The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#49 He Found Vulnerabilities in His Own Code: Then Made a Career Out of It ft. John Kounelis
In this episode of The Hacker’s Cache, Kyser Clark interviews John Kounelis, a Senior Product Security Engineer with a background in software development and AppSec. John shares how discovering vulnerabilities in his own code led him to a full-time role in application security, and explains the key differences in AppSec across defense, biotech, and SaaS industries. They discuss the realities of bug bounty hunting, the limitations of CTFs, how developers unintentionally introduce vulnerabilities, and why understanding vulnerability chaining is critical for advanced web app testing. Whether you're transitioning from development to security or looking to sharpen your real-world pentesting skills, this episode delivers practical insight into what it truly takes to thrive in AppSec.
Connect with John Kounelis on LinkedIn: https://www.linkedin.com/in/john-k-765b42148/
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
Opinions are my own and may not represent the positions of my employer.
[John Kounelis]
When you go through the typical CS curriculum or you start a job as a software engineer, there's very little, if any, knowledge that you gain about how to develop secure code. Even the top, best, smartest engineers at Google, the super cracked 10x engineers that can reverse binary trees in their sleep, they still probably don't know the basics of security. It's like, you can do all these LeetCode hards, but like, hey, I just owned your app because you don't know how to check the content type of file uploads.
Like, that's just not a thought that comes into a lot of developers until they either are like forced to learn it, or maybe they have to deal with an AppSec person like me to teach them.
[Kyser Clark]
Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
Hello, welcome to the show. Today we have John Kounelis, who is a senior product security engineer with five years of experience across software engineering and AppSec. He transitioned into security after discovering vulnerabilities in his own code, now focuses on web app pentesting and source code review.
He's active on the Synack Red Team and recently started exploring hardware hacking as well. For education, he has a bachelor's in computer science and a master of science in cybersecurity. For certifications, he has the OSWE and the OSCP.
So, John, thank you so much for hopping on the show. Go ahead and introduce yourself to the audience.
[John Kounelis]
Yeah, thank you for having me on. So, you kind of covered the basics already. So, yeah, I started off as a software engineer, you know, kind of was a little bit interested in cybersecurity, but not quite sure what to do with all that.
So, you know, as I kind of grew my skills as a software engineer, I was doing my master's as I was working and kind of learned about, you know, the different ways to attack software and the different type of vulnerability classes. And then, you know, kind of along that, I started getting the perspective of, you know, kind of an attacker as I was, you know, dealing with my own code and the software systems I was working with. So, that kind of led me to exploring and poking around into the code base and finding vulnerabilities.
And then after that, I was pretty much just hooked and, you know, just kind of pushed to move more into the AppSec space. So, kind of was straddling kind of different roles that were sort of varying degrees of software developer and AppSec. And just recently kind of moved to a full-time proper product security AppSec role.
So, that's kind of a little bit about my background. And yeah, thanks again for having me on the show.
[Kyser Clark]
Yeah, thanks for being here. And yeah, thanks for introducing yourself and unpacking some of your experience. So, what exactly hooked you into making that switch from software engineering?
Like, what was it in particular? Anything particular?
[John Kounelis]
I think it's, I don't know, I feel like I've always had an appreciation for just like people, just kind of like the hacker mindset or the hacker ethos, I guess. People that could just like take things and just make them do things that they weren't expected to. You know, like when I was a younger kid, I was super into playing video games and I thought like, you know, people did like video game mods or like jailbreaking iPhones and iPods.
Like, I was all into that stuff as a kid. So, I was just like, man, like this is so cool. So, I kind of always had an appreciation for that.
And like, you know, I got into software engineering because, you know, I was, I liked working with computers and stuff. But it wasn't until, you know, I realized like, oh, like all this like offensive security hacking, like that's what it is. And like for some reason, you know, I get satisfaction when I'm like writing code and they're like, oh, it compiles and it works.
But for some reason, like getting it to do something it wasn't expected to do is just like so interesting and satisfying. So, you know, that kind of resonated with me more than just doing the normal development work. So, that's why I sort of decided to pursue that.
[Kyser Clark]
Nice. And as you got into the security side of things, looking back at some of your earlier projects in software engineering, like, do you like realize like, oh, snap, like that was probably vulnerable code at some point in time, like some of your older programs?
[John Kounelis]
Oh, yeah. 100%. Like when I first, that's like the interesting thing about, you know, about like web app testing, especially like if you're, you don't have a software background, but maybe this will inspire people to get into, you know, bug bounty or offensive security is that when you go through like the typical like CS curriculum or like you start a job as a software engineer, there's like very little, if any, like, you know, knowledge that you gain about like how to develop secure code.
Like even the top, best, smartest engineers at Google, you know, the super cracked 10x engineers that can reverse binary trees in their sleep, they still probably don't know the basics of security. It's like you can do all these LeetCode hards, but like, hey, I just owned your app, because you don't know how to check the content type of file uploads. Like, that's just not a thought that comes into a lot of developers until they either are like, forced to learn it, or maybe they have to deal with an AppSec person like me to teach them.
But yeah, so earlier on, I'm sure a lot of my code was vulnerable, because that's just not where my head was at. And then later on, I was like, oh, wow, like this type of stuff that people do is actually really bad and like a bad practice.
[Kyser Clark]
Yeah, so you're saying a lot of the insecure code that we're seeing is no fault of the developer and the software engineer, it's the curriculum. So what do you think would be like, if you could wave a magic wand, like, what would you say would be the thing that would fix it? Just like adding security, like as a class during the curriculum?
[John Kounelis]
Yeah, I mean, I won't go as far as to say it's like the course as well. Because I think like, ultimately, I think there's kind of a whole chain here, like you should be responsible for your own code. And like, people reviewing the code should also be responsible for it.
So there's a whole chain there. But yeah, I mean, at least for me, when I went through my undergrad, there was like one security class that was like an elective. And like, I took it because I was, I was interested.
And you know, it teaches you kind of some of the basics, it definitely gives you good foundations, but you have to definitely go like deeper to really like understand writing secure code. So I think, yeah, curriculum should definitely have more like mandatory classes on writing secure code for software engineers, because it's like, the reality is that at a lot of companies, most of the code is being written by like, junior, you know, or mid-level engineers, you know, or maybe it's just clutter or catchy, you know, but back when there were junior-level software engineers that were writing most of the code, you know, like, they're just churning stuff out. And like the senior developers, they're like, reviewing it, they're busy, they're doing a lot of stuff. So it's like, you're trusting them to maybe do like the simple tasks, but like, they can have vulnerabilities in that too.
So there's a lot of, you know, kind of trust that goes into that and not a whole lot of consideration. So, you know, data is important to people. And if we're just training the people that are going to be managing it to like, not think about that kind of stuff, it just creates problems.
But it also creates job opportunities for us. So I'm not going to really complain too much.
[Kyser Clark]
Yeah, there's always, yeah, we're always finding stuff in web apps. Yeah, I mean, I still find cross-site scripting and my teammates are finding SQL injections on a very regular basis. And it's still out there to this day, even though it's been on the top 10 for probably a couple decades now.
[John Kounelis]
Yep.
[Kyser Clark]
So after you made the switch from software engineer to security, what did you wish someone told you before moving from engineering to security full time that you didn't know?
[John Kounelis]
Um, it's a good question. I think one of the things that I guess I kind of had to learn on my own that I wish I would have had a little bit more guidance on is just like, the amount of effort you need to really spend on understanding like complex vulnerability chains too, because it's like, you know, like, especially if you go through a lot of like the basic like web app pentesting training, it's like, okay, you learn, I do always you learn, you know, XSS, like, cool, you do all that. But like, really, when you start to become like actually skilled, is when you can start like, understanding how these vulnerabilities get like chained together. And like, you know, maybe you have something that's not too impactful, or, you know, it's like kind of a low, but like, I can chain that with this.
And now this, this small thing becomes a much bigger problem and whatever. So like, being able to think like that, it's kind of like the end game. You know, when you're kind of learning this stuff, instead of just finding like little one off vulnerabilities, if that makes sense.
So yeah, I kind of wish that I knew that more and more going in. But it's also something I think, like, if you pursue the field long enough, it'll be something you just kind of pick up on and understand.
[Kyser Clark]
Right? Yeah. Yeah.
And that's, I mean, that's not something that's necessarily like things you understand at the beginning, it comes with experience, like you said, like, I feel like a lot of people probably didn't know that going in, you know, and cybersecurity is a lot more nuanced than what people think going in, right? So, I mean, there's a lot to cybersecurity. And before you get in, it's, you don't really understand like, what, what's out there.
And I always tell people, like, yeah, it's like, you know, three head of dragon, you cut one head off, and then three more come up, like, as soon as you, the more you learn, the more you realize you don't know.
[John Kounelis]
Yeah, 100%. There's just so many things you can, like, just keep on going deeper and deeper on. And, you know, you can kind of choose at any point, do I want to go, you know, breadth first search or depth first search, you can do that at every node.
So you want to be like the person who's like the expert on this one, like tiny little thing, like go for it. Or if you want to like, learn and branch out and learn other things, you can do that too. So yeah, that's why it's such an exciting field to be in because you can never learn everything.
And there's always more stuff you can improve on.
[Kyser Clark]
All right, John, it's time for the rapid fire round.
[John Kounelis]
All right, let's do it.
[Kyser Clark]
I think you're ready. All right, I feel it. I feel a win today.
[John Kounelis]
I'm hoping for the dub.
[Kyser Clark]
All right, so those who don't know, John will have 30 seconds to answer five questions. If he answers all five questions in 30 seconds, he'll have a bonus six question that's unrelated to cybersecurity. John, your time will start after I stop asking the first question.
Here we go. John, what is your favorite hacking tool?
[John Kounelis]
Chrome DevTools.
[Kyser Clark]
What color font is your terminal?
[John Kounelis]
White.
[Kyser Clark]
What was your first computer?
[John Kounelis]
Some old HP desktop.
[Kyser Clark]
Do you think cybersecurity is underfunded in most organizations?
[John Kounelis]
Yes.
[Kyser Clark]
Are cybersecurity boot camps worth it? That was like just under 20 seconds. That was fast.
That might be a record. All star out here, man. Nice.
That was very rapid fire. If you were in the Wild West and you were someone that did that, you'd have a fast draw, I think. All right, so here is the bonus question.
If you were a villain, what would your evil lair be disguised as?
[John Kounelis]
My evil lair. I don't know. This is the hardest question I've ever been asked in my whole life, dude.
[Kyser Clark]
You didn't give it much thought. That means he is an evil villain, guys. Yeah.
[John Kounelis]
I think it'd be funny, like something that would be, I think like a, I'll go with like one of those like, you know, those like cat cafes where people go to like, you know, you get coffee or whatever, and they have like a bunch of cats. They only have two cats, but like, I just get a bunch. And like, I just mean, my evil lair and like people would just come in and like, you know, I have people there during the day.
And then at night, I would like, you know, do all my evil stuff.
[Kyser Clark]
Yeah, that's a solid choice. I would never suspect the cat cafe being an evil villain's lair. That's really good.
That's very solid. And yeah, I know you're talking. I went to some cat cafes when I was in South Korea.
I don't do they even exist in America? I don't I feel like they're not legal because it's like not saying they are.
[John Kounelis]
There's one where I live.
[Kyser Clark]
Oh, nice. OK. I just I never ran across one in America.
[John Kounelis]
I've never seen one in America, though, you know.
[Kyser Clark]
They there needs to be more cat cafes, honestly, like I would I would stop at a coffee shop every day if I had one near me, that's for sure.
[John Kounelis]
Oh, yeah.
[Kyser Clark]
If I was an evil villain, I gave it some thought for the show because I have no one that plans these questions out. And I thought I wanted something where no one would bother me, because like if I'm an evil villain, like I got to be scheming. And if I'm scheming, I don't want to be interrupted.
And what I came up with was a graveyard because no one walks in a graveyard unless they have a loved one or like a friend that was like buried there.
[John Kounelis]
Yeah.
[Kyser Clark]
And no one goes in the graveyards at night. So I feel like no one would ever bother me if I had an evil lair.
[John Kounelis]
That's true, you'd have to watch out for the grave robbers. But other than that, yeah, you'd be pretty much left alone.
[Kyser Clark]
Yeah, and I would definitely put the skulls of my enemies around the graveyard, too, just for extra precaution. So that's that's what I came up with.
[John Kounelis]
You're Vlad the Impaler over here.
[Kyser Clark]
All right. So your most interesting response. Let's go with your favorite hacking tool.
So you said Chrome developer tools. Is that what you said?
[John Kounelis]
Yeah, yeah, DevTool or whatever browser DevTools.
[Kyser Clark]
So yeah, why is that your favorite hacking tool?
[John Kounelis]
Because it's like an entire IDE in your browser. You can do everything in DevTools. Obviously, I'm more of a client side guy.
But yeah, you got breakpoints. You got log points. You got conditional breakpoints.
You can change stuff as you go along. Um, yeah, man, it's just you can do so much just in DevTools. It's insane.
And I think people don't really utilize like how powerful that is.
[Kyser Clark]
Yeah, I mean, I'm one of them. I don't use the DevTools that much.
[John Kounelis]
You got to get on it, man.
[Kyser Clark]
I'm in Burp Suite the whole time when I'm doing all that stuff. And I'm not using the browser.
[John Kounelis]
You're missing the juicy, juicy client-side path traversals. The DOM XSS, that's what the best stuff is, man.
[Kyser Clark]
Yeah, well, I have used it to verify DOM cross-site scripting because I found cross-site scripting. But then once I found it, I went to the senior pen tester and I was like, hey, I got this cross-site scripting. You know, let me out here.
And I was like, is this reflected? Is this DOM? Is it stored?
I knew it wasn't stored. I was like, is it reflected or DOM? Because I didn't know the difference between the two.
And then he sat down with me. He's like, here's the difference. And then, you know, that's when the browser tools came in handy for that reason right there.
So, yeah, definitely underrated tool for sure. That's a really good answer for me. You know, as I said, I read the question.
So I thought about this ahead of time. My favorite hacking tool? I don't really have one.
I feel like, you know, I just there's so many things I got to have to get the job done, right? I mean, like if you ask a carpenter what their favorite tool is, like, is it going to be a hammer? Is it going to be a saw, a nail?
It's like, no, it's like he needs all of them. So I don't really have one. And that's probably not the answer most people want to hear.
But that's what it is. I mean, if I had to pick one, probably Burp Suite because it has so much in one.
[John Kounelis]
Yeah.
[Kyser Clark]
It is. I mean, it's called a suite for a reason because it has so many tools. So I mean, in a way, Burp Suite might not even be considered a tool that has multiple tools in one.
But yeah, Burp Suite is really nice, especially the professional version. It's got the, they actually rolled out AI. We're not using it because our company policy says we're not allowed to use the AI yet.
But we are allowed to use a scanning feature. And the scanning feature is nice. And it can speed up some of the testing.
But you still got to manually verify and stuff. But yeah, I really like Burp Suite.
[John Kounelis]
Yeah, Burp Suite. I think especially if you're a pen tester, it's essential. I actually have been using Caido more recently.
I think it's more lightweight. Yeah, yeah. It's definitely more lightweight.
But if you're not using all the scanners and all kind of the, there's definitely a lot of stuff that Burp has that Caido doesn't. But if you're just doing more basic stuff, I like it more. I think it's a lot quicker and cleaner.
But I think you need both if you want to really be able to do everything.
[Kyser Clark]
Right, yeah. I haven't really touched Caido. But I might do a deep dive on it one day.
It's definitely picking up popularity for sure. I think the reason why it's picking up popularity is because people want, like, they want the, I don't know what they call it on Caido, but like the intruder that's not throttled. I know that has like a thing.
And that's like the biggest thing that the Burp community has that's in the Pro version. And the Pro version is very expensive. So that's why a lot of people are going to Caido, which makes sense.
[John Kounelis]
Yeah, it's like 20 bucks a month if you don't want to do the year. People are going to think I'm like sponsored or like a Caido show, but I just like the tool. But yeah, if you don't want to commit to like the 500 bucks or whatever it is for Burp Pro, I think, you know, Caido, I think it's 200 bucks a year or 20 bucks a month.
So, you know. You can register right now.
[Kyser Clark]
This is not sponsored.
[John Kounelis]
This is not sponsored. I'm not being held at gunpoint by Caido.
[Kyser Clark]
All right. Let's go ahead and move on to the next topic. And this one's a very interesting topic because you were my first guest to jump in my Discord and be like, hey guys, I'm on a show.
What do you want to talk about? So this question comes directly from the community, directly from the Discord. And I might have to start doing this.
So if you guys are listening to this and you have more questions, feel free to drop them in the Discord. And yeah, in the future, I'll probably just let you know what kind of what guests I have. And then I'll just be like, what do you want to ask this person?
And I'll ask it on the show. But here's a question. This is word for word.
This is not filtered at all. So here it is. Hey, John, really looking forward to the episode.
I started learning hacking in March and I'm giving myself a year to learn as much as I can and earn some certs before applying for pen testing roles. Would love to start bug bounty soon to get some actual real world hands-on experience beyond just CTFs. Given this time frame, I was wondering when you were starting out, what helped you build real world skills the fastest?
And how do you know when I'm ready to start bug bounty hunting? Thanks a lot.
[John Kounelis]
Yeah, the first thing before I answer the question that I want to highlight about that is I love how the end game of all that is like, you know, I'm studying all this. I want to, you know, do something that has real world impact beyond just CTFs. I think that's such a big thing and such a good thing to focus on.
I think so many people, they're just like, OK, I want to get these certs and then I'll do try hack me and hack the box and whatever. And it's like, those are all great things to do. Those will all help you learn.
But at the end of the day, it's like if you're applying to a company, it's like all of that was just kind of like you're playing a game. You know, it's kind of just like there's no impact beyond just you bettering your own skills. But if you do bug bounty and find a bug or you find a CV, like that has a real world actual impact that shows, you know, you have real skills and you can do stuff that matters.
So I think it's great that that's like your goal for that. So first part of the question is, you know, how do I help getting, you know, how do I help get that kind of real world experience, you know, in preparation for that? So for me, like I kind of mentioned before, I started off as a developer.
So I had such a huge advantage because I have access to this code base that I'm contributing to every single day. Like I understand it. I know how it works.
And like this is like the perfect playground for me to like just start learning vulnerabilities because I already know how it works. So like what I would say to someone who obviously like doesn't have that at their disposal, just start like pick a code base, you know, either open source or now, like literally vibe code, vulnerable app, just like, you know, whatever. It's super, super easy now and like understand how it works.
And like you can really play around with it. Like as a developer, you can, you know, make your requests, you can hit breakpoints in your IDE and understand like the data flow and all that. And like, I think this is important and this will help you with your skills because a lot of people will just learn kind of like the black box approach, which is like what you will be doing.
And most of the time with bug bounty. But when you get that actual insight of like what's going on, like in the code, how our applications, you know, how do they work? How does data flow through them?
You'll kind of understand, like, it won't just be like you're sending stuff to this, you know, literal black box and, you know, you don't have insight as to how it works. You'll understand what makes something vulnerable. You know, how do I do things like bypass this regex or whatever?
Like you'll have that intuition. And then when you're attacking an app that you don't know, you can kind of start like interacting with it and like in your head kind of being like, okay, it's probably doing something like this. So, I mean, this is just my approach.
You know, obviously people are different, but I think being able to understand it from the developer's perspective will like help you in the long term as you learn to bug bounty. So, I hope that kind of answered the first part. And then the second part of how do I know when I'm ready for a bug bounty?
Obviously, like you can always just go and start poking around. I would say the first thing, and I think someone else has talked about this before, is probably Joseph Thacker. But he mentioned the most important thing before you start like digging into bug bounties is understanding what does an actual vulnerability look like?
Like what is an actual exploitable vulnerability? So, for example, let's say you found like XSS on some website that you can exploit by setting your own cookie in the browser. Like, okay, yeah, that's XSS, but you had to change your cookie.
Like how are you going to do that for another user? So, like if you go and report that, they're probably going to be like, you know, NA or informational and close it out. So, like what you have to do is understand like what's the difference between something that might be kind of a vulnerability known as a gadget where it's like it's not necessarily a vulnerability in and of itself, but you could maybe chain it together with something else to make it real.
So, understand that before you start, because you don't want to get excited you found a bug and then just like get disappointed. So, understand that first. And I think you know that you're at least kind of ready when you can look at an application and start thinking of ways to attack it.
Like if you're just like going on programs and going on an application and you're just like, I don't know what to do. Like I'm just going to like try stuff. And like you're just trying stuff that you like kind of almost know doesn't really work.
You know, you probably should study and learn some more. But if you can at least go and approach and like, okay, like let's say there's some query parameters here. Let's see what's going on there.
Or maybe there's, you know, a login page here. Like let's go through the OAuth flow there or whatever. Like if you can have those ideas, just go for it and start attacking.
And the more like the more time, the more reps you get, like doing this stuff, the more you'll learn. And the important thing to know is there's going to be such a long period of time where you're just going to like be spending all this time just like banging your head against the wall because there's like some tiny piece you don't understand where you're like, oh, I can get, you know, HTML injection, but the XSS isn't popping. And it's like, oh, that there's a content security policy there.
And then it's a whole rabbit hole. Like there's just all these little things that like no one training course is going to teach you. You just have to kind of suffer through it.
But like every time you spend all that time suffering through it, you're going to learn more. And then next time you see it, you'll just immediately know.
[Kyser Clark]
That's a good point. You mentioned banging your head against the wall because that happens a lot in the real world, much more than CTFs. And that's one of the things that I personally struggle with to this day is, you know, when I'm in a CTF or I am in a certification exam, you know, yeah, I might get stuck, but eventually I'll figure it out after a couple hours.
But there's some times where like I'll go days on a pen test and just bash my head against the wall and I just can't find anything. And I'm like, that's one of the things I struggle the most with in the real world and pen testing, because I was thinking about this the other day while I was driving home from a certification exam. And I was like, man, I was like, the real world is much different than a CTF.
Like CTFs are good, like to keep your skills sharp and you can learn a lot that way. But it's still a lot different at the same time. Because in a CTF, like, you know, there's a vulnerability there.
But in the real world, it's like, is there a vulnerability here? And if there is, it's like, where do I even go? Like, there's no hints, really.
Like CTFs, like, they kind of give you hints. So yeah, that's the biggest thing that I personally struggle with. And like, when I don't find any like critical vulnerabilities, I feel like I let my client down.
I feel like I'm not a good pen tester. So that's one thing that I really struggle with. And another thing you mentioned was interesting to me, like it was a new term to me.
It was like you said it was a gadget, something that can be used in combination with something else. I never heard that term. So that's pretty cool.
And then another thing you brought up was vibe coding. So what is vibe coding? I'm sure there's people listening that don't know what vibe coding is.
And I'm just curious if you want to explain that for the viewers.
[John Kounelis]
Yeah, yeah. So I guess if you're a listener, I hope you're comfortable under that rock. But if you haven't heard basically, vibe coding is essentially using AI to completely write code for you.
And when I mean like completely, it's like you're not writing a line of code. It's you writing prompts saying, I want an app that does this, this. And you just keep prompting it.
It writes the code. This doesn't work. Fix it.
And you're not really programming based off of any sort of technical skills or whatever. It's literally just vibes. You're like, OK, I want this to do that.
It's this very fuzzy thing. But it's gotten to the point like AI has gotten so good at doing this that you can actually build pretty impressive applications just by doing this. So I kind of brought this up because if you're learning hacking and learning a program is good.
But you don't need to learn everything all at once. Just kind of learn it enough. If you can just use this to be like, all right, I know that I want some kind of web application.
Maybe I'll say, oh, give me some application. Make it vulnerable to whatever, SQL injection or template injection. Whatever it is you want.
And then have it generate that. And now you kind of just created your own CTF. So that's a good strategy to use if you want to just immediately have something off the cuff and just be able to attack.
[Kyser Clark]
Nice. Thanks for that explanation. And I'm curious, have you ever seen, while you're vibe coding, AI write insecure code?
[John Kounelis]
Yeah, definitely. I'm kind of not on the developer side anymore. But even just from personal use, there's times where I just ask it to spin up something real quick.
And I almost get sniped by it, too. I just want a little thing to work. You're like, oh, this is vulnerable.
And I'm just like, OK, that's not the point. That's not what I wanted to do. But yeah, you have to remember that.
Remember back when I said a lot of code is just written by junior engineers or whatever? It's like, OK, well, what are these models trained off of? They're next token predictors.
They're there to predict the statistically most likely next thing to complete what it was supposed to do. It was trained on a lot of the code that was insecure to begin with. So that's what it thinks is the next logical thing to come through.
So that's why all these people are saying, oh, yeah, it's all this vibe coding that's creating all this insecure code. Now you also have people that don't understand how the code works doing it. So it's this problem.
I think there's some guy who tried to launch some SaaS that he was bragging, oh, I just coded all this and saying, I don't even know what I'm doing. And I did this. And within 30 minutes, I think someone found a SQL injection, just completely destroyed the application.
So yeah, it just kind of shows the importance of, yeah, someone should probably understand how this works and know how to secure it. So that's vibe coding.
[Kyser Clark]
Nice. Nice. Well, speaking of SaaS, so you've worked across multiple industries, defense, biotech, and SaaS software as a service.
For you, how does AppSec change between industries? And what do people get wrong about that? Because I'm assuming that AppSec is definitely a little bit different across industries.
Can you explain that a little bit?
[John Kounelis]
Yeah, it's a lot different. So yeah, I mean, with defense, like, kind of like you would expect, like, there's a lot of very rigid processes, a lot of red tape. They have it figured out, at least.
Like, they have, like, okay, this is our process. This is how we do it. And they just stick to it.
You don't deviate from it. But at least it's a lot of times often inefficient. But they do take security, obviously, very, very seriously.
And along every step of the way. Cybersecurity and defense is like, you know, like, it is very much our process. And that, like, you do basically the same kind of steps, you know, you see what applies to whatever you're building and do it there.
So it's pretty, like, cut and dry what you need to do there. My experience with biotech was, like, you know, it's obviously still a regulated industry. You have, like, HIPAA or whatever.
But, like, I don't know, in my experience, like, biotech companies, a lot of times they're not, like, their main thing isn't, like, software, right? Like, they're oftentimes, like, they're using software to do other things with it, right? So I think with that, they don't have as much, like, process, you know, as well thought out.
Because I don't think they really have as many resources. Especially, you know, like, people who are on the actual, like, developer side of things, you know? Like, they have, like, people developing the code.
But there's, you know, maybe not someone who's there actually making sure the code is secure. Like, you might have, like, these requirements to do things. But, like, you know, who there is really checking, like, at the implementation level, you know, that things were done correctly.
So, you know, there is that kind of gap there. But I think it's just because, like, again, software isn't, like, their primary thing. It's just kind of, like, this other part of their overall business.
And then my experience with SaaS so far, you know, I guess I'm pretty new to the SaaS world. But it's actually a lot more, like, well-defined than I initially thought. Like, they do take security, like, very seriously.
And they have, like, a lot of, like, resources in their product security and AppSec teams. You know, especially if you have a company that's just churning out so much code all the time. And, you know, if you have a lot of customers who are trusting you, like, with that data, they do put a lot of effort into, like, having those resources.
So it's different. Because, you know, I'm coming from somewhere where it wasn't necessarily, like, you know, a bunch of, like, people in AppSec, like, going through it. Now it's like, oh, yeah, like, now you're actually on a dedicated team to do this.
You know? And if anyone from my previous employers was saying I loved working for the company, this is not to throw shade, anything like that. But, yeah, that's just how it's been for me.
But, again, take everything I say with a grain of salt. It could be different at, you know, at other places.
[Kyser Clark]
Yeah, that's a very good disclaimer.
[John Kounelis]
So I'm going to get put on a blacklist, but it's fine.
[Kyser Clark]
Having worked on both sides, building secure apps and breaking them, what do pentesters and red teamers often misunderstand about developers and the challenges they face?
[John Kounelis]
It's a good question as well. I think one thing that's easy to forget is, like, you can find some vulnerabilities that seem very obvious, but it's, like, when you have so many people, like, working on a code base and, like, doing stuff, like, it's just so easy to, like, step on someone else's foot, like, accidentally and, like, you know, there's a lot of times where teams, like, don't communicate properly where it's, like, oh, okay, like, you know, I implemented it this way because it's, like, a valid business use case, and it's, like, maybe that's true, but it's also vulnerable. So it's, like, I found a lot of the time, you know, you'll talk to developer teams about, like, you know, something that seems vulnerable, and, like, they won't understand why that's a vulnerability.
Yeah, it's supposed to work like that. So I think, you know, if you're, like, a very security-minded person, you'll look at things from the lens of, like, you know, this is vulnerable, this is a problem, but someone else, like, might not see it that way. So you have to kind of, you know, spend, you know, like, kind of level with them and also kind of understand their perspective, too, because it's, like, okay, yeah, it kind of does make sense that, like, maybe someone with this level of access can do this.
So, you know, I think both people kind of need to, like, level with each other, and that's kind of one of the more challenging parts, I'm sure, about, you know, being in offensive security and working with developers is you have to meet each other somewhere in the middle, but understanding, like, how to talk to developers and, like, just putting in the effort to be, like, okay, like, actually understanding the intended business use case will be super helpful.
And you can kind of use that, you know, to explain, you know, maybe why this is a vulnerability, because then it'll violate, you know, this other, you know, how things are supposed to be, I guess.
[Kyser Clark]
Great explanation, and thanks for unpacking that, because I'm sure there's definitely some pentesters out there that are just, like, why won't they just fix it? It's just a simple vulnerability. Like, why can't somebody do it?
[John Kounelis]
The level of effort required to fix things, too, is often a lot greater than you'd expect. So just because it's a simple vulnerability, it might require, like, an entire, like, design change of the entire application sometimes, and it gets complicated.
[Kyser Clark]
Right, yeah. Yeah, that's easy for people like me who weren't a developer or software engineer before getting into web app testing, and, like, yeah, I found cross-site scripting, fix it. And then they're, like, do you have any idea how much that narrows it down, that meme?
[John Kounelis]
Just throw a WAF in front of it, it's fine, right? That'll solve everything.
[Kyser Clark]
Yeah, we've, that's a, man, you can make an entire episode on, a whole discussion on that, and that we've had, we've had clients that are, like, yeah, we have a WAF, it's not a problem. It's like, there's no way, there's a problem. Some developers don't understand why it's still a problem, but once again, it's like, we don't understand, you know, what they're going through, because, you know, development's not exactly easy.
[John Kounelis]
No, it's not, it's hard, it's hard to get right. And that's the other thing, too, that you have to remember is, like, if you're offensive security, or AppSec, or whatever, it's like, when you find that vulnerability, you have, like, definite, like, proof, like, you've done your objective, you popped that crit, or you found that vulnerability, like, you did it, you did what you're supposed to do. If you're a developer, you are never at the point where it's, like, done, there's always improvements you can make, or things you have to do, like, it's an ever-evolving thing, like, it's never perfect.
And if you think it's perfect, in six months, you're going to look at your code, you're going to think it's terrible. So it's, you know, a lot goes into it, into maintaining, like, actual good software. So, you know, I think it's something that you don't really understand, or can appreciate, unless you've spent some time on the developer side.
But it's important just to kind of understand that, and not be too hard on the devs.
[Kyser Clark]
Great advice. So, John, we're running out of time. So, yeah, I get the last question, which is, do you have any additional cybersecurity hot takes, or hidden wisdom you'd like to share?
[John Kounelis]
Um, I don't know, I feel like I spilt the beans on everything. I know, no, just kidding. Yeah, I think, definitely, focus on getting real-world experience, especially, like, you know, you, people who are, like, entry-level, like, trying to break in, you know, the certs are a good thing, you know, doing your TryHackMe or whatever, but, like, really focus on trying to give, like, real impact to what you're doing, to show that to a company.
Do stuff that's real to make you stand out from people. Like, you know, everyone has their security plus, everyone has done all these things, you know, like, don't be the same. Do more than what other people are doing, and show that, like, you have the skills, like, from day one, to be able to provide value for the company.
And I know that's hard to do, like, without experience or whatever, but the beauty of being in offensive security is you have the entire world in front of you on, you know, online. You have so much, you have so much stuff to look at and find vulnerabilities in. And, you know, if you can take that and show that to a company that you're able to find it out in the real world, you'll get rewarded eventually.
[Kyser Clark]
Thanks for sharing that, and thanks for being here. Where can the audience get ahold of you if they want to connect with you?
[John Kounelis]
Yeah, you can add me on LinkedIn. I'll just put it, you can put it in the bio, right?
[Kyser Clark]
I'll put it in the description. Yeah, I always put LinkedIn bio, LinkedIn profiles in the description.
[John Kounelis]
Okay, yeah. And then I have an X account. I just kind of lurk on there, but if you want to follow me there, I'm on there, underscore, underscore, JKBRAW, underscore, underscore.
And then I'm in Kyser's Discord too. I just joined that today, but, you know, I'm there. So if you want to join, and if there's ever anything that, you know, I can help you with or advice or anything like that, like, feel free to hit me up there too.
[Kyser Clark]
Great. And audience, best place to reach me. I'm actually on a channel, I used to say LinkedIn, but my LinkedIn messages, my DMs are getting packed.
So the best way to get ahold of me, if you want to ask questions, just drop a YouTube comment, because I would say more times than not, the questions I get in my LinkedIn DMs are things other people want to know. So if you drop a YouTube comment, then everyone gets the wisdom. So, and it helps with the algorithm.
So yeah, best place to reach me, you guys, just drop a comment, ask your questions there, and I will get to you eventually. All right, John, once again, thanks for being here. Thanks for dumping your insights and wisdoms.
And audience, thanks for watching. Thanks for listening. Hopefully, I'll see you in the next episode.
Until then, this is Kyser, signing off. Take care.