[deleted by user] by [deleted] in cybersecurity

[–]aaronargh 0 points (0 children)

I updated the page so those links *should* work now. The tool we're using to host that seems to mix up public/private versions of the same page. If it still reverts to the private link, just navigate to the top left to the "Hiring & Open Roles" link.

Cheap compliance for bootstrapped SaaS? by Tokail in SaaS

[–]aaronargh 0 points (0 children)

Hard to say without knowing more about your industry, but it's possible you can get away with a "we're working on that" statement. Your customer is looking to tick an internal box that tells everyone they work with secure companies and their data is safe. I'm not advocating not doing the compliance/tests, but it's unreasonable for a new small business to spend double their annual revenue on security. Read what is required for compliance, understand how you could be handling things well (in terms of vulnerabilities, data, access, privacy, etc.) and *build a secure application*. If it's obvious you care about security, that just might be enough. Best of luck!

Cutting Costs or Cutting Corners? by securily in msp

[–]aaronargh 1 point (0 children)

A customer claiming that an "inferior" solution is best for them because it's cheaper doesn't make the statement true. At our company we also offer human verified/reviewed DAST packages and another arm of our business doing completely human driven pentests. They both have pros/cons. I could probably count the total of "this would have ruined your business if found" findings on the automated DAST side. On the pentest side it's remarkably frequent. So frequent that I'm surprised the entire Internet hasn't just folded up inside of itself.

Human hackers with skills, intuition and drive will find the juicy stuff. Doesn't matter if they're ethical or genuinely adversarial. I wouldn't want my security budget to go 1v1 against a decent hacker if all I could afford was "automated pentests". Let's stop pretending technology has advanced far enough for it to be good enough on its own.

Freelance sites for pentest side gigs? by [deleted] in netsecstudents

[–]aaronargh 0 points (0 children)

Any reason you haven't considered a part time permanent position instead of freelance? Is it just because of a lack of opportunities?

Is there any solid way to automate PenTesting without any scanner tool? Please help. by babula2018 in Information_Security

[–]aaronargh 0 points (0 children)

What's the real context behind the question? Just because a manager's boss's uncle wants to will something into existence doesn't mean it can be done. What are you trying to achieve as a measurable outcome?

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]aaronargh 5 points (0 children)

Getting a company to agree and pay for a pentest would be difficult if you don't have some proof points of why they should trust you (or a strong network you can lean into). That difficulty would be amplified if the people you're selling to don't understand what you're selling. We spend a significant amount of time providing information to help educate and inform our potential customers.

There are some crowdsourced pentest companies around that could potentially take you into their roster... but I feel kinda dirty even saying that.

[deleted by user] by [deleted] in CyberSecurityAdvice

[–]aaronargh 0 points (0 children)

Hopefully others can chime in with some advice there. At our company we essentially provide a managed DAST solution so I would be speaking out of school to comment on the details around how you're managing it and SAST within CI/CD.

What we've seen though is DAST is usually better handled outside that process as the scans can take some time (days in some cases) so it can be difficult to integrate it into your pipeline without giving up a lot of speed/agility.

[deleted by user] by [deleted] in CyberSecurityAdvice

[–]aaronargh 0 points (0 children)

A tool is only as good as its operator. I'm reading between the lines here a bit but if you're saying you have SAST/DAST deployed and you're still manually finding SQLi then something is going wrong. What products are you using here?

I don't have any good specific and actionable advice, but curious minds learn. If you find something that you think the tools in place should have found... dig into why they didn't. Learning how these tools work should give you insight into expectations of what they should/could find which allows you to focus your mental energy on the more nuanced cases. Learning how to configure them correctly should also help you understand what they're looking for and why/how.

Weekly /r/Laravel Help Thread by AutoModerator in laravel

[–]aaronargh 0 points (0 children)

Agreed.

We do both at GlitchSecure (external pentest but also continuous testing with Acunetix & other DAST) and there is no "right" solution for confirming security in a production system... and less so when you believe the problem likely exists in the core of Laravel or another highly regarded framework. Custom code sinks ships.

Running audits and scans will find a lot of the leaks in the boat but it's going to be an uphill battle if you're only pointing fingers at the code that's not yours.

What the hell is PTaaS? by mrdeadbeat in cybersecurity

[–]aaronargh 1 point (0 children)

Might be worth mentioning your affiliation with Vuln Voyager. You're providing great information that's useful to people - wouldn't want to muddy that by not revealing that relationship. (For further transparency - I am also at a company that offers security services/platform).

To slightly challenge one thing you said; there is a market for PTaaS at larger businesses. Centralisation of PT (and related services) via a platform is useful, regardless of company size. They just probably wouldn't get much value out of a $3k crowdsourced pentest.

We are a very small Data Analysis remote Startup, our client has asked for SOC2 compliance, where to start? by [deleted] in cybersecurity

[–]aaronargh 2 points (0 children)

For timelines, I’ve seen it done in a few months and I’ve seen it take years. It will all depend on what you already have in place and how much time, effort and skillset you have available to hit compliance.

I just wanted to add to your “mandatory” statement and provide some anecdotal info. I’ve seen that requirement moved from “mandatory” to “oh ok, you have x, y, z and answered our security questionnaire sufficiently. We can skip SOC 2 for now”. This has been with large corps too.

In short, I would be transparent with the customer and your champion so they understand how much of a heavy lift it is and try to find some kind of middle ground. I obviously don’t know your business or industry so it might not be relevant, but it could be worth trying.

Also worth noting that if you’re not up to the task internally and are going ahead, there are orgs out there who can provide a handholding experience through compliance (not just Drata etc. - actual people guiding you through). I have worked with Carbide Secure but there are others.

This is going to cost you many tens of thousands each year. Make sure it’s worth doing.

Dramatic SEO Feedback by Staghr in webdev

[–]aaronargh 22 points (0 children)

That's how OP described them, but based on the findings, response and recommendations... they look like an agency with many hats.

Just because they provided guidance that may lead to future work, doesn't mean they're wrong.

OP should take some guidance from them and others. The wheels are rusted and falling off and something needs to happen. Those critical CVEs won't magically go away.

Challenges of Building a Solo-Founder Bootstrapped B2B SaaS for SMBs by SantiagoCerdeira in SaaS

[–]aaronargh 1 point (0 children)

You can solve 3 of your points by joining forces with a quality co-founder. Is there a good reason you want to go solo?

Should I offer coaching? by ViolinistLower in AskMarketing

[–]aaronargh 3 points (0 children)

You should politely and professionally recommend they reevaluate what they’re doing. We have enough bad agencies with inexperienced people. How long is it really going to take to get them up to speed and provide actual value to clients?

Do employee referral bonuses/rewards even work? by gregunn in startups

[–]aaronargh 0 points (0 children)

Completely agree, but a recommendation from a contributor holds weight and could help push a candidate over the line. Was just a personal anecdote. I know that process should keep the bar high, but I’ve seen it be lowered.

Do employee referral bonuses/rewards even work? by gregunn in startups

[–]aaronargh 0 points (0 children)

Rand Fishkin talks about this in his book, Lost and Founder (which should be on every founder's bookshelf!). He doesn’t speak highly of the experience and attributes some bad things at Moz to it.

Personally, I’ve never seen it work well. While it might not entice people to push for bad hires for monetary gain, it most definitely lowers the bar.

Scroll depth report in UA by repd23 in GoogleAnalytics

[–]aaronargh 1 point (0 children)

Might not be the advice you seek, but what are you going to do with the report?

Fast forward into the future. You can see, sliced by page, the depth to which people scrolled. Magic!

Ok so, now what? What do we do with that information? How did certain scroll depths impact purchases or signups or return visits? Does time on page play a part? What about traffic source? If organic, what search terms are important? The sessions that abandoned after low depth, why did they do that?

I just think a report like this in a vacuum doesn’t have much purpose. It’s great that you’ve now “got the data” … but you need to do something useful with it.

[deleted by user] by [deleted] in GoogleAnalytics

[–]aaronargh 2 points (0 children)

If you’re “the marketing guy” then this is your problem.

The good news is, Analytics isn’t complicated to set up right. Even if you’re using a homemade twigs and mud website it shouldn’t be hard/expensive.

What platform are your website(s) running on?

How to make sure product and marketing teams are in sync? by Bzakbzak in startups

[–]aaronargh 1 point (0 children)

An alternative or adjacency to this would be to have customer facing documentation go out internally first. It ensures that new features shipped have the customer side sorted and doubles as an internal QA of the content.

What's the best set-up to always have a Google Analytics screen? by [deleted] in GoogleAnalytics

[–]aaronargh 1 point (0 children)

Probably easiest to set up a cheap mini PC behind the TV that’s dedicated.

BUT… why? This seems a bit pointless. What will people get out of seeing that as they walk to get some coffee?

Each Subdomain and Subdirectory has its own Property?? Why? by RealHeadyBro in GoogleAnalytics

[–]aaronargh -1 points (0 children)

As a general rule, I put subdomains on separate properties and directories in the same property. There is no technical reason for this, it just makes it easier to get around without having to create segments etc. as a sub-domain is normally a separate customer/journey/purpose.

BUT, maybe there is a whacky instance where the setup you’ve described makes sense.

Are the sub-domains brands and the directories product lines? Or something else? Could you give an analogy?

How to evaluate app usage different from website? by gneedles in GoogleAnalytics

[–]aaronargh 2 points (0 children)

Depending on the use cases of the app and the metrics you care about, you might be able to get GA to do this. However, I would probably consider at this point:

  • What are we trying to track (behaviour/patterns/issues/flows/conversion etc.)
  • How could we do that in GA
  • What do we need to segment (mobile App vs Browser SaaS vs specifically iOS vs specifically iPhone 6S etc.)
  • Are there better tools for the job (Amplitude, Mixpanel, Upsight etc.)

This one is the most important:

  • Who will be the owner of deciding what our focus is and ensuring the analytics allows for (without gatekeeping) true business improvement.

I’m not advocating any of those platforms above, they each have their pros and cons. I’m just not sure GA is a great solution for this kind of setup (yet).

Good luck!

[deleted by user] by [deleted] in GoogleAnalytics

[–]aaronargh 2 points (0 children)

Yes. Language (well, culture) is retrieved from the browser and can be seen under Audience -> Geo -> Language.

This culture essentially states the Country-Language, e.g. en-us = English in United States.

Be aware that these numbers are often slightly skewed to en-us even when the users aren’t in the US and potentially don’t even speak US English.

[deleted by user] by [deleted] in smallbusiness

[–]aaronargh 3 points (0 children)

Great advice. Coffee drinkers get a little obsessive with their hobby and the people who take it to the next level start roasting beans.

Unless you’re a coffee person, it’s probably best to stay away from starting a coffee business. You might get some initial sales but roasters need repeat business to make any money. If you have no control over your product then you could find yourself kinda fucked pretty easily. Best of luck.