2025-02-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
With the gradual expansion of my customer circle, my weaknesses have become more prominent. For example, I have been working with the intranet for a long time, I am not familiar with the extranet, and my traditional security research assessment is not accurate. I can't afford a detailed new security project at all. In order to make up for the shortcomings in my work experience with external network addresses and with security research and evaluation, I was determined to change my job and move to a more comprehensive service platform, to learn a lot of things and improve my practical value. After much exploration, a medium-sized security company extended me a recruitment offer. As soon as I joined the company, I was exposed to traditional new security projects such as security risk assessment, penetration testing and so on. Many past veterans of the security industry in security enterprises became my leaders. In addition to self-study, I often asked my elders for advice on difficult problems in new projects. Don't think that everything will be all right with a teacher. I've had a lot of trouble.
I still remember the first time, when I worked with mobile prefectural and municipal operators. I wanted to do a risk assessment for the mobile prefectural and municipal operators, but during the whole process of the new project the other side gave me property details that were two months short. I didn't find this during the verification, and as a result a lot of additional property (including new security machinery and equipment and newly released security system software) was not dealt with. After 15 days of continuous work, when I took out the analysis report and showed it to the client, the customer was surprised and asked, "Why is there so much less property?" As soon as we communicated, we found that the details of the previous two months had not been entered, and this mistake forced me to stay up all night for another five working days.
The second time, I was going to do a new penetration project. The client was a large government agency. The customer wanted to make a basic evaluation of its own security protection management system, and also to verify the working ability of the security support point of the enterprise to which I belonged at that time. It was stipulated that my side would carry out penetration testing on its web website, and I was chosen to be the vanguard of the enterprise. First of all, I would observe the safety and protection work ability of the customer. If I could break into the other side's system software, I would have reached the goal.
As a result, a few days later, I had tried to attack in a variety of ways. At first, I thought that the customer had adjusted the countermeasures on the server firewall again, blocking the previous detection data, so that no information could be collected, and I had no ideas left. I could only ask, through my business colleagues, whether the customer had adjusted the server firewall countermeasures. I still remember the ironic voice of the customer on my business colleague's mobile phone: "We have not made any corresponding adjustment to the server firewall countermeasures. Your engineers' ability in penetration work is relatively weak. Haven't they even obtained the management authority?"
Then my business colleagues simply used my connection to contact an outstanding hacker, who immediately broke into the web website of the government agency and gained access, helping the company prove its overall strength and win a new project. This was a severe blow. It was purely a difference in overall strength, but it inspired me to gradually improve my technical ability and master new ideas.
The third time, I was authorized to come to a customer to conduct a security scan of its internal assets, but before I did the scan, I forgot to confirm with the customer whether I could carry out the scan, and who could have guessed that my penetration test would cause three of the customer's more critical web servers to fail. The client was very dissatisfied with my reckless scanning behavior. After that, I learned that, in fact, it was not caused by the scan at that time. It just happened that the customer's network server was being upgraded, which was not going very smoothly, and the scan led to server downtime.
After these three embarrassing events, I have gained work experience. On the one hand, improving my overall strength is the key; on the other hand, I have to learn to communicate more with customers. To be safe, that is, to have a sense of security, you can't be unrestrained. I was so close at the beginning, but in the end, I didn't know how bad it was. After talking so much, it was my own way of learning. If you want to conduct penetration testing on a website or app, you can go to a professional website security company to deal with it; I recommend several of the more professional ones, such as SINESAFE, Eagle Shield Security, Green Alliance, Ambient Technology and so on.