Ryan Basden

@rybaz@infosec.exchange
113 Followers
81 Following
162 Posts

Independent security contractor.
#1 photography account about hacking.

Previously:
@BishopFox Red Team
@risk3sixty Pentesting Practice Lead

website: https://ryanbasden.com
github: https://github.com/rybaz
twitter: https://twitter.com/_rybaz

I would simply write memory-safe code

Laptop numpads are psychotic, why do I have to overextend my right shoulder just to type

Finally getting around to watching Chernobyl and all I see is a bunch of MBAs making fun of technical experts and high-fiving

"In addition, ChatGPT doesn’t just itself fail to recognize the difference between fact and fiction, it presents these answers to people who are themselves unable to discern the difference."

https://lmnt.me/blog/the-dystopian-dream-team.html

The Dystopian Dream Team

A little tired of getting random junk in conference "swag bags", can I opt out? I don't need fifty branded drawstring bags that I'm just going to donate and might eventually end up in a landfill.

iPad babies can be any age.

Some of my favorites from Zion National Park.

Taken with Kodak Portra 400.

The more I talk to other security consultants, the more I realize that the industry deserves a shake-up. FTE seems more and more like an inevitable path to burnout every day.

Your external pentest scope is ~500k possible *public* IPs. In addition to manual testing, do you run Nessus scans in the background?

Why/why not?

Yes
50%
No
50%

WTF is a purple team? What's a purple team exercise? Do purple teams even lift?

Perhaps more importantly, how can you use the outcomes of not skipping security leg day to make your company give a shit about defending itself?

I'll answer all these questions and more this coming Saturday. Be there!

https://pretalx.com/bsidesatl-2023/talk/BLA3HY/

From Checkbox to Checkmate: Winning the Game for Security Budgets (BSides Atlanta 2023)

For many, IT security is still perceived as a sometimes-helpful nuisance, but an all-the-time cost center. The most common exception is in compliance, often disproportionately handled by IT staff due to the technical evidence gathering requirements. And it's hard for security staff to argue the case, since you can draw a direct line from compliance reports to revenue. A clean SOC 2 report or PCI DSS certification can determine the outcome of multi-million-dollar deals. The same cannot usually be said for a clean vulnerability assessment, penetration test, or red team report (much less a not clean one). So how can security professionals compete with compliance for budgets, and how can IT professionals garner buy-in and internal support from executives and decision makers so they can affect organizational change and improvement?

This session will cover how purple teaming activities can elevate an organization beyond exception management in revenue-generating deals, to providing multiple mechanisms for demonstrating substantial ROI, and quantifiably protecting existing and future revenues. I will detail actionable approaches – with real world examples – that showcase how purple team exercises can accomplish the following:

- Establishing measurable security baselines and resilience across companies and supply chains
- Validating the efficacy of security investments and identifying potential areas for greater efficiency
- Providing a blueprint for organizational advancement and agility via penetration tests and red teams
- Evidence-based ROI communication to leadership and stakeholders
- Demonstrable and continuous protection against headline grabbing, and investor rattling, emerging threats