Tips by Gabrielle B.

Dernière mise à jour : 18 juin



Please note that this article will be updated regularly. Put it in your favorites!


Follow her on Linkedin



[FREE RESOURCES / PENTEST REPORT]


Want to upgrade your reporting skills?

A good report is beneficial for your customer. That’s why you need good writing skills!

You need to be able to explain complex concepts in a simple way for the executive summary.

For the vulnerability report, you have to explain your steps clearly.

Also, do not forget to keep a base of templates so that you can reuse them and adapt them to your new context without having to rewrite the whole thing.


Check out my article about this here:

https://csbygb.gitbook.io/pentips/reporting/pentest-report


BONUS: Want to take efficient notes on the go, you can use cherry tree: https://www.giuspen.com/cherrytree/



Check my comment below for other great resources for reporting! 👇


Check out this report, because reading other people's reports is really helpful to make yours better.

Radically Open security report: https://www.ushahidi.com/uploads/post-images/REP-20170303-vv1-pen-otf-ushahidi-pentest_Redacted.pdf

Check out this other tools for notekeeping:

https://joplinapp.org/

http://keepnote.org/


[FREE RESOURCES / PENTEST - OSINT]


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Today I will share resources for those who wish to learn more about OSINT and maybe specialize in it!

OSINT is often part of a pentest, but you could also become an OSINT specialist!


Check out The Ultimate OSINT collection by Hatless1der: https://start.me/p/DPYPMz/the-ultimate-osint-collection


BONUS: A 5 hours free course by TCM

https://youtu.be/qwA6MmbeGNo


More resources in comment



COMMENT: Follow OsintCurio.us! They share tons of articles about OSINT: https://osintcurio.us/


[𝐅𝐑𝐄𝐄 𝐑𝐄𝐒𝐎𝐔𝐑𝐂𝐄𝐒 / 𝐏𝐄𝐍𝐓𝐄𝐒𝐓 - 𝐌𝐎𝐁𝐈𝐋𝐄 𝐀𝐏𝐏] 𝟐


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Today I will share resources for those who wish to learn more about 𝐌𝐨𝐛𝐢𝐥𝐞 𝐀𝐩𝐩 𝐏𝐞𝐧𝐭𝐞𝐬𝐭 and maybe specialize in it! 📱📱


[𝐓𝐇𝐄𝐎𝐑𝐘] Check out this great blog post on Hackthebox

https://www.hackthebox.com/blog/intro-to-mobile-pentesting


[𝐏𝐑𝐀𝐂𝐓𝐈𝐂𝐄]


[𝐁𝐎𝐍𝐔𝐒] Check out Nahamsec resources for beginner bug bounty hunters on mobile App

https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/blob/master/assets/mobile.md


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good resources on mobile app pentest? Share them in the comment


COMMENT: Check out this course by ASecurity with Abraham Aranguren and John Hammond

https://www.youtube.com/watch?v=OscXnj0kqj4


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 / 𝗣𝗘𝗡𝗧𝗘𝗦𝗧 - 𝗖𝗟𝗢𝗨𝗗] 𝟯


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Today I will share resources for those who wish to learn more about 𝗖𝗟𝗢𝗨𝗗 Pentest and maybe specialize in it! ☁️☁️


Check out these methodologies on PayloadAllTheThings



[𝐁𝐎𝐍𝐔𝐒]

Checkout this Cloud Pentest CheatsSheets by dafthack

https://github.com/dafthack/CloudPentestCheatsheets


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good resources on Cloud pentest? Share them in the comment


Comment

Check out this great blog post on Hackthebox

https://www.hackthebox.com/blog/intro-cloud-pentesting


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 / 𝗣𝗘𝗡𝗧𝗘𝗦𝗧 - 𝗜𝗖𝗦] 𝟰

Want to specialize?

There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.

Today I will share resources for those who wish to learn more about 𝗜𝗖𝗦 (Industrial Control System) and maybe specialize in it!

Check out Robert M Lee’s Collection of Resources for Getting Started in ICS/SCADA Cybersecurity

https://www.robertmlee.org/a-collection-of-resources-for-getting-started-in-icsscada-cybersecurity/

[𝐁𝐎𝐍𝐔𝐒]

Check out John Hammond’s video on Attacking ICS Devices:

https://www.youtube.com/watch?v=1txnyN_3_zk&ab_channel=JohnHammond

Comment

Check out this comprehensive guide on Mission Secure

https://www.missionsecure.com/ot-cybersecurity



[FREE RESOURCES / REVERSE ENGINEERING]

Pentesting can be at the intersection of several areas.

In this series I will suggest some of these areas where having an understanding of pentesting can help you in your practice.


Check out Amanda Rousseau Malware Unicorn’s workshop and labs here: https://malwareunicorn.org/workshops/re101.html#11

Practice with Kevin Thomas’ tutorial: https://github.com/mytechnotalent/Reverse-Engineering#readme

More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good resources on Reverse Engineering? Share them in the comment


Comment Check out this Intro to reverse Engineering: https://opensecuritytraining.info/IntroductionToReverseEngineering.html


[FREE RESOURCES / PURPLE TEAM] - 2

Pentesting can be at the intersection of several areas.

In this Series I will suggest some of these areas where having an understanding of pentesting can help you in your practice.


Check out this amazing study on Enterprise Purple Teaming by Xena Olsen, Ch33r10 https://github.com/ch33r10/EnterprisePurpleTeaming

Get the book Purple Teaming for dummies by Jonathan Relber Ben Opel Carl Wright for free here:

https://attackiq.com/lp/purple-teaming-for-dummies/

Check out this article by Scythe on why and how you can go purple https://www.scythe.io/library/actionable-purple-teaming-why-and-how-you-can-and-should-go-purple


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good resources on Purple Team? Share them in the comment



Comment

Have look at Scythe Exercise framework https://github.com/scythe-io/purple-team-exercise-framework/blob/master/PTEFv2.md

Check out these courses on Attack.IQ https://academy.attackiq.com/learning-paths/purple-teaming


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 - 𝗖𝗬𝗕𝗘𝗥𝗦𝗘𝗖𝗨𝗥𝗜𝗧𝗬 𝗣𝗢𝗗𝗖𝗔𝗦𝗧𝗦 𝗔𝗡𝗗 𝗕𝗟𝗢𝗚𝗦]


A good way to have a more holistic approach to Cybersecurity is to listen to podcasts or to read blogs.

It is an entertaining way to learn and you get to hear about people in the industry from wherever you are!


Check out Phillip Wylie’s Podcast on ITSP Magazine “The Hacker Factory” here: https://www.itspmagazine.com/the-hacker-factory-podcast

And if you enjoyed why not voting for it for the European Cybersecurity Awards here: https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform


Check out Christophe Foulon’s podcast here: https://podcasts.apple.com/us/podcast/breaking-into-cybersecurity/id1463136698



You are more of a reader? 🤓 I’ve got your back! Check this great blog Security Queens

https://securityqueens.co.uk/

And guess what! You can also vote for them for the European Cybersecurity Awards!


Have a look at Daniel Miessler’s Blog: https://danielmiessler.com/


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good blogs or podcast? Please share them in the comment!



Comment

Check out the Focal Point Podcast by Angela Marafino and Chantel Sims on ITSP Magazine here: https://www.itspmagazine.com/focal-point-podcast

Have a look at Your Cyber Path podcast: https://www.yourcyberpath.com/podcasts/

Check out the different shows on Hacker Valley: https://hackervalley.com/


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 - 𝗧𝗵𝗿𝗲𝗮𝘁 𝗺𝗼𝗱𝗲𝗹𝗶𝗻𝗴] - 𝟯


Pentesting can be at the intersection of several areas.

In this series I will suggest some of these areas where having an understanding of pentesting can help you in your practice.


Lately, we see more and more Threat modeling integrated with pentest processes.


Check out this session about threat modeling on Hackerone: https://www.hacker101.com/sessions/threat_modeling.html


Stay in track with this Threat modeling cheat sheet on OWASP: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Threat_Modeling_Cheat_Sheet.md


[BONUS] Check out this list of Threat modeling resources on Infosec reference by Robert musser: https://rmusser.net/git/admin-2/Infosec_Reference/src/commit/d44538cb60d7d3ad64880feb45e05362382e550a/Draft/Threat%20Modeling.md


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other resources about Threat Modeling? Please share them in the comment!


Comment

Check out the Threat modeling manifesto here: https://www.threatmodelingmanifesto.org/


[FREE RESOURCES - Secure Code Review]


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Moreover, for white box pentest engagements you will have to do code review.


Check out this free introduction to Secure Code Review on Pentesterlab: https://pentesterlab.com/exercises/codereview/course


Check out this security training platform for devs: https://www.hacksplaining.com/


BONUS: Want to make a vulnerable PHP App? Check out this video by Wesley (The XSS Rat) Thijs https://youtu.be/e_dLSVpQy40


𝐒𝐇𝐀𝐑𝐄 - Do you know other resources? Please share them in the comment


Comment

Check out Tanya Janca’s book Alice and Bob learn Application Security https://www.amazon.ca/Alice-Bob-Learn-Application-Security/dp/1119687357


[FREE RESOURCES - Cybersecurity Job hunting]


Finding a new position can be tricky.


Here are a few resources to help you out.


Check out this article by Jay Jay Davey on “How to use Linkedin”: https://www.linkedin.com/pulse/how-use-linkedin-jay-jay-davey-/


Get Advice on writing a Cyber Resume with Joe Hudson here: https://www.youtube.com/watch?v=5T_u7l-t56g&list=PL4Q-ttyNIRArEf_K0V418lc6tjYEdJn4A&index=4


Get ready for your interview with these questions

https://www.springboard.com/blog/cybersecurity/25-cybersecurity-job-interview-questions-and-answers/


BONUS: Optimize your resume here https://www.jobscan.co/ to get past the applicant tracking systems (ATS)


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other resources? Please share them in the comment


Comment

Check out this article on how to hack into a cyberse

curity career:

https://digitalskills.continuingeducation.ncsu.edu/cybersecurity/how-to-hack-into-a-cybersecurity-career-the-ultimate-guide/





40 vues0 commentaire

Posts récents

Voir tout