Punk Security DevSecOps

Simon Gurney's posts

How to search organisation-wide cloudtrails with Athena

AWS Athena is the easiest way to search organisation-wide cloudtrails implemented by AWS Control Tower. In this blog, we walk you through it.

Base tag HTML injection: A guide for pentesters

We’re diving deep into a lesser-discussed variant of HTML injection that isn’t very well known at all, Base Tag Injection.

Streamline Your Tests: Mocking APIs with VCR.py

Developers typically use the unittest.mock module to patch the requests library directly, replacing real HTTP calls with mock objects. vcrpy makes it much easier.

ZAP is dead! Long live Zap!

We take a look at the Zed Attack Proxy as it moves away from OWASP and towards the Software Security Project

dnsReaper gets ProjectDiscovery Chaos and SecurityTrails support

dnsReaper is designed to check your own domains, but now we’ve added Project Discovery and SecurityTrails support too!

Simon discussing how to prototype PCB electronics

We gold sponsored BSIDES Cheltenham with awesome badges

We ran a stall, gave 2 talks and provided 400 Delorean PCB conference branches to make BSIDES Cheltenham that little bit more awesome.

Our birthday CTF nearly didn't happen...

We put a lot of effort into testing our CTF platform, but a simple oversight nearly meant we had to call it off.

Defending from bots with Cloudflare

We use Cloudflare to protect our CTF from spam bots, VPNs and hackers.

Safely delegating role creation in AWS

AWS IAM permission boundaries allow you to safely delegate user and role creation permissions

What makes the Punk Security CTF tick?

Our DevSecOps CTF is May 4th this year, but what makes it tick?

Using iam roles inside AWS Kubernetes

AWS managed Kubernetes (EKS) allows your pods to assume AWS iam roles automatically so you don’t have to handle pesky credentials.

Auditing Fortinets Github with SecretMagpie

SecretMagpie is our opensource secret detection tool, and in this article we walk you through using it against an organisation’s public repositories.

Simplifying kubernetes network policies with cilium

Kubernetes network policies can be difficult to write but the free cilium editor makes it really simple

Auditing Kubernetes with rbac-police

Kubernetes pods can be abused to take over the entire Kubernetes cluster. rbac-police shows you which.

Applying Cyber Essentials scheme to CI/CD

The Cyber Essentials scheme provides simple and clear guidance but how does it apply to cicd?

Blocking cryptomining bills with SCPs

Attackers typically use stolen AWS Access keys to deploy expensive cryptomining ec2 instances, but this can be be blocked with SCPs.

Simon presenting on the cyber attack stage

Simon spoke about subdomain hijacking at DTX!

Simon delivered his subdomain hijacking talk with a new twist. Why is DevOps making us more vulnerable?

Simon discussing AWS Route53 NS takeovers

Simon spoke about DNS attacks at BSIDES NCL!

With so many of our talks taking us to Manchester and London, Simon jumped at the chance for a local talk in Newcastle!

The Team at our stand, ready to meet and greet!

We exhibited at DTX 2022

We exhibited for the first time, choosing Manchester DTX as our first ever trade event.

Daniel also spoke on the DevOps stage, giving a fantastic talk on DevSecOps

We are UK Cyber Security Council members

We are proud to be one of the first members of the UK Cyber Security Council, an NCSC initiative and self-regulatory body for the Cyber profession.

usecure allows us to address the human element to cyber risk

We evaluated the leading vendors in this space and found uSecure to be the best fit for our customers. In fact, we liked it so much that we’ve decided to include it in all of our vCISO packages for small businesses.