Saturday, July 12, 2025

Security Testing Journal Entry | w/e Friday July 12, 2025 - "My Nine Months at Secure Ideas" Ed.


Highlights from a career pivot

What we learn from failure, and what we do with that knowledge, is what matters — M. Bloomberg

So here's a quick recap of how it went with my time at Secure Ideas since my last post:

  1. JANUARY

    • THE GOOD:
      • Had just come back from holiday break. Lots of report writing and CISSP. Lots of constructive feedback and learning.
    • THE BAD:
      • Attempted my first blog and received some feedback regarding the subject. Completely missed the assignment.
    • THE UGLY:
      • My inexperience was showing.
  2. FEBRUARY

    • THE GOOD:
      • Awesome client-facing experience (funny guy!).
      • Documentation for mobile is on-point!
      • First network PT went well.
      • CISSP studying going well.
    • THE BAD:
      • End of month - the project was severely underscoped, had to do way more as a junior; no help from partner (who was a principal).
      • Needed to pull in extra resources to get the API test done.
    • THE UGLY:
      • The report for the project was late because we ran into issues early in the project.
  3. MARCH

    • THE GOOD:
      • Learned a lot about passive recon.

        VHosts (virtual hosts) - 1 server / 1 IP serving multiple hostnames (websites), distinguished by the Host header.

        PTR records (reverse DNS lookup) - a PTR ("pointer") record maps an IP address back to a hostname; a reverse lookup queries the PTR name for a given IP address (e.g. x.x.x.x becomes a name under in-addr.arpa).

      • Be quiet; no active interaction with the host. Recon: learn as much as possible about the external footprint, looking for hostnames, CIDR subnets, and domains.

        Following any kind of a scan, be sure you save it and upload the data to Engagements

        Access-Control-Allow-Origin is missing - that it's missing is intentional; without the header the browser's same-origin policy applies, so cross-origin scripts (AJAX/fetch) cannot read the response.

    • THE BAD:
      • CISSP Studies - need more practice. Struggling a little bit to keep up.
    • THE UGLY:
      • rookie mistake no. 1 - Had a report go out where I forgot to update the TOC until late.

        Whenever there are any kind of structural changes to the report, where headers are renamed, always always always update the TOC right before pushing it up for review. How did it happen? We got hung up in the details of the bigger finding and made sure all pertinent details that mattered were in, and I forgot to update the TOC.
  4. APRIL

    • THE GOOD:
      • Holy Week .. lots of reflecting and gratitude for the good job
      • Spent a lot of time with our home-grown vulnerability labs ... good practice with API testing, CORS, etc.
      • Moving through API training with great success; Active Directory home lab completed; finally got a blog post published.
      • Lots of compliments on the documentation revamp.
    • THE BAD:
      • rookie mistake no. 2 - as mentioned .. not updating the TOC;

        rookie mistake no. 3 - During the meeting with the client, a JS vulnerability was recorded with no corresponding CVE.

        It was found during the call (with a proper search). How did it happen? Not searching diligently enough.

        rookie mistake no. 4 - I reviewed a report I had helped write.

        The feedback was for the new content. Per the process, anyone who collaborates on a report, or helps to write it, cannot be a reviewer

      • Another quiet week not on a billable project.

        Feeling a bit worried / vulnerable / insecure about my work. And with taking off on 6/25, it moved me off a project making me on the bench from the end of May through June and beyond. I've been assured things are going to pick up, but I've heard that before ... it didn't end well.

    • THE UGLY:
      • rookie mistake no. 5 - As I had completed several blog posts, one of them set off alarms.

        The repositories I was referencing were NOT for public use.
      • Mentor has been MIA for quite some time. Without his help/guidance, been feeling like I'm drowning. Truism: No one is coming to save you!
      • Some steps in the client-provided documentation were missed. Something to do with sign-up .. can't remember.
  5. MAY

    • THE GOOD:
      • Got to see Mom for her birthday!
      • Had a productive week where I got to help
      • New project with my "AWOL mentor" and favorite API wizard
    • THE BAD:
      • Things started to come unglued after the ZERO report.

        rookie mistake no. 6 - I tested the file upload component on the website like QA, not HACKER. In so doing, I uploaded a link from an app that should absolutely NOT have happened. It led to finding a vulnerability, but because of the way this was tested, I presented the likelihood of introducing risk to the client and putting SI in a bind. As it were, the component was inadequately tested. I've corrected this mistake, but this was bad!!

      • rookie mistake no. 7 - failing to follow process.

        I thought the report was good-to-go, and in my hubris, put it up for review. The report feedback was scathing and the CEO torched it. Although it was collaborative, and it could have been done better, the authorship fell on me as the primary agent responsible for it. NO BUENO!
      • New project the following week, and everything went well until the report. It took several rewrites and a lot of late nights to get it to done. Another situation where I was the author and bore the full responsibility, but it was collaborative and others had issues as well. Can you see the pattern .. things were getting worse for me
    • THE UGLY:
      • Bad became worse as my two blog posts were shredded beyond hope. I completely missed the assignment.
      • Concerns were raised regarding my performance. I was not excellent and had failed on many levels.
      • Beginning of the end for me ...
      • KEY TAKE-AWAYS FROM A BAD MONTH:
        • The client comes first.
        • The report is a receipt of services rendered along with being a statement of competence in the service provider. You cannot fail them.
        • Always follow the process and be transparent about when things are being done; report readiness.
        • Be Humble. You're not as good as you think you are. There's always room for growth.
        • Do better.
        • Ask lots of question; clarifying questions that help you do your job better.
        • Get better with the tools (ie, Burp Suite Pro) and technology (Windows, AD, Networking, etc.).
        • Time is money. Don't waste it.
        • Revisit the Portswigger labs and re-learn.
        • Learn from this and move on. Don't dwell in the failure of the past.
  6. JUNE

    • THE GOOD:
      • Last week in May -- Trip to Jacksonville to meet the CEO and co-workers.
      • Progressively getting better with report writing, but more work still needed. Manager sees significant improvement. Good job!!
    • THE BAD:
      • The trip was a PIP in disguise. Fell way behind on career progression to the next level.
      • Failed to meet expectations - performance was subpar.
      • First Friday of June - 86d.
    • THE UGLY:
      • I hated having to go to work to hear that I have cultural issues that need attention; my work is in jeopardy ... again!
      • I hated the hotel I was at.
      • Lost the best job I've had in a long while and have only myself to blame. The first two weeks were a nightmare.
      • It's taken me a solid month to process the loss, and from it I finally got to confront the final element of what has been holding me back.
  7. JULY

    • THE GOOD:
      • Nothing good so far.
    • THE BAD:
      • Four weeks and no Unemployment Money yet.
      • 25 jobs applied to so far, 8 rejections, not one phone call.
    • THE UGLY:
      • Job Market for 2025 is without a doubt the worst ever!!

    No question this was a longer recap than I anticipated. I am eternally grateful for the chance at getting to work in pen testing for as long as I did. I learned a metric ton and made some invaluable connections. Met amazing people and I have nothing but the utmost regard for the opportunity. I am stronger, smarter, and wiser as a result. Yes, there were a lot of mistakes. The kind of mistakes that could have been avoided with the proper guidance. Sadly, that's been the story of my life: figure it out or fail forward and learn the hard way.

    Wife has been super-supportive, despite calls for divorce, which I half expected. Having a steady paycheck and benefits was awesome. Getting fired from a "prayer's answered" job hurt like hell. Still does. But the experience was immeasurable .. and despite the mistakes, I am better for it.
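The passive-recon notes in the March entry above (PTR records, VHosts, CIDR subnets) are the kind of thing that is easier to see in code. The following is an added example, not code from the original post or from Secure Ideas: it builds the reverse-DNS query name for an address by hand (the name a PTR lookup actually asks the resolver for), lists the PTR names a quiet sweep of a CIDR would need, and groups constructed forward (A) records by IP to spot servers that host several names, i.e. likely virtual hosts. All hostnames and addresses below are constructed sample data in documentation ranges, not real targets.

```python
"""Passive reverse-DNS and virtual-host bookkeeping (added example).

Nothing here touches the network: it only prepares queries and
organises answers that a passive recon pass would have collected.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data: forward A records gathered passively
# (e.g. from certificate transparency or passive DNS), as (name, ip).
A_RECORDS = [
    ("www.example.test", "203.0.113.10"),
    ("shop.example.test", "203.0.113.10"),
    ("dev.example.test", "203.0.113.10"),
    ("mail.example.test", "203.0.113.25"),
    ("vpn.example.test", "198.51.100.7"),
]

# Constructed sample PTR answers keyed by IP; 198.51.100.7 has none.
PTR_ANSWERS = {
    "203.0.113.10": "web01.hosting.example.test",
    "203.0.113.25": "mail.example.test",
}


def ptr_query_name(ip: str) -> str:
    """Return the PTR query name for an IPv4 or IPv6 address.

    IPv4: octets reversed under in-addr.arpa (10.113.0.203.in-addr.arpa).
    IPv6: every hex nibble of the fully expanded address reversed under
    ip6.arpa, so there are 32 labels before the suffix.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def cidr_ptr_queries(cidr: str) -> list:
    """PTR names for every host address in a CIDR block (network and
    broadcast addresses excluded), in address order."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [ptr_query_name(str(ip)) for ip in net.hosts()]


def vhost_inventory(a_records, ptr_answers) -> dict:
    """Group forward names by IP and annotate each IP with its PTR data.

    likely_vhost: more than one forward name points at the same IP, so
    the server almost certainly selects a site by Host header.
    ptr_forward_confirmed: the PTR name is also one of the forward names
    for that IP (forward-confirmed reverse DNS).
    """
    by_ip = defaultdict(set)
    for name, ip in a_records:
        by_ip[str(ipaddress.ip_address(ip))].add(name.lower().rstrip("."))

    inventory = {}
    for ip, names in by_ip.items():
        ptr = ptr_answers.get(ip)
        inventory[ip] = {
            "ptr_query": ptr_query_name(ip),
            "ptr_name": ptr,
            "forward_names": sorted(names),
            "likely_vhost": len(names) > 1,
            "ptr_forward_confirmed": ptr is not None and ptr.lower() in names,
        }
    return inventory


if __name__ == "__main__":
    for ip, info in sorted(vhost_inventory(A_RECORDS, PTR_ANSWERS).items()):
        print(ip, info)
    print(cidr_ptr_queries("203.0.113.8/30"))
```

Run it as a script to print the inventory for the constructed records; in a real engagement the A records and PTR answers would come from the passive sources you already have, and the PTR query names are what you would hand to the resolver only once active queries are in scope.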
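The March note about a missing Access-Control-Allow-Origin header, and the CORS lab practice mentioned in April, come down to one question: given the Origin a page sent and the headers that came back, can that page's script read the response, and with the victim's cookies? The following is an added example, not code from the original post or from Secure Ideas. It evaluates a response the way a browser would, and puts a deliberately misconfigured origin-reflecting server next to an allowlisting one so the difference shows up in the probe result. The origins and the allowlist are constructed for the example.

```python
"""CORS response assessment with a vulnerable and a hardened server (added example)."""

# Constructed allowlist for the hardened server.
ALLOWED_ORIGINS = {"https://app.example.test"}


def assess_cors(origin: str, headers: dict) -> dict:
    """Decide whether a cross-origin script at `origin` can read a response
    carrying `headers`, and whether it can do so with credentials.

    Mirrors the browser rules: no header -> same-origin policy blocks the
    read; '*' -> readable by anyone but never credentialed; exact match ->
    readable, credentialed only if Allow-Credentials is 'true'.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return {"readable": False, "with_credentials": False,
                "note": "no ACAO header; same-origin policy blocks cross-origin reads"}
    if acao == "*":
        note = "wildcard: any origin can read, never with credentials"
        if creds:
            note += " (browsers reject credentials with '*')"
        return {"readable": True, "with_credentials": False, "note": note}
    if acao == "null":
        ok = origin == "null"
        return {"readable": ok, "with_credentials": ok and creds,
                "note": "'null' origin allowed; sandboxed iframes can claim it"}
    if acao.lower() == origin.lower():
        return {"readable": True, "with_credentials": creds,
                "note": "exact origin match"}
    return {"readable": False, "with_credentials": False,
            "note": "ACAO does not match the request Origin"}


def reflecting_server(origin: str) -> dict:
    """Misconfiguration: echoes any Origin back and allows credentials,
    so any site can read the victim's authenticated responses."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def allowlist_server(origin: str) -> dict:
    """Hardened: only exact allowlisted origins get the header; everyone
    else gets no ACAO at all, which is the 'missing header' case above."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


def probe(server, origins) -> list:
    """Return the origins for which a credentialed cross-origin read would
    succeed against `server` (a callable standing in for a live target)."""
    return [o for o in origins if assess_cors(o, server(o))["with_credentials"]]


if __name__ == "__main__":
    candidates = ["https://app.example.test", "https://evil.example.test"]
    print("reflecting:", probe(reflecting_server, candidates))
    print("allowlist: ", probe(allowlist_server, candidates))
```

When testing a live target, send the same two or three Origins (the real one, an attacker one, and the real one with a prefix or suffix) and feed each response's headers to `assess_cors`; an attacker origin showing up in the credentialed list is the finding.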

Sunday, December 22, 2024

Security Testing Journal Entry | w/e Friday December 20, 2024 - "Christmas Holiday" Ed.


Highlights for the week

On paper it should have been a super busy week. In practice, things went well. The client was delayed in providing needed resources, but when they did, testing was efficient and effective. Report write-up was smooth and deliverables are near complete.

That I'm three months in and hearing myself talk about pen testing is such a thrill. I don't know that I'm ever going to come down from that cloud, and I'm super-appreciative of everything and everyone. I am where I belong. And I've never felt more excited about that in a long time.

What We’re Grateful For

  1. I know I said it before, but I'll keep saying it. I'm beyond grateful for everyone I work with.
  2. I'm grateful for the job I have and the opportunities for learning, doing and growing. I don't look at what I don't know, I look at what new thing I get to learn.
  3. I'm eternally grateful for my family and friends, near and far.

What We Loved

  1. LOVED EVERYTHING!!!

What We Learned

  1. Learned how to properly pen test an API. I know there's more I could still learn ... always!
  2. I got the chance to work with MobSF - an automation framework for mobile iOS and Android. Really cool thing to learn.
  3. I got to see how an SDK is tested. There's a lot I wasn't privy to, but there's so much to want to do.
  4. Another successful week of Web App Pen Testing. I'm sure there are scenarios I never tried, but I love getting to keep doing.

What We Longed For

  1. Need more time to practice my tests for CISSP.

What We Loathed

  1. Nothing. Holidays are here and I'm loving every moment of it.

Saturday, December 7, 2024

Security Testing Journal Entry | w/e Friday December 6, 2024 - "Delta, Omni, and IANS" Ed.


Highlights for the week

A very fun 3 day on-site testing engagement with a Cybersecurity company. Tons of fun and lessons learned. Networked with amazing people and got the opportunity to gain new skills and experiences. At the conclusion of it all, gained some insight on how a department is set up, their needs, and left room for continued support.

The flight on Delta was phenomenal. Smooth onboarding, quick flight, and enjoyable experience.

The hotel was posh and elegant. The downtown area was beautiful, but expensive. Same for my lobster roll.

What We’re Grateful For

  1. EVERYTHING!! Grateful for the job, the opportunities presented, and so much more!

What We Loved

  1. EVERYTHING!! The travel, the onsite experience, the new relationships built. All fun!

What We Learned

  1. EVERYTHING!! Lots of fun, testing Mac, and so on.

What We Longed For

  1. Not this time!

What We Loathed

  1. Nothing!

Saturday, November 30, 2024

Security Testing Journal Entry | w/e Friday November 29, 2024 - "Thanksgiving" Ed.


Highlights for the week

This was a short week full of a lot of amazing things. Work has been nothing short of spectacular, learning so much every single day. The most fun I had was writing the test reports and gaining more exposure to the process. Because the holidays are in full swing, I will keep this entry short by expressing what I'm thankful for.

What We’re Thankful For:

  1. I would be remiss if I didn't start my list by saying that I'm eternally thankful for the Lord above and my grandma up in heaven watching down on our family. I believe she's heard my prayers and blessed our family with all the love she could give. Angels are definitely watching over us.
  2. I'm eternally thankful for the job I have. It is nothing but prayers answered, wish fulfilled, and manifestation made real all rolled into one. I smile every day for the experience of working on the career of my dreams and being surrounded by brilliant people.
  3. I'm blessed by having a wonderful family and loved ones. Sure wife and I are not where we should be, but we're not where we could have been .. divorced! Working on our reconnection is definitely a 2025 goal.
  4. I'm also thankful for having a wonderful son who's been the best. Sure, he gets testy at times, but he's got me for a father and I know how I can be at times.
  5. I'm thankful for mom, sister, and the rest of the family abroad. They are forever in my heart.
  6. I'm most proud of myself. Through hard work and discipline, I had the wherewithal to end the bullshit of hire/fire in a career that wasn't me. I'm now determined to work my hardest in this new endeavor. No fuck ups! LEARN - DO - GROW!

Saturday, November 23, 2024

Security Testing Journal Entry | w/e Friday November 23, 2024 - "Cool, Calm, and Collected" Ed.


Highlights for the week

What a wonderful week it has been. Since last post, I've had tremendous opportunities to work with more co-workers, learn more about network penetration testing, and reporting. It was amazing to do all the things and learn. It never ends. Side note! I need to sign up for my CISSP Cert.

What We’re Grateful For

  1. As always, beyond grateful to have a job that has been nothing short of all prayers answered. I will endeavor to make this the ultimate stop in my journey.
  2. With the holidays around the corner, I'm grateful that I'm in the right mental and financial headspace to enjoy the holidays.
  3. Love the family, at work and at home.

What We Loved

  1. EVERYTHING! Work is awesome! Just saying I have a job is enough for me to be beyond grateful, but to have the right career pivot is immeasurable.

What We Learned

  1. CISSP - Finished the book. Now it's on to studying the "problematic" modules, then take another test.
  2. Network Pen Testing - I learned more about tooling and process this week. I really really need to take a course in this.
  3. Pen Test Reporting - Learned so much about the process and writing style. As much as I'm reading the work of others, I want my own voice. Theoretically, it should be the one voice of the company. That will take practice. The feedback was incredible.

What We Longed For

  1. NOTHING! Been really good about time management and project delivery.

What We Loathed

  1. I hated turning my report in late. I own the delay based on the feedback given.

Sunday, November 17, 2024

Security Testing Journal Entry | w/e Friday November 15, 2024 - "Extra CISSP-ie" Ed.


Highlights for the week

Had an awesome time this week. Got paired up with another pair of talented individuals who have really taken the time to teach me some things. I have a quick test with my manager that I'm looking forward to and I have been offered the idea of combining what I know with what I've done, mainly in the avenue of training. Intriguing prospect to say the least.

Also, CISSP training is over, but the fun has just begun. I have to circle back to the areas I was weak at and redo them. My goal is to take another test then the modules and if I get consistent 70% or better, I'm going to take the test.

What We’re Grateful For

  1. Holidays are in full swing, and I'm super-grateful that I have a job and the resources to make things happen.
  2. As always, grateful for an awesome family, awesome job, and everything in between.

What We Loved

  1. Everything!

What We Learned

  1. More Network Pen testing things. Picture is getting clearer with each engagement.
  2. CISSP is over, and the cert training is in progress. Need to sign up to get certified.

What We Longed For

  1. Nothing.

What We Loathed

  1. Nothing this week.

Sunday, November 10, 2024

Security Testing Journal Entry | w/e Friday November 8, 2024 - "Get workin' on Network'n" Ed.


Highlights for the week

Had a tremendous week full of learning, writing, and interviewing. Got to conduct my first onsite test, met my manager in person, and learned a lot more about network pentesting.

What We’re Grateful For

  1. Just like I wrote last week, I'll never stop thanking the good lord for the wonderful job with wonderful people.
  2. With the holidays in full swing, I'm ever grateful for having a wonderful family and the means to provide.

What We Loved

  1. Looooved getting to work with my manager and conducting an onsite security assessment. Met some cool nurses too.
  2. Loved working with a co-worker patient enough to teach me a little more about getting network pen testing scans started.
  3. Thrilled that I got to write my first pentest report. The feedback was great.

What We Learned

  1. CISSP is in the final throes. 1 more chapter and I'm done. Need to circle back on the weaker chapters.
  2. Learned how to use recon-ng to perform OSINT on an IP.
  3. Learned how to set up my first internal and external network scan.
  4. Sent my first client communication.

What We Longed For

  1. Nothing!

What We Loathed

  1. Not really a loathe, but my project teammate was missing a bit and the project report is behind schedule by a bit. On a personal level, I don't have much to loathe.