
When to pentest, when to scan and when to put a bounty out
Following on from one of my previous posts, the relevance of penetration testing is undergoing a lot of scrutiny with the rise of bug bounty programs. I agree with these programs based on a single premise: I have a very specific method or mindset for performing activities and testing, the limitations of which will not meet the needs of larger organisations with very well matured applications or a large attack surface. Using a number of high-quality resources will only strengthen the assurance process. As an occasional participant in bug bounties, the learning opportunity is massive; I am exposed to applications and sites that I would otherwise be unable to interact with. Having stated this, bug bounties are not for everyone.
Edward Farrell | 30 Oct