Monthly reviews are a collection of posts where I try to review the previous month and set the expectations for the upcoming month. Not only it helps me keep track of what I have on my plate, but also works a public record of things I have done and achieved, both on a personal level and in my profession.
It has been some time since I last did one of these reviews. Spent some time in between re-thinking my approach on these, as well as productivity on a personal level overall.
I took this opportunity to focus on a few topics I wanted for some time. It was also the moment to reflect on current projects, what I desire to do more and to do less.
The major chances is I decided to focus heavily on web application security, which after all is what consistently gets my attention. This means I want to improve on how to test web applications, I want to have a thorough understanding of web technologies, as well as acknowledge and learn trending research practices and strategies so I can replicate them on my own to find my own bugs. This involves reading more and ensuring I have a deep understanding of the topics at hand, ideally practicing on my own.
When Spring4Shell news came about, me and some friends started testing it on our own to understand the impact and that was super fun. It felt really thrilling, so that’s part of the kind of things I want to continue to do.
With all the above in mind, I am dropping OSCP as my main goal for the time being as I don’t think it is the right certificate for me - I am not looking to convert myself into a pentesters role, nor am I looking to master the skills you need to pass the exam. Regardless of how cool and interesting those skills are, like active directory or buffer overflows, it’s not what I deal with on daily basis - and if I ever need those skills, I can try to work on them on the fly, while keeping my focus on other classes of bugs.
On top of that, I also desire to continue learning and developing software for Security purposes - tooling, automation, services in general. For that reason, I have been (and want to continue) practicing a lot with Golang as my main programming language.
- Read Getting Things Done by David Allen, the classic book from 2001. I already used a system heavily inspired in GTD but the constant emphasis on continuously looking back to your trays and items to sort them out and prioritize was something I was missing. At times, my system was overwhelming to me - so I put it to the side often. Some ideas from the book do not apply to me though, like in-place trays (“At home”, “At the office”, “Phone list”), as I want to keep things as simple as possible. Regardless, it is a good read if you don’t know what this is about or you are looking for inspiration to keep you going.
- Saw some talks about Ultralearning (book already ordered) and it changed my perspective on learning. Definitely am going to apply some principles now which at least makes me feel more in control of my learning process and can do wonders when I’m feeling lost.
- Read Network Programming with Go too, from No Starch Press (months of reading, hey!?), and that was a game changer in regards to networking as I took a proactive approach to new topics or topics I felt I did have a good enough basis. Having this curious approach, I essentially went down rabbit holes studying and looking up advanced information on topics like DNS, HTTP/S, SSL/TLS, PKI solutions, and Go Programming in general. I’d like to have the time to do this with more books, like Rust for Rustaceans but I doubt I will have time for it all for the time being.
- Continue using and working on
pmz- Added note titles to filenames for easier searches, although I’m currently trying a setup with Obsidian (it’s a lot easier to test different approaches without having to develop new features).
- Joined in a Security Research group so I can start working on my skills and on the topics I’m compelled to.
Plans and Next Focuses
- Start working and writing (to then publish) write-ups on boxes, rooms or CTFs I complete. I usually write my personal notes but I end up not using them in the end. I think I should try making those public.
- To ensure I continuously generate content for the above, I need to also work a box per week, which means I should have 4 posts to write. This is an impactful measure but definitely will upbring my game on testing skills. I just need to be careful about which content I am allowed to publish.
- Vulnerability Research on an project I cannot disclose at the moment.
- Potentially a CTF? Haven’t participated in one for a while, maybe it’s time to find one for the kicks.
- Continue Exercism Go learning path to build up the foundation on Go skills. At this point, I feel productive enough to code on my own but I need more time at the keyboard to truly master this language.