https://twitter.com/thecybermentor/status/1207559600616161281?s=20
This one link gives a head start on where to begin and what to do to enter the world of cybersecurity.
This one is a really informative security conference. You must check this out.
If you are really into red teaming, check this one out.
This one link has the most up-to-date Git repository for everything you need to do in app pentesting. The cool part is that it comes with a guide.
https://github.com/OWASP/owasp-mstg
NIST introduced free intro courses to get familiarized with the standards.
https://csrc.nist.gov/projects/cybersecurity-framework/filters#/csf/filters
https://csrc.nist.gov/News/2024/online-intro-courses-for-nist-sp-800-53
https://github.com/ChrisJr404/HackerToolkit --- Contains all the required hacker tooling.
Before you buy your next Web App pentest, please read this...
There are loads of FREE ways to identify most of the vulnerabilities that you pay your penetration tester to find.
I'm not talking about complex tools that require months to learn, or dodgy scripts written by god-knows-who.
I'm talking about enterprise-grade tools, written by commercial vendors, with long-term support and designed to be used by engineers and developers (they're all also pipeline friendly).
All of these tools produce human-readable findings, with detailed descriptions and steps to remediate.
I've personally used these tools for years, and have integrated them all into the Cytix SDLC.
1) Let's start with the codebase. I'd like to highlight Semgrep. It's simple, easy to use, has a nice SaaS UI, and supports an insane range of languages. It's also super easy to build into existing CI.
2) Now let's talk about DevOps. Two suggestions here. The first is Trivy by Aqua Security, which smashes lightweight container scanning. The second is Amazon Web Services (AWS) / Microsoft Azure's inbuilt security tooling. OK, you do pay a small fee for this as part of your subscription, but they're honestly a great option.
3) Dynamic Testing... It has to be ZAP by Simon Bennetts & co. You've likely heard of it but, if not, check it out. Just load up the UI, and click-to-run. You can customise and tweak it to your heart's content, but straight out of the box it'll pick up a lot of low-hanging fruit.
Sure, tools produce false positives too, and there are vulnerabilities they can't find yet... but even just spending a few hours running through these before your next pentest is going to shrink your report by half.
PS: I'm not telling you this to be nice. I'm telling you this because, speaking as someone who's been testing for well over a decade now, I'm bored and I'm tired of reporting the same simple findings over and over.
Please find them, please fix them, please don't pay me thousands of pounds to tell you something you can find out at the click of a button. I'd rather be finding cool and interesting stuff, and I'm sure you would rather I was doing that too.