Pentesting vs. Bug Bounty vs. Pentesting ???

  • Published 4 Aug 2024
  • What is the difference between Pentesting and Pentesting? There are different jobs that can be described as "pentesting" and I want to talk a bit about it. This should also help you to better organize your own learning, as you better understand your goal.
    Blog: liveoverflow.com/pentesting-v...
    00:00 - Intro
    00:32 - Pentesting: What most people think
    01:19 - Pentesting: What I actually do
    01:53 - Pentesting vs. "Pentesting"
    03:49 - Better name: Application Security
    04:14 - CTFs are Useless/Awesome!
    05:21 - Opposite Side of Pentesting and AppSec
    06:27 - I prefer being a Developer than Pentester
    06:51 - Bug Bounty vs Pentesting
    08:36 - Outro
    =[ ❤️ Support ]=
    → per Video: / liveoverflow
    → per Month: / @liveoverflow
    =[ 🐕 Social ]=
    → Twitter: / liveoverflow
    → Website: liveoverflow.com/
    → Subreddit: / liveoverflow
    → Facebook: / liveoverflow

226 comments

  • @katzenschildkroete
    @katzenschildkroete 3 years ago +179

    The only time I pen test is before an exam to make sure I have enough ink left

  • @MrVampify
    @MrVampify 3 years ago +112

    As a corp pentester, this actually gave me some really great insight to think about appsec and pentesting as separate areas of security. I've recently started teaching myself API which is really fun and trying to subvert obfuscation. I would say I'm mostly a pentester but occasionally dive into appsec for specific webapps and such.

    • @m1cx657
      @m1cx657 3 years ago +2

      Bro, I'm curious, what do you do every day as a pentester in a corp?

    • @codr6934
      @codr6934 3 years ago

      the fucc?

  • @matthewlandry1352
    @matthewlandry1352 3 years ago +69

    This is simply one brilliant channel. He has definitely got his mojo back. I also love his hilarious takes (like when the van pulls up to the building and the red skull lands on the door… like Ghostbusters or something).

  • @_CryptoCat
    @_CryptoCat 3 years ago +16

    I love the drawing/animations in this (0:49 + 1:32), really cool! Great breakdown of the different security roles and how they interchange.

  • @OmegaZ2
    @OmegaZ2 3 years ago +14

    This video actually helped me a lot. Thanks a lot for clarifying these two "sides" of IT security. I've always been in love with the "pentesting" part, not much with the "appsec", but I think it's better to know and understand both sides :).

    • @Fahodinho
      @Fahodinho 3 years ago +5

      It's worth noting that these are not the ONLY sides of IT security. There are many other areas like webapp, netsec, analysis, etc.

  • @GarrML
    @GarrML 3 years ago +4

    Love it! Great breakdown here. I'm right there with you, "Appsec Pentester" is how I've referred to the application-focused side of "pentesting."

  • @Gary-tp9dk
    @Gary-tp9dk 3 years ago +11

    Thank you very much for helping me clear some of the fog from my mind as I'm heading into the "appsec" world.

  • @ThingEngineer
    @ThingEngineer 3 years ago

    Amazing video that was long overdue. It seems a lot of people wanting to enter any of these professions often bounce around a bit confused and maybe even focus on the wrong area due to the exact confusions you cleared up here. Well done!

  • @KarahannAe
    @KarahannAe 2 years ago +1

    Thank you for this video, I am a full stack developer and I just started learning about cyber security. I have been following a beginner's course but it was mostly about pentesting, focusing on topics like Active Directory security. I had started to feel unmotivated because I'm not that interested in that area. Watching your video helped me realize that I should start to look more into resources about appsec. Liked and subbed.

  • @PootytangFL
    @PootytangFL 3 years ago +13

    This is actually a pretty interesting topic for job searching. In my job (in the US) the "networking" red teamy stuff is called pentesting while the appsec stuff is called different things within different regions in the US. In my area what you called "appsec" is called VR (Vulnerability Research). While in other areas (Midwest) it's known as security research. Fun note: one of my first job interviews was for a "VR" position, I thought we were going to be reverse engineering virtual reality equipment.

  • @MrMcPeon
    @MrMcPeon 3 years ago

    Working as a SOC analyst. Great vid explaining the industry and different sec areas! 👏

  • @Andreea93chan
    @Andreea93chan 3 years ago +68

    The problem nowadays is that every company wants a jack of all trades when hiring a pentester. I already have 7 years of experience in the field, however I constantly have the feeling that I am not good enough, even though I am constantly learning and gaining certifications. I've reached burnout. Officially. And I am only 28 years old.

    • @kharbandaumang
      @kharbandaumang 3 years ago +6

      I can understand... I am a SOC analyst and the kind of expectations my company has... 😭😭😭

    • @bagdats6971
      @bagdats6971 3 years ago

      Damn, I feel the same

    • @ko-Daegu
      @ko-Daegu 3 years ago +3

      Cuz there's no universal framework like doctors have
      When I employ a nurse I know exactly what she/he can/should and can't/shouldn't do
      Not the same for pen testers

  • @dannynishen5773
    @dannynishen5773 3 years ago +4

    This was really helpful for me in figuring out where I am going in this field. Cybersecurity is an industry in its toddler stages and we are still trying to understand its depths. I gravitate more towards AppSec as well, I am into details and protecting user data. But I also like pentesting because it comes with really fun tools I can use.

  • 3 years ago

    Very good video, thanks for that! I also like the length of the video cause I almost never have the time to watch the long ones

  • @eliasf.fyksen5838
    @eliasf.fyksen5838 3 years ago

    Great channel man, your videos keep me motivated

  • @fabiofreitas7760
    @fabiofreitas7760 3 years ago +6

    Great video - really relatable to me as an appsec tester in Europe.
    Also, I'd like to add that this distinction is the main reason I don't think OSCP is very valuable to anyone looking to get into the AppSec side of things. You're much better off investing your time and money into eWAPTXv2 or OSWE.

  • @rsinistic
    @rsinistic 3 years ago

    Another excellent video. Keep up the good work 👍

  • @hamdyahmed5742
    @hamdyahmed5742 3 years ago +5

    Almost 1 year ago I could not understand your videos, but now, after spending 1 year in bug bounty, I finally understand 🙂
    Thanks for sharing these amazing videos

    • @UnknownSend3r
      @UnknownSend3r 3 years ago

      What resources did you use, bro? And have you caught any bugs?

    • @pinkeyism
      @pinkeyism 2 years ago

      Wow, what was your path/learning tools to learn from scratch?

  • @cristymanjarrez5841
    @cristymanjarrez5841 2 years ago

    This video really helped me clarify the path I want to take, thank you!

  • @nilgam6536
    @nilgam6536 3 years ago

    Thank you very much for this video, and the explanation of these differences!

  • @lukor-tech
    @lukor-tech 3 years ago +3

    I like how you placed the texts where your hands were at the time.
    It's not 100% but it sure works well in terms of visual coherence for me.

  • @Indic4Zone
    @Indic4Zone 3 years ago

    Great video! This explains a lot, thank you for making such a video 👍

  • @knuubLP
    @knuubLP 3 years ago

    Thank you so much for this video! I am currently in the last semesters of my IT security master's degree. I struggle to find what I want to do exactly after university and I am doubting if my current job is the right one for me. I am mainly working a developer's job, but at a security-focused company. Your video encourages me to continue in this job for now, but still focus on the security side. Until now I was always afraid that by mostly developing I would miss out on the cool security stuff I might do in other jobs, but maybe this just isn't such a big problem as I might think.

  • @hazzxd
    @hazzxd 2 years ago

    :D hilarious intro
    edit: and another brilliant video

  • @monsieuralexandergulbu3678
    @monsieuralexandergulbu3678 3 years ago

    Love all of your videos!

  • @Rea892
    @Rea892 3 years ago +2

    Amazing video, I'm an AppSec :) Thanks man for making some clarification on it.

  • @reflectedcrosssite2848
    @reflectedcrosssite2848 3 years ago +7

    Just got my first security job and we actually do both kinds of pentesting!

  • @EnderKill98
    @EnderKill98 3 years ago

    Great video! Never thought about this!

  • @daviddelille1443
    @daviddelille1443 3 years ago +2

    I use the term "pentesting" to refer to engagements of limited scope. This includes internal and wireless network pentests.
    When the scope is not well-defined/limited, I would call that "red teaming".
    I do agree that "appsec" is a good term if you're only talking about reviewing (web) applications that run on a server/workstation.

  • @mhendrickx
    @mhendrickx 3 years ago +1

    Good topic, in my place of work we rather call the corporation part red teaming, due to the "pivoting" nature. But yeah, generally we have pentest teams that are really appsec teams. Good video!

  • @trieulieuf9
    @trieulieuf9 3 years ago

    Very informative. While learning bug bounty, I never feel like doing recon and running tools on various subdomains and prefer the main web application. Now I know there are 2 types of security testing.

  • @BugBountyReportsExplained
    @BugBountyReportsExplained 3 years ago +12

    Fully agree with that. In Poland, when we say pentesting, we mean the appsec side of things. The "other pentesting" jobs are rare I think and are usually called red-team member.

  • @lanjelot
    @lanjelot 3 years ago +1

    There's blackbox {internal,external} network pentesting (netpen), there's blackbox application pentesting (appsec). There's whitebox pentesting (network or application) where the pentester has access to everything they wish (source code, config files, etc). It all depends on the rules of engagement. Pentesting just means security testing.

  • @mod_cyber1015
    @mod_cyber1015 3 years ago

    Appreciate your knowledge, man!

  • @L1nkk9E
    @L1nkk9E 3 years ago +2

    I'm a network security engineer and implement security functions of OSI layer 2 and 3, so blue team. Our customers sometimes have network "pentesters" on site which then say "hey, I could do this and that", which is awesome, because our team always says how much more we need to implement, but it is never important enough. For some reason external pentesters have a bigger impact than us, as external blue team. But in the end we all want the customer's network to be safer, so it's fine with me ^^
  • @arivanhouten6343
    @arivanhouten6343 3 years ago +40

    Finally another masterpiece!

  • @000t9
    @000t9 3 years ago

    So helpful video, thank you :)

  • @iakashx
    @iakashx 3 years ago

    Awesome. Very well explained. Thanks. :)

  • @nivkochan8596
    @nivkochan8596 1 year ago

    You just helped me to decide what to do with my life, thank you so much for this video.

  • @koredump7800
    @koredump7800 3 years ago +4

    Even focusing on security since starting college, it wasn't until reaching industry that I realized red teaming/pentesting wasn't the thing I had been going for all along, but rather it was security/vulnerability research.

    • @UnknownSend3r
      @UnknownSend3r 3 years ago

      Why, what made you pick that over pentesting? And are you doing vulnerability research now?

  • @muhammadadel9537
    @muhammadadel9537 3 years ago

    Best Explanation Ever!

  • @jainishpandya4246
    @jainishpandya4246 2 years ago

    Great man. Cleared all the clouds. Thanks

  • @davidhcefx
    @davidhcefx 3 years ago

    @LiveOverflow I think you should simply flip the video horizontally, because you are pointing to your left side for Pentesting but it appears on our right side LOL (like in 7:20)

  • @pi8tol
    @pi8tol 3 years ago +1

    legend comes with legend video ❤💫🔥

  • @Fvneral_moon
    @Fvneral_moon 3 years ago +12

    I can't believe after all these years, he is still making "pentester" jokes while spinning his pen mod 😂

  • @grainfrizz
    @grainfrizz 3 years ago

    Fantastic video

  • @effsixteenblock50
    @effsixteenblock50 2 years ago

    One point that I think should be touched on is that in bug bounty, you're not required / obligated to report on the security posture of all assets in scope. You can pick and choose what you want to attack / audit. In bug bounty, you're looking for a payout, which greatly skews how the engagement goes vs a proper pentest.

  • @Minecodes
    @Minecodes 3 years ago +12

    I'm from Germany just like you and I do appsec (on my apps, the apps of my friends, the apps of my father, etc.) and I do red team (on the systems of my father), I do CTF too and I like it most 😉

    • @Konami9999
      @Konami9999 3 years ago +3

      What does your father do for a living?

    • @Minecodes
      @Minecodes 3 years ago +1

      @@Konami9999 He's a developer and also has a private website with a self-written web server (all programmed in C++, and I test it)

    • @UnknownSend3r
      @UnknownSend3r 3 years ago

      How old are you?

    • @Minecodes
      @Minecodes 3 years ago

      @@UnknownSend3r 14 👉👈

    • @UnknownSend3r
      @UnknownSend3r 3 years ago

      @@Minecodes I had a feeling. Keep it up, you're going places.
  • @juaninfante7000
    @juaninfante7000 3 years ago

    Where do you practice your CTF?

  • @mackey_d
    @mackey_d 3 years ago

    To sum up - if I would like to focus on web application penetration testing, which OSCP's cert should I choose?

  • @fabiodan30
    @fabiodan30 3 years ago

    Developer here. Some of your videos teach me new things about hardening my applications.

  • @m4rt_
    @m4rt_ 1 year ago

    Penetration Testing, or pentesting for short, in my opinion can be any kind of security audit. This could for example be simulating what an attacker would do, and going through and testing the code/configs. Also, I've seen some kinds of pentesting where people try to physically break in by tricking lock mechanisms, picking locks, unhinging doors, sniffing RFID badges, tricking guards, etc.
    (A good video showing this is "Through the Eyes of a Thief" by DeviantOllam.) Even this variation of pentesting has variations. For example, you could be simulating an attacker, you could be going through and looking at all they have with them, and explaining what is bad/good, etc.

  • @blankeyezero
    @blankeyezero 3 years ago

    I really love the theme music

  • @markgentry8675
    @markgentry8675 3 years ago +1

    I've always made the distinction Network pentester vs Web App Pentester or Appsec pentester. To me Red teaming is using any technique possible to get into an organisation.

  • @abhineetsagar
    @abhineetsagar 3 years ago

    Love you man

  • @m.waheedanwar7105
    @m.waheedanwar7105 3 years ago

    Yes, I also think there is confusion in the industry regarding this. I also think there is a great intersection between the two, so it is very difficult to separate both.

  • @Johnny-tw5pr
    @Johnny-tw5pr 3 years ago +1

    Where do I learn how to be a pentester/appsec?

  • @Thunder-dp7du
    @Thunder-dp7du 3 years ago

    You really hit the point

  • @Caesar-Victor
    @Caesar-Victor 3 years ago

    Someone please help me, is there any video about what happens in hardware while "executing C"? I saw here analyzing C assembly, but I'd like to share with some folks learning C how it allocates memory and changes values there.

  • @AlienAndrew51
    @AlienAndrew51 3 years ago

    I started out wanting to do corporate pentesting and got a Sec+, CySA+, and advanced digital forensics cert. Then became a developer since I found it more challenging and can do more to secure my organization. Also, there are a lot more jobs in software development.

  • @luisemilioogando
    @luisemilioogando 2 years ago

    Great. Do you have a course for appsec or any sources? I'm really interested.

  • @m4rt_
    @m4rt_ 1 year ago

    I work as a developer, and it is one of if not my favorite hobby, so I think I am already on the appsec side of it all.
    Learning how all the scanners and tools work may be useful, but it's not a ton of fun compared to my understanding of the appsec side.
    Also, atm I learn about all this security stuff because it is fun, but also because I want to understand how to make my code more secure.

  • @usamasarwar1
    @usamasarwar1 3 years ago

    Thanks 😍😍

  • @abdiwahabahmedomar2399
    @abdiwahabahmedomar2399 3 years ago +3

    legend

  • @mohdamrirazlan7879
    @mohdamrirazlan7879 3 years ago +25

    When it comes to this "pentesting", it should always come with the RoE (Rules of Engagement) & SoW (scope of work).

  • @m10653
    @m10653 3 years ago

    I'd say I'm a pentester but I only work with a single corporation and my day-to-day job looks more like how you describe bug bounties, as we test different parts of the corporation defined in our scope. So we are able to get into the weeds on a single application because our scope is limited to only part of the corp. And we get more visibility, like what you get in app sec.

  • @capability-snob
    @capability-snob 3 years ago

    Given that you're more on the app side, have you ever considered doing a deep dive into the object-capability model?

  • @outstanding1403
    @outstanding1403 3 years ago +2

    And that describes the difference between IT studies and IT security studies. I think if you want to go for pentesting, the IT security one is the better one. If you want to go for appsec, normal IT studies might be better.

  • @wouterr6063
    @wouterr6063 3 years ago

    Excellent video! I think the US pentesting view is more how "hacking" is viewed by the public (non-technical people) with crazy tooling and stuff. This is probably also how script kiddies come into the field wanting to pwn some companies rather than auditing application code or reverse engineering some esoteric piece of code. I myself found "hacking" by watching more red team focused channels such as Seytonic, but I found that I'm more of an appsec person. I'm happy that I'm now able to classify those different ways of "hacking".

    • @franciscog7110
      @franciscog7110 3 years ago

      I can't decide what to do. I like red team and also like appsec. But I'm not sure, how do you decide what is best for you?

    • @wouterr6063
      @wouterr6063 3 years ago

      @@franciscog7110 I think because I like programming and appsec goes more into detail on how to write applications. I think that by doing red team you learn more about what application stacks to use. Also I like CTFs and there the bugs live more on the appsec side rather than an outdated Ubuntu version (for example).

  • @steneer6789
    @steneer6789 2 years ago

    Is there any course or cert that fits specifically for AppSec now?

  • @zeynarz7614
    @zeynarz7614 3 years ago +4

    when he was spinning his pen I got flashbacks to the "day in the life of a pentester" video

  • @bina7513
    @bina7513 3 years ago

    I personally feel that knowing both pentesting and appsec is a nice boon to have. I can actually see both working together. Some companies do rely on their own brand of proprietary software and hardware (Chuck E. Cheese comes to mind, courtesy of MDJ Michael's channel), from what I have heard. That makes me think that could cause problems on the corporate scale if the proprietary software and hardware is not secure enough, depending on the software and hardware's respective functions on a corporate network.

  • @k-sansenpai7774
    @k-sansenpai7774 3 years ago +2

    And I know nothing of these three...
    But I know sometimes that is repeated in walkthrough CTFs

  • @ProCipher
    @ProCipher 2 years ago +1

    Could you make a video about: "How to land your first job as an 'Appsec'"?

  • @vaultek_
    @vaultek_ 3 years ago

    Respect 🖤

  • @aminehero4729
    @aminehero4729 3 years ago

    nice explanation

  • @dummypg6129
    @dummypg6129 3 years ago

    If you are the author of the code that has been found to have a vulnerability, would you find yourself guilty of not knowing about it? Or would you be open to a resolution to improve yourself so as not to make the same mistake again?

  • @fabiandtheink619
    @fabiandtheink619 3 years ago +1

    When I first watched this video, I loved the idea behind it, but did not really agree with the categories you chose. This could be due to my personal views on some of these disciplines, but for me it is missing a certain symmetry, so I'll give it a try:
    Pentesting applications / application security or security/vulnerability research:
    - code audits, burp, ...
    - focus on finding software vulns
    Pentesting networks / network security or pentesting:
    - nmap, metasploit, ...
    - typically not covert
    - focus on initial access methods and reaching as many targets as possible
    Pentesting corporations (processes, configurations, and people) / red teaming:
    - bloodhound, cobalt strike, mimikatz, ...
    - physical or social aspects, depending on the scope
    - covert af
    - focus on post-breach behaviors and specific objectives
    Pentesting specific blue team detections / purple teaming:
    - mitre caldera, scythe, lots of custom scripts
    - emulation of TTPs
    - focus on evaluating or developing single detection mechanisms

  • @gcm4312
    @gcm4312 3 years ago

    2:49 the "customer" / "product" of the company. I see what you did there :P

  • @_vaibhav
    @_vaibhav 2 years ago

    I am a newbie in computers. Learning to code. I aspire to get into bug bounty hunting.
    Where should I start, what should I learn, and is it necessary to get a CS degree for it?

  • @RJ-is9ko
    @RJ-is9ko 2 years ago

    Do you have videos on how to get into AppSec as a career? I am currently doing soft dev in college.

  • @zeroxxtt2
    @zeroxxtt2 3 years ago +1

    So should we call them pentesting and vulnerability assessment/analysis?

  • @samrybkin9184
    @samrybkin9184 3 years ago

    How to become a product pentester (appsec)? What should I start to learn?

  • @hitmovies8369
    @hitmovies8369 3 years ago +1

    Do you have to go to college for pentesting?

  • @cybersecurity3523
    @cybersecurity3523 3 years ago

    Good bro

  • @jessy6922
    @jessy6922 3 years ago

    For appsec, what CTF categories should they focus on, and how much better should you get at it?

    • @sasebot3927
      @sasebot3927 2 years ago

      web & mobile, definitely not pwn or crypto much. I don't know the answer to the second question.
  • @ReligionAndMaterialismDebunked
    @ReligionAndMaterialismDebunked 1 year ago

    I tried pen spinning a little while back. Nice pen spinner! :3

  • @aashita6850
    @aashita6850 2 years ago

    thank you :)

  • @heheys3609
    @heheys3609 3 years ago

    Nice explanation. Now I found the reason I feel bored when learning those courses for pentesting:
    it relies on the tools to do the magic and loses the fun of finding the bugs myself

    • @UnknownSend3r
      @UnknownSend3r 3 years ago

      It's far from it. Just because you're using tools doesn't mean that's all there is to it. Or that's the "magic"

  • @0xf172
    @0xf172 3 years ago

    I agree! Those two same words are different

  • @willownot
    @willownot 3 years ago

    Hello, I want to get into the cyber security business. I'm Brazilian and would like to, and I have a lot of affinity with the area. Are there really any salaries that go from 100k to 350k per year? Is there space to undertake?

  • @PlatinumVoid
    @PlatinumVoid 3 years ago

    As a CyberSecurity consultant (big team, but I am a Red Teamer) in my company we do both... It is categorized as External, Internal, Web and Mobile Security assessments... It is true that in External/Internal scopes we do not focus much on Web Applications (lack of time, which is usually up to a week), but still we analyze them manually. In my opinion it's kinda anti-professional to just run Nessus and give the client the report...

  • @gustavorosas-dev
    @gustavorosas-dev months ago

    Best report I've ever seen (1:51):
    "It was found that the site lacks any form of protection. Just send 'Please let me in' and the site will spawn a shell with root permissions."
    Laughed a lot here.

  • @muhammadarsyad3370
    @muhammadarsyad3370 3 years ago +1

    Thank you for the enlightenment, I thought pentest is just pentest

  • @bhanuvishwa4676
    @bhanuvishwa4676 2 years ago

    Where would incident response and threat hunting come in, blue team? Please do share resources on any kind of careers related to forensics, malware, threat intelligence, ... Resources describing all roles in security in this great detail would be great. Thanks in advance.

  • @diegovente1747
    @diegovente1747 3 years ago +2

    I'm a mobile apps developer, which subjects should I research to start learning about security in that field?

    • @Lfomod1Dubstep
      @Lfomod1Dubstep 3 years ago +1

      It's always a good idea to know some security fundamentals when you're developing applications, both for the web and mobile ofc. But it's also always recommended to have a third-party security professional assess the security before release of the application :)

    • @diegovente1747
      @diegovente1747 3 years ago

      @@Lfomod1Dubstep Yeah, completely agree with what you say, but I want to learn for myself, it's just the way I do things

    • @Lfomod1Dubstep
      @Lfomod1Dubstep 3 years ago

      @@diegovente1747 Yep, and that's a great thing! I wish more devs were thinking like you! Would make a safer world out there! :D So I vote yes! Go for it, learn and code safer apps from the beginning to save you time after a pentest has been done and you have to remake everything because it was crap security-wise ;)

    • @p4nz9r60
      @p4nz9r60 3 years ago +2

      There are tons of books on Android and iOS security, start from there. Try to read the reports on bugs found in other mobile apps so you can learn what those other devs did wrong so you can avoid their mistakes. Most of all, try to develop a security-conscious mindset (CTFs can help you with that). For instance, never trust the input, even when you think its source is completely under your control; look at every line of code and try to find a way to break it. Learn to use tools for static and dynamic code analysis, but be aware they won't catch all the bugs. But first and foremost, always be aware that, as an app designer/developer, you never see your creation as what it really is, but as a more 'idealised' picture, since you constantly think about whether your app does what it is intended to do or not. That view often creates a 'blind spot', since you don't see that your code can do what is intended given the right input, but also something that it should not do, given a specific set of inputs. That 'blind spot' disappears when you look at someone else's code, so @Lfomod's advice to use a security professional to review your code is very useful.

    • @diegovente1747
      @diegovente1747 3 years ago

      @@p4nz9r60 I will start with the books. You are right about the mindset, I think it is developed with experience; right now I have about 3 years. It's right that a professional is what is needed, but I like to know what is about to happen, so yeah, I will follow this lead, thanks

  • @Unknown-si8uu
    @Unknown-si8uu 3 years ago

    Super

  • @sakthis6689
    @sakthis6689 3 years ago +1

    Great

  • @giovannibocciato
    @giovannibocciato 3 years ago

    Yeah, you're doing the best tricks with pens

  • @Haxr-dq6wt
    @Haxr-dq6wt 3 years ago

    I thought you said that you would not make any other videos in your previous video