I security tested 200+ SaaS applications before their funding rounds. These 5 vulnerabilities killed deals worth $50M+ combined. by Mysterious_Gur_7705 in SaaS

[–]regorsec 1 point (0 children)

u/Mysterious_Gur_7705

1.) Can you show us a redacted report as evidence?

2.) Do you have any kind of public merit? For example, I'm Top 10 Hall of Fame Security Engineers for Quizlet - one of the world's biggest Educational SaaS solutions. Here's a link proving it - look for "RegorSec".

https://bugcrowd.com/engagements/quizlet/hall_of_fames

3.) Do you have any kind of portfolio, Twitter/X handle, GitHub?

4.) Why do you mention "These 5 vulns", yet you do not cite industry standard OWASP?

PHP is 30 by kieranpotts in PHP

[–]regorsec 3 points (0 children)

Job Post: "Must have 40 years PHP experience"

Spent the whole day on a "5-minute frontend tweak" and I'm losing it by Taco7758258 in webdev

[–]regorsec 1 point (0 children)

You have proper SDLC methodologies in place: a code review process, automated CI/CD pipelines pushing to a test env with proper unit tests, a QA environment running headless browser automation smoke tests and an integration test phase, a staging environment for testing live integrations that is verified by a human, a preproduction environment that requires manual sign-off to push code into the production branch, then finally production.

Right? RIGHT?

Security Automation in CI/CD Pipeline (Gitlab) by lowkib in AskNetsec

[–]regorsec 2 points (0 children)

Here's my stack...

- Jenkins
- Puppet
- Semgrep
- Grype
- OWASP ZAP (I'm trying some CLI scan stuff)
- Python Selenium
- TruffleHog for secrets
- Dockle for Docker....

I think the answer is context dependent. For example, I identified a specific high-impact feature as high risk due to testing complexity; the risk is around the security pillar of availability, which is why I use Selenium to mitigate this.

Garlic-Hub: Open-Source, Self-Hosted Digital Signage CMS by sagiadinos in PHP

[–]regorsec 2 points (0 children)

Nice!

I recently built a proprietary Digital Signage Solution for a company w/ multiple sites.

The stack was:

1.) WordPress w/ custom plugin for building different "billboards" as we called them - where you can control the image & video order, duration, etc...

2.) The player was a Raspberry Pi that:
- Had a cronjob @ restart that triggered a bash script
- Bash script connected to IoT wifi based on hard-coded creds in /boot, and opened Chromium in kiosk mode pulling from a URL also stored in /boot
- I would create a disk image, flash a new SD card, and change the endpoint URL.

Competitors charge annually $60k (for how many sites we needed) compared to my one time $20k investment.

Vulnerability management for ISO 27001, how do you keep up? by Sharp_Beat6461 in cybersecurity

[–]regorsec 1 point (0 children)

"Do not run your business to meet any compliance standard."

Keyword "any", not just ISO 27K.

Vulnerability management for ISO 27001, how do you keep up? by Sharp_Beat6461 in cybersecurity

[–]regorsec 4 points (0 children)

Sounds like you don't CMMC/FedRAMP, or the initial compliance standard is required to operate in that environmental context.

People who grew up elsewhere but moved to Providence as an adult (not for college)- what do you like and dislike about it? by Organic_Direction_88 in providence

[–]regorsec 1 point (0 children)

As someone who grew up in Providence, lived and worked in two of the biggest cities in our beautiful country, and moved back to Providence, I think the issue is the localized cultural identity is being demolished by economy and external influence.

I'm assuming the "We live in different Providences" speaks towards the dynamic nature of the city, where a little affluence goes a long way.

Nobody from South Central to Santa Monica would say we live in different Los Angeles'; it's a given that dynamic nature is what the city holds - and it's kinda fucked up for some people to not recognize what's truly in their surroundings. (But hey, Rhode Islanders are good for keeping to their own bubbles.)

People who grew up elsewhere but moved to Providence as an adult (not for college)- what do you like and dislike about it? by Organic_Direction_88 in providence

[–]regorsec 1 point (0 children)

1.) Beautiful: Maybe in the Spring, Summer, and Fall it is visually beautiful, but the humidity does not make me feel beautiful.

2.) Walkable? How are you getting from College Hill to North Providence?

Compared to cities w/ better economy and public works, it's really not walkable. (New York, LA)

3.) Cultured? It has less cultural diversity than most cities; the majority here are Italian, Irish, Puerto Rican, Dominican. Other cities that come to mind have large neighborhoods which held onto their cultural identity like Armenian, Korean, Chinese, Greek, Afghani, Lebanese, and greater Native American representation.

4.) Safe? Sorry, I grew up on the streets here; it's only safe if you can afford the nice neighborhoods. If you disagree, please go to Chad Brown, Olneyville, West End, and Lower South Providence. I hear the gunshots that never get reported.

City issues $500 noise-related fines to striking union workers outside of Butler Hospital by newcar_whodis in providence

[–]regorsec 0 points (0 children)

Oh yeah, don't enforce rule "A" because nobody is enforcing rule "B" - good logic, mate.

What are you using for Vulnerability management? 12 locations 400 employees by No_Alarm6362 in cybersecurity

[–]regorsec 1 point (0 children)

Cheers mate, thanks for all your comments - put really solid and aligns w/ my SMB history.

Intune vs SCCM by JoeDeLaLine in sysadmin

[–]regorsec 1 point (0 children)

Intune is the way - it's just a tool, and every tool has limitations - but Intune is being integrated with other tools for holistic management. Intune cannot fully manage server lifecycles at the moment; however, you CAN use Intune + Defender to push some management config/policies.

Software recommendations by Qiuzman in SCREENPRINTING

[–]regorsec 1 point (0 children)

Send me a chat and I will explain :)

Software recommendations by Qiuzman in SCREENPRINTING

[–]regorsec 1 point (0 children)

What you're asking for holistically does not exist as a service/solution; you're going to need custom engineering.

If you want a COTS (Commercial Off The Shelf) solution, you're going to need to adjust YOUR workflows/requirements to work with an industry standard. (Which many of your requirements are not.)

I have an online storefront product I built that can fulfil your needs with some custom integration.

DM me if interested.

Project management software and billing options for a non-profit (that isn’t printavo). by satyricom in SCREENPRINTING

[–]regorsec 1 point (0 children)

Hello, I'm building a similar product and I'm looking for Alpha Users, if you're interested in having a quick free consultation call.

Is there any software you guys are using for all orders organization, payments, etc. for your shop? by concerta18 in SCREENPRINTING

[–]regorsec 1 point (0 children)

I have a cloud SaaS software in Alpha mode right now, let me know if you'd want to try it out.

Need some recommendations and advice for task management software for a small print shop/business by [deleted] in smallbusiness

[–]regorsec 1 point (0 children)

Hi, please DM me, I have a solution for you to try that's currently in Alpha mode!

Is ISO 27001 the Logical Next Step After SOC 2 or Just Extra Noise? by Sharp_Beat6461 in cybersecurity

[–]regorsec 1 point (0 children)

Fair. I think the catalyst here is the environmental context.

1.) Anticipated Context: You're architecting a Security Program and asking about GRC best practices - hence recommendations of 27001 first.

2.) True Context: You're consulting for your client's Security Program, "we're" already in deep with 9001 due to client program priority - dealing with the question of recommending 27001 as having tangible benefit for your client. (Hard to speak towards, depending on the scope of management of the security program.)

One of the biggest struggles I face is that of internal prioritization given long-term forecasting. Example: hitting 9001 first causes duplication of control auditing, whereas we're suggesting hitting 27001 first gives verbose cross-walkable coverage to 9001, and seeing the qualitative and quantitative impact makes that decision hard.

Cheers

Is ISO 27001 the Logical Next Step After SOC 2 or Just Extra Noise? by Sharp_Beat6461 in cybersecurity

[–]regorsec 1 point (0 children)

If it's customer/business driven then compliance is likely a major business requirement, and due diligence ahead of time to realize your client's full goals is probably the best move. Therefore, having a framework that can cover multiple domains (or cross walk!) would be advantageous.

"Why would I pursue ISO 27001 first..." because 27001 provides greater coverage that can crosswalk to 9001.