Comment by throwaway81523
4 years ago
I'm fairly good at crypto (not as good as Colin of course) but I think that's not of that much help in general security stuff. Pen testing = knowing all the bugs and code smells in the popular Javascript frameworks, 0 days in a zillion libraries like log4j, etc. I'm basically resigned that the modern web is bloaty buggy crap and so I haven't found it worthwhile to get too familiar with its workings. I have gotten some fairly pure crypto gigs here and there, but I think wider security, especially web security, is a much bigger and messier subject.
much bigger and messier subject
Exactly. I won't touch gigs like that; the closest I'll get is to make a point about "keep your system at minimalist as possible" during general security review.
Heck, I'm unlikely to even take code review gigs any more -- IIRC the last time I did one of those it was reviewing STUD before Bump released it.
The difference is the level of knowledge required. Deep vs wide. To pick a nit, too, customers use the term pen testing very broadly. So, it could just be internals and externals, could be app sec, etc. I haven’t found a ton of changes all that important in the last decade in web app testing.