Vulnerability Disclosure Policy

Vulnerabilities are everywhere. You can be assured your systems have them. There is a good chance that the vulnerabilities in your systems will be discovered by an outside party. Do you have internal policies and procedures in place for how to deal with that when it happens? Do you have a public version of that policy posted? If not, this article is for you.

Annual Team Meet-Up (2021)

PEN Consultants held its inaugural annual meet-up October 8th–10th, 2021, giving each team member (and their family) the opportunity to meet each other face-to-face (many for the first time), participate in team-building activities, and give back to the community. Here is a summary of that event.

Acquisition of PEN Consultants, LLC

Throughout most of 2021, we have been increasingly pursued by various business referral partners and investment firms asking if we would be interested in merging with them or being acquired. This is our boilerplate statement, so as not to have to repeat ourselves.

User Enumeration vs Password Spraying

What do you call a User Enumeration attack against a logon service (i.e. username + password)? Based on recent polling (Source_1, Source_2), it would appear our industry peers call this a password spray attack (by a 3-to-1 margin), despite the purpose clearly being for user enumeration. This article will explain why we are taking a minority view, while still recognizing the validity of our peers’ viewpoints, and incorporating them.

How do I get into Cybersecurity?

I’m often asked questions such as, “How do I get into Cybersecurity?” or “How do I get from an IT role to a cybersecurity role?”. This is a copy/paste, with a few edits, from previous emails.

Your Schema is Showing

Here’s a look at the results from our recent effort analyzing GraphQL API endpoints across the web, and the percentage of those endpoints that allowed an unauthenticated user to view the query & data schema. The intent of this article is to address the implications of allowing this schema to be retrieved, similar technologies that allow access to their schema, what can be done about it, and the trend of those who have prevented such a disclosure.

Building a Security Testing Business

I am often asked, “How did you get started with your security testing business?” “What are some lessons learned?” “What are your current challenges?” I have been asked enough times that I decided to post my thoughts in blog format.
