Penetration Testing Profile
- My first steps into penetration testing started with UNRESTRICTED, SIMULATED attack testing with an elite team in APAC in 2000. This position lasted 5 years before Verizon Business acquired Trusecure’s Asia Pacific professional services. I contributed significantly in finding quite often exotic vulnerabilities in customer networks. The Monetary Authority of Singapore mandated our team as penetration testing service providers for any financial institution wishing to do business in Singapore.
- I was the native English speaker in the team and so took on the task of communicating findings to stakeholders of different levels of IT experience.
- My publication (Security De-Engineering Taylor-Francis Publications - ISBN-10: 1439868344) included 3 chapters on penetration testing and the work received rave reviews from some of the most influential people in the field.
- PwC in 2007 was my first step into application security with blind OWASP testing (DAST) for 8 clients in banking and there was one telco. Since that time blind Appsec has featured heavily in internal and external engagements.
- Through the next 15 years, I performed external and internal appsec and vulnerability assessments, developed vulnerability management capabilities (full risk treatment cycles) at the HLD and LLD phases, leading into Security Operations and service management integration.
- The technologies I worked with: multiple assessment tools, many of which are integrated into Kali Linux today. Symantec CCS. Rapid 7 Insight VM, Tenable SC, Qualys, OpenVAS, Nessus (unauthneicated VA scans), Mcafee VM (formerly Foundstone).
- I developed a tool for Oracle Database 10g, 11g, 12c vulnerability assessment with DBA credentials which was used in several larger organisations in Indonesia.
- In small consultancies I was seen as the go-to resource for penetration testing because of good reviews from their clients.
- Of all the security capabilities, vulnerability management is the one with which I had most exposure in 20 years.
- Various public sector agencies - performed pre-cursor tests in lieu of independent 3rd party penetration tests
Security Macromorphosis
Latest Blog Post
BASH cli Scripts for CIS Benchmarks for Azure
Aug. 24, 2023, 11:30 p.m.
Like the catchy title?
Anyway - here's a few cheeky scripts for testing a handful (for now) of aspects of the CIS Benchmarks 2.0 for Azure. You have to populate the subscriptions.txt file for each.
Each subdirectory under the repository root corrresponds with a CIS Benchmark reference for Azure 2.0:
Publication
Security
De-engineering
Security De-engineering, published by Taylor Francis, covers ubiquitous problems in information security and offers a solution in the final chapter
Areas covered: Penetration testing, Hackers, CASEs (Checklists and Standards Evangelists), IDS, Cloud Security, jobs in security, Identity Management, and organisational elements.
Partners
Literatecode
Literatecode was established in 2003 as an informal R&D lab and reorganized to a registered business in 2012.
Literatecode specializes in applied research and experimental development to help companies and individuals defend themselves against security threats.