DEV Community

Discussion on: I'm 18 and I do systems security, Ask Me Anything!

Peter Kim Frank

Were there any key moments or fun stories that specifically drew you towards security?

Have you made any independent security findings/disclosures that you're able to share?

Anirudh

What drew me towards security would probably be my love for computers, paired with my love for breaking things. Taking stuff apart and messing with their internals :D

Sadly, I do not have any 0-days/CVEs under my name, but I have made some disclosures. One of them was particularly interesting.

I'd been asked to pentest an incubation centre's website. Essentially, where startups submit their pitch and get funding/materials etc.

Browsing through the site for a while, I instantly found an SQL injection vulnerability, threw the vulnerable URL into sqlmap and, within 15 mins, dumped the entire database containing user credentials, personal data and, most importantly, the startup ideas themselves. I reported this to the team behind the website. The devs, being the lazy bums they were, figured they'd fix it later and just pushed the site to prod (the absolute madmen). Within a week of having deployed to the public, they got hacked, and the hackers were selling the startup ideas on campus!

Peter Kim Frank

It's incredible that you were asked to pentest the website, and then they ignored your findings! Insane.

Anirudh

It's understandable, because it was management that had asked me to pentest and the devs weren't really prepared. They already had a lot on their plate, as they were getting ready to go live.

They could've taken more time though, and ironed out the issues with the site. Maybe a week extra. Would've saved them all the trouble.

Chad Windham

Yeah, but a security vulnerability on that scale should not be ignored no matter what. People just never seem to learn.

haikal00

Sometimes people choose to launch earlier so as not to lose the business.

Chad Windham

I understand the balancing act from the business side, as I work in the real world for a large company. But given what happened, it is a go-to example of why you shouldn't ignore large and obvious security flaws for any length of time. In the context of the story: the company hired security testers, found out there was a huge (and relatively simple) problem, did not fix it, and experienced a worst-case scenario. Which doesn't help on the "not lose business" side of things. Your point is very valid, and those business decisions can be difficult at times. But in the context of the story shared, it is a prime example of the wrong choice.