I strongly believe that whatever area of security testing you are working on (applications, smart contracts, hardware), these points apply.
1. Be prepared to fail
- Expect 40-45 out of 50 reports to be duplicates, known issues that are not going to be fixed, mishandled by triage, out of scope, or blocked by some other technical roadblock that you are unaware of from a black-box perspective.
- Your success rate when starting out is generally low, but that is how anything in life is.
2. Constantly self-evaluate
- Evaluate why reports were closed. Extract the problems/insight and use it in future reports. If one program/project thinks a WAF will block the attack, you can expect other programs/projects to think the same. So DIRECTLY address it in the initial report.
- Build on your failures and cover your back before miscommunication occurs. You ONLY learn this from failing, which becomes experience. That is why you should embrace point No. 1.
3. Fight Imposter Syndrome
- Have you ever smashed through a series of practical labs and CTFs, thought you were unstoppable, and then turned to a live application and felt like you were running into a wall?
- Imposter Syndrome is real. Understand its patterns and learn to recognize the thought process that is associated with it.
- This will help you fight the urge to give up and keep your confidence up. The BIGGEST fight you have in bug hunting is with yourself.
4. Speak Life to yourself
- "The tongue has the power of life and death" - Proverbs 18:21
- Speak positive, confident, caring words to yourself, no matter how hard the current wall in front of you is.
- You got this far, right? Why can't you make it further?
5. It rarely is a textbook vulnerability
- While I am thankful for the several projects out there that explain vulnerabilities, when it comes to replicating that process/bug, I find it often fails... or maybe I was the 12,345th person to try that approach.
- Anyway... even from reading disclosed bug reports, reporters' finds are unique.
- Why? Bugs are not generic. There is usually some subtle variation from app to app which, if you have not FAILED enough, you won't know to recognize.
6. "I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times."
- In reality, you won't master everything in one go.
- Learn 1-3 attack classes, build a testing methodology using practice labs, test the methodology on live targets, and refine.
- Why? ...MASTERY.
- You only get good at what you have failed at several times. On that note, never automate anything you have never manually practiced before. This way you'll know what to expect when things go wrong, what successful results look like, and what data is actually useful. (Some of it is just noise.)
7. Starting is always the biggest hurdle
- Starting will always feel overwhelming, especially if you decide to look at a big company.
- Our amazing minds are BRILLIANT at RATIONALIZING. We can beautifully talk ourselves out of testing a program/project for some rational reasons: it's big, they can't have bugs, I'm not ready, let me spend more time learning.
- Don't hide from the feeling. Recognize it. Acknowledge it. And push through. You only lose by not starting. If you got >=0 bugs, you still learn something new.
8. Ego doesn't help
- The bigger your ego, the greater the hit you'll take when you can't find anything.
- Enjoy the small wins. Slow success builds character.
- You learn real mastery, patience, gratitude and self-discipline from moving slow.
- Ego will leave you hung out to dry, burnt out and/or a mental wreck after a few months of 0 bugs.
9. You will forget. WRITE
- Even if something seems meaningless in the moment, make a side note... in a way that a future version of yourself will read and understand.
- I'm guilty of this. Several notes that were correct, but reading them again after a while, they made no sense. I probably missed a few bugs.
- Keep everything documented.
- Try different writing styles over time.
10. It's always hard.
- Everyone is looking for common bugs, so of course it's hard.
- Go for the bugs which are lesser known, high severity, and which most people won't have the patience to learn/find.
- Get ready to fail, master an attack vector, and you are guaranteed to win sometime in the future, one way or another.
11. Social media is the best place to feel like a failure
- If you want to feel like a failure, read success stories with a negative mindset.
- Success stories are made to inspire in a positive, constructive way. If you read a success story and you feel dampened, depressed, down... chances are you need to change your mindset to be more constructive.