We Hack Purple Podcast

We Hack Purple Podcast Episode 46 with Sunny Wear

July 16, 2021 Tanya janca / Sunny Wear Season 1 Episode 46

Host Tanya Janca learns from Sunny Wear about penetration testing with a live demonstration! Sunny shows off her custom app, Burp Tool Buddy, which shows you how to use and configure Burp Suite Pro. And it's a STEAL at $4.99!! https://twitter.com/SunnyWear

Thank you to our sponsor 10Security

NEW Secure coding Course here!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security.

Don’t forget to check out We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com

Find us on Apple Podcast, Overcast + Pod 

[Music] so [Music] welcome to the we hack purple podcast where each week we meet an interesting and new guest who is a member of the information security industry and this week our amazing guest sham brazil can't make it she is not feeling well today and we wish shan a very speedy recovery trust me she's gonna be fine um but she's sick so she can't be on and so i happen to be chatting with sunny ware and so sunny ware is gonna be our guest today so i'm a big fan of her for those of you that haven't heard me go on and on about her but i'm a big fan so this week um we still have the same we we still have the same sponsors we did last week 10 security and we want to thank those awesome awesome humans for sponsoring us and i guess i could just go on and on but let's meet sunny ware hi sunny welcome thank you thanks for having me thank you for being on the show i want to briefly tell everyone how i met sonny so she made this free amazing application security course on cybury and i was just learning about security and i took her entire course and i really liked it for a hundred reasons so one was that she covered just so many things and she would explain kind of the theory behind the thing and then she would show you an attack and show you the potential damage and then she would show you how to defend against it and i was like this person is amazing and it was on demand so i could just go back and watch her again and again if i wasn't sure i was like i see what she did there okay and it was free and at the time i had like a budget like this to be learning all the stuff i was trying to learn and i was just like she's incredible and then before the pandemic i finally got to meet her in person at the diana initiative and guess what's happening right now the diana initiative and obviously i'm wearing their shirt yay and guess where both of us are speaking the diamonds yeah are you speaking tomorrow sunny i am yeah uh i'm in the ctf uh village and it's gonna be at um um well 
it's 3 30 eastern time that's my time zone so so 12 30 uh for pacific standard time if you are those type of people which i am and i will be speaking at 11 on main stage one i guess um that's what my little link says i was like check make sure you tell them the right time tanya's back you stay the wrong time um and so yeah that means you could see my talk and then you could see sunny yeah please i'm gonna try to spark a um a journey in web app penetration testing so yes and that is a that is a topic that we talk about a lot on this show and normally i interview my guests and i ask them a million questions about their career but sunny's career is is not average at all so she teaches she writes books she like just like a thousand things and so do you want to tell them a little bit about you and if you want you could read your really awesome bio sure um yeah so i'm going to share my screen um how do i do that let's see share okay and then nancy can you put it into the show okay let me uh because i can't see you you know what i appear to like not be an admin right now so i'm feeling a little lost let me look in the private chat not shared yet okay so sunny at the bottom there's a share button you press it and then oh and then you have to click share screen and then you have to pick which screen you want to share and it's like in the separate area and i get mixed up too so share screen but then you have to do screen sharing tips then you have to click share screen then you have to pick which share screen it's like different than uh okay can you see can you see my slides no oh it's coming okay we can see that screen so can you just we saw it for a second and now it's over oh okay let me let me start sure yeah let me try it again um so i'm gonna share a share screen um share screen and and it did not work sorry weird no no here we go here we go sure okay how's that let's see i see i see and it looks good okay cool so um so so thank you everyone thank you tanya thank you 
for having me on the show my name is sunny ware and i in 2019 i completed a doctor of science in cyber security i'm part of a cyber security guild in tampa which is i live in tampa florida and the the members there like to call me dr sunny which is really um i like it um but anyway so um actually if i can just chat for just a moment i did my dissertation on um on devops um specifically rolling security into devops and um my uh my case study was netflix so i learned a lot writing that um cool in the during the day um i work as a web application penetration tester i'm actually a manager over my own team and we do uh penetration testing for a very large financial services company but as tanya had mentioned i also have written some courses and some books um one of the books is shown here this burp suite cookbook and you can get that as well as my secure code field manual on on amazon i have a website but what i really would kind of like to demo to you guys tonight is um something that i wrote during covent um having a lot of time on my hands uh at home um i started writing something that i thought people that are new to burp suite or people that have been using burp suite but don't know how to use it in an efficient manner i thought how about if i take all of the configurations and all of the recommendations that i do when i set up burp screen and compile them in a resource tool that you could read on your mobile phone so that's how i came up with the idea of the burp tool buddy and um i'm actually going to demo it um for you guys as okay when you're ready but it is available on ios and in the app store i'm sorry the ios app store and android um play stores so we just shared a link in the chat to all of those and they will be in the store uh in the show notes if you're listening so we release an audio only version of this podcast after so i might like try to describe some of what we're seeing so that everyone kind of gets the handle of what the burp tool buddy looks 
like sure can we can we see it absolutely i thought you'd never ask so so before before i show you a verb to a buddy um what i want to kind of help to explain is when you first come into burp um and uh because your viewers i don't know how much they've used burp suite but it's it's a very large application it can do a myriad of uh different things but you'll notice that there are these tabs at the top so there's dashboard and target and proxy basically like if people um on the stream wanted to follow along uh when you go to a new site like we could go to this test demo.testfire.net which is a vulnerable website that anybody can access um when you first come in here and you get your your traffic running into burp you may not know how to set up or configure all of the items um in a in an efficient way so that you can pin test this website or maybe you're not pen testing maybe you're a developer and you want to you want to kind of try to do some security testing against your own site so so let's say i'm here and i'm at the target site map and i look at this filter here and and let me just show you how i got here there's this word filter you can click this and there's a menu that appears well if you just use burps now i've already got it configured but [Laughter] by default not all these things are check marked and so what the burp tool buddy does is it helps you to um basically know how to configure each of the tabs in verb suite so this is what it looks like obviously this is a um my development version um how i wrote it oh hello you guys still there yep yep okay um everything went quiet oh yeah sorry um i was listening and then nancy did a full screen and then i was like oh i'm just gonna switch browsers um like i was gone literally under one second and you noticed being a trickster but i can't see your screen anymore okay yeah let me um and and first we'd have a thing yeah yeah there's a question in the chat great perfect um yes they do and um and please keep keep 
the questions coming i'm sorry about that i didn't know uh why there was a change there that's okay yeah so there there is there's a community edition in fact um let me show you that so if you go to uh portswigger and type burp suite community edition can you guys see my screen okay yeah yeah we can okay cool so um you and i might have slow internet because i got a lot going on here so but anyway there is a community edition um and that is sorry about that it looks nicer when she's not proxying it with burp no actually that's my other browser so let we could talk about that um so you whenever you do proxy you want to segregate your browser from yeah you want to have like a separate browser from the browser that you use on your operating system um and what's really cool is um in the newer versions of burp now you actually have a built-in browser let me let me show you that yeah yeah so that it's what i'm using right now i'm gonna just save this off so um you go to proxy intercept and there's an open browser here and then we can put in our traffic and immediately you're going to see uh your traffic populated here cool so um yes and what's nice about this built-in browser is i'll show you some of the more advanced features but it has this great tool for finding dom-based cross-site scripting called dom invader it's totally awesome how this works is you can put in a canary here so like let's say we put in javascript xss and um to take effect we just reload our page i'm going to do f12 and go to my tools make this a little bit bigger so you're going to see that there's a new tab here called augmented bomb and what this does is it'll take my canary and it'll inject it into the page so like i can inject my canary into the url and now you see that it's up at the top there how this is helpful is you're looking for reflection right so with any cross-site scripting you're looking for that value to be reflected on the page and from there you can then determine uh if you've got 
a source in a sink so if you've got an injection point which in essence is what a source is um you're looking for it to be reflected back which is going to be your sync so this is a really fancy little tool to um to help find dom based cross-site scripting okay hello it's it's pretty new so um if you've never heard of it before it it was just released um i think like this week so [Music] uh so yeah so getting back to the burp tool buddy we have a question but like is that okay so um ben's asking why segregate the browser is it more security related or can there be an interaction that affects the results yeah so it's not security related uh necessarily um it's just that like if you want to go search for something you want to segregate you know trafficking your target um from your google searching and um right now um you know i don't i'm not i'm not proxying any of this traffic and it's just purely from a researching point of view so yeah so you can go all over the internet and not have burp spy on you the whole time right and in some cases um like burp like um some sites will actually shine you i mean and i don't know if anybody's ever been shunned um by google but the world gets really small when google rejects you this can be very sad so you don't want to be proxying google um so they they may not like that so yeah so and there's a couple different ways like i showed you the built-in browser here but um there's a great plug-in that i use and i'll just uh open up the firefox here but i want to see your plugin for your tool sure um there's a foxy proxy though that will also do the same thing so you can turn it off and on as far as proxying through burp or not so yeah foxy proxy rules it's very good best so um so yeah let me let me go back to the burp tool buddy so what you'll notice is there are three sections for each tab the first section is the purpose so this is just explaining to you what is the purpose for that specific tab that's in burp suite the next 
section is configurations so these are my recommended configurations when you go to start attacking a site and um and obviously you know you have some sort of agreement right to attack that site or you're doing it for educational purposes so but these are the things that i recommend that you go ahead and check off when you first start burp tool buddy so these things are not on by default the way that this works is if you click more it'll show you the next configuration or you can click next configuration so this shows you how to include urls inside of your scope and so you go to next this shows you how to exclude items from your scope and you might be thinking well why do i want to exclude items from my scope so if you're running the burp scanner which you don't get scanner with the community edition but you do get it with professional if your scanner is running you don't want the scanner to log you out of the application because then you know you're just you're getting either false positives or you know you're you're not you're not doing the most that you could so by mapping out um where the login or where the log out button is and giving burp that url it will exclude that from from the scanner so it doesn't click it exactly and log you yeah so so yeah so the way that this works is you you've got you've got a burp over here so you can look at the filter and you can see that i've kind of already done this for myself uh because these are and then i haven't set my s i haven't set the uh show only in scope items because what i would like to do is kind of show you how to set your scope so i've been doing some of the things here but actually i'm going to remove this from my scope just so i can kind of show you how to do this so okay you've got your site here and um there's there's two ways that you can add to scope so you can right click the url and you can add to the scope but i want to kind of you know show you another way and the burp tool buddy has this as well um 
so let me let me kind of just show you um in target tips and tricks there's an advanced way to set the scope and i want to show you this because this is what we do professionally whenever we're attacking our target application because it gives us a lot more leeway to find urls that are in scope so let me show you that in the tool so what i do is i like to grab right off the root from this url so i copy that go to scope and see i'm already using advanced scope so normally this is not check marked so you would just check it like that and then you could paste the url if you like uh that's how i usually do it then you're going to highlight it and edit now what you're going to do here is you want to set this protocol to any and you want to get rid of the 443 now let me explain to you why you want to do that um in a lot of cases you know the the client will tell you what url they want you to attack but they don't always realize that there are a lot of other urls some of which might actually run over http that they're not even aware of and so as a web app penetration tester it's your job to to let them know like if there's mixed content in their site it's your job to write that up as a vulnerability and let them know so this is one of the ways that we can discover that um instead of just setting it to https we set it to any and then we get rid of the 443 because obviously that's um just https so now let's get there yeah tips and tricks um so so now we can come back to our site map and we can really clean this up a lot so just by checking this box and clicking apply now you can see that we're just focused in on our target site so um so hopefully that helps um and you know we can continue to look at a couple more um options here but can we go to the home so like does it go through every single part of burp suite because that's incredible yeah oh um yes in burp suite buddy absolutely yeah so so yeah every single tab um that comes in except for a decoder i will be adding 
decoder because people can give me um any kind of input and i and i roll out updates that's why i love the mobile apps because like with a book you write a book and and you pour your heart into it but then you know a few years later you want to add something new and it's it's a lot more cumbersome to update a book but oh yeah yeah but with mobile app i just i update my code i send it up to the app stores and then it rolls out onto everybody's phones so um yeah so i wanted to kind of go through dashboard because dashboard is just huge um so the dashboard has like your uh it talks about the the crawling capability and the scanning capability so of course this was the purpose then we get to the configurations and now dashboard is big and you can see that i have a lot of configurations but what i've done is i've designed it so that the configurations follow the way that you're looking at what's in burp suite so if you were to look at dashboard you would notice that the very first thing you see are these two buttons here new scan and new live task and so what i do is i explain first what the difference is between a scan and a live task basically in a nutshell a scan will go through an entire directory or area a live task is more like sort of a behind the scenes worker that runs in the background but is still scanning for you and it runs through your tools that's the main difference um but as you can see here i've got um for the next item i show you basically how to set up a new live task so i show you what the menu is that pops up when you click the button and then in the next configuration i show you how to set up everything in that menu nice this would have been so helpful when i was trying to learn burp suite gosh my professional mentor on friday told me to learn burp suite because my first pen test was monday and i was like oh crap wow and there was a lot of youtube that happened that weekend yeah there was um oh this would have been amazing well and i'm always 
adding to it because there's always new features and stuff so um let let me show you one other thing that i added so um let's say that there's a certain page that you really like and or a certain thing that you need to go back to again and again i set up this um favorite button and so the favorite button when the star is there and actually i'm going to turn the sound on let me go back to home uh there's a hamburger menu over here and uh you can do like dark mode i did dark mode i know a lot of people like dark mode so i wrote code for that um but there's these cool sound effects i like the sound effects um i had more but some people were like it's too much so it's okay um yeah but anyway so let me see if you can hear this could did you guys hear that or no probably not no it's probably i couldn't hear it yeah it's because it's my sound that's why but anyway it does like a little piano um so now when you go home there's a favorites tab over here and so now that'll take you right to your favorites location so you don't have to try to remember oh that's nice yeah [Laughter] i use a meditation app and you have to go several menus deep to like get to your favorites and i was telling someone else how upsetting i was about it and they're like you're really raging about your meditation app just like i have filled software for a really long time and i can't believe you have to go like four sub menus it's just it's not acceptable there's like a like an oxymoron there um right yeah so um [Music] but so i i'm i'd like to guess get a pulse for the audience like uh how much they use burp suite or um yeah if uh you know if if there's any specific questions that that they want to ask it doesn't have to be about burp suite or the burp tool buddy could also be about web app pen testing uh in general cool while you well while we wait for people to put some questions in i want to very very briefly thank our sponsor which is the thing i do thank you so much 10 security thank you for 
being our sponsor greg and matt you do drool 10 security are the people who made oas defect dojo and basically they do consulting and will help install it automate it make everything work beautifully for you if you don't want to learn how to do that yourself that's 10 security awesome end of sponsored section uh also i'm speaking at diana initiative tomorrow and sunny's speaking at diana initiative tomorrow and we hack purple is sponsoring diana initiative and we're giving away three secure coding courses at diana initiative tomorrow so i guess that's what probably everyone should do is just like go to diana initiative what do you think sunny yeah i definitely think so right so that's settled now we'll see you all tomorrow good we can bring sunny back on i actually have questions for sunny oh oh also there's another announcement i was supposed to make oh i'm so ridiculous uh so we hack purple and oasp have reached a partnership deal and so for all paid oas members you can receive absec foundations level one for free now so uh just use your owasp.org email address and it actually needs to be a real one um someone tried to register with oauth.com and i'm like um but yeah you just go to our website academy.wehackpurple.com and uh it should be listed there but basically you're going to get the oauth newsletter and it's going to have the link you can follow oas on twitter and they're sharing that or you can go to wehackruppel.com and look at our latest blog and it has the link too so obas members get you free stuff yeah i'm pretty excited about partnering with oas thank you for the reminder that i should do that and i'm gonna share a link to that blog post because i forgot but i'm doing it now thank you thank you for the reminder my amazing sound technician who keeps me in line so i have questions for you sonny even if the audience doesn't so if someone is if so i have had people tell me when you do a web app pen test you just run a scan with nessus or an expose and you 
run an automated scan with burp and you just copy that stuff into an like into a word document and then you send it to them and you're done and i don't believe that that's true would you like to share some thoughts on that oh yes i would love to that there is a question in the chat should we address that first sure yeah let's do it before we rants too much uh sure actually brand new to burp suite and pin testing do most bug bounty hunters use it or is it mainly used for in-house or independent pin testing well thank you for your question uh ow and i would say both um so bug bounty hunters use burp suite quite a bit um penetration testing and basically this dovetails nice nicely into my answer for tonya's question um i consider burp suite sort of like a tool in a surgeon's hand it is something that i use to dissect a web application and meaning that yes it has a built-in scanner but the scanner is designed to sort of laser focus a particular area of your web application and because if if you just run the scanner like say you just set your target and then you just press a button um you're going to get a lot of false positives you're also going to get a lot of issues that burp will be saying hello hey will you look at this um that you need to validate so it's not saying it's a vulnerability it's saying this is something you need to look at so for example i'll give you some examples um file upload vulnerability so burp will scan all your pages and it'll find if it finds a page that has a file upload it can't do the file uploads for you you know but it's gonna have a little um item under the issue list that's gonna say file upload folder so it's your job as a penetration tester to manually go in um do all your owasp tests and by the way uh i use owasp um the os checklist so um asvs or something else not asvs i use the um um otg version four so it's the oauth okay guys version four yeah if we can get a link for them for that oh yeah i'm getting it there's so the testing 
guide actually um is a cross reference to the checklist uh there's so if you look up a github otg version 4 checklist there should be a link um to the to the spreadsheet yeah so that that pdf is is actually the the the guide and then there's a chapter that goes with it yeah i'm finding it yeah sure so um so yeah bug bounty hunters i mean they're they're going to use burp they're going to use anything that's going to help them when evaluating a website um you know to find uh what the vulnerabilities are um for for their you know for their uh session yeah i feel like um so you don't want to scare people away from pen testing by telling them that it's really really hard however i had someone email me once and he said hey we used to work together at this other place i want to be a pen tester can you just like tell me how it was when i was first starting and so i was telling him so much stuff i spent two hours writing this ridiculous email to this guy that i used to work with and then he wrote back he clearly had not even read the whole email he's like oh that sucks i thought you could just click a button and make ten thousand dollars yeah and i was like yeah don't you think we would all just click that button all the time and everyone would just click the button all the time everyone won't be like i want to have one of those buttons like what and i felt so upset that he didn't even take the ti i was like i spent two hours on this and in retrospect that could have probably been a pretty decent blog post but um i feel like a lot of people seem to think that it's this really easy task but it's really a highly complex technical job to be good at that isn't it it it is um and in in my talk for the diana initiative i do talk about three pillars there are three pillars that are foundational i believe for i t and security and those three pillars are programming networks and databases so it doesn't really matter what you do you're never going to get away from those three things 
um and it doesn't mean you have to be an expert in all three no i mean that's that would be really hard but you really should know um you know foundational concepts about each one you should feel comfortable with like i'm not a networking person but i can talk about network devices i can talk about infrastructure i can talk about it in the sense of what's in front of the web application you know is it a waf is it a reverse proxy is there a load balancer there all of these components right so even if it's not necessarily your niche it's those three areas you you really should feel comfortable in in discussion we have some awesome questions in the chat first we have more from al thanks for the explanation sunny so i understand you have a br sweet guide that you're going through now and it's available online tell us like please uh oops wrong button um please tell him briefly about burp buddy buddy sure burp tool buddy is actually a mobile app so what i was showing on the screen was my um progressive web app it's called but i was showing my my dev version of it that i run locally um but you can buy the the burp tool buddy it's 4.99 on on the playstation playstation like 4.99 or 499 no four dollars okay i think five bucks yeah oh my gosh five dollars okay so yeah that's a steal basically you get to steal so awesome um so yeah you can buy it on android and uh an app store for ios cool and then we have questions from dwayne dwayne always asks lots of awesome questions so howdy yeah dwayne rules so he asks how do you handle developers that push back on needing secure coding training since that's what you do sunny gives secure coding training some may say we have a waff or we are not being targeted so we shouldn't have to do this what is your response so um whenever i get pushback um if if the pushback it depends on what the pushback is because i get lots of different kinds i get a garden variety which includes devices which is the waff um use a plastic bat he was saying 
use a plastic bat to the back of the head so i was gonna not show that i accidentally clicked on the wrong button and we'll just leave we'll just leave that everyone's saying hi to each other and i clicked on the wrong one and that didn't happen let's let's talk about waffs so waff if you're not familiar stands for web application firewall and what it does is it usually has like a black listing um of uh particular uh characters that it will um make inert you know or um get grins it blocks it blocks right it it blocks what it thinks is bad or if it or it makes it inert by taking so let's say the alligators you know your greater than and less than signs the alligators and it makes them inert by placing out output encoding and changing it to ampersand lt and ampersand gt yeah so when the browser receives that um it's not going to execute that but if it were to receive the alligators it's going to execute that as malicious javascript so so what i say for pushback um for a device is um specifically with laughs well they're blacklists that can be bypassed and guess what wafts go down and wafts don't actually address the the core of the problem which is in your code and especially if it's cross-site scripting which is the evil of all evils so you want to make sure you know you want to make sure that you're actually addressing now wax can buy you time because when you're on projects obviously you know it's it's hard to put things into production overnight um but it's it's not a substitute for addressing the core of the problem other pushbacks that i get um you know can be about um not wanting to remediate things so i take a lot of care when i do my reports to not just show how i do the attack but also to spend quite a bit of time in the remediation section giving people code samples code snippets if you need a secure design i mean i've been an architect for many many years so i could do a secure design for you um you know talking through the problems so that the developer 
feels like they're not just being told their baby is ugly that you know it's i'm i'm here to help you and to make to make things better yes so dwayne followed it up with how do we get programmers that create ics so industrial control system applications to write more secure code so last week so sunny you're probably unaware we had someone on name ron brash and his specialty was industrial control systems so we talked about that a lot and i would say you could just scare them the same way she scares them i mean persuades them yeah i mean i i would say that in the same way dwayne you know i've not done any i ics um penetration testing but if i were to um then i i would basically use that as leverage to build my credibility with developers that are doing that so that i could show them specifically what are the areas that are that are problems and and here's how you can fix them so if someone wanted to get in to so we already did have a penetration a penetration tester on the show davin jackson he was amazing but oh yeah ben is asking the cheese question we'll ask the cheese question comes next so that is alex i'll explain i promise um but if you were gonna give someone advice on how to become a penetration tester one day do you have like one or two things that you might suggest of like how someone could try to move their career that way absolutely so the the first thing that i would do though is i would take a little time to find out their background because that really helps uh to know what you may already have a natural inclination towards so if if they're currently doing uh actually i just had this conversation uh just a couple of weeks ago with somebody new they wanted to uh transition into cyber security and penetrate penetration testing so i asked him and he's military so i said well what what is it that you're doing right now and he said um it had to do with radio frequencies i was like oh man that's cool you know like you could jump into wi-fi and you know 
tear it up. So that's why it's kind of helpful to know their background. But if somebody was like brand new and they did not have an IT or security background, I would actually suggest that they take an IT job first. I know that sounds like, I don't know, maybe not sound good, but there's just so much, and to have that foundation, like be strong in your Linux skills, you know, have some scripting ability, you know, in Python or Bash. These are things that will stay with you for your entire career.

Yeah. You know, the guy that had emailed me that I used to work with, where he's like, I just thought you could press a button and be really rich. It's like, well, if you could just press a button and be really rich, everyone would do it. Like we wouldn't have anyone doing any other job, right, if it was truly effortless. And I think it's really hard to learn how to secure systems that you don't understand: how the systems work, how to support them, or how to build them.

Yeah, exactly. I mean, just for example, I started my career in IT and I was doing builds. I was basically packaging up deployment kits that would be deployed to production, and I would write scripts in Bash, or Korn shell at the time, but now everybody knows Bash. So I would write these scripts that would automate the tasks. So it doesn't sound that impressive now, but like at the time I was like, oh man, this is awesome. But I want to do development, so I only stayed in that job for about six months and then I started doing development in a different position. But those skills that I learned by doing that job, like I still use those skills today, and it's 25 years later.

Yes, exactly. And I remember I was dragged into a security incident, and by dragged I mean I begged to be allowed to be in the room, because I was interested in what was happening and I was just curious. And I remember sitting there and I'm like, oh, oh, that's code. Oh, oh, that's SQL. Oh, oh,
they're doing something very bad. And all of the IR team, like the incident response team, looks at me and they're like, you can read that? I'm like, I am a big nerd. Because it was obfuscated, but somehow I could still do it. I don't know how to explain; I was just like, oh crap. And then, you know, 20 minutes after the meeting they're like, hey, do you think you could decipher the rest? I'm like, oh, I already wrote a script that does it in PowerShell. Cause I was like super excited. And so then before you knew it I was on their incident investigation team, and then I was just like, I am hooked, I want to do incidents all the time. But it turns out you actually just want to do them once in a while or you get really stressed out.

Really stressed. It's that 24x7 thing.

Yes, oh my gosh, people that do fully incident response all the time, they are stronger than me.

Yeah, I just say that like those are some tough people. They're good people.

So I have to ask the cheese question now. So the cheese question is like, does your job pay well? But we came to the cheese question because when I was a dev I felt like I'd really made it when I went to the grocery store and realized I was like deciding between two, I really like cheese...

Nice.

...deciding between two types of cheese, and I'm like, okay, so you know, which one should I get? And then I realized I'm a software developer now and I'm full-time and I can buy both. And I was just like, I've made it, I'm ready. Yes. And I wasn't like counting the exact amount of pennies I had to make sure I could afford everything in my grocery cart. I was just like, oh jeez, and it's gonna be okay. And so I felt that was like this moment where I had made it, and so it has become the cheese question. And Ben's always like, has someone asked the cheese question yet? And I'm like, oh, we have it. So Ben always keeps me honest. And so, does being a penetration tester pay well? I don't mean tell us how much you make, I mean like for how hard you work and how much effort you put in and how much you have
to know, does it seem like it's a good deal?

It does pay very well, and obviously the more background you bring, the higher your salary. So just for an example, I hand-picked my team. I'm very proud of my team, this is for my day job, and I picked developers and I turned them into hackers. Like, they don't even have cyber security experience. That was me, like that was totally me, right? I was this developer, and yeah, I had done some security-related development, you know, in my years, but I just wanted to do penetration testing. And the very first time I applied for a job, the potential manager asked me, she's like, well, have you done any penetration testing? And I said, well, no, not professionally, you know, because that's why I'm trying to get this job. And she's like, well, I don't want you. She's like, I don't want you. And I was like, you don't want me? Like, that was just crushing. And then I was mad. I was like, okay, I'm gonna be the best, I'm gonna know everything about Burp, you know. I was just a terror at that point. So now, fast forward, you know, 10, 12 years, and so now I give developers that chance, because I know that they have the basic foundational background of, you know, HTTPS request-response protocol and architecture, application stack. There's a lot of that that's already laid into the foundation; I can teach them to hack.

I love it. So basically then you mentor your team and you get to kind of turn them into like the ultimate penetration testers to help you go smash everything.

Yeah, and then in turn, like, I've learned stuff from them. So yes, I'm their mentor, and yeah, I'm sort of the one to help them realize this is a vulnerability, this is not, and show them how to dissect a web app, but I learned stuff from them too, right? Because no one person can... yeah, it's just, it's awesome. It's a great symbiotic relationship.

So I hate to do this,
Sunny, but we have to wrap up.

Okay.

I feel like the time passed in like four seconds. I'm like, how has it been over 50 minutes? So I'm assuming that people, after seeing this, listening to all this and watching you, that they want to know where they can learn more about you. And so can you, let's say, your website address? That's because some people are just going to be listening.

Yes, it's sun soulsec.com, and that's short for Sunshine Solutions. That's my side business, so yes, please check it out. Also I've got a merch store. If you really like the Burp Tool Buddy, I have some t-shirts on there that have Burp Tool Buddy, and on the back of the shirt, though, is the best, because it says "the browser lies," and that's kind of an inside joke, but it basically means, like, don't believe everything that you see on the screen. You know, Burp's going to tell you the truth.

It's true. And then also you wrote some books, and so where would we find those books?

Yes, we find those on Amazon.

Amazon.

Yeah, so Amazon's got the two books that I sell. One is a secure coding field manual, right there, thank you Tanya, and the other one is a Burp Suite Cookbook, which is like a how-to on how to use Burp Suite to pen test.

And then also, I mean, obviously everyone wants Burp Tool Buddy.

Yes, please. Burp Tool Buddy is available on the iOS App Store and the Android Google Play Store.

And so basically tomorrow everyone, like everyone ever, is going to come to the Diana Initiative and see Sunny talk, and me too, and also just all the other awesome that is occurring, including the giveaway at the We Hack Purple booth that you're all going to visit so you can put your name in the raffle.

Thank you for having me.

Thank you, thank you so much. Thank you so much for being on the show, and especially for just, like, last minute. I was just like, we're talking about something completely different, audience members, and I was like, maybe I should ask her. The worst she could say is no, I'll just ask. And
then I was like, would you? And she's like, sure. And I'm like, let's pounce while she's saying yes.

Great. This was fun. This was a great time. Thank you so much.

And thank you, thank you so much. Sorry, there's like the small delay and I get excited. Thank you again. And so now let's do the outro. So thank you, audience, for watching the We Hack Purple podcast, where each week we meet an interesting and new guest from the information security industry, and this week was Sunny Wear, and it was awesome. We talked about all sorts of cool stuff. This episode was sponsored by 10Security, the awesome DefectDojo dudes who will automate all the things beautifully for you. And We Hack Purple is doing all sorts of stuff, including our amazing new sponsorship with OWASP, where for all OWASP members, you have to be a paid OWASP member, you can get into Application Security Foundations Level One for free. Tomorrow I am speaking at the Diana Initiative, and We Hack Purple is sponsoring the Diana Initiative, and Sunny Wear and so many other amazing, amazing human beings are speaking at this event. It is one of my favorite events on the planet, and I can't be there in person, but it's great because it's virtual, so you don't have to. And even though it is currently the end of the first day, you could still attend the second day. They still have tickets left because it's online, so there's space for everyone. And I think that those were all the things I was supposed to announce, and I just want to say thank you, thank you, thank you for coming back every week and listening to the We Hack Purple podcast. Have a great week and I'll see you next Thursday. [Music]