phewadm

How to Choose a Penetration Testing Provider in New Zealand

Pen testing is a professional service, but for customers looking to engage a pen testing provider it sits in an awkward category of purchase. Unlike most professional services, where you can assess capability through a proposal, a reference call, provider visibility in the marketplace, or a few hours of scoped work, the quality of a pen test is genuinely difficult to evaluate before you buy it. And to some degree, it remains difficult to evaluate even after you receive the report. This is the core problem buyers face. You are commissioning work whose depth and rigour you cannot directly observe,


What Happens During a Web Application Penetration Test? A Plain-English Walkthrough

It’s not uncommon for teams to commission a pen test (particularly their first one) without really knowing what’s about to happen. The process can feel like a black box, which is ironic given that black box testing isn’t where you should be heading. This lack of clarity and understanding is not surprising given the technical nature of these engagements. However, it doesn’t need to be like this. In this guide, we walk you through what actually happens, from initial conversation to ongoing assurance. Our view is that an informed buyer makes better decisions and gets more from the testing experience


Foundations First: phew’s Story

Since phew was founded, our focus has been on building a business grounded in quality. That meant investing heavily in how we work, developing rigorous methodologies, and holding ourselves (and our testing) to high standards. By delivering work we could genuinely stand behind, we prioritised substance over presentation, and outcomes over optics. Along the way, we didn’t really pause to spend time fully articulating who we are, what we stand for, and why it matters, but recently we decided it was time to address that. By undertaking a brand story exercise with the team at Flux, we’ve been able to articulate


LastPass Breach (2H22) – FAQ

Background & Summary LastPass released information on 22 December 2022 confirming that a threat actor had accessed backups of LastPass user vaults along with associated metadata likely connecting those vaults with customer identities. Technically this was a further update on previous partial disclosures, indicating that a breach in August 2022 was worse than they had initially thought (or let on). This is a bad headline for LastPass and its users, but the potential for an encrypted password vault to fall into the wrong hands is something that modern password managers are designed to be robust to. Information is still scant,


phew joins Government Marketplace for Information Security Professional Services

We are delighted to announce that phew has been recognised as an approved supplier of security services on the New Zealand Government’s Marketplace, through a Collaborative Marketplace Agreement. phew has joined the Information Security Professional Services Panel alongside other approved suppliers to the Government, listed on MBIE’s procurement platform, Marketplace, under the ‘Source Code, Application Review and Technical Testing’ category. As an approved supplier, phew has completed the open primary procurement process, meaning that phew is a supplier that government agencies can confidently engage, and with whom agencies do not need to negotiate their own contract terms or pricing. Being


Was Kaseya A Supply-Chain Attack, And Why Does It Matter?

If the Kaseya attack was a “supply-chain attack” in terms of the industry-accepted definition, then it is a stretch of that definition. The distinction is important, because software supply-chain compromises are harder for customers of software solutions to detect using usual defensive measures, and generally involve exploitation techniques that fall outside the scope of web application penetration testing standards. So there is a feeling that essentially no blame rests with the software customer, and perhaps reduced blame rests with the software vendor. In this post we explore the implications for Kaseya of mis-categorising this attack as a supply-chain attack.


Cert NZ Quarterly Update Q1 2021

What’s New? Cert NZ has released its first quarterly report for 2021. The Cert NZ reports provide an interesting snapshot of recent cyber security incidents reported by both individuals and organisations in New Zealand. The latest report shows that a total of 1,431 incident reports were made to CERT NZ in the first quarter of 2021, involving losses of almost $3 million. Notable Increases Reports of ‘unauthorised access’ increased significantly this quarter. Unauthorised access involves an attacker gaining access to an account without your knowledge. Often this happens because of weak passwords, or login credentials that have been leaked in


Additional Steps For Sophos Central Installations on MacOS 11 BigSur

MacOS 11 Big Sur requires additional System Extension permissions beyond what is detailed in Additional Steps For Sophos Central Installations on MacOS 10.15 Catalina. Apple has enforced these permissions, and they can no longer be added automatically by software vendors such as Sophos. Important: If the System Extensions are not allowed, Sophos Central protections will not function properly, in spite of the Sophos Central application being installed. If the Full Disk Access permissions are not added, malware scanning will not function properly. Without Proxy permission, Web Protection cannot function. During


Pen-testing: The What, Why and How

Online Security Online apps and tools have become an integral part of how we live and work. If you own or run one of these systems, you will be aware of the constant threat of a cyberattack, and the risks this poses to your business. If you use cloud services you should also be aware of the assumptions you are making about the security of those services, or have a basis for trusting the security assertions the vendor is making. Regular, pre-emptive penetration testing (or “pen-testing”) can mitigate these risks, provide knowledge and confidence, and improve the security and privacy
