RobertB
You do not know, what you do not know.

This can be enlightening to those who want to pursue knowledge on varying levels, and it can help you expose your weaknesses. I have always believed that there are two types of people in this world: those who have been hacked and those who do not know they have been hacked. It is a good method for consistently checking your environment for security holes. Red team your environment(s) as much and as often as you can, to expose what might be an issue for you. Blue team your environment(s) after you find your security holes. You can then purple team to evaluate your testing.

We use a tool called intruder.io, an automated pentest tool. It integrates with your cloud environment and allows you to specify targets to check. You can schedule checks weekly, monthly, or quarterly. It also allows for scans on emerging threats (https://help.intruder.io/en/articles/2068984-emerging-threat-scans-explained). We have this running against our environment alongside some other scanning tools in our cloud environment and DataDog.

This method of automated testing is great and can help discover a lot of issues in the environment. Yet there is still a benefit to a manual pentest. We use the data from intruder for SOC 2 compliance. We have fixed every issue and have a cyber hygiene score of A+ - Excellent. One of our clients requested that we do a manual pentest, and the thought of doing something manually when automation exists seemed counter-productive. The results of the manual pentest were enlightening.

We found ten issues that the automated tool did not pick up. Granted, the issues were mainly low or informational, but they were still issues that were not caught. As an example of a low issue, we found that there were cookies on our site that did not have the Secure flag set. A pretty quick fix, and at the same time a good thing to know.
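A check like the one the manual pentest did by hand, as an added example (not code from the post or from intruder.io): it parses the Set-Cookie headers of a response and reports cookies missing the Secure flag, and also HttpOnly and SameSite, which a tester will typically flag in the same breath. The response headers below are constructed sample data, and treating HttpOnly and SameSite=Lax as the required baseline for every cookie is an assumed policy.

```python
"""Audit Set-Cookie headers for missing hardening attributes (Secure, HttpOnly, SameSite)."""
from dataclasses import dataclass, field

# Attributes every cookie is expected to carry under this (assumed) policy.
REQUIRED = ("secure", "httponly", "samesite")
# What to append when an attribute is missing; SameSite=Lax is the assumed default.
FIX_TEXT = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite=Lax"}


@dataclass
class CookieAudit:
    name: str
    missing: list = field(default_factory=list)  # lower-cased attribute names not present


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_set_cookie(header_value):
    """Return which of REQUIRED attributes a single Set-Cookie header lacks."""
    name, attrs = parse_set_cookie(header_value)
    return CookieAudit(name, [a for a in REQUIRED if a not in attrs])


def audit_headers(headers):
    """headers: list of (name, value) pairs as returned by most HTTP client libraries."""
    return [audit_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def harden_set_cookie(header_value):
    """The 'quick fix': append every missing attribute to the header value."""
    missing = audit_set_cookie(header_value).missing
    return "; ".join([header_value.rstrip("; ")] + [FIX_TEXT[a] for a in missing])


# Constructed sample response headers; only the csrftoken cookie is fully hardened.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        print(f"{result.name}: missing {result.missing or 'nothing'}")
```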

Sometimes we can miss things without going just a bit further. Thanks to the client who wanted more of us than an automated pentest. Without them we would… not know what we did not know.
