Paul Bryant

Paul is a CISSP-certified technology leader with over 30 years of experience in technology management and software development. As Strategic Director at phew, he focuses on cybersecurity strategy, ensuring services stay ahead of emerging threats and meet rigorous client standards. Paul brings a rare combination of deep technical knowledge and commercial acumen, with a strong background in business and process design.

AI-Assisted Security Testing: What’s Real, What’s Hype, and What It Means for Your SaaS

One question is starting to come up more frequently in conversations about penetration testing, and it is an entirely reasonable one. People are asking why, if Claude, Codex Security, or any number of other AI tools can autonomously scan a codebase, identify vulnerabilities, and generate reports, you still need to engage a pen tester. It is a fair question, but the answer is nuanced and deserves an in-depth discussion (and is certainly more nuanced than the vendors selling AI security tooling or the sceptics dismissing it would have you believe). There is no denying that AI security tools

The AI Vulnerability Storm Is Coming. Here’s What SaaS Teams Need to Know.

A group of the most credible voices in cybersecurity just published a document that deserves your full attention. The “AI Vulnerability Storm” briefing, authored by contributors including the CISO of Google, the former Director of CISA, the former Cybersecurity Director of the NSA, and the CEO of SANS, is not a vendor whitepaper or a think piece. It’s a coordinated warning from practitioners who collectively have more signal on where this is heading than almost anyone else on the planet. When this group agrees on something, it’s worth treating that consensus seriously. The trigger for the briefing is Anthropic’s Claude

Security Budgets & Why They Matter

Did you spend 0% of your website’s budget on security? What about your new web application, new API, or even your new e-commerce store? We’re talking about independent security testing, auditing and verification, rather than the things your developers did (or apparently did) in terms of security. Be honest. You wouldn’t be alone. We work with a lot of developers, development shops, and founders, and we understand how things are: the competing pressures that are placed on budget and time, and that come from a variety of places. We understand how busy web app developers typically are, and how many ventures

Where Are Your Hackers Located?

Interestingly, it doesn’t really matter. The thing to know is that they’re not located anywhere in particular. Or rather, wherever they are based geographically doesn’t matter, because they can appear to come from anywhere on the internet. And because that’s true for the attackers, it is also true for your pen testers. Although we’re based in New Zealand, more than half of our pen testing is for organisations and targets further afield. In the same way that attackers can target any website, webstore, web portal, web application, API or IP address on the internet, we can pen test any target

Do You Test Pens?

“Literally, what do you do all day?” That’s a question we get from time to time, perhaps because what we do is not well understood. Well, we do pen testing. “OK, but what is that? Do you test pens? That sounds boring.” Yes, that would probably be boring. But no, we don’t test pens. Instead, we test whether your systems can be breached, or “penetrated”. That’s a long word to keep typing, and also has connotations you might find in the Urban Dictionary, so everyone just says “pen testing”. “Got it. So what does that look

Why caring is important in security

When I started phew, I had very clear intentions about building a solid reputation for caring. “Caring” might seem like a strange word to use when you think of tech. But when you pair it with “security”, it suddenly makes a lot of sense, and even more when you think about the integrity of a professional consultancy. I believe very strongly that that’s what sets us apart in the cyber security field. That, and our very specific approach to penetration testing. You could say our pen testing aligns more closely with the methodical strategy

The phew Top Ten Greatest Hits (…Of Vulnerabilities)

First Up, The OWASP Top 10

Many of you who work or have backgrounds in web application development or cyber security will be familiar with the OWASP Top 10 project. The OWASP Top 10 is a standard awareness document for developers and web application security, which represents a broad consensus about the most critical security risks (vulnerabilities) applicable to web applications. The OWASP Top 10 was refreshed fairly recently to create the OWASP Top 10 for 2021 (https://owasp.org/Top10/).

Background To The phew Top 10

Although at phew we perform a wide variety of penetration testing (from wired and wireless

CERT NZ Quarterly Update Q1 2022

The Latest from CERT NZ

What’s New?

CERT NZ is a central organisation that receives cyber incident reports from both individuals and businesses. It tracks attacks and incidents, and provides advice and alerts. The quarterly updates from CERT provide a valuable snapshot of what’s going on with cyber security in NZ, and give us a useful insight into trends and concerns. Their latest update was released last week. It shows a decrease in the number of incidents reported from last quarter, but an increase in the type and complexity of scams.

Decrease in Incidents isn’t the Whole Story

There was

Discovering and Patching Vulnerabilities

Background

Software is constantly changing. Application and package authors tweak and update existing code more or less continually to provide features, improvements, fixes and workarounds. Also, most software is constructed, at least in part, from third party or open source components or packages, such that large parts of the code are integrated by, but not actually written by, the developer or vendor of the overall application. Given this continual change, and these varying sources of code, it is incredibly common for applications of all types to have as yet unknown security vulnerabilities. These vulnerabilities come to light over time, either
