Funny artifacts of security testing

Being a vulnerability analyst has a few humorous artifacts. This takes a few different forms, but in general it's like having 100 projects - with all the related notifications - but not being responsible for them anymore.

As an ad hoc member of the team for just a few weeks, you tend to get full access to everything, and then sometimes never lose it. For instance, I get TestFlight notifications for iOS applications I tested two years ago. I go unsub when I see them, but I have tested so many iOS applications, and some of them update less frequently, so I get a notification and think "Oh yeah, that app!".

Also, I regularly get put on code repositories. Now, those get edited more often, so I usually can go and remove myself, but sometimes they are internal, so I am getting alerts but can't change the settings. I'll email the dev lead, get the "oh yeah I'll fix that" and then get a task assigned to me randomly two weeks later. It's a lot of fun.

The best is Jira.  I'll get added to Jira as a source for bugs, and then questions will get directed back to me.  As many readers know, the average for remediation of security flaws hovers around 360 days. Often, I'll get a ticket that has me as the source assigned to a junior developer, and get an email from an (often internal) Jira system saying "What the heck does any of this mean?!??!"  Those are always a good time too.

My very most favorite is when developers get a vulnerability on a card sometime down the road, and look me up months or even years later for clarification. This is exactly the kind of thing I like to see. Honestly, often the environment has changed around the vulnerability, but it restarts the conversation. This kind of follow-up is something that is going to help save appsec, and we need more folks like that.
