The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
The Hacker's Cache
#21 Unpacking AppSec: Lessons and Insights with Jonathon Fuller
Kyser Clark interviews Jonathan Fuller, a seasoned cybersecurity professional with a diverse background in various roles, including penetration testing and application security. Jonathan shares his journey from being a NOC engineer to founding Advict Security, emphasizing the importance of delivering comprehensive information to clients during penetration tests. He discusses the balance between his day job and entrepreneurial efforts, the differences between penetration testing and application security, and his contributions to the PNPT course. The conversation concludes with Jonathan offering insights and advice for aspiring cybersecurity professionals and entrepreneurs.
Connect with Jonathon Fuller on LinkedIn: https://www.linkedin.com/in/jonathon-fuller/
- Penetration testing often leaves out valuable information in reports.
- Balancing a full-time job with entrepreneurship requires dedication.
- AppSec offers a more personal relationship with the applications being secured.
- Automation is key in creating consistent environments for students.
- Finding a need in the market is crucial for starting a business.
- Building a home lab can be done affordably with the right equipment.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
[Jonathon Fuller] (0:00 - 0:30)
It's like that one cousin you wish you weren't related to. You get to shape a lot of the company's growth or the website's growth or the mobile application's growth. You can quite literally shape what APIs it has available.
When you're working with AppSec for a web app, you're stuck with there, like for me, two years I'm working with that website and it's never going away. Whack-a-mole moments because they'll always pop up and you always need to whack them back down. AppSec forced my view of cybersecurity to be much more holistic.
[Kyser Clark] (0:30 - 2:54)
Hi, I'm Kyser Clark and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hey, before we dive in, just a quick heads up on the audio quality in this episode. It isn't up to my usual standard. Unfortunately, my recording software picked up my webcam mic instead of my studio mic, so you'll notice a difference on my end.
Luckily, the guest mic is on point, so it's not all bad, and the conversation is packed with valuable insights I don't want you to miss. If this is your first time tuning in, rest assured that episodes other than 20 and 21 sound much better, and if the audio quality is a deal breaker for you, I get it, but I hope you'll power through this one or check out another episode. Thank you for your understanding, and let's go ahead and get into it.
Hello, hello. Welcome to The Hacker's Cache. My name is Kyser Clark.
I have over six years experience in the cybersecurity field, and I currently work as a full-time penetration tester. Today, I have Jonathan Fuller, who has over seven years experience in the field. He started as an IT systems analyst consultant, did that for about two years, then he moved into network operations technician for almost a year and a half, then went into AWS security architect, did that for about nine months, then became a NOC engineer for a half year, moved into penetration testing, was a pen tester full-time for two years.
He did some cloud deployment architect and cloud security testing for TCM security, then he moved into application security engineer, did that for about half a year, and is currently a senior application security engineer for going on two years now, and he is also the founder and CEO of Avid Security and has been doing that for over a year now. For education, he has a bachelor of science in computer science, and for certifications, he has OPSEC certified security professional as OSCP, the AWS certified security specialty, and the AWS certified solutions architect associate. So, Jonathan, thanks so much for taking your time for doing this episode with me.
Go ahead, unpack your experience and introduce yourself to the audience.
[Jonathon Fuller] (2:55 - 6:24)
Yeah, absolutely. Yeah, my experience has definitely been all over the place. I graduated university right into the pandemic, and nobody wanted to hire all those wonderful junior individuals, so I spent a lot of time working on AWS certifications, and this was back in the day when they didn't require the cloud practitioner, a lot of jobs didn't, so I tried to beeline it to the security specialty, and along with doing the OSCP, I spent a lot of time wanting to break into InfoSec. I was just a lowly student consultant for the local state government, and then I wanted to break into more cybersecurity-related things, and that was when I helped also create CyberSecLabs, which was like a competitor to Hack the Box and TryHackMe, and that's the undisclosed part that I can probably change into disclosed now, and my friends and I, we created that platform. It was really cool to build AWS infrastructure, vulnerable machines, and that's really what got my feet wet with cybersecurity while I was still working for Genvid as a NOC engineer.
From there, I got my first pentesting job for Socklogix, delivered some web app tests, and helped clients remediate some of the wonderful, fun things that they had, and then that's when Heath reached out to me to help build the PNPT. Him and Joe had already created the majority of the vulnerable environment, and they just needed somebody that had that sweet, sweet AWS experience and vulnerable machine experience too, because there's lots of fun things you got to do in the cloud to make vulnerable machines talk to one another, and so that was when I helped him create the infrastructure for the PNPT, automations, lots of automations, and did some cloud security testing for him, and then from there, I bounced over to Colfire for a penetration tester. That was my first full-time big boy penetration testing job. It was going from first gear all the way to fifth gear, skipping all the gears in between, especially working for the AWS contract.
It was an intense part of my life, got a lot of the Linux terminal knowledge now that I carry around with me every day from just needing to be as efficient and quick and skilled as possible, and then from there, bounced over to being an AppSec engineer. That was where a co-worker of mine was already working for Redfin, and the grass is always green on the other side, as they say, and I wanted to see what it was like working for developers, being almost like a penetration tester, but solely for a single company and working closely with developers, and that really intrigued me, because I felt like sometimes clients weren't always the most receptive to my ability to get their attention, and with being an AppSec engineer, you don't go away as quickly. If the developers don't like you, they have to talk to you face-to-face. You can trap them, and that was where I'm at now with being an AppSec engineer, and then for now, for Jack in the Box, I've definitely helped implement the AppSec that we have now, vulnerability management, attack service management, all the acronyms, SAS, DAST, RASP, you get all the wonderful acronyms.
That's where I'm at now, while also creating my own penetration testing firm, an AppSec firm, because I felt like there was definitely room in the industry for somebody that brings with the pragmatic experience that I do have, brings those skills to clients to help them remediate and fix vulnerabilities as well.
[Kyser Clark] (6:27 - 7:02)
Nice. What a wealth of experience. Yeah, it is all over the place, but I think it all goes in together at one point or another.
Everything that you've done kind of manifests itself into this one really well-balanced professional that you are, and I think it's really interesting. I think what I want to know is, why did you get into... So you was in a NOC engineer role, and then you jumped into more cybersecurity stuff.
How did you bridge that gap between, yeah, I'm a network engineer to now I'm a cybersecurity professional, and what was some of the challenges that you faced making that transition?
[Jonathon Fuller] (7:03 - 8:29)
Yeah, I was a NOC engineer while I was also going to school, and my school only had a single cybersecurity course. And while I was in the cybersecurity course, there was a little advertisement for Kali Linux and the OSCP on the side, and I had close to zero knowledge of any cybersecurity whatsoever. So of course, my first idea was to look on Reddit, is the OSCP worth anything?
And then when all the comments were like, absolutely, absolutely, I was like, oh, this would be cool. This would be a fun learning experience. And then me about a year and a half into the whole experience, my eyes wide open looking like I'm a trauma individual seeing the worst behemoth of my life, scary ghost at night.
It was... I interpreted my OSCP experience to be the first obstacle for me to get the career and the experience that I wanted to. And even though I got beat down more than twice or three times, I kept looking at it that, hey, it's okay if I fail.
It's because I didn't have all the tools. I didn't even know of all the tools that were available to me. I was trying to learn the skills needed to pass the OSCP.
And that experience led me through learning about Homelab, learning about virtualization, learning about Linux, learning about everything that I didn't want to know about Windows. And I was able to tie those things together along with the network experience that I had been gaining as a NOC engineer, especially automation. And I think those things altogether helped me prepare for my cybersecurity career and to be lucky enough to be employed in the cybersecurity industry.
[Kyser Clark] (8:33 - 9:15)
Great to know. Hey, I wanted to tell you about my new cybersecurity insider list, where you get raw, unfiltered cybersecurity advice, tips, and hot takes, plus exclusive first looks at my content delivered directly to your inbox every single week. No flow for spam, just valuable content.
Head over to Kyserclark.com slash newsletter and level up your cybersecurity knowledge today. Once again, that's Kyserclark.com slash newsletter. There's also a link in the description.
All right, now back to the show. So let's go ahead and get into our wrap fire questions. Jonathan, are you ready for the wrap fire round?
[Jonathon Fuller] (9:16 - 9:17)
As brave as I'm going to be.
[Kyser Clark] (9:19 - 9:28)
It's a lot of thread, don't overthink them, just spit them out as fast as you can. And first thing comes to your mind, it doesn't even need to be a ride, just say it.
[Jonathon Fuller] (9:29 - 9:30)
Strawberries, how many arches does it have?
[Kyser Clark] (9:33 - 10:01)
All right, audience, for those who don't know, for those who are new to the show, Jonathan will have 30 seconds to answer five questions. If he answers all five questions in 30 seconds, you'll get a bonus six question that is unrelated to cybersecurity. And his time is going to start as soon as I stop asking the first question.
Kind of like family food, fast money. It's kind of very similar to that, except there's nobody else and there's no audience.
[Jonathon Fuller] (10:01 - 10:02)
There's no money.
[Kyser Clark] (10:03 - 10:19)
Yeah, there's no money, that's all I wanted to say. All right, so let's go ahead and get started. On a scale from one to 10, how useful are security audits?
[Jonathon Fuller] (10:20 - 10:21)
Seven.
[Kyser Clark] (10:22 - 10:25)
Have you ever collaborated with law enforcement on a case?
[Jonathon Fuller] (10:26 - 10:26)
No.
[Kyser Clark] (10:27 - 10:29)
What color font is your terminal?
[Jonathon Fuller] (10:33 - 10:34)
White with a little bit of blue.
[Kyser Clark] (10:35 - 10:37)
Most unique device you've ever hacked?
[Jonathon Fuller] (10:39 - 10:42)
A Dell PowerEdge server.
[Kyser Clark] (10:43 - 10:44)
Favorite capture a flag event?
[Jonathon Fuller] (10:48 - 10:49)
Don't have one.
[Kyser Clark] (10:54 - 10:55)
We're just over 30 seconds, unfortunately.
[Jonathon Fuller] (10:56 - 10:57)
Okay.
[Kyser Clark] (10:57 - 11:04)
So no bonus question this time, but you were almost there. You got 31.5 here, so.
[Jonathon Fuller] (11:05 - 11:07)
Okay. Because of the CTF trauma.
[Kyser Clark] (11:08 - 11:14)
Yeah, CTF trauma. There's a lot of events out there, and especially if you're not super active in CTFs.
[Jonathon Fuller] (11:14 - 11:21)
Well, it was like favorite, right? Because favorite has to be a good thing. It's all just trauma, a lot of it.
[Kyser Clark] (11:21 - 11:32)
Yeah. Yeah, I mean, that's a good point to make. If you don't have a favorite because you don't think it's worth pursuing, then that's actually worth talking about.
So is that how you feel about CTFs?
[Jonathon Fuller] (11:33 - 12:53)
I definitely enjoy CTFs. I think that they have something to offer. I just don't know if any events in general reached the point of where I thought the entire thing was like, yeah, I should do all the tasks, should do all the boxes, and I'll learn something.
I don't think there's little nuggets here and there, especially because vulnerable machines and CTFs are so difficult to create. I've been on the opposite side of the coin. But a lot of CTF events nowadays are just really...
Like I see some of the most recent hack-the-box machines, and they just teach the most wild things that I've ever seen in my life. I think the most traumatizing one that I've seen was I had, of course, passed cryptography for my degree. And I saw, I remember one machine, I saw EPSAC walking through it, trying to find the RSA prime number.
And that flashed so much trauma through my mind. And it gently reminded me of why I don't do all the modern hack-the-box machines. And I think that also says a lot about CTFs in general.
Of course, there are some good ones, right? I like having the hands-on experience when it comes to IoT devices, smaller devices, physical CTFs are actually really cool, even lock-picking ones. But when it comes to virtual CTFs, and especially cryptography ones, I will be walking in the opposite direction.
[Kyser Clark] (12:55 - 13:06)
Yeah, I totally agree with you when it comes to cryptography. There's seven layers of encoding that you have to decode. And it's like, man, why am I doing this?
[Jonathon Fuller] (13:06 - 13:08)
It was in the picture the whole time, right? Steganography.
[Kyser Clark] (13:08 - 13:37)
Yeah, I'm like, man, this is definitely CTFE. And it is frustrating, for sure, to run across that. So let's go ahead and dive into our main discussion.
And the first thing I want to talk about. So as the founder and CEO of AvikSecurity, can you tell me what AvikSecurity is and what it does? So you said something, you said pentesting and AppSec consulting.
Is there more than that? Or is that really like the cusp of what it is?
[Jonathon Fuller] (13:38 - 14:34)
That really is the cusp of what it is. And the large reason why I created it in the first place is that I felt like I wasn't able to deliver a lot of the value that I saw in engagements as a pentester to clients working for some of the bigger firms. And even as an AppSec engineer, sometimes I would have to reference old penetration tests to get a better understanding of my environment.
And I feel like a lot of times on penetration tests that a lot of the information that we gather as pentesters isn't always put out there into the report. Maybe if we gather 100% information that we do, maybe what 5% to 10% actually appears in the report. And I feel like that I can do better, that we can do better as pentesters to give more of that information to our clients.
And that was a huge reason as to why I created AvikSecurity as well. In addition to having the AppSec experience to help clients remediate more effectively, sniff out false positives, and provide more pragmatic solutions to their needs.
[Kyser Clark] (14:36 - 15:14)
Yeah, that's interesting you bring it up. You're right, only 5% to 10% of what we find on a pentest actually makes it in the report. There's so much that I'm seeing that doesn't make it in the report because I'm only reporting on the bad things typically.
And I might write a few notes about why this is good. But overall, the pentest report is mostly like a list of dirty laundry. And it's not everything.
And there's some things that you see in a pentest, this doesn't seem like it's a vulnerability. I can't exploit this. I don't see how this would help an attacker break into the network and you just don't put it in a report.
[Jonathon Fuller] (15:15 - 15:15)
Right.
[Kyser Clark] (15:15 - 15:17)
There is a lot of information that doesn't make them in the reports.
[Jonathon Fuller] (15:17 - 16:18)
Yeah, and especially as being a pentester, especially when you're doing internals, you get so much information as to what clients have running on the inside. Though a lot of times AppSec engineers or InfoSec teams don't have the tools or capabilities or time to gather information on internal systems. Like from one of the pentest reports that I had, I had noticed that a really ancient switch was still connected to the management port and still an active IP address on our network and wanted to get it removed.
But a lot of times I still refer to it as an AppSec engineer, pentest reports. And there's a ton of information on there. Even just mMap scans, graphs, graphs of what your attacking machine was able to touch, network layouts, all the topography, all that stuff is really, really useful information.
If not for remediation, then it's information. So I feel like a lot of AppSec and pentesting and even just company security is knowing what the heck you have in your environment, internally or externally facing. Those are the two biggest things, I think.
[Kyser Clark] (16:20 - 16:32)
Right. Yeah. Asset management is one of the biggest challenges in IT and being able to expose devices that they didn't know about in the network could be very beneficial for sure.
[Jonathon Fuller] (16:34 - 16:35)
Yeah. And I think that should...
[Kyser Clark] (16:36 - 16:37)
Go ahead.
[Jonathon Fuller] (16:37 - 16:59)
I was gonna say, and I think that should and helps quite a bit with that. That's been my favorite tool to set up for companies because you can just throw it a single domain and it sniffs out all your subdomains, all of your DNS records, and it displays to you in a single dashboard what ports you have open. And it's helped find a lot of stuff that a lot of companies that I've worked for didn't even know that they had.
So I think this is a pretty useful tool.
[Kyser Clark] (17:01 - 17:05)
Yeah, for sure. So how do you split time between your day job and your own company?
[Jonathon Fuller] (17:06 - 17:36)
Yeah. So the day job, straight up nine to five, because my wife also helps, works with the company with me and she also has a full-time job. So that's after dinner and as patience allows, seems to be going right now, especially with how busy everything is.
And then the weekends too, a lot of time is devoted to active security. I'm growing it. A lot of it needs to be worked on in terms of media presence, thought leadership, and attending events and those kinds of things.
That's really where I want to take it.
[Kyser Clark] (17:38 - 17:50)
And do you plan on making that like your full-time thing? Do you plan on leaving your current employer? I mean, if you can talk about that, if not, then we can just skip over, but do you plan on making that your full-time gig going forward?
[Jonathon Fuller] (17:50 - 18:42)
Yeah, eventually I would love to make active security my full-time job. Once the revenue supports me being able to work on a full-time. But right now I've got to put the bread on the table.
And I love working for my current employee. I really do enjoy my job. I can't say that I for a lot of the other previous employees that I've worked for, but I'm very thankful to be where I am now.
But always just wanted to get back into pen testing and offered additional little bit of information for clients. And with all that wonderful absolute experience I have now to being able to help clients remediate too, because my wife's family has other small businesses. And I see that a lot of times it comes down to, they just need help with PCI.
They just need help with setting up email servers. They need help with, wait, I didn't know that that was probably facing. Just stuff like that, being able to help companies with that is really rewarding.
[Kyser Clark] (18:45 - 19:33)
Yeah, for sure. I always tell myself we're out here protecting organizations, which ultimately are comprised of people and those organizations have customers. So when you're out there consulting with companies, what you're really doing is you're securing the internet and you're making the internet a safer place.
And that trickles down to all of humanity really, because everybody's using these apps. I don't want to mention specific names, but I've definitely worked on applications that people that I know use in their personal lives. You know what I'm saying?
So being able to actually secure applications that are providing real value to people that I know, that gives me a purpose of what I'm doing.
[Jonathon Fuller] (19:34 - 19:44)
Yep. And my wife's family is all in medical, all the medical field. So if any of their stuff gets down or they can't charge credit cards, things go south real fast, real fast.
[Kyser Clark] (19:46 - 19:56)
Yeah. So what advice can you give to anyone wanting to start their own cybersecurity venture? What is one thing that you wish you knew before you started?
[Jonathon Fuller] (19:57 - 20:51)
Yeah, there's quite a few good talks about cybersecurity in general and starting companies, but there's only very few that talk about them together. And I feel like the most useful piece of advice that I've learned doing so is that you want to find a need or an itch, that itch is so bad that you want to scratch it in terms of the needs in the cybersecurity industry. And once you need to scratch the itch so bad that it just takes over quite a bit of your thoughts, that's when you know you've got something good on your hands.
And for me, that is to do with pentesting and AppSec. And that's when you know you've got something good in your hands in terms of a company to create or a product to create. Because of the course, there's a service side to cybersecurity and there's the product side.
And we're sticking to the service side currently. And that's when you've got something to really chase down and blow away weekends for.
[Kyser Clark] (20:53 - 21:28)
Yeah, I haven't started my own company, but I have heard, you know, when starting your own company, it takes a lot of time and effort and it's not 9 to 5. You need to put 800 to 200 hours a week into it if you want to be successful. So yeah, definitely hats off to you and good luck with your company and your entrepreneurial endeavors going forward.
Because I think that definitely is a challenging but also rewarding experience. So I'm interested in following your journey and see how it works out for you.
[Jonathon Fuller] (21:28 - 21:28)
Yeah, thank you.
[Kyser Clark] (21:30 - 21:52)
So moving on to your AppSec experience. And so you kind of talked about why you went from pentesting to AppSec. Can you explain the differences between pentesting and application security and why someone might want to make that jump and why it would make sense to do that?
[Jonathon Fuller] (21:53 - 24:17)
Yeah, I'll give it in the most scuffed terminology and Jonathanisms that I possibly can. I view pentesting in just being able to, you're usually given an external and internal environment by a client. You test it, obviously you need to deliver a report.
The difference between that and what we do for AppSec is that with AppSec, you're working a lot more with SaaS tools like Snyk, Showed and Tenable. To do a lot of the automation that you would do in a manual test, you're doing it very often and you're constantly getting reports. You're having to sniff through a lot of information that you then need to deliver to the development teams or the infrastructure teams or the deployment teams.
And then when it comes to what you would do for a normal report, you're having to do that much more often, especially if your AppSec team is delivering metrics, right? Because the metrics are what everybody cares about. The numbers, our vulnerability is going down.
Is our threat, our threats going down? Is our logging increasing going down? Are our costs going up or down?
I'm doing a lot more with that. And I think what really allured me to migrate from pentesting to AppSec was being able to have a more personal relationship with what I'm securing. That really intrigued me because with pentesting, we don't always get the time that we want to work on a client or a tool or a website.
And with AppSec, whether you love it or you hate it, it's like the family you wish you didn't have. You just got to slowly learn to love it. And being able to watch it grow and mature is a beautiful thing.
Being able to see the exploits that you're closing, the vulnerabilities that you're closing, the attack surface that you're closing. Being able to see that tangible impact on a week-to-week basis has been really cool to see. I'm very thankful for that.
So I would say if you're curious about the migration from pentesting to AppSec, if you've been feeling like you want to be more in touch or more personal with the information or the tests that you're doing, I would say take a sniff at AppSec and see if it fits your needs. Especially if you're into home labbing as much as I am. If you like messing with the infrastructure, if you like blowing up servers for no reason whatsoever and destroying Proxmox environments accidentally, then AppSec is definitely your two cents.
[Kyser Clark] (24:20 - 24:31)
So with AppSec, are you doing mobile apps, web applications as well? How is application security different from a web application pentest or a mobile pentest?
[Jonathon Fuller] (24:32 - 25:52)
I would still say it's like that one cousin you wish you weren't related to. They're always sitting around. They're always hanging out with you, whether you like it or not.
And you get to shape a lot of the company's growth or the website's growth or the mobile application's growth. You can quite literally shape what APIs it has available, assuming, of course, that you work closely with the developers and they like you. I would say that a web app test, you're maybe learning about a website or a web app for what, seven days max, five business days, let's say.
But when you're working with AppSec for a web app, you're stuck with there. For me, two years, I'm working with that website and it's never going away because Jack in the Box will always need a website. And whether or not somebody actually turns something that was meant to test, turns it publicly facing or pre-prod or whatever have you, those little, I call them whack-a-mole moments, because they'll always pop up and you always need to whack them back down until another one pops up.
I think that those moments will always happen. But the difference there is that you're working with it day in and day out and it allows you to have a really close relationship with what you're doing, which I really like.
[Kyser Clark] (25:53 - 26:06)
Is it the same skill set, you would say? So you said the difference is you're working more intimately with the developers, but is it the same sort of skills? Are you still like testing for SQL injection, cross-site scripting?
[Jonathon Fuller] (26:06 - 28:07)
Good question. That's a solid question. I would say, I was going to say Venn Diagon, it's probably a horrible way to say it, but I would say about 90 percent of pen testing skills would cross over very well into AppSec.
But I think a lot of what you need to be successful in AppSec is quite a bit of people skills, which of course you gain with pen testing, with delivering reports and retests and remediation, things like that. But a lot of it comes down to, I would almost say like a silent respect between the developers and yourself. I think that developers have a lot of respect for me since I do develop in my free time, I do mess with the infrastructure, I do mess with a lot of technology and tools in my free time that enterprise and companies use on a daily basis.
And being able to speak from a pragmatic point of view helps developers understand that you're not just there to ruin their afternoon or day to fix a vulnerability. You're there to actually help them improve and grow and help them deliver a more solid product. So I would think that there's maybe 50 percent going from AppSec to pen test would be transferable.
But I would say that 90 percent of what you do in pen testing could be easily transferred over. Like with SQL injection, let's just say, you can easily explain as an AppSec engineer to a developer why SQL injection is bad. But being able to correctly and empathetically point out to them where the issues are and remediate them and chase them down and retest and validate is another whole beast.
And then it becomes the whole, oh goodness, will we build container images for each PR that we merge? So we got to go whack the other 10 containers that we have floating out there that had this SQL injection. And that's a little bit different than pen testing because you don't have to go into all the docker registries and delete the bad container images.
[Kyser Clark] (28:09 - 28:39)
Yeah. So I've talked about with some other guests and previous episodes about like the differences between external and internal pen testing. It sounds like application security is kind of like internal pen testing.
Is that accurate to say? And if not, why would someone want to go into application security over internal pen testing? And is application security a slower pace than external pen testing consulting?
[Jonathon Fuller] (28:39 - 30:23)
Yeah, I would say that AppSec forced my view of cybersecurity to be much more holistic because I'm delivering metrics, I'm delivering numbers, I'm delivering, I'm having to purchase tools that are way more money than I'll ever be worth in my entire life. And that has been much different to me than internal pen testing. Internal pen testing to me is, of course, gathering information, delivering a report, fixing, bringing forth vulnerabilities and helping developers and teams remediate them.
But with AppSec, you never really leave. And I can say that, yes, maybe AppSec is a little bit slower paced. And maybe a better way to say it is it's much less of a sprint than pen testing.
And it is much more of a consistent jog or run. There's never time to let up. You're always going to see little things whack up and then you do have to sprint to the next checkpoint, let's say.
But it's not so much you're sprinting and you're having to run past things that you wish you could have seen or the roses you wish you could have smelled along the way in terms of, oh, I would have loved to be able to commit a PR for this team to help them, you know, help them increase their input sanitization. That's what I would probably want to say is that if you're as a pen tester, if you're doing internals or external, if you're curious to see more of what teams can do and establish better relationships, then maybe AppSec would be helpful for you. Or if you're getting yelled at too often by clients, but you're sure you're a people person, then go into AppSec as well.
[Kyser Clark] (30:26 - 31:07)
It's good to know. So I'm going to shift gears a little bit. So you highlighted a little bit on how you contributed to the PMPT course and and you said that they already had like the vulnerable environment.
And from what you said, you said like you had to put it up in the cloud and like automate it. So like I'm assuming like so people can, you know, like, hey, start the exam and then they get this exam built. Can you explain what that process was, what challenges you face and kind of how like how hard was it to do that?
And like, I just want to know, like, as much as you can tell me, like, how that process was putting that out.
[Jonathon Fuller] (31:07 - 33:20)
Yeah, yeah. So he had already put together a wonderful Google Jamboard or Scala draw of what he wanted done in terms of the lab environment. And then he messaged me on Discord.
He's like, wait, you do Python, right? I said, yeah, I do. And that started the whole snowball turning down into a gigantic snowball at the bottom of the mountain.
And what it really a lot of the challenges that I ran into were challenges we ran into at CyberSec labs as well was automation for when students need to spin up or spin down their environment, VPNs, VPNs always seem to break, especially if the student doesn't have a consistent connection and vulnerable machines breaking for no reason whatsoever other than that they think you're ugly today or you woke up on the wrong side of the bed for no reason whatsoever. Because the moment that you stop the machine, turn it back on or restarted, it works exactly how you would have expected in the first place.
Those were the biggest things that I saw. So instilling consistency for vulnerable machines, having to possibly even change exploits because the exploit wasn't consistent enough to be as part of a test was a huge part. Making the VPN environment be usable for students that didn't have a connection, like the poor people that live in Australia working on their high ping and very low upload for the students as well.
And then the third part was automation. There were so many different systems that we were having to hook into such as Calendly, Google, Gmail, events, make sure we emailed students the correct times, make sure that they received the VPN package at the right time, the right materials, the list just went on and on. Those are some of the big issues that I faced when helping to create the infrastructure.
So Heath and Joe had made the majority of the vulnerable machines and then had like a napkin diagram. And they're like, all right, make it work. And so it was, oh no, here we go again in terms of setting up vulnerable environments.
But it taught me a lot, had a great time. I did lots of Terraform, lots of Python and lots of automation and lots of AWS fun. So that was the majority of what I did.
[Kyser Clark] (33:22 - 33:27)
Yeah. And you really leaned on to your cloud experience there, right?
[Jonathon Fuller] (33:27 - 34:04)
A ton of cloud experience, especially cloud experience and setting up vulnerable machines. Because like I said, consistency is key when creating a student environment because if a student's like, hey, this exploit should be working. And then you get a support email one hour before the student's Windows closes in there.
They're not too happy with you. They're not too happy with the environment and not being able to make any progress. It definitely changes your perspective on what it is to be a student and what it is to offer a quality test.
But lots, leaned on my cloud experience quite a bit. It was a good time.
[Kyser Clark] (34:05 - 34:36)
Yeah. Well, I haven't taken the PMPT course, but I might in the future and or maybe it might but I've heard good things. I haven't heard anybody complain about the exam environment or the course environment breaking or anything.
So it sounds like you did a good job and I can't wait to see for myself what it is. But everyone is, I haven't heard anything negative about the course or the exam environment. So kudos to you and you did a good job building that out.
[Jonathon Fuller] (34:36 - 34:48)
Yeah. Thank you. But now it feels weird to say, should I go get the PMPT?
Do I not do it? Do I just get like an honorary PMPT? I'm in that conundrum now.
[Kyser Clark] (34:49 - 34:55)
I think he has a PMPT, right? He doesn't have his own cert. So I don't see if he can get it.
[Jonathon Fuller] (34:56 - 35:01)
It's that Obama meme, putting a medal on himself. That's how it feels.
[Kyser Clark] (35:04 - 35:17)
That's hilarious. All right. Well, we're running out of time.
Unfortunately, this has been a great discussion, but I need to know, do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share with the audience?
[Jonathon Fuller] (35:19 - 36:15)
There were two things and I put them both right here. I would say that if you're looking for lab tech, these Lenovo ThinkStation minis that are like 150 bucks, they come with like 16 gigabytes of RAM, have a core five eighth gen, like a hundred bucks, come with everything you need to get a lab started. Super cheap.
And they're not Raspberry Pis that die every five minutes on ARM architecture. Great thing to do. And they have a PCI slot.
Another thing is that framework laptops are great. I've had both the laptops that I've used for pen testing and work and school and fun expand and die on me. So I finally migrated to framework and I'm super happy with the machine that I can fix and repair myself.
And I think that there's a lot of value in pen testing, being able to break apart the very tools that you use every single day. But in terms of spicy, spicy hot takes, I think I delivered everything when I was talking about delivering more information to clients for ethics security. But I think that was it.
[Kyser Clark] (36:16 - 36:23)
Yeah, that's good to know about those. Where can they get those machines at? Like, where can we buy those?
[Jonathon Fuller] (36:23 - 37:07)
Yeah, tech eBay has been the best thing in my life and the worst thing for my wallet. And my wife wants to kill me now. So I can I'll drop some I'll send you some links and some queries to use to find these machines.
They're not too bad. But if you're looking for like, another big thing is if you want to a server rack, the IKEA has a table called lack. And it just so happens that it is the perfect width of a server.
So people make what they call racks. And if you want to get started in the home lab being inside and building your own vulnerable environment, lack racks, and old Dell PowerEdge servers are a great place to go. So I'll share some queries with you.
You can send it to the audience.
[Kyser Clark] (37:08 - 37:38)
Great. Yeah, we'll put those in the show notes. All right, Jonathan.
Well, thank you so much for your insights and expertise. It has been a lot of value here. And I appreciate you sharing all your wisdom with me.
I definitely learned a lot. I had a lot of questions about OpsTech because it's something that I haven't really gotten to or even really considered. So it's nice to know like some more opportunities out there for, you know, red teaming and cybersecurity professionals.
So thank you so much for providing that. Where can the audience get ahold of you if they want to get in touch with you?
[Jonathon Fuller] (37:39 - 37:56)
Yeah, LinkedIn is a great place to but great place to be. And then I'm also available over email at john at john Fleur.io. And there's no H and john, as my mother always told my mother always told me. So j o n at j o n fuller.io is a good place to get me.
[Kyser Clark] (37:58 - 38:46)
And audience the best place to get ahold of me is LinkedIn as well. And my website Kyserclark.com. Thank you so much for watching.
Thanks for hanging out. If you have a recording, please hit the like button. If you're watching on YouTube, subscribe to YouTube channel.
And if you're on Spotify or podcasts, do me a favor and review the show. My preference is five stars. But if you think it deserves four stars, then that's okay to rate it what you feel is necessary.
Six stars. If that's possible, six stars would be also preferred. But yeah, if you want to support the show, reviewing it on our podcast and Spotify would help the show the most right now.
And once again, thank you so much for watching. Thanks for hanging out. And this is Kyser signing off.
[Jonathon Fuller] (38:47 - 38:48)
Awesome. Thank you so much.