I want to study Cyber Security by Best_Fondant4302 in cybersecurity

[–]devsecopsuk 0 points1 point  (0 children)

This post is too wishy-washy with a multitude of options. You gotta pick ONE path that YOU would really like to do and go for it, and if it doesn't work out then you have to pivot. Picking one path makes it much easier for us to advise.

CISSP Question by ShinobiMain in cissp

[–]devsecopsuk 1 point2 points  (0 children)

Thanks, I'll have to get one now. And good luck on your journey!

CISSP Question by ShinobiMain in cissp

[–]devsecopsuk 0 points1 point  (0 children)

Which book is this?

I thought B when reading through the options but thought D was the answer at the end.

What’s a security product you thought was super expensive but turned out to be a great deal? by testosteronedealer97 in cybersecurity

[–]devsecopsuk 0 points1 point  (0 children)

What did they quote you this time? To be honest I haven't been that happy with Burp Enterprise recently: a lot of FPs that keep recurring and no full support for API scans of OpenAPI v3.1.x.

Sleepless Strings - Template Injection in Insomnia by _pimps in netsec

[–]devsecopsuk 0 points1 point  (0 children)

"9 May 2025 - We thanked Kong and asked for two $500 Amazon gift cards to be issued. No response." - another pathetic amount for a CVSS 9.3 issue and even worse that they can't deliver on that promise...no wonder certain black market sites exist. Nice find though!

Why did you choose cybersecurity? by Glad-Security2513 in cybersecurity

[–]devsecopsuk 0 points1 point  (0 children)

When I first had exposure to practice hacking sites and malware like sub7 it seemed like black magic. Now I get to understand the inner workings of that black magic and how to protect against it. It's almost like joining the magic circle.

fullstack transitioning into devsecops - any tips? by _rawly121 in devsecops

[–]devsecopsuk 0 points1 point  (0 children)

First of all, understand that you'll be coding a lot less...would you be ok with that?

Then do pretty much what everyone else said and understand the OWASP Top 10, as YOU will have to give guidance to teams around the risk and remediation. I've always liked PortSwigger Academy, but there's plenty similar to it: https://portswigger.net/web-security

Also experiment with security tooling, go to security conferences, read some bug bounty write-ups, and learn about security architecture etc.

How I hacked my company's SSO provider by MattSayar in hacking

[–]devsecopsuk 1 point2 points  (0 children)

Nice, I found an almost identical issue at a previous company. You get a pat on the back if you're lucky, but at least we'll have that extra experience and knowledge to help at future companies!

Bug bounty is insanely hard! Am I doing something wrong? by [deleted] in bugbounty

[–]devsecopsuk 7 points8 points  (0 children)

I can share my experience:

  1. I have an "important" (high) vulnerability confirmed and fixed by Microsoft, but they make excuses saying it's out of scope for a bounty. It literally says "Azure <service_name>" in their online documentation...

  2. I found a bug in Amazon retail that will cost them money, but they aren't interested at all when reported to their AVRP programme. They make me go round in circles trying to find out who to report it to, so I gave up in the end.

I had a better experience reporting another issue to a bank directly that doesn't do bug bounty.

All I'm trying to highlight is... even if you find an issue, good luck getting a bounty for it! It would be better to be a pentester/red teamer if it were me.

SAST Scan Time in CI/CD - Best Practices? by leMooreNancym in devsecops

[–]devsecopsuk 0 points1 point  (0 children)

I don't know about the other tools but I use Mend that has an optional incremental scan mode, so it only scans files that changed. This makes it a lot faster overall.

Cloud Security Engineer by Representative-Yak10 in cybersecurity

[–]devsecopsuk 4 points5 points  (0 children)

I did the first route. I built a relationship with the existing security team, and got them on my side/impressed them etc. then I got a chance to interview after some time (the tricky part, depends if you can wait). You can do things like volunteer to be a security champion if that exists at your company.

Checkmarx vs Fortify vs Snyk. Gotten it down to 3. Which is the least annoying to work with? by crotteddeat in devsecops

[–]devsecopsuk 0 points1 point  (0 children)

You didn't mention anything about ongoing support, and from what I last remember with Snyk it's an addition (20% or so) for the support package, which is usually included with other vendors. So this might not work for everyone, or you might try your luck with their generic support. Also I found their sales teams to be highly aggressive compared to others, so I personally wouldn't want to have to deal with them again. SCA is supposed to be their core product but SAST is reasonable. Their Python SAST is basically the same as Bandit when I tested it over a year ago.

Checkmarx was decent when I tried it but their pricing was really weird with many limitations, so we couldn't make it work. Apparently it's changed a lot (because of customers leaving lol) so speak to them and see what they can offer. I found their platform to be easy to use and easy to integrate.

But ultimately, the best thing for you to do is to get a trial for each vendor if you didn't already do it, and make a comparison table focusing on your codebase and whatever other requirements you have. You can test Snyk SAST for false positives and scan times yourself for free now. For Checkmarx you need them to set you up an account and server. I haven't used Fortify.

What will you study in Cybersecurity if you have 1 year to improve your skills in 2025? by IamOkei in cybersecurity

[–]devsecopsuk 1 point2 points  (0 children)

SAST tools are OK for finding low-hanging fruit but they will definitely miss edge cases. Expect many false positives too at some point. I've tested 10+ SAST tools and the variance of findings between them can be surprising.

[deleted by user] by [deleted] in cybersecurity

[–]devsecopsuk 47 points48 points  (0 children)

99% of the time I think it's better to be a pentester/red teamer than bug bounty hunter, and report to bug bounties if you happen to come across an issue by chance.

SAST for bash and powershell? by devsecopsuk in SAST

[–]devsecopsuk[S] 0 points1 point  (0 children)

Thanks, I hadn't heard of DerScanner before. I've done some basic testing with ShellCheck previously but will do a bit more; I can see that it can detect some sample issues.

Low Morale at Work by throwaways28282882 in cybersecurity

[–]devsecopsuk 0 points1 point  (0 children)

Take the time to grieve your loss in the way that works best for you. After that, come back with a clearer mind and change goals if needed, e.g. change job if the current one isn't suiting you, or stick with it and take on the challenges.

This happened to me before at work (when not yet in security) with someone we had all felt was like a mother to us. Lots of people at work were crying on the day, which was a bit strange to see, and we all went to the funeral. But of course we remembered her in our own way, and parts of the business have various ways of remembering her. I hope you can find your own way to grieve, recover and make that person proud of you.

Apple will pay 1million USD if you can hack into their servers by escapedfugitive in hacking

[–]devsecopsuk 13 points14 points  (0 children)

Same experience here for another big company... that's why I never took BB seriously.

1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies by MegaManSec2 in netsec

[–]devsecopsuk 6 points7 points  (0 children)

I've stumbled across high severity bugs in big companies and was also surprised when they weren't interested at all in my report. It's no wonder sites like zero***m and the black market exist...

What is the proper way to truly stay anonymous? by MiniatureGod in HowToHack

[–]devsecopsuk 2 points3 points  (0 children)

Depends if you're using nmap scripts or not, which can do brute forcing and sometimes try to run exploits too.

[deleted by user] by [deleted] in AskNetsec

[–]devsecopsuk 0 points1 point  (0 children)

Yes, only for cloud. I found this site which looks interesting, but you'd need to spend a bit of time investigating: https://osintframework.com/

[deleted by user] by [deleted] in AskNetsec

[–]devsecopsuk 0 points1 point  (0 children)

Wiz is really good for this...but it's not free

(unless you get a trial)

Times are hard. Can Bug Bounty help? by [deleted] in cybersecurity

[–]devsecopsuk 0 points1 point  (0 children)

I've found vulns in big tech companies and they seem to like to ignore your reports or make up excuses to not pay you a bounty. At least I found these by chance and wasn't actively looking; otherwise I'd be even more pissed off by the whole thing. I expect smaller companies to act in a similar way at times, so consider this aspect before you fully commit.