Content provided by Chris Lindsey. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Chris Lindsey or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://it.player.fm/legal.

Penetration Testing - Nathaniel Shere

34:34
 

In Episode 07 of Secrets of AppSec Champions, "PenTesting with Nat Shere", Chris Lindsey hosts seasoned penetration tester Nathaniel Shere, currently Technical Services Director at Craft Compliance. Nathaniel shares his path into penetration testing, from a master's degree in cybersecurity to more than a decade of experience in the field. The two discuss pressing problems in the security industry: high stress levels, the pressure to stay current, and the often exaggerated weight placed on industry certifications. They agree that certifications, while useful for exposure to a body of material, are frequently given more importance than they deserve, to the point where holding a certification stands in for the skills a role actually requires.
The discussion then turns technical, covering the importance of robust error handling, visibility into an application's dependencies, and the real-world complexity of exploiting vulnerabilities such as SQL injection. Nathaniel recounts memorable engagements, including a Python script he wrote that uncovered critical security issues, and stresses the value of detection and monitoring for catching attackers in progress. The episode walks through the main penetration testing approaches (white box, black box and gray box) and the need to test against environments that faithfully mirror production, so that findings reflect what an attacker would actually face. Both speakers emphasize the value of the attacker's perspective in exposing security flaws, and the role of secure coding practices and multi-factor authentication in strengthening a security posture.
Chris and Nathaniel also touch on the ethics of penetration testing and the collaborative benefits it brings. Nathaniel highlights the importance of giving developers prioritized findings rather than an undifferentiated list, and the value of a pen test as a measure of real rather than theoretical risk. They agree that external penetration testing is needed for an unbiased evaluation, and recommend that internal pen testers collaborate with external experts to broaden their exposure. Altogether, the episode offers listeners a balanced view of the technical and human elements that make penetration testing succeed.

❇️ Key Topics with Timestamps
00:00 Career Progression in Cybersecurity Consultancy
05:03 Unexpected Access: Default Credentials and Security Breach
08:52 The Value of Penetration Testing in Development
12:19 Burp Suite: Demonstrating Data Theft Capabilities
14:59 Developers Overlooking Security Vulnerabilities: Common Mindset Mistakes
19:06 The Efficiency of Whitebox Testing in Application Assessment
21:52 Penetration Testing Reports and Web-Based Security Issues: An Internship Anecdote
26:12 The Importance of Internal and External Pen Testing
30:18 Managing Stress in Cybersecurity Career
32:50 The Value of Certifications in Security Learning
34:19 Promoting Shows: A Guide to Engaging Audiences

For more amazing application security information, please visit the following LinkedIn communities:
https://www.linkedin.com/company/appsec-hive

Provided by Mend.io (https://mend.io)
