Pentesting vs. Bug Bounty vs. Pentesting ???

  • Published 19 Jun 2024
  • What is the difference between Pentesting and Pentesting? There are different jobs that can be described as "pentesting" and I want to talk a bit about it. This should also help you to better organize your own learning, as you better understand your goal.
    Blog: liveoverflow.com/pentesting-v...
    00:00 - Intro
    00:32 - Pentesting: What most people think
    01:19 - Pentesting: What I actually do
    01:53 - Pentesting vs. "Pentesting"
    03:49 - Better name: Application Security
    04:14 - CTFs are Useless/Awesome!
    05:21 - Opposite Side of Pentesting and AppSec
    06:27 - I prefer being a Developer than Pentester
    06:51 - Bug Bounty vs Pentesting
    08:36 - Outro
    =[ ❤️ Support ]=
    → per Video: / liveoverflow
    → per Month: / @liveoverflow
    =[ 🐕 Social ]=
    → Twitter: / liveoverflow
    → Website: liveoverflow.com/
    → Subreddit: / liveoverflow
    → Facebook: / liveoverflow

COMMENTS • 228

  • @katzenschildkroete 3 years ago +177

    The only time I pen test is before an exam to make sure I have enough ink left

  • @MrVampify 3 years ago +112

    As a corp pentester, this actually gave me some really great insight to think about appsec and pentesting as separate areas of security. I've recently started teaching myself API which is really fun and trying to subvert obfuscation. I would say I'm mostly a pentester but occasionally dive into appsec for specific webapps and such.

    • @m1cx657 3 years ago +2

      Bro I'm curious what do you do everyday as a pentester in a corp.

    • @codr6934 3 years ago

      the fucc?

  • @matthewlandry1352 3 years ago +69

    This is simply one brilliant channel. He has definitely got his mojo back. I also love his hilarious takes (like when the van pulls up to the building and the red skull lands on the door… like Ghostbusters or something).

  • @PootytangFL 3 years ago +13

    This is actually a pretty interesting topic for job searching. In my job (in the US) the "networking" red teamy stuff is called pentesting while the appsec stuff is called different things within different regions in the US. In my area what you called "appsec" is called VR (Vulnerability Research). While in other areas (Midwest) it's known as security research. Fun note: one of my first job interviews was for a "VR" position; I thought we were going to be reverse engineering virtual reality equipment.

  • @_CryptoCat 3 years ago +16

    I love the drawing/animations in this (0:49 + 1:32), really cool! Great breakdown of the different security roles and how they interchange.

  • @Gary-tp9dk 3 years ago +11

    Thank you very much for helping me clear some of the fog from my mind as I'm heading into the "appsec" world.

  • @OmegaZ2 3 years ago +14

    This video actually helped me a lot. Thanks a lot for clarifying these two "sides" of IT security. I've always been in love with the "pentesting" part, not so much with the "appsec", but I think it's better to know and understand both sides :).

    • @Fahodinho 3 years ago +5

      It's worth noting that these are not the ONLY sides of IT security. There are many other areas like webapp, netsec, analysis, etc.

  • @Daniooo 3 years ago +10

    Really interesting comparison between the two; it also helps see what we should be focusing on :D
    Another summary could be that pentesting is mostly using known vulns and pwning the company, while "pentesting" is finding those vulns and also creating new ones on a much deeper level.

  • @GarrML 3 years ago +4

    Love it! Great breakdown here. I’m right there with you, “Appsec Pentester” is how I’ve referred to the application-focused side of “pentesting.”

  • @Andreea93chan 3 years ago +68

    The problem nowadays is that every company wants a Jack of all trades when hiring a pentester. I have already 7 years of experience in the field, however I constantly have the feeling that I am not good enough, even though I am constantly learning and gaining certifications. I've reached burnout. Officially. And I am only 28 years old.

    • @kharbandaumang 3 years ago +6

      I can understand... I am a SOC analyst and the kind of expectations my company has... 😭😭😭

    • @bagdats6971 3 years ago

      Damn, I feel the same

    • @ko-Daegu 3 years ago +3

      Cuz there's no universal framework like doctors have.
      When I employ a nurse I know exactly what she/he can/should and can't/shouldn't do.
      Not the same for a pen tester.

  • @reflectedcrosssite2848 3 years ago +7

    Just got my first security job and we actually do both kinds of pentesting!

  • @fabiofreitas7760 3 years ago +6

    Great video - really relatable to me as an appsec tester in Europe.
    Also, I'd like to add that this distinction is the main reason I don't think OSCP is very valuable to anyone looking to get into the AppSec side of things. You're much better off investing your time and money into eWAPTXv2 or OSWE.

  • @KarahannAe 2 years ago +1

    Thank you for this video. I am a full stack developer and I just started learning about cyber security. I have been following a beginner's course but it was mostly about pentesting, focusing on topics like Active Directory security. I had started to feel unmotivated because I'm not that interested in that area. Watching your video helped me realize that I should start to look more into resources about appsec. Liked and subbed.

  • @ThingEngineer 3 years ago

    Amazing video that was long overdue. It seems a lot of people wanting to enter any of these professions often bounce around a bit confused and maybe even focus in the wrong area due to the exact confusions you cleared up here. Well done!

  • @BugBountyReportsExplained 3 years ago +12

    Fully agree with that. In Poland, when we say pentesting, we mean the appsec side of things. The "other pentesting" jobs are rare I think and are usually called red-team member.

  • @arivanhouten6343 3 years ago +40

    Finally another masterpiece!

  • @dannynishen5773 3 years ago +4

    This was really helpful for me in figuring out where I am going in this field. Cybersecurity is an industry in its toddler stages and we are still trying to understand its depths. I gravitate more towards AppSec as well; I am into details and protecting user data. But I also like pentesting because it comes with really fun tools I can use.

  • @MrMcPeon 3 years ago

    Working as a SOC analyst. Great vid explaining the industry and different sec areas! 👏

  • @hamdyahmed5742 3 years ago +5

    Almost 1 year ago I could not understand your videos, but now after spending 1 year in bug bounty I finally understand 🙂
    Thanks for sharing these amazing videos.

    • @UnknownSend3r 2 years ago

      What resources did you use, bro? And have you caught any bugs?

    • @pinkeyism 2 years ago

      Wow, what was your path/learning tools to learn from scratch?

  • @cristymanjarrez5841 2 years ago

    This video really helped me clarify the path I want to take, thank you!

  • @nilgam6536 3 years ago

    Thank you very much for this video, and the explanation of these differences!

  • @gustavorosas-dev 1 day ago

    Best report I have ever seen (1:51):
    "It was found that the site lacks any form of protection. Just send 'Please let me in' and the site will spawn a shell with root permissions."
    Laughed a lot here.

  • @eliasf.fyksen5838 3 years ago

    Great channel man, your videos keep me motivated.

  • @knuubLP 3 years ago

    Thank you so much for this video! I am currently in the last semesters of my IT security master's degree. I struggle to find what I want to do exactly after university and I am doubting if my current job is the right one for me. I am mainly working a developer's job, but at a security-focused company. Your video encourages me to continue in this job for now, but still focus on the security side. Until now I was always afraid that by mostly developing I would miss out on the cool security stuff I might do in other jobs, but maybe this just isn't such a big problem as I might think.

  • 3 years ago

    Very good video, thanks for that! I also like the length of the video, cause I almost never have the time to watch the long ones.

  • @rsinistic 3 years ago

    Another excellent video. Keep up the good work 👍

  • @Indic4Zone 3 years ago

    Great video! This explains a lot, thank you for making such a video 👍

  • @Rea892 3 years ago +2

    Amazing video, I'm an AppSec :) Thanks man for making some clarification on it.

  • @lukor-tech 3 years ago +3

    I like it how you placed the texts where your hands were at the time.
    It's not 100% but sure works well in terms of visual coherence for me.

  • @trieulieuf9 3 years ago

    Very informative. While learning bug bounty, I never feel like doing recon and running tools on various subdomains, and prefer the main web application. Now I know they are 2 types of security testing.

  • @EnderKill98 3 years ago

    Great video! Never thought about this!

  • @monsieuralexandergulbu3678 3 years ago

    Love all of your videos!

  • @hazzxd 2 years ago

    :D hilarious intro
    edit: and another brilliant video

  • @Fvneral_moon 3 years ago +12

    I can't believe after all these years, he is still making "pentester" jokes while spinning his pen mod 😂

  • @mhendrickx 3 years ago +1

    Good topic. In my place of work we rather call the corporation part red teaming, due to the "pivoting" nature. But yeah, generally we have pentest teams that are really appsec teams. Good video!

  • @L1nkk9E 3 years ago +2

    I'm a network security engineer and implement security functions of OSI layer 2 and 3, so blue team. Our customers sometimes have network "pentesters" on site which then say "hey, I could do this and that", which is awesome, because our team always says how much more we need to implement, but it is never important enough. For some reason external pentesters have a bigger impact than we, as an external blue team. But in the end we all want the customer's network to be safer, so it's fine with me ^^

  • @nivkochan8596 1 year ago

    You just helped me to decide what to do with my life, thank you so much for this video..

  • @m4rt_ 11 months ago

    I work as a developer, and it is one of if not my favorite hobby, so I think I am already on the appsec side of it all.
    Learning how all the scanners and tools work may be useful, but it's not a ton of fun compared to my understanding of the appsec side.
    Also, atm I learn about all this security stuff because it is fun, but also because I want to understand how to make my code more secure.

  • @mod_cyber1015 3 years ago

    Appreciate your knowledge! Man

  • @akashhansda4306 3 years ago

    Awesome. Very well explained. Thanks. :)

  • @koredump7800 3 years ago +4

    Even focusing on security since starting college, it wasn't until reaching industry that I realized red teaming/pentesting wasn't the thing I had been going for all along, but rather it was security/vulnerability research.

    • @UnknownSend3r 2 years ago

      Why, what made you pick that rather than pentesting? And are you doing vulnerability research now?

  • @daviddelille1443 3 years ago +2

    I use the term "pentesting" to refer to engagements of limited scope. This includes internal and wireless network pentests.
    When the scope is not well-defined/limited, I would call that "red teaming".
    I do agree that "appsec" is a good term if you're only talking about reviewing (web) applications that run on a server/workstation.

  • @zeynarz7614 3 years ago +4

    When he was spinning his pen I got flashbacks to the "day in the life of a pentester" video.

  • @jainishpandya4246 1 year ago

    Great man. Cleared all the clouds. Thanks

  • @000t9 3 years ago

    So helpful video, thank you :)

  • @fabiodan30 3 years ago

    Developer here. Some of your videos teach me new things about hardening my applications.

  • @muhammadadel9537 3 years ago

    Best Explanation Ever!

  • @pi8tol 3 years ago +1

    Legend comes with a legend video ❤💫🔥

  • @lanjelot 3 years ago +1

    There's blackbox {internal,external} network pentesting (netpen), there's blackbox application pentesting (appsec). There's whitebox pentesting (network or application) where the pentester has access to everything they wish (source code, config files, etc). It all depends on the rules of engagement. Pentesting just means security testing.

  • @m4rt_ 11 months ago

    Penetration Testing, or pentesting for short, in my opinion can be any kind of security audit. This could for example be simulating what an attacker would do, and going through and testing the code/configs. Also, I've seen some kinds of pentesting where people try to physically break in by tricking lock mechanisms, picking locks, unhinging doors, sniffing RFID badges, tricking guards, etc.
    (A good video showing this is "Through the Eyes of a Thief" by DeviantOllam.) Even this variation of pentesting has variations. For example, you could be simulating an attacker, or you could be going through and looking at all they have with them and explaining what is bad/good, etc.

  • @blankeyezero 3 years ago

    I really love the theme music.

  • @Minecodes 3 years ago +12

    I'm from Germany just like you and I do appsec (on my apps, the apps of my friends, the apps of my father, etc.) and I do red team (on the systems of my father). I do CTF too and I like it most 😉

    • @Konami9999 3 years ago +3

      What does your father do for a living?

    • @Minecodes 3 years ago +1

      @Konami9999 He is a developer and also has a private website with a self-written web server (all programmed in C++, and I test it).

    • @UnknownSend3r 2 years ago

      How old are you?

    • @Minecodes 2 years ago

      @UnknownSend3r 14 👉👈

    • @UnknownSend3r 2 years ago

      @Minecodes I had a feeling. Keep it up, you're going places.

  • @grainfrizz 3 years ago

    Fantastic video.

  • @Thunder-dp7du 3 years ago

    You really hit the point.

  • @abhineetsagar 3 years ago

    Love you man

  • @mohdamrirazlan7879 3 years ago +25

    When it comes to this "pentesting", it should always come with the RoE (Rules of Engagement) & SoW (Scope of Work).

  • @davidhcefx 3 years ago

    @LiveOverflow I think you should simply flip the video horizontally, because you are pointing to your left side for Pentesting but it appears on our right side LOL (like in 7:20).

  • @abdiwahabahmedomar2399 3 years ago +3

    legend

  • @usamasarwar1 3 years ago

    Thanks 😍😍

  • @AlienAndrew51 3 years ago

    I started out wanting to do corporate pentesting and got a Sec+, CySA+, and an advanced digital forensics cert. Then I became a developer since I found it more challenging and can do more to secure my organization. Also, there are a lot more jobs in software development.

  • @giovannibocciato 3 years ago

    Yeah, u doing the best trick with pens.

  • @aayan6615 3 years ago

    Best explanation.

  • @aminehero4729 3 years ago

    Nice explanation.

  • @vaultek_ 3 years ago

    Respect 🖤

  • @m.waheedanwar7105 3 years ago

    Yes, I also think there is confusion in the industry regarding this. I also think there is a great intersection between the two, so it is very difficult to separate both.

  • @effsixteenblock50 1 year ago

    One point that I think should be touched on is that in bug bounty, you're not required / obligated to report on the security posture of all assets in scope. You can pick and choose what you want to attack / audit. In bug bounty, you're looking for a payout, which greatly skews how the engagement goes vs a proper pentest.

  • @wouterr6063 3 years ago

    Excellent video! I think the US pentesting view is more how "hacking" is viewed by the public (non-technical people), with crazy tooling and stuff. This is probably also how script kiddies come into the field wanting to pwn some companies rather than auditing application code or reverse engineering some esoteric piece of code. I myself found "hacking" by watching more red team focused channels such as Seytonic, but I found that I'm more of an appsec person. I'm happy that I'm now able to classify those different ways of "hacking".

    • @franciscog7110 3 years ago

      I can't decide what to do. I like red team and also like appsec. But I'm not sure; how do you decide what is best for you?

    • @wouterr6063 3 years ago

      @franciscog7110 I think because I like programming, and appsec goes more into detail on how to write applications. I think that by doing red team you learn more about what application stacks to use. Also I like CTFs, and there the bugs live more on the appsec side rather than an outdated Ubuntu version (for example).

  • @bina7513 3 years ago

    I personally feel that knowing both pentesting and appsec is a nice boon to have. I can actually see both working together. Some companies do rely on their own brand of proprietary software and hardware (Chuck E. Cheese comes to mind courtesy of MDJ Michael's channel), from what I have heard. That makes me think that could cause problems on the corporate scale if the proprietary software and hardware is not secure enough, depending on the software and hardware's respective functions on a corporate network.

  • @luisemilioogando 2 years ago

    Great. Do you have a course for appsec or any sources? I'm really interested.

  • @outstanding1403 3 years ago +2

    And that describes the difference between IT studies and IT security studies. I think if you want to go for pentesting, the IT security one is the better one. If you want to go for appsec, normal IT studies might be better.

  • @aashita6850 2 years ago

    Thank you :)

  • @ProCipher 2 years ago +1

    Could u make a video about: "How to land your first job as an 'AppSec'"?

  • @muhammadarsyad3370 3 years ago +1

    Thank you for the enlightenment, I thought pentest was just pentest.

  • @thecybersecurityzone 1 year ago

    ua-cam.com/video/hcdh1Sw94uo/v-deo.html
    Bug Bounty Program list & how to find bugs

  • @cybersecurity3523 3 years ago

    Good, bro.

  • @sakthis6689 3 years ago +1

    Great

  • @0xf172 3 years ago

    I agree! Those two same words are different.

  • @Unknown-si8uu 3 years ago

    Super

  • @gcm4312 3 years ago

    2:49 the "customer" / "product" of the company. I see what you did there :P

  • @m10653 3 years ago

    I'd say I'm a pentester, but I only work with a single corporation and my day-to-day job looks more like how you describe bug bounties, as we test different parts of the corporation defined in our scope. So we are able to get into the weeds on a single application because our scope is limited to only part of the corp. And we get more visibility, like what you get in appsec.

  • @markgentry8675 3 years ago +1

    I've always made the distinction Network Pentester vs Web App Pentester or AppSec Pentester. To me, Red Teaming is using any technique possible to get into an organisation.

  • @ReligionAndMaterialismDebunked 10 months ago

    I tried pen spinning a little while back. Nice pen spinner! :3

  • @capability-snob 3 years ago

    Given that you're more on the app side, have you ever considered doing a deep dive into the object-capability model?

  • @RJ-is9ko 2 years ago

    Do you have videos on how to get into AppSec as a career? I am currently doing soft dev in college.

  • @heheys3609 3 years ago

    Nice explanation. Now I found the reason I feel bored when learning those courses for pentesting:
    they rely on the tools to do the magic and lose the fun of finding the bugs myself.

    • @UnknownSend3r 2 years ago

      It's far from it. Just because you're using tools doesn't mean that's all there is to it. Or that that's the "magic".

  • @fabiandtheink619 3 years ago +1

    When I first watched this video, I loved the idea behind it, but did not really agree with the categories you chose. This could be due to my personal views on some of these disciplines, but for me it is missing a certain symmetry, so I'll give it a try:
    Pentesting applications / application security or security/vulnerability research:
    - code audits, burp, ...
    - focus on finding software vulns
    Pentesting networks / network security or pentesting:
    - nmap, metasploit, ...
    - typically not covert
    - focus on initial access methods and reaching as many targets as possible
    Pentesting corporations (processes, configurations, and people) / red teaming:
    - bloodhound, cobalt strike, mimikatz, ...
    - physical or social aspects, depending on the scope
    - covert af
    - focus on post breach behaviors and specific objectives
    Pentesting specific blue team detections / purple teaming:
    - mitre caldera, scythe, lots of custom scripts
    - emulation of TTPs
    - focus on evaluating or developing single detection mechanisms

  • @TiNredstoner 2 years ago

    One thing I did learn from this video is: text and "text" are different 😂

  • @steneer6789 2 years ago

    Is there any course or cert that fits specifically for AppSec now?

  • @mackey_d 3 years ago

    To sum up - if I would like to focus on web application penetration testing, which OSCP’s cert should I choose?

  • @bhanuvishwa4676 2 years ago

    Where would incident response and threat hunting come in, blue team? Pls do share resources on any kind of careers related to forensics, malware, threat intelligence... Resources describing all roles in security in this great detail would be great. Thanks in advance.

  • @Johnny-tw5pr 3 years ago +1

    Where do I learn how to be a pentester/appsec?

  • @_vaibhav 2 years ago

    I am a newbie in computers. Learning to code. I aspire to get into bug bounty hunting.
    Where should I start, what should I learn and is it necessary to get a CS Degree for it?

  • @kumaran88thiru 3 years ago

    ❤️

  • @juaninfante7000 3 years ago

    Where do u practice ur CTF?

  • @zeroxxtt2 2 years ago +1

    So should we call them pentesting and vulnerability assessment/analysis?

  • @PlatinumVoid 3 years ago

    As a cybersecurity consultant (big team, but I am a Red Teamer), in my company we do both... It is categorized as External, Internal, Web and Mobile security assessments... It is true that in External/Internal scopes we do not focus much on web applications (lack of time, which is usually up to a week), but still we analyze them manually. In my opinion it's kinda anti-professional to just run Nessus and give the client the report...

  • @Caesar-Victor 3 years ago

    Someone plz help me, is there any video about what happens in hardware while "executing C"? I saw here analyzing C assembly, but I'd like to share with some folks learning C how it allocates memory and changes values there.

  • @k-sansenpai7774 3 years ago +2

    And I know nothing of these three...
    But I know sometimes that is repeated in CTF walkthroughs.

  • @Haxr-dq6wt 3 years ago

    I thought you said that you would not make any other videos in your previous video.

  • @georgH 3 years ago

    As a customer of application security testers (we call it pentest), I would've never guessed that the general public thought that about "pentest"
    (European here)