

    Thank you for this video. I am a full stack developer and I just started learning about cyber security. I have been following a beginner's course, but it was mostly about pentesting, focusing on topics like Active Directory security. I had started to feel unmotivated because I'm not that interested in that area. Watching your video helped me realize that I should start to look more into resources about appsec. Liked and subbed.

  • @ThingEngineer · 3 years ago

    Amazing video that was long overdue. It seems a lot of people wanting to enter any of these professions often bounce around a bit confused and maybe even focus in the wrong area due to the exact confusions you cleared up here. Well done!

  • @dannynishen5773 · 3 years ago · +4

    This was really helpful for me in figuring out where I am going in this field. Cybersecurity is an industry in its toddler stages and we are still trying to understand its depths. I gravitate more towards AppSec as well; I am into details and protecting user data. But I also like pentesting because it comes with really fun tools I can use.

  • @Andreea93chan · 3 years ago · +68

    The problem nowadays is that every company wants a Jack of all trades when hiring a pentester. I have already 7 years of experience in the field, however I constantly have the feeling that I am not good enough, even though I am constantly learning and gaining certifications. I've reached burnout. Officially. And I am only 28 years old.

    • @kharbandaumang · 3 years ago · +6

      I can understand... I am a SOC analyst and the kind of expectations my company has... 😭😭😭

    • @bagdats6971 · 3 years ago

      Damn, I feel the same

    • @ko-Daegu · 3 years ago · +3

      Because there's no universal framework like doctors have.
      When I employ a nurse I know exactly what she/he can/should and can't/shouldn't do.
      Not the same for pentesters.

  • @cristymanjarrez5841 · 2 years ago

    This video really helped me clarify the path I want to take, thank you!

  • @MrMcPeon · 3 years ago

    Working as a SOC analyst. Great vid explaining the industry and different sec areas! 👏

  • 3 years ago

    Very good video, thanks for that! I also like the length of the video because I almost never have the time to watch the long ones.

  • @eliasf.fyksen5838 · 3 years ago

    Great channel man, your videos keep me motivated

  • @nilgam6536 · 3 years ago

    Thank you very much for this video and the explanation of these differences!

  • @fabiofreitas7760 · 3 years ago · +6

    Great video, really relatable to me as an appsec tester in Europe.
    Also, I'd like to add that this distinction is the main reason I don't think OSCP is very valuable to anyone looking to get into the AppSec side of things. You're much better off investing your time and money into eWAPTXv2 or OSWE.

  • @reflectedcrosssite2848 · 3 years ago · +7

    Just got my first security job and we actually do both kinds of pentesting!

  • @rsinistic · 3 years ago

    Another excellent video. Keep up the good work 👍

  • @Indic4Zone · 3 years ago

    Great video! This explains a lot, thank you for making such a video 👍

  • @lukor-tech · 3 years ago · +3

    I like how you placed the texts where your hands were at the time.
    It's not 100% but sure works well in terms of visual coherence for me.

  • @hazzxd · 2 years ago

    :D hilarious intro
    edit: and another brilliant video

  • @hamdyahmed5742 · 3 years ago · +5

    Almost 1 year ago I could not understand your videos, but now, after spending 1 year in bug bounty, I finally understand 🙂
    Thanks for sharing these amazing videos

    • @UnknownSend3r · 2 years ago

      What resources did you use, bro? And have you caught any bugs?

    • @pinkeyism · 2 years ago

      Wow, what was your path/learning tools to learn from scratch?

  • @Rea892 · 3 years ago · +2

    Amazing video, I'm an AppSec :) Thanks man for making some clarification on it.

  • @trieulieuf9 · 3 years ago

    Very informative. While learning bug bounty, I never feel like doing recon and running tools on various subdomains, and prefer the main web application. Now I know they are 2 types of security testing.

  • @EnderKill98 · 3 years ago

    Great video! Never thought about this!

  • @arivanhouten6343 · 3 years ago · +40

    Finally another masterpiece!

  • @daviddelille1443 · 3 years ago · +2

    I use the term "pentesting" to refer to engagements of limited scope. This includes internal and wireless network pentests.
    When the scope is not well-defined/limited, I would call that "red teaming".
    I do agree that "appsec" is a good term if you're only talking about reviewing (web) applications that run on a server/workstation.

  • @monsieuralexandergulbu3678 · 3 years ago

    Love all of your videos!

  • @mhendrickx · 3 years ago · +1

    Good topic. In my place of work we call the corporation part red teaming instead, due to the "pivoting" nature. But yeah, generally we have pentest teams that are really appsec teams. Good video!

  • @knuubLP · 3 years ago

    Thank you so much for this video! I am currently in the last semesters of my IT security master's degree. I struggle to find what I want to do exactly after university and I am doubting whether my current job is the right one for me. I am mainly working a developer's job, but at a security-focused company. Your video encourages me to continue in this job for now, but still focus on the security side. Until now I was always afraid that by mostly developing I would miss out on the cool security stuff I might do in other jobs, but maybe this just isn't such a big problem as I might think.

  • @nivkochan8596 · 1 year ago

    You just helped me decide what to do with my life, thank you so much for this video.

  • @L1nkk9E · 3 years ago · +2

    I'm a network security engineer and implement security functions at OSI layers 2 and 3, so blue team. Our customers sometimes have network "pentesters" on site who then say "hey, I could do this and that", which is awesome, because our team always says how much more we need to implement, but it is never important enough. For some reason external pentesters have a bigger impact than we do, as an external blue team. But in the end we all want the customer's network to be safer, so it's fine with me ^^

  • @jainishpandya4246 · 2 years ago

    Great man. Cleared all the clouds. Thanks

  • @m4rt_ · 11 months ago

    I work as a developer, and it is one of, if not my favorite hobby, so I think I am already on the appsec side of it all.
    Learning how all the scanners and tools work may be useful, but it's not a ton of fun compared to my understanding of the appsec side.
    Also, at the moment I learn about all this security stuff because it is fun, but also because I want to understand how to make my code more secure.

  • @lanjelot · 3 years ago · +1

    There's blackbox {internal,external} network pentesting (netpen), there's blackbox application pentesting (appsec). There's whitebox pentesting (network or application) where the pentester has access to everything they wish (source code, config files, etc.). It all depends on the rules of engagement. Pentesting just means security testing.

  • @koredump7800 · 3 years ago · +4

    Even focusing on security since starting college, it wasn't until reaching industry that I realized red teaming/pentesting wasn't the thing I had been going for all along, but rather it was security/vulnerability research.

    • @UnknownSend3r · 2 years ago

      Why, what made you pick that rather than pentesting? And are you doing vulnerability research now?

  • @iakashx · 3 years ago

    Awesome. Very well explained. Thanks. :)

  • @BugBountyReportsExplained · 3 years ago · +12

    Fully agree with that. In Poland, when we say pentesting, we mean the appsec side of things. The "other pentesting" jobs are rare, I think, and are usually called red-team member.

  • @m4rt_ · 11 months ago

    Penetration testing, or pentesting for short, in my opinion can be any kind of security audit. This could for example be simulating what an attacker would do, or going through and testing the code/configs. Also, I've seen some kinds of pentesting where people try to physically break in by tricking lock mechanisms, picking locks, unhinging doors, sniffing RFID badges, tricking guards, etc.
    (A good video showing this is "Through the Eyes of a Thief" by DeviantOllam.) Even this variation of pentesting has variations. For example, you could be simulating an attacker, or you could be going through and looking at all they have in place and explaining what is bad/good, etc.

  • @mod_cyber1015 · 3 years ago

    Appreciate your knowledge, man!

  • @000t9 · 3 years ago

    So helpful a video, thank you :)

  • @Fvneral_moon · 3 years ago · +12

    I can't believe after all these years, he is still making "pentester" jokes while spinning his pen mod 😂

  • @fabiodan30 · 3 years ago

    Developer here. Some of your videos teach me new things about hardening my applications.

  • @zeynarz7614 · 3 years ago · +4

    When he was spinning his pen I got flashbacks to the "day in the life of a pentester" video.

  • @muhammadadel9537 · 3 years ago

    Best Explanation Ever!

  • @luisemilioogando · 2 years ago

    Great. Do you have a course for appsec, or any sources? I'm really interested.

  • @davidhcefx · 3 years ago

    @LiveOverflow I think you should simply flip the video horizontally, because you are pointing to your left side for Pentesting but it appears on our right side LOL (like at 7:20).

  • @pi8tol · 3 years ago · +1

    Legend comes with legend video ❤💫🔥

  • @m.waheedanwar7105 · 3 years ago

    Yes, I also think there is confusion in the industry regarding this. I also think there is a great intersection between the two, so it is very difficult to separate them.

  • @AlienAndrew51 · 3 years ago

    I started out wanting to do corporate pentesting and got a Sec+, CySA+, and an advanced digital forensics cert. Then I became a developer since I found it more challenging and can do more to secure my organization. Also, there are a lot more jobs in software development.

  • @mohdamrirazlan7879 · 3 years ago · +25

    When it comes to this "pentesting", it should always come with the RoE (Rules of Engagement) & SoW (Scope of Work).

  • @blankeyezero · 3 years ago

    I really love the theme music

  • @ProCipher · 2 years ago · +1

    Could you make a video about: "How to land your first job as an 'AppSec'"?

  • @mackey_d · 3 years ago

    To sum up: if I would like to focus on web application penetration testing, which OSCP-style cert should I choose?

  • @Minecodes · 3 years ago · +12

    I'm from Germany just like you and I do appsec (on my apps, the apps of my friends, the apps of my father, etc.) and I do red team (on the systems of my father). I do CTF too and I like it most 😉

    • @Konami9999 · 3 years ago · +3

      What does your father do for a living?

    • @Minecodes · 3 years ago · +1

      @@Konami9999 He is a developer and also has a private website with a self-written web server (all programmed in C++, and I test it).

    • @UnknownSend3r · 2 years ago

      How old are you?

    • @Minecodes · 2 years ago

      @@UnknownSend3r 14 👉👈

    • @UnknownSend3r · 2 years ago

      @@Minecodes I had a feeling. Keep it up, you're going places.

  • @effsixteenblock50 · 1 year ago

    One point that I think should be touched on is that in bug bounty, you're not required/obligated to report on the security posture of all assets in scope. You can pick and choose what you want to attack/audit. In bug bounty, you're looking for a payout, which greatly skews how the engagement goes vs. a proper pentest.

  • @gustavorosas-dev · 12 days ago

    Best report I've ever seen (1:51):
    "It was found that the site lacks any form of protection. Just send 'Please let me in' and the site will spawn a shell with root permissions."
    Laughed a lot here.

  • @RJ-is9ko · 2 years ago

    Do you have videos on how to get into AppSec as a career? I am currently doing software dev in college.

  • @abhineetsagar · 3 years ago

    Love you man

  • @bina7513 · 3 years ago

    I personally feel that knowing both pentesting and appsec is a nice boon to have. I can actually see both working together. Some companies do rely on their own brand of proprietary software and hardware (Chuck E. Cheese comes to mind, courtesy of MDJ Michael's channel), from what I have heard. That makes me think that could cause problems on the corporate scale if the proprietary software and hardware are not secure enough, depending on the software's and hardware's respective functions on a corporate network.

  • @markgentry8675 · 3 years ago · +1

    I've always made the distinction Network Pentester vs. Web App Pentester or AppSec Pentester. To me, red teaming is using any technique possible to get into an organisation.

  • @Thunder-dp7du · 3 years ago

    You really hit the point.

  • @m10653 · 3 years ago

    I'd say I'm a pentester, but I only work with a single corporation and my day-to-day job looks more like how you describe bug bounties, as we test different parts of the corporation defined in our scope. So we are able to get into the weeds on a single application because our scope is limited to only part of the corp. And we get more visibility, like what you get in appsec.

  • @outstanding1403 · 3 years ago · +2

    And that describes the difference between IT studies and IT security studies. I think if you want to go for pentesting, the IT security one is the better one. If you want to go for appsec, normal IT studies might be better.

  • @grainfrizz · 3 years ago

    Fantastic video.

  • @steneer6789 · 2 years ago

    Is there any course or cert that fits specifically for AppSec now?

  • @giovannibocciato · 3 years ago

    Yeah, you're doing the best tricks with pens.

  • @Johnny-tw5pr · 3 years ago · +1

    Where do I learn how to be a pentester/appsec?

  • @Caesar-Victor · 3 years ago

    Someone please help me: is there any video about what happens in hardware while "executing C"? I saw you analyzing C assembly here, but I'd like to share with some folks learning C how it allocates memory and changes values there.

  • @dummypg6129 · 3 years ago

    If you are the author of the code that has been found to have a vulnerability, would you find yourself guilty of not knowing about it? Or would you be open to resolution, improving yourself so as not to make the same mistake again?

  • @wouterr6063 · 3 years ago

    Excellent video! I think the US pentesting view is more how "hacking" is viewed by the public (non-technical people), with crazy tooling and stuff. This is probably also how script kiddies come into the field, wanting to pwn some companies rather than audit application code or reverse engineer some esoteric piece of code. I myself found "hacking" by watching more red-team-focused channels such as Seytonic, but I found that I'm more of an appsec person. I'm happy that I'm now able to classify those different ways of "hacking".

    • @franciscog7110 · 3 years ago

      I can't decide what to do. I like red team and also like appsec. But I'm not sure; how do you decide what is best for you?

    • @wouterr6063 · 3 years ago

      @@franciscog7110 I think because I like programming and appsec goes more into detail on how to write applications. I think that by doing red team you learn more about what application stacks to use. Also I like CTFs, and there the bugs live more on the appsec side rather than an outdated Ubuntu version (for example).

  • @capability-snob · 3 years ago

    Given that you're more on the app side, have you ever considered doing a deep dive into the object-capability model?

  • @bhanuvishwa4676 · 2 years ago

    Where would incident response and threat hunting come in, blue team? Please do share resources on any kind of careers related to forensics, malware, threat intelligence... Resources describing all roles in security in this great detail would be great. Thanks in advance.

  • @juaninfante7000 · 3 years ago

    Where do you practice your CTF?

  • @abdiwahabahmedomar2399 · 3 years ago · +3

    legend

  • @willownot · 2 years ago

    Hello, I want to get into the cyber security business. I'm Brazilian and I have a lot of affinity with the area. Are there really salaries that go from 100k to 350k per year? Is there space to get started?

  • @_vaibhav · 2 years ago

    I am a newbie in computers. Learning to code. I aspire to get into bug bounty hunting.
    Where should I start, what should I learn and is it necessary to get a CS Degree for it?

  • @samrybkin9184 · 2 years ago

    How to become a product pentester (appsec)? What should I start learning?

  • @0xf172 · 3 years ago

    I agree! Those two same words are different.

  • @zeroxxtt2 · 3 years ago · +1

    So should we call them pentesting and vulnerability assessment/analysis?

  • @k-sansenpai7774 · 3 years ago · +2

    And I know nothing of these three...
    But I know that it is sometimes repeated in CTF walkthroughs.

  • @vaultek_ · 3 years ago

    Respect 🖤

  • @gcm4312 · 3 years ago

    2:49 the "customer" / "product" of the company. I see what you did there :P

  • @aminehero4729 · 3 years ago

    Nice explanation.

  • @usamasarwar1 · 3 years ago

    Thanks 😍😍

  • @heheys3609 · 3 years ago

    Nice explanation. Now I've found the reason I feel bored when learning those courses for pentesting:
    it relies on the tools to do the magic and loses the fun of finding the bugs myself.

    • @UnknownSend3r · 2 years ago

      It's far from it. Just because you're using tools doesn't mean that's all there is to it, or that that's the "magic".

  • @fabiandtheink619 · 3 years ago · +1

    When I first watched this video, I loved the idea behind it, but did not really agree with the categories you chose. This could be due to my personal views on some of these disciplines, but for me it is missing a certain symmetry, so I'll give it a try:
    Pentesting applications / application security or security/vulnerability research:
    - code audits, Burp, ...
    - focus on finding software vulns
    Pentesting networks / network security or pentesting:
    - nmap, Metasploit, ...
    - typically not covert
    - focus on initial access methods and reaching as many targets as possible
    Pentesting corporations (processes, configurations, and people) / red teaming:
    - BloodHound, Cobalt Strike, Mimikatz, ...
    - physical or social aspects, depending on the scope
    - covert af
    - focus on post-breach behaviors and specific objectives
    Pentesting specific blue team detections / purple teaming:
    - MITRE Caldera, SCYTHE, lots of custom scripts
    - emulation of TTPs
    - focus on evaluating or developing single detection mechanisms

  • @PlatinumVoid · 3 years ago

    As a cybersecurity consultant (big team, but I am a red teamer) in my company we do both... it's categorized as External, Internal, Web and Mobile security assessments... It is true that in External/Internal scopes we do not focus much on web applications (lack of time, which is usually up to a week), but we still analyze them manually. In my opinion it's kind of anti-professional to just run Nessus and give the client the report...

  • @muhammadarsyad3370 · 3 years ago · +1

    Thank you for the enlightenment, I thought pentest was just pentest.

  • @aayan6615 · 3 years ago

    Best explanation.

  • @jessy6922 · 3 years ago

    For appsec, what CTF categories should they focus on, and how much better should you get at it?

    • @sasebot3927 · 1 year ago

      Web & mobile, definitely not pwn or crypto much. I don't know the answer to the second question.

  • @h0rizonfire · 3 years ago

    Where I work, we call appsec pen testing, and red teaming red teaming. Might be an outlier. But we have both teams.

  • @Haxr-dq6wt · 3 years ago

    I thought you said that you would not make any other videos in your previous video.

  • @ReligionAndMaterialismDebunked · 10 months ago

    I tried pen spinning a little while back. Nice pen spinner! :3

  • @aashita6850 · 2 years ago

    Thank you :)

  • @sakthis6689 · 3 years ago · +1

    Great

  • @georgH · 3 years ago

    As a customer of application security testers (we call it pentest), I would never have guessed that the general public thought that about "pentest".
    (European here)