Comment by dvtrn

3 years ago

Once got to read a “penetration test report” that a past employer received and paid $30,000 for after badgering the Infosec Director to see it.

The “methodology” was as comprehensive and revealing as a ping test. The doc contained a single screenshot and was riddled with both grammatical and technical errors about the environment they were supposed to be ‘penetrating’.

Made me wonder if I’m in the wrong segment of tech if this is what companies are throwing away for such shitty tests when I know I could do a better job.

In a previous role I decided to open ZAP for some quick debugging, but during it I decided to just edit the user id that was being sent in my request, and to my horror our app sent me all the data for whatever user id I would send!

This was a project that had millions of dollars in man hours and where many developers with a lot more experience than me had worked for years…

Bottom line, they had a monkey-patched custom framework that was just Django without documentation and with huge security holes…

I sometimes wonder if that industry exists because if suits don’t see $30k to fix checking a user id, they couldn’t be bothered to have engineers do “useless” tickets to pen test their own systems
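The user-id bug described above (a missing object-level authorization check) next to its hardened form, as an added example that is not code from this thread or from the app discussed. It is framework-agnostic Python that mimics Django's request/user pattern without importing Django; the `Request` stand-in, the view names and the profile data are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data store: user_id -> profile record.
PROFILES = {
    101: {"email": "alice@example.test", "ssn_last4": "1234"},
    102: {"email": "bob@example.test", "ssn_last4": "9876"},
}


@dataclass
class Request:
    """Minimal stand-in for a framework request (hypothetical, not Django's)."""
    user_id: int   # identity established by the session cookie, not client-supplied
    params: dict   # client-controlled query/body parameters (what ZAP lets you edit)


class Forbidden(Exception):
    pass


def profile_view_vulnerable(request: Request) -> dict:
    """The bug in the story: trusts the client-supplied 'user_id' parameter."""
    target = int(request.params["user_id"])
    return PROFILES[target]  # any logged-in user can read any profile


def profile_view_hardened(request: Request) -> dict:
    """Derives the record from the session identity; the client cannot choose it."""
    return PROFILES[request.user_id]


def profile_view_hardened_with_param(request: Request) -> dict:
    """When a client-supplied id is unavoidable, enforce ownership before lookup."""
    target = int(request.params["user_id"])
    if target != request.user_id:
        raise Forbidden(f"user {request.user_id} may not read profile {target}")
    return PROFILES[target]


def leaks_other_users_data(view) -> bool:
    """Alice (101) asks for Bob's (102) profile; True if the view hands it over."""
    req = Request(user_id=101, params={"user_id": "102"})
    try:
        return view(req) == PROFILES[102]
    except Forbidden:
        return False
```

The same check belongs in a test suite so that a refactor (or a monkey-patched framework) cannot silently drop it.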