<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by UN1QUELY on Medium]]></title>
        <description><![CDATA[Stories by UN1QUELY on Medium]]></description>
        <link>https://medium.com/@un1quely?source=rss-98d7e33596c1------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*i3XEbs5J3JjyA4CF4OK8pA.png</url>
            <title>Stories by UN1QUELY on Medium</title>
            <link>https://medium.com/@un1quely?source=rss-98d7e33596c1------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Fri, 05 Jun 2026 17:50:19 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@un1quely/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Exploring Python API Testing and the Power of Locust]]></title>
            <link>https://medium.com/@un1quely/exploring-python-api-testing-and-the-power-of-locust-87ccf38e2a0a?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/87ccf38e2a0a</guid>
            <category><![CDATA[quality-assurance]]></category>
            <category><![CDATA[api-testing]]></category>
            <category><![CDATA[software-test-automation]]></category>
            <category><![CDATA[qa]]></category>
            <category><![CDATA[api-testing-automation]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Wed, 19 Jul 2023 09:01:09 GMT</pubDate>
            <atom:updated>2023-07-19T09:01:09.174Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/750/1*ujJUC6tVDj9PHzPbAfKNAA.jpeg" /></figure><p>Software development continues to evolve rapidly, so testing APIs has become essential to ensuring robust and reliable applications.</p><p>In this article, we will explore the fundamentals of Python API testing, discuss its critical advantages, and delve into the benefits of using Locust for load testing.</p><p>Let’s get started!</p><h3>What Is API Testing?</h3><p>API testing involves validating the behavior and functionality of APIs, ensuring they meet the expected requirements and deliver the desired outcomes. It focuses on examining various aspects, such as request and response handling, error handling, performance, and security.</p><h4>Python for API Testing</h4><p>Python provides several powerful libraries and frameworks for testing APIs, allowing developers to automate the testing process, keeping the functionality, reliability, and performance of their applications. With Python, you can write test scripts that send HTTP requests, validate responses, and perform various assertions.</p><p>One of the most popular libraries for API testing in Python is Requests. It displays a simple and intuitive interface for making HTTP requests and handling responses. By leveraging requests, developers can easily test different HTTP methods, headers, query parameters, and request bodies.</p><p>Python also offers frameworks like unittest, pytest, and nose, containing more advanced features for organizing, executing, and reporting tests.</p><p>These frameworks enable developers to write test cases, group them into test suites, and generate detailed test reports.</p><h3>Introducing Locust for Load Testing</h3><p>While functional testing controls whether an API functions correctly, load testing is crucial to assess how an application handles concurrent user requests and measure its performance under various load conditions. 
This is where Locust — an open-source load testing framework — shines.</p><p>Locust lets you write load tests in Python code, defining user behavior and simulating thousands of concurrent users to stress-test your API. With its intuitive API, you can easily create complex scenarios, set user behavior patterns, and specify request rates, all while collecting performance metrics in real time.</p><p>The key features that make Locust a powerful load-testing tool include:</p><ul><li><strong>User-Friendly Syntax</strong>: Writing load tests in Locust is straightforward and readable, thanks to its Python-based DSL (Domain-Specific Language). You can define user tasks, specify request endpoints, and simulate user behavior with ease.</li><li><strong>Scalability and Distributed Testing</strong>: Locust supports distributed testing, allowing you to run your load tests on multiple machines or even in the cloud. This scalability lets you simulate high loads accurately and find potential bottlenecks.</li><li><strong>Real-Time Reporting and Metrics</strong>: Locust provides a web-based interface that offers real-time insights into your load test. You can monitor the number of users, requests per second, response times, and other critical metrics.</li></ul><h4>Getting Started with Locust</h4><p>To begin using Locust, install it using pip, the Python package manager. Once installed, define your test scenarios by subclassing the <strong>HttpUser</strong> class and defining tasks as Python methods. These tasks represent the actions performed by users during the test. You can specify the number of users to simulate, the spawn rate, and other parameters when you start the test.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/710/1*3y9-Is_7sSB8MeKYLpw8Aw.png" /></figure><h3>Conclusion</h3><p>Python API testing is an essential practice to ensure the quality and reliability of your applications. 
With libraries like Requests and testing frameworks such as unittest or pytest, you can easily automate your API tests and validate the behavior of your endpoints.</p><p>As for load testing, Locust stands out as a powerful tool that integrates seamlessly with Python. Its simplicity, scalability, and real-time reporting capabilities make it a go-to choice for stress-testing your APIs and understanding their performance under heavy loads.</p><p>So, whether you’re a beginner in API testing or a seasoned developer, exploring Python’s testing capabilities and harnessing the power of Locust will help you build more robust, performant, and reliable applications. Happy testing!</p><h3>About the Author</h3><p><a href="https://www.linkedin.com/in/bojan-popovic-485b4bb1/?originalSubdomain=rs"><strong>Bojan Popović</strong></a>, a seasoned QA Automation Engineer, brings a wealth of knowledge and industry experience to the table. He hails from <a href="https://un1quely.com/">UN1QUELY</a>, where he has honed his expertise in assuring quality and perfection in software automation.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=87ccf38e2a0a" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[The Beauty of Testing: From Home to the Open Road]]></title>
            <link>https://medium.com/@un1quely/the-beauty-of-testing-from-home-to-the-open-road-846c9bc11477?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/846c9bc11477</guid>
            <category><![CDATA[qa]]></category>
            <category><![CDATA[software-testing]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Tue, 27 Jun 2023 12:39:11 GMT</pubDate>
            <atom:updated>2023-07-03T11:14:04.944Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*_nirAtUuDHn-gUGwIfxvwQ.png" /><figcaption>Pedal-Powered Innovation: Goran’s Bicycle Transforms into a Mobile App Testing Lab</figcaption></figure><h4><strong>Introduction: A Harmonious Fusion</strong></h4><p>What if I tell you that my job doesn’t just put food on the table, but fills my soul?</p><p>What if I tell you that this isn’t confined to the occasional ‘good day’, but it’s my five-day-a-week reality?</p><p>What if I tell you that my profession is intertwined with my passion?</p><p>And what if I tell you that this synthesis nourishes not only my career but also my well-being?</p><p>Let me take you on a journey where I unravel how I merged my love for cycling with my profession as a QA Engineer. My name is Goran, and this is my story.</p><h4>The Morning Ritual: Setting the Tone</h4><p>As QA Engineers, we are no strangers to the myriad types of testing approaches for applications. However, some stand head and shoulders above the rest, and I consider myself lucky to employ one of them in my daily routine.</p><p>My day starts with a steaming cup of coffee amidst the greenery in my backyard. As I savor my breakfast, I skim through my emails and mentally gear up for the day ahead. A daily meeting with the team follows, which sets the tone for the excitement that’s about to ensue.</p><h4>Human vs. Machine: The Importance of Touch</h4><p>Let’s not forget, no simulation can ever replace the value of human testing. While automation and simulators are essential components in a tester’s toolkit, the human touch provides that intangible quality. Human testing allows for an emotional connection and a deeper understanding of the user experience.</p><p>Imagine you’re watching a movie. An AI can analyze the plot, dialogue, and cinematography and tell you if the film checks the boxes for a ‘good movie’. 
But can it feel the thrill of an action scene or the heartache of a character’s loss? No way!</p><p>That’s what human testing is like. It’s like watching a movie and experiencing all the ups and downs. You get to walk in the users’ shoes. You feel their excitement when something works smoothly, and their frustration when it doesn’t. There’s something raw and real about it that numbers on a screen can’t give you.</p><p>It’s like being in the front row of the cinema, popcorn in hand, fully immersed. Robots? They’re still out in the lobby.</p><h4><strong>Into the Streets: The Bicycle Odyssey</strong></h4><p>Envision this: I slip into my cycling gear, mount my trusty two-wheeler, and embark on a ride through the bustling city streets. The purpose? Testing our application that’s specially designed for cyclists.</p><p>This app isn’t just about tracking how fast you’re pedaling or how far you’ve gone. Oh no, it’s way more. It’s like having a cycling buddy in your pocket who’s always game for some fun. It dishes out new challenges to crush every day and keeps you pushing those pedals.</p><p>As I’m weaving through traffic, the application keeps pace, diligently running on a mobile device affixed to my bike’s handlebars. Each twist, each acceleration, and each brake offers a real-world scenario to challenge the application.</p><h4>Data and Insights: The Bounty of The Journey</h4><p>In essence, my bicycle morphs into a rolling laboratory. When I eventually steer back home, I bring with me not just numbers, but invaluable insights and a heart filled with fulfillment. The sheer joy of fusing my vocation with my passion is immeasurable.</p><p>These insights go beyond just data points; they tell stories of how users interact with applications. They create a picture of what works, what doesn’t, and where improvements can be made.</p><p>So, as I kick back at the end of the day, I’m not just clocking out of a job. I’m wrapping up an adventure. 
And I’ve got the treasure map for making an app that’s not just functional, but freakin’ awesome.</p><h4>Redefining Boundaries: Breaking the Mold</h4><p>This unorthodox approach to testing has not only elevated my stature as a QA engineer but also shattered the conventional norms associated with testing environments. It redefines the boundaries and exemplifies how versatile and dynamic the role of a QA engineer can be. Who says testing has to be done hunched over a desk? Why not on a bike, feeling the pulse of the city?</p><p>And here’s the kicker — this kinda testing paints in bold strokes. It says, “Hey, there’s a whole world beyond the screen. Let’s play!” It’s about living the experience, not just QA-ing an app. It’s about testing life and rolling with it.</p><p>So, the next time you spot a cyclist breezing through the streets, take a moment. That cyclist could be a trailblazer, a QA engineer, or even me, Goran, exploring uncharted waters and embracing the beauty of testing.</p><h3>About the Author</h3><p><strong>Goran Manojlović</strong> is a seasoned expert, and UN1QUELY’s go-to guy for Quality Assurance. He sets the bar high, both professionally and privately. When he’s not putting applications to the test, Goran can be found running marathons, half-marathons, and triathlons, as a semi-professional runner. His portfolio is as diverse as his interests, boasting impressive projects ranging from e-commerce sites to entertainment apps.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=846c9bc11477" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[How Web Security Misconfigurations Can Lead to Business Shutdown]]></title>
            <link>https://medium.com/@un1quely/how-web-security-misconfigurations-can-lead-to-business-shutdown-3c1a17e8a037?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/3c1a17e8a037</guid>
            <category><![CDATA[security]]></category>
            <category><![CDATA[web-security]]></category>
            <category><![CDATA[web-security-testing]]></category>
            <category><![CDATA[cyber-security-awareness]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Tue, 06 Jun 2023 09:08:59 GMT</pubDate>
            <atom:updated>2023-06-06T09:08:59.501Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*a6dxx0lzVkn1fqj48YUWew.png" /></figure><p>In the dimly lit basement of an abandoned building, hidden beneath the layers of darkness and secrecy, a clandestine cybercrime group known as “The Shadow Syndicate” gathered around a flickering screen displaying the lines of code.</p><p>Their eyes glimmered with excitement and malice as they discovered a chink in the armor of a renowned healthcare company, MeditechCorp Pro Solutions.</p><p>As the hackers delved deeper into MeditechCorp Pro Solutions’ digital fortress, they stumbled upon a chilling revelation during their reconnaissance phase.</p><p>The main server’s vulnerabilities were laid bare — a careless oversight that set their sinister plans into motion.</p><p>With <strong>PUT HTTP enabled </strong>and <strong>lacking proper XSS protection</strong>, the company’s management system became a breeding ground for their malevolent intentions.</p><h3>How did they find that?</h3><p>First, during the reconnaissance phase, they found that one of the JavaScript was using the PUT keyword to unauthenticated, upload a txt file to the server and then later download that same file using the GET keyword.</p><p>They didn’t know the reason behind that, but it didn’t matter. 
All that mattered to them was that they had found the web security misconfiguration; to be more precise: <a href="https://cwe.mitre.org/data/definitions/650.html">CWE-650: Trusting HTTP Permission Methods on the Server Side</a>.</p><p><em>Request:</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Zzbmnoi0x1VY7NH7l3KNlQ.png" /></figure><p><em>Response:</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*EIdMO0ZEXIyR_Q4NBVTOGA.png" /></figure><p>The contents of the file were then retrieved using the <strong>GET </strong>method:</p><p><em>Request:</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ruS1kSN_9TIthaJqUlrhog.png" /></figure><p><em>Response:</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*tSKvHIImUDJQ91tn20BOuA.png" /></figure><p>Then they checked the browser security headers configuration:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*z5H0AGrbK3lP7-rIH2FNzg.png" /></figure><p>The Content-Security-Policy (CSP) header was not set, so the browser would run any script that ended up in the page.</p><p>With their newfound knowledge, The Shadow Syndicate embarked on crafting a web exploit that would haunt the dreams of MeditechCorp Pro Solutions’ unsuspecting users.</p><p>In the darkest corners of cyberspace, they wrote a diabolical piece of code — a malicious web exploit that would stealthily infect the heart of the company’s web infrastructure: the <strong>index.html </strong>file.</p><p>The first function in the web exploit downloaded the index.html file:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*9Y8NR1PouICDTwX-EyaUmQ.png" /></figure><p>The second function inserted new JavaScript code into that index.html file that would send each authenticated visitor’s cookies to the attackers’ web domain.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JukICYQg5LZKJuJJZjar6g.png" /></figure><p>That would be for each visitor because the index.html was the first 
page they’d see after a successful login.</p><p>The third function exploited the misconfiguration and simply replaced the original index.html with a new one containing the malicious JavaScript code:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*InhgT8Jrd2Jy61Ja_h6bkA.png" /></figure><p>The web exploit was ready:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*BJyF00HXvmQVWz-Fw02sEg.png" /></figure><p>They just needed a web domain for collecting the stolen user sessions, so they used Burp Collaborator:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*h3hRv4egDF3Fnw_97UWdqQ.png" /></figure><p>With the exploit written and the domain up and running, the next phase was crucial — run the exploit:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*KBMSDI1E5YgjhY3bCvxyqQ.png" /></figure><p>As MeditechCorp Pro Solutions’ users innocently visited their trusted web platform, a subtle change occurred.</p><p>Unbeknownst to them, a single line of nefarious code had been injected into the seemingly harmless index.html file, waiting to ensnare their every move.</p><p>The unsuspecting victims were unknowingly sending their session cookies to the malevolent domain of The Shadow Syndicate.</p><p>Doctors, administrators, and super admins, unaware of the sinister intrusion, carried out their daily tasks while The Shadow Syndicate watched their every move from the shadows.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*McrwAUKBt9r98dqMsvISfQ.png" /></figure><p>They reveled in the power they wielded, lurking behind the scenes as their victims’ most private healthcare and personal information fell into their clutches.</p><p>Hundreds of hospitals using the healthcare management platform had fallen victim to a security breach, and thousands of patient records now rested in the hands of a notorious cybercrime group.</p><h3>From a business perspective, do you 
find this story scary?</h3><p>Well, “The Shadow Syndicate” and “MeditechCorp Pro Solutions” are not real, and the story was a work of fiction — everything except the security testing. It was a real-life ethical penetration testing session conducted by the <a href="https://un1quely.com/cybersecurity-services/">UN1QUELY</a> offensive security team on a real healthcare management platform production system used by many hospitals.</p><p>Cybercrime groups are on the rise, and this trend will keep evolving. They’re constantly looking for vulnerable targets so they can use their skills to earn money, ruin the reputation of companies, steal private data and sell it on the black market, or use it to blackmail victims and companies.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1012/1*XY4zvzRNKnu1RR4kEgR7vQ.png" /></figure><p>Luckily for this healthcare management company, we were the first to identify this security misconfiguration vulnerability and exploit it, just to show them how vulnerable they were. In the meantime, they’ve fixed these issues with the help of our cybersec experts.</p><p>Our offensive security team is growing and rapidly improving in a wide range of cyber skills, not only in web application penetration testing but also in mobile application and network penetration testing, phishing simulations, and red teaming.</p><p>If you need help securing your company’s cyberspace, please <a href="https://un1quely.com/contact/">contact</a> us.</p><h3>About the Author</h3><p>Miroslav Milićević is an experienced penetration tester with 5+ years of experience in software engineering (including secure coding). Highly engaged in red teaming, drone security, and developing offensive security software. 
Motivated to learn about various penetration testing areas, including automotive, IoT, wireless, SCADA, and drones.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=3c1a17e8a037" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[AWS Cognito Privilege Escalation Using Custom Attributes Editing in User Pool]]></title>
            <link>https://medium.com/@un1quely/aws-cognito-privilege-escalation-using-custom-attributes-editing-in-user-pool-2f8d6eaa3c7f?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/2f8d6eaa3c7f</guid>
            <category><![CDATA[penetration-testing]]></category>
            <category><![CDATA[exploit]]></category>
            <category><![CDATA[offensive-security]]></category>
            <category><![CDATA[aws-cognito]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Thu, 27 Apr 2023 10:48:00 GMT</pubDate>
            <atom:updated>2023-04-27T10:48:00.884Z</atom:updated>
            <content:encoded><![CDATA[<p>by Miroslav Milićević, Offensive Security Engineer</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*9DCoL8Te1E1TdlMznWdK5g.png" /></figure><h3>AWS Cognito Service</h3><p>With Amazon Cognito, you can add user sign-up and sign-in features and control access to your web and mobile applications.</p><p>Amazon Cognito provides an identity store that scales to millions of users, supports social and enterprise identity federation, and offers advanced security features to protect your consumers and business. Built on open identity standards, Amazon Cognito supports various compliance regulations and integrates with frontend and backend development resources.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VEaUKzlF-y_eYfanouX0eg.png" /></figure><h3>AWS Cognito Access Token</h3><p>If you’re using Amazon Cognito to manage user authentication in your application, you should be aware of the permissions users have by default when issued an access token.</p><p>When signing into an application that uses Amazon Cognito for authentication, the following three tokens are returned to the user: an ID token, an access token, and a refresh token. 
The assigned scope defines the token’s access level for the particular user.</p><p>When the token scope includes “<strong>aws.cognito.signin.user.admin</strong>”, the user has permission to view and edit their own user attributes stored within Cognito (e.g., username, email, custom attributes, etc.).</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/904/1*ZDU0cVTsTnXP3ljvYGz0Zg.png" /></figure><p>Please note that <strong>“aws.cognito.signin.user.admin” is the default scope </strong>for an app client in a user pool, so it’s commonly seen in implementations.</p><h3>Privilege Escalation Using AWS Cognito Custom Attributes</h3><p>Privilege escalation in web applications refers to the process in which a potential attacker gains higher levels of access or control within the application than they were originally granted. This can occur through a variety of methods, such as exploiting vulnerabilities in the application code, taking advantage of weak authentication mechanisms, or bypassing access control mechanisms.</p><p>There are two main types of privilege escalation in web applications: <strong>vertical</strong> and <strong>horizontal</strong>.</p><p>Changing AWS Cognito custom attributes could be used to facilitate either vertical or horizontal privilege escalation, whenever the application reads those attributes to make authorization decisions.</p><p>For example, if a user is able to modify their own custom attributes in a way that grants them higher privileges or permissions, this is a form of vertical privilege escalation.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/795/1*_2AKkNnfBLR5YgwV6XZVgQ.png" /></figure><p><strong>Vertical privilege escalation</strong> occurs when a user gains access to a higher level of privileges or permissions than they were originally granted, for example from standard user to admin.</p><p>In the context of AWS Cognito, a user might be able to escalate their privileges 
vertically by moving from a normal user account to an administrative account or group, for example by editing the custom attribute <strong>custom:isAdmin</strong> from <strong>false</strong> to <strong>true</strong>, or any other custom attribute that encodes a privilege level.</p><p><strong>Horizontal privilege escalation</strong>, on the other hand, occurs when a user gains access to resources or data that they were not authorized to access within their current level of privileges.</p><p>In the context of AWS Cognito, a user might be able to escalate their privileges horizontally by gaining access to data or resources belonging to another user or group.</p><p>In this example, the user has a custom attribute holding an organization ID that grants them access to that organization’s resources or data; changing this attribute to another organization’s ID is a form of horizontal privilege escalation.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/904/1*YUuBLw5PNf40giKCOUhjcw.png" /></figure><h3>Exploitation Tool — aws-cust-cognit</h3><p><strong>aws-cust-cognit</strong> is an exploitation tool designed to test the security level of AWS Cognito user accounts.</p><p>It lets testers identify and exploit this weakness by checking which custom attributes on the authenticated account can be changed to escalate privileges.</p><p>Tool setup (source: <a href="https://github.com/UN1QUELY/aws-cust-cognit">https://github.com/UN1QUELY/aws-cust-cognit</a>):</p><pre>git clone https://github.com/UN1QUELY/aws-cust-cognit
cd aws-cust-cognit
pip install -r requirements.txt</pre><p>Usage:</p><pre>python aws-cust-cognit.py --aws_region &lt;aws-region&gt; --access_token &lt;access-token&gt;</pre><h3>Exploitation Process</h3><p>1. Log into the web application using AWS Cognito and intercept the request via a proxy, such as Burp Suite.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Z4ujL1Gyg-_ZDUSmMyIQCw.png" /></figure><p>2. Copy the access token and the region.</p><p>3. Run the tool:</p><pre>python 
aws-cust-cognit.py --aws_region us-west-2 --access_token &lt;access_token&gt;</pre><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*CC9mrHvHguIzQ4HDwYOdKw.png" /></figure><h3>About the author</h3><p>Miroslav is an experienced penetration tester with 5+ years of experience in software engineering (including secure coding). Highly engaged in red teaming, drone security and developing offensive security software. Motivated to learn about various penetration testing areas including automotive, IoT, wireless, SCADA and drones.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=2f8d6eaa3c7f" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Debunking Myths: How to Get Started in Cybersecurity?]]></title>
            <link>https://medium.com/@un1quely/debunking-myths-how-to-get-started-in-cybersecurity-f63442856800?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/f63442856800</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[careers]]></category>
            <category><![CDATA[career-advice]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Thu, 02 Mar 2023 19:42:20 GMT</pubDate>
            <atom:updated>2023-03-02T19:42:20.242Z</atom:updated>
            <content:encoded><![CDATA[<p><a href="https://www.linkedin.com/in/damjan-cvetanovi%C4%87-298538195/">Damjan Cvetanović</a>; Information Security Officer @ <a href="https://un1quely.com/">UN1QUELY</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VShtuvLDGLmxKCzxctW23w.png" /></figure><p>In the past few years, I keep getting more questions about how to dive into cybersecurity, mainly:</p><blockquote>1. What are the best learning resources?</blockquote><blockquote>2. Do I need certificates to land a job?</blockquote><blockquote>3. Which certificates or University courses would you recommend?</blockquote><blockquote>4. Should I work first in general IT?</blockquote><blockquote>5. How to transition my career to cybersec?</blockquote><blockquote>6. What career path would you suggest for someone who just finished University/BA?</blockquote><blockquote>7. How to get started in hacking?</blockquote><blockquote>8. What are the necessary basics that one should know before starting with cybersec?</blockquote><blockquote>9. How to land a job?</blockquote><blockquote>10. What are the salaries in the industry compared to development/engineering?</blockquote><p>I have chosen the 10 most frequent questions that I will try to address from my personal experience working for at least a year or more in each of the following three Cybersecurity Domains:</p><p>1. Red Teaming — Offensive Security and Penetration Testing</p><p>2. Blue Teaming — Security Engineering and Application Security</p><p>3. Security Management — Governing Information Security</p><p>Since the idea is that this article will remain relevant in the next few years, the entire article will have a more general tone. 
Cybersecurity is changing so rapidly that it can be daunting from time to time to keep up with current affairs.</p><p>Although there are many exceptions in the industry, the basics from the following domains will stay helpful in the time ahead:</p><p>• networking</p><p>• operating systems</p><p>• development</p><p>• communication, soft skills.</p><h3>The ABCs of Cybersecurity Careers / Major Cybersecurity Prerequisites</h3><p>The key traits behind any successful cybersecurity professional are absolute focus, devotion, and discipline. To keep the direct resources list to a minimum, for starters, I’d recommend the book <em>Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career (Confident Series)</em>. It covers the absolute basics thoroughly and presents cyberspace to readers in a clear way.</p><p>Further, based on the area of interest, I would never suggest a purely theoretical approach in an industry that changes at such a fast pace. The theory and the basics, however, should not be skipped. The best way is to do real-life exercises and go back to the basics for every topic you are unfamiliar with. If done properly, this is the most practical, functional, and comprehensive learning method.</p><h3>Open Solutions and Constant Practice</h3><p>To start hacking and, again, to keep the number of resources to a minimum, I would recommend CTFs and challenges that do not have a single solution but just a hint or a topic to research. 
This will build up a try-harder mindset and help you prepare for your future role, where there is no clear solution to the task, but one has to be found.</p><p>An example of a platform that releases new active boxes/machines each week is <a href="https://www.hackthebox.com/">Hack The Box</a>. It does a great job of keeping you up to date while also covering the ABCs. In a serious company that can test a candidate’s actual knowledge, their certificate or university degree should not play any role.</p><p>We also put those requirements in the job description — within the nice-to-have section — but this is never the primary requirement. Also, there is no need to take another role first and switch careers later.</p><p>The junior analyst’s job is a perfect starting point in any cyber security domain. This person should be familiar with all the topics that help with the daily repeatable tasks, which might be just the ideal way to start.</p><h3>Career Shifts and Cybersec</h3><p>In career transitions, the best way is to use the existing expertise and learn how that domain can be secured. For example, a software developer who is used to reading code and implementing the software development lifecycle can quickly discover the OWASP ASVS and OWASP code review guides and land a job in the Application Security domain.</p><p>There is no universal truth here. A rule of thumb is to start learning every day and to apply to any position as a starting point. The more experience (practical non-paid projects can count as experience, too), the better the chance to land the next job.</p><h3>First Cybersec Experiences</h3><p>If I were to land my first job now without any experience, I would go through job descriptions and focus on what I want to do as the first step.</p><p>The second step would be to launch my own blog and discuss exciting, game-changing industry topics weekly. 
For example, if the topic were cloud security, I would go through some DevOps bootstrapping bootcamp with AWS, think about it from the offensive security side, and make a vulnerable environment on purpose. This is a common learning technique that can help both the blue team and the red team side — to have both perspectives on how the attackers think and how to secure the whole environment.</p><p>Let us say that you do not have any experience and/or certificate/university to highlight your skills for an incident response analyst position. Your resume should include all the practical knowledge projects that you went through. The technical team analyzing your CV will value these things more than a specific certificate, especially if those resources are the same as those they used when starting their own careers.</p><p>For another example: when we are hiring a new web app penetration tester — if someone has done all the exercises in the PortSwigger labs, this might be a good indicator that the candidate is ready for a technical interview. The №1 tool being used today is Burp Suite, and the labs walk through most of the existing known bugs/vulnerabilities with that tool. The same principle can be applied to any domain.</p><p>Lastly, the salary should not be the primary reason for going into any field. Still, as in any business, if there is a high demand and a lack of people, the salaries will be higher than in some other industries, which is currently the case.</p><h3>Conclusion</h3><p>To sum up, this concise article has debunked the myth that it is hard to work and find a job in the Cybersec domain. 
We have provided some simple examples that focus on something other than expensive commercial resources: handy general advice and what to look for when you are googling (the most important skill) and researching a particular role type.</p><p>Keep it simple, bring dedication, discipline, and passion to your work, do practical exercises every day, and you will smoothly move into the career path of your choice.</p><h3>About Author</h3><p><a href="https://www.linkedin.com/in/damjan-cvetanovi%C4%87-298538195/">Damjan Cvetanović</a> — an Information Security Officer @ <a href="https://un1quely.com/">UN1QUELY</a>, with a strong background in Penetration Testing and Application Security.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[9 QA Engineer’s Tips for Writing Effective Test Cases]]></title>
            <link>https://medium.com/@un1quely/9-qa-engineers-tips-for-writing-effective-test-cases-360ef42f3f22?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/360ef42f3f22</guid>
            <category><![CDATA[qa]]></category>
            <category><![CDATA[quality-assurance]]></category>
            <category><![CDATA[un1quely]]></category>
            <category><![CDATA[software-testing]]></category>
            <category><![CDATA[quality-software]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Wed, 18 Jan 2023 11:06:22 GMT</pubDate>
            <atom:updated>2023-01-18T11:07:10.389Z</atom:updated>
            <content:encoded><![CDATA[<p>Goran Manojlović, <a href="https://medium.com/u/98d7e33596c1">UN1QUELY</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*7ijaWyqiHzC2Oo6_0R7ZWg.png" /></figure><p>For a Quality Assurance Engineer, writing test cases is a critical step in ensuring that the product under development meets the requirements and is of the highest quality. The process of test case writing involves identifying and documenting the test scenarios and conditions, which are then used to verify the functionality of the software and identify any defects early in the development process. By following the best practices outlined in many studies and research, you can ensure that your test cases are effective in detecting and preventing defects, thus improving the overall quality of the software.</p><h3>Top items to consider when writing test cases</h3><h4>1. Understand the requirements</h4><p>When writing effective test cases, it is essential to understand the software requirements in detail. This lets you identify and cover the range of functionality and potential issues that may arise, and it ensures that the tests align with the goals and objectives, making the testing process more efficient and effective.</p><h4>2. Use a specific test case writing format</h4><p>A consistent, well-defined format for writing test cases ensures easier reading and understanding while containing all the necessary information. It also makes test cases easier to maintain and update over time. Using a widely accepted format is good practice, allowing different team members and stakeholders to understand the presented information and facilitating collaboration and communication during the testing process.</p><h4>3. 
Be selective in the tests written</h4><p>It is essential to prioritize testing the basic functionalities of the software that are critical to its operation and performance, ensuring that the testing time is used efficiently and that the most important functionalities of the software are thoroughly tested. Also, it is crucial to refrain from writing tests for unnecessary functionalities, as that leads to wasted resources. Prioritizing and focusing on relevant test cases can help make the testing process more efficient and effective.</p><h4>4. Use specific tools</h4><p>Utilize specialized tools designed for test case management to streamline the testing process, improve organization, and increase team collaboration. TestRail is one example of a well-known tool. It’s widely used for test case tracking, automated test runs, and defect tracking. Tools like this improve the overall software quality by providing a centralized location for test case management and tracking progress.</p><h4>5. Use clear and descriptive test case names</h4><p>Giving test cases clear and descriptive titles makes it easy to understand the test’s purpose, which can be particularly helpful when working with large or complex sets of test cases. It helps to quickly identify the functionality tested and makes it easy to search and filter through test cases, improving collaboration and communication between the team members, stakeholders, and team leads.</p><h4>6. Include preconditions</h4><p>When tests require specific software settings to be executed successfully, it’s vital to clearly define preconditions to ensure that tests are executed correctly and that the results are accurate. Defined preconditions also help to improve maintainability, as they allow others to understand the necessary setup for the test case to be executed successfully.</p><h4>7. 
Run regression tests</h4><p>Regression testing is the process of testing the software to check that recent changes or updates haven’t introduced new errors or bugs. This is a crucial step in the software development process that ensures that changes don’t negatively impact the software and that bugs are identified and addressed before the software goes into production, thus helping to prevent potential issues from reaching end users and ensuring that the software is stable and of high quality.</p><h4>8. Review and update tests</h4><p>Tests must be reviewed and updated regularly to reflect the latest changes made to the software. As new features are added and software updates are made, check and update test cases to ensure they are still relevant and accurate. This helps improve the overall quality of the software by identifying issues early on and keeps the test cases easier to maintain.</p><h4>9. Consider automation</h4><p>It is important to consider which test cases you can automate. Automating tests can help increase the efficiency of the testing process and reduce the possibility of human error. Automated test cases can be executed quickly, consistently, and accurately, identifying issues sooner and freeing up resources to perform other vital tasks.</p><h3>Conclusion</h3><p>By following these tips, you can write effective and efficient test cases that will help ensure the quality of the final product. Remember to keep the requirements in mind and be consistent in your approach for better maintainability of the test cases. Keep in mind that writing test cases is a cyclical process. As part of this process, the test cases must be reviewed, maintained, and updated based on changes in the requirements or functionalities. 
Also, the test cases should be designed and executed in a way that helps identify defects as early as possible in the development cycle, where it is cheaper to fix them.</p><h3>About Author</h3><p>Goran Manojlović is a seasoned expert and <a href="https://un1quely.com/">UN1QUELY’s</a> go-to guy for Quality Assurance. He sets the bar high, both professionally and privately, as a semi-professional runner who runs marathons, half-marathons, and triathlons. His portfolio boasts impressive projects, ranging from e-commerce sites for luxury brands and a contemporary design store featuring up-and-coming designers, to an entertainment app backed by Mark Cuban that won the approval of industry giants like Charlie Sheen, Will Smith, Deepak Chopra, and Jay Leno.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Full-Time Wanderlust: How to Do Your Best Work while Travelling]]></title>
            <link>https://medium.com/@un1quely/full-time-wanderlust-how-to-do-your-best-work-while-travelling-a6a0931084d6?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/a6a0931084d6</guid>
            <category><![CDATA[remote-work]]></category>
            <category><![CDATA[remote-work-tips]]></category>
            <category><![CDATA[remote]]></category>
            <category><![CDATA[work-and-travel]]></category>
            <category><![CDATA[wanderlust]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Thu, 24 Nov 2022 12:00:19 GMT</pubDate>
            <atom:updated>2022-11-25T09:57:38.269Z</atom:updated>
            <content:encoded><![CDATA[<p>Marko Romandić</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/468/1*wxJLerrW1BSkqyBxmqKDKw.png" /></figure><p>When I first started traveling full-time, my friends and family thought I was nuts. “You’re going to get sick of it,” they’d say. “You can’t be productive if you’re not in the office.”</p><p>They couldn’t have been more wrong. As more and more companies allow employees to work remotely, even the sceptics are embracing the idea of working while traveling. So, if you’re interested in making remote work part of your lifestyle (or want to see what it’s all about), read on!</p><h3>Technology has transformed the way we work.</h3><p>The ability to work from anywhere, any time, on any device, has become a reality for most people, which is why remote work is booming. Gone are the days of long commutes or times spent in an office away from family and friends.</p><p>Remote working gives people more freedom to travel, settle where they want, or stay close to their loved ones while earning an income. With numerous companies offering remote positions as part of their company culture (with some even requiring it), it’s fast becoming a viable option for anyone who wants it!</p><p>Remote work offers considerable benefits for both employees and employers. For employees, it provides a flexible schedule, better work-life balance, and the ability to travel frequently. For employers, remote workers can be located anywhere in the world and are often cheaper than an office-based employee due to lower overhead costs.</p><p>But, of course, new challenges are appearing for employees and employers alike, and both are adapting to the new way of working. 
I’ll cover a few unique challenges I encountered in the last four or so years working remotely.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/468/1*abj0Fc85XbpT2Z0pGvze0w.png" /></figure><h3>Working while you travel is easier than ever.</h3><p>How often have you been in a situation where you sit in the office daydreaming about a faraway, exotic location? But you know it’s too far, and you need more vacation time than you have. For me, it used to happen all the time, and I decided to change that. I have a lifetime goal of visiting 75% of the countries on Earth. I asked myself all the time: how can I achieve that goal working a 9-to-5 job, sitting in an office? What is making me do that?</p><p>The company <a href="http://un1quely.com">UN1QUELY</a>, where I work, has a hybrid culture. It means you have offices available in Novi Sad if you want to work from an office, but it’s optional. So, I decided to make the best use of it and start traveling and working simultaneously.</p><h3>Remote work means working from anywhere, not only in your living room or backyard.</h3><p>After the Covid-19 pandemic started, I saw multiple ads for job positions where the company says that you can work remotely but only from your home. <a href="http://un1quely.com">UN1QUELY</a>’s way of working is more than just working from home. It’s the ability to work literally anywhere in the world if there’s an internet connection and a laptop.</p><p>We can see remote workers on beaches or in parks all around the world who connect with their teams through video calls (such as Microsoft Teams) and use collaboration software like Microsoft Office tools to share information and projects seamlessly across time zones.</p><p>When I say working from anywhere, I mean it to the letter. For example, I once had a daily meeting knee-deep in the sea. 
Literally, standing in shallow water and having a discussion with my colleagues.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/283/1*qYXZewCwyT8FYdZI1vnfBQ.png" /></figure><h3>Remote work requires you to be good at time management.</h3><p>I often hear the question, “How can you work and be a tourist simultaneously?” It’s not an easy task; I must be honest. One must be good at time management with this kind of arrangement. My daily schedule might look like this:</p><p>· Breakfast</p><p>· Working for 4 hours</p><p>· Lunch</p><p>· Sightseeing</p><p>· Working for 2 hours</p><p>· Dinner</p><p>· Working for 2 hours</p><p>· Nightlife :D</p><p>As you can see, I managed to incorporate the tourist element into my daily routine. Of course, this is individual. You must ensure that no one feels the impact of you not being present during the day and working in the evening. In other words, you are required to be a good team player and to always ask: is anyone dependent on me, on my work? If not, then you can plan your schedule as you like. Sometimes, when I go sightseeing, I receive a notification that I need to handle something urgent. It happens. Nothing is perfect. You need to find a balance that works for you.</p><h3>Remote work requires you to be a good communicator.</h3><p>There’s a lot of talk in the world about remote work. It’s an increasingly popular trend among companies and employees alike, but what does it mean to be a remote worker? And how do you ensure that your team can communicate effectively when they’re all over the place? What separates remote workers from those who work on-site is that they don’t have a set schedule and location at which they need to be present — they can choose when and where they want to work each day (or night). 
This freedom allows them more flexibility than traditional 9-to-5 jobs while still allowing employers access to their services throughout the week without having someone on-site.</p><p>What does this mean for communication between team members? A lot! Communication is critical in any project or organization but becomes particularly important when everyone isn’t working together under one roof. When used effectively, tools like Slack allow teams across different locations or time zones to collaborate seamlessly on projects by making real-time updates and archived information available whenever needed.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/351/1*bVsMu_jHAzxTQ8MsZGEMYQ.png" /></figure><h3>Taking breaks and exploring is essential, even on a tight schedule.</h3><p>You’ll be surprised just how much better you feel when taking regular work breaks. It’s not only a matter of getting up from the computer and going for coffee or taking a walk around the block. Both are great, but there are plenty of other ways to give yourself a break.</p><p>I always felt so refreshed after going to a bar to get coffee (even if it was just 10 minutes to buy coffee and come back). If I was doing something that required my full attention, hanging out with friends and drinking coffee would be an excellent way to recharge before returning to it. That is an opportunity you do not have when working a 9-to-5 job.</p><h3>Worldwide internet access isn’t guaranteed or cheap.</h3><p>There are a few essential things to remember when planning your trips. First, the internet could be less reliable than you might think. If you’re planning on working remotely, you’ll need to ensure adequate internet access wherever you go. This can be challenging and costly. Some countries have internet restrictions, so you must use a VPN if your company is not already using one for its internal security. 
But again, even if you do have a VPN, those countries might block the VPN apps that you use.</p><p>Second, the cost of living can vary depending on local prices for groceries or rent. If your goal is saving money while moving every month or two, consider locations in Europe or Asia. Rent tends to be much cheaper than in North America or Australia/New Zealand (although transportation may become more expensive). For me, Europe is in the middle in terms of price ranges and internet availability, and I had the opportunity to visit and work in many countries.</p><h3>Your remote office setup doesn’t need to be permanent, but it does need to be comfortable.</h3><p>If you work from home or a bar, you know it can be uncomfortable. The chair is chipped, or the bar where you work is too noisy. You may not be able to set up your space exactly how you want it, but there are ways to make your remote office feel like a place where you can concentrate and focus on getting stuff done.</p><p>Ask yourself these questions:</p><p>· Where do I spend my days working?</p><p>· Do I prefer natural light or artificial light?</p><p>· Am I near a window?</p><p>· Is the location noisy?</p><p>If you feel uncomfortable working from a bar or park, there are affordable coworking spaces that can be paid for daily. If you need a meeting room, you can rent one as well.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/351/1*h4moMvbUMIQde9QJxgHnPA.png" /></figure><h3>Going remote can benefit your career, your company, and yourself.</h3><p>Remote work has become one of the most popular trends in the modern workplace, and for a good reason.</p><p>A common misconception is that you can only work remotely if your job or company requires it, but this is not always the case. Numerous people choose to work remotely as a lifestyle and find that they can better focus on their work when not surrounded by an office full of distractions or drained by a commute. 
It’s also helpful for those with families who live far away from them, allowing them to spend time with their family members without having to commute back and forth daily.</p><p>A company can benefit from having employees in multiple places worldwide. Benefits include time zone availability and being able to hold live meetings with clients or prospects without the need for business trips. The company where I work, UN1QUELY, supports us by having a work-from-anywhere policy.</p><h3>Working remotely doesn’t mean you’re a freelancer.</h3><p>From time to time, people say to me that remote working means I’m a freelancer. That is not true! Company culture defines that. Some companies use a remote work policy to avoid having a defined company culture. UN1QUELY tries to provide you with both opportunities: to work from anywhere and to be a part of a rich company culture.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/383/1*Akg9qRlzNQWJjnMITOFhoQ.png" /></figure><h3>Here’s what you should know about remote work.</h3><p>Remote work is a way of working that allows you to be productive from anywhere. It’s not the same as telecommuting or working from home, and it’s definitely not for everyone.</p><p>The truth is that remote work can be very appealing, especially if you’re already looking for ways to travel more. But there are some things you should know about before diving in headfirst.</p><p>It will initially be challenging, requiring a different work-life balance than the office. Mind that adjusting to this way of working can take up to three months. At the start, you might even feel less productive or overly productive. It’d be best to listen to your feelings for the sake of your mental health. You can easily have burnout moments, which is something you should definitely avoid.</p><h3>Conclusion</h3><p>You might be wondering if remote work is right for you. For some people, going remote is a natural progression of their career. 
But for others, it’s a way to give themselves more freedom and flexibility. It all comes down to what kind of lifestyle you want to have and what your goals are as an individual or company. As long as you have access to technology and an internet connection (both becoming increasingly available), there are many ways that remote work can benefit both parties involved in an agreement.</p><p>P.S. What is your experience with remote work? Share in the comments.</p><h3>About the Author</h3><p>Marko Romandić is a Software Engineer with a Computer Science background, ReactJS and NodeJS Master, Cybersecurity Guru, and an ambitious traveler with a goal to visit 75% of our beautiful Earth or more.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Good Offense Is the Best Defense]]></title>
            <link>https://medium.com/@un1quely/good-offense-is-the-best-defense-ad29600cbd6e?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/ad29600cbd6e</guid>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Fri, 28 Oct 2022 12:01:18 GMT</pubDate>
            <atom:updated>2022-10-28T12:01:18.310Z</atom:updated>
            <content:encoded><![CDATA[<p>Miroslav Milićević</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*xtvt46R80BTz_-D0KNGlqA.png" /></figure><p>Cybercrime and corporate espionage are a reality: statistics show that the number of cyber-attacks has been growing yearly. In their 2022 Cybersecurity Almanac, Cisco and Cybersecurity Ventures estimated that the cost of cybercrime will hit $10.5 trillion by 2025.</p><p>It’s safe to say that attackers are more prepared than ever and are expanding their knowledge and toolset, so you should follow suit.</p><p>Therefore, securing a company’s perimeter is becoming a prevailing trend in the digital space.</p><p>Some of the standard protection practices are:</p><ul><li>Holding security awareness training for employees,</li><li>Hiring cyber security experts, and</li><li>Engaging with cybersecurity companies with impeccable SOCaaS (Security Operations Center as a Service).</li></ul><p>Is all that necessary? Absolutely YES!</p><p>Is it enough to stay secure? Absolutely NO!</p><p>So, you might ask yourself now, what should you do besides that?</p><p>Well, you should <strong>test your defensive tactics</strong>!</p><p>But how? 
Via penetration testing and red teaming.</p><p><strong>Penetration Testing</strong></p><p>Penetration testing is a form of ethical hacking: a systematic process of probing for vulnerabilities in your networks (infrastructure) and applications (software).</p><p>Different penetration testing types focus on various aspects of your organization’s logical perimeter — the boundary that separates your network from the Internet.</p><p>General types of penetration testing:</p><ul><li>Internal network</li><li>External network</li><li>Wireless network</li><li>Web applications</li><li>Mobile applications</li><li>Cloud applications</li></ul><p><strong>Red Teaming</strong></p><p>Armies typically only know how good their defenses are in practice once tested in a war, which can lead to catastrophic consequences. <br> <br>Lucky for us, in cyberspace, we can simulate real cyber-attacks through red teaming without any consequences and improve our defenses. <br> <br>With a red team attack simulation, there are many more attack vectors than in any other type of security testing. For instance, you can test how your employees would react to phishing campaigns, whether attackers can pass stealthily around your defenses and extract valuable data, or check your real-world security features. You can even simulate insider threats.</p><p><strong>Conclusion</strong></p><p>With increasingly sophisticated cyber-attacks on a continuous rise, it’s more important than ever that organizations perform regular penetration testing and red teaming. It will help them identify their exposures and close the holes, ensuring that cyber controls function as intended.</p><p><strong>About the Author</strong></p><p>Miroslav Milićević is an offensive security professional with a software engineering background. 
He’s primarily interested in penetration testing, software security, and the development of offensive security tools.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Why Vulnerability Scanning Isn’t Enough?]]></title>
            <link>https://medium.com/@un1quely/why-vulnerability-scanning-isnt-enough-3314f9390e7d?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/3314f9390e7d</guid>
            <category><![CDATA[offensive-security]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[penetration-testing]]></category>
            <category><![CDATA[un1quely]]></category>
            <category><![CDATA[vulnerability]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Tue, 18 Oct 2022 11:30:25 GMT</pubDate>
            <atom:updated>2022-10-18T11:31:20.092Z</atom:updated>
            <content:encoded><![CDATA[<p>Luka Šikić</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*7PA7OHTykkkATNKASJKXpQ.png" /></figure><p>One of the most common questions a security consultant gets from their clients is why vulnerability scanning isn’t enough.</p><p>The question usually highlights a lack of understanding about the true nature of cyber-attacks and of the fact that regular vulnerability scanning is not enough to detect advanced threats.</p><p>In this blog, we will explain vulnerability scanning, its limitations, and why you need more than a good vulnerability scanner to do your job well.</p><h3>How Does Vulnerability Scanning Work?</h3><p>Security is a massive issue for businesses these days. We hear about all the bad things happening to small, medium, and large companies daily. So how can you keep your business secure?</p><p>One way to eliminate “the low-hanging fruits” is by using vulnerability scanning software.</p><p>However, it’s crucial to understand how it works and in which cases it is not the best choice. Vulnerability scanning is a method to perform network security testing (NST) or web application security testing (WAST). It helps find vulnerabilities such as missing security patches, missing HTTP headers, or unencrypted sensitive data.</p><p>These are all vulnerabilities that are very easy to find with an automated tool. It is imperative to know the limitations of this type of vulnerability check, though. These tools will not identify privilege escalation issues between user roles or whether users can read someone else’s data, since every application is different. 
The automated tool does not understand the privilege hierarchy, which differs from application to application.</p><h3>How Penetration Testing Outperforms Vulnerability Scanning?</h3><p>As pointed out above, vulnerability scanning provides a bare list of known vulnerabilities, often with false-positive results.</p><p>Penetration testing is a more effective way to secure your network than automated scanners because it simulates an attack to identify weaknesses in the security of your network or application.</p><p>This testing goes further and pinpoints specific weak spots in your network, such as privilege escalation issues, authentication issues, and missing access controls. It also gives you feedback on how hackers could exploit these weaknesses in the real world, and every finding is documented with a proof of concept on how to replicate the issue.</p><h3>Conclusion</h3><p>Penetration testing and vulnerability scanning are often confused because they are similar. Still, penetration testing is geared toward security professionals as a necessary step to prove a company’s security. On the other hand, a vulnerability scan is aimed at end-users, and very often, it can only scratch the surface of the targeted application.</p><p>In our everyday programming practice, we need both of these security inspections to cover as many bases as possible and stay safe 24/7/365.</p><h3>About the Author</h3><p>Luka has senior-level experience in cyber security. Active penetration testing and software development skills helped him develop an efficient, market-leading WAF (web application firewall). Besides private pentest engagements, Luka has also found numerous vulnerabilities in popular software such as the Symfony PHP framework, WordPress, and Microsoft’s Bot Framework. 
In free time, he participates in open source development of security tools and helps design challenges for security CTF’s like Dubai Police <a href="http://CTF.ae">http://CTF.ae</a></p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=3314f9390e7d" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Top 10 Information Security Topics Companies should focus on]]></title>
            <link>https://medium.com/@un1quely/top-10-information-security-topics-companies-should-focus-on-a596705b00c1?source=rss-98d7e33596c1------2</link>
            <guid isPermaLink="false">https://medium.com/p/a596705b00c1</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[startup]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[un1quely]]></category>
            <dc:creator><![CDATA[UN1QUELY]]></dc:creator>
            <pubDate>Fri, 14 Oct 2022 11:46:46 GMT</pubDate>
            <atom:updated>2022-10-14T13:10:25.272Z</atom:updated>
            <content:encoded><![CDATA[<p>Damjan Cvetanović</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/900/1*HpD0xLkwHOOWiwM4WSG9gA.png" /></figure><p>This blog post will explain some of the most critical points to consider regarding every company’s Information Security Program. It will also address common questions that I often receive and some mistakes that regularly occur across companies in terms of information security. I will present this matter in the following 10 points, based on my personal experience.</p><p>1. “We need a big budget to start with security” is a common misbelief. For starters, security is a profit generator when used as a proper marketing, sales, integrity, safety, and business tool. You don’t need a special, dedicated budget to implement a security program.</p><p>2. Utilizing your own capabilities in terms of existing tools or employees can help in crucial areas, such as asset and change management.</p><p>3. Your preferred cloud provider probably already has some valuable tools you can use as part of your plans, such as a WAF (Web Application Firewall) and 2FA (two-factor authentication) for all accounts. Your preferred code repository probably already provides dependency scanning and static security analysis. After all, there are a lot of free and open-source security tools that are not hard to use and maintain (the security vendors would argue here).</p><p>4. You must check whether your current employees possess specific security knowledge or a knowledge base that can be improved. It might be surprising that your company’s DevOps/Software/QA engineer has solid hacking knowledge or is an occasional bug bounty hunter.</p><p>5. “We need to hire at least X security engineers” is a sentence that I have heard too many times, with the inevitable addition that they have an insufficient budget.
On many occasions, companies eventually get a dedicated security budget and start to hire security engineers without a clear plan and a task list with long-term goals. It is actually a selling point of many cybersecurity companies that offer security engineer services — something between a full-time employee, consultant, and freelancer. Scalable security is essential, and the need for a security engineer must be defined clearly in advance.</p><p>6. Ideally, your first hire should be a security manager with previous technical experience and an understanding of the topics discussed in this article. It can actually be detrimental if your first hire is a technical person or a manager without earlier hands-on experience. It happens too often in cybersecurity practice.</p><p>7. Don’t wait for a breach to splurge the security budget; be a risk-aware, incident-and-breach-oriented company instead. No matter how crazy and scary this might sound, every company will eventually have a data breach or incident, sometimes targeted and sometimes accidental. Understanding this and being ready from day one when implementing your security program is vital.</p><p>8. Communication with the board of directors is the first thing that should happen, even before checking the asset and change management processes. A beer at the bar or an online coffee could actually be the best tool to start with here. Company CEOs are typically busy people. Suppose you decide to have a CISO (Chief Information Security Officer) at your company. In that case, you should definitely test their sales skills — the CISO should be able to explain to the other C-suite managers the importance of the next security move in a clear, fast, and convincing way.</p><p>9. I have to mention asset and change management again here for a good reason. In many medium-sized businesses and enterprises where I worked, these two processes were either incomplete or almost didn’t exist.
Suppose you don’t know (didn’t document) all your assets (common in very large corporations). In that case, you won’t be able to think about the security of those assets. It’s as simple as that, but this is, unfortunately, a common issue. After implementing proper asset management, there should be even better change management. Again, a very simple example: imagine that you have an asset inventory but don’t update it regularly. Ideally, these two processes should be implemented before you call a security expert.</p><p>Most would say that security awareness is essential in every company, which I would partially agree with. Still, I would definitely start with these two topics in any company, regardless of the industry.</p><p>10. “We need to be compliant with XYZ.” You probably do it because a particular regulatory body has done a great job or the due diligence process has been completed, which makes security compliance mandatory. Nevertheless, you should also analyze other security areas, such as Penetration Testing, Red Teaming, a Security Operations Center, and, most importantly, Security Awareness Training combined with Phishing Simulation Tests, as the best way to save money, stay safe, and increase your profit in the long run.</p><h4>Conclusion</h4><p>Information Security must be taken seriously, but it doesn’t necessarily need to be complex or expensive. It should be accompanied by adequate support from the C-suite and rely on the existing company resources and capabilities. Proper asset, change, and resource management, together with good hiring decisions, will lead to successful and profitable information security.</p>]]></content:encoded>
        </item>
    </channel>
</rss>