If I'm not mistaken, gitea stores codebases/projects on the filesystem, so having a hardcoded database password makes no difference. If someone gets into the server they can simply copy the files without touching the database.
As others have indicated, a VPN server of your choosing (openvpn/wireguard) can solve your issues. Even if at some point there's an "unauthenticated RCE" exploit for gitea, having it behind a VPN will mitigate that.
I think you're just stuck because your current employer doesn't have clear paths of progression. Usually in 3 years pentesters move to either a team lead role or pivot to other areas like simulated attack (red/purple teaming).
If you enjoy pentesting, I'd just look for another job, especially since the demand for ex-devs in pentesting is huge. Have a look at a previous comment I posted: https://news.ycombinator.com/item?id=32303528#32305561
Hello, author here. That's a database driven DNS server alright. (Bonus: it's got a web admin interface.) There are DNS implementations with various backends; that's kind of the point.
I'm not sure that a mainstream SQL database is really a good target for network telemetry and e.g. access logging artifacts. Not talking about a time stream database either. There is an architecture here, and it's predicated on not collecting "all the things" in a central place.
Example: In this model, a service / server you're monitoring might have a couple of Redis keys which get incremented every time there's a successful or unsuccessful login. Maybe there's a redis hashkey with fails for individual accounts too.
There might be a graph somewhere of the login / attempt rates. It would query the summary redis keys (via the DNS) once a minute (doing whatever it needs to keep historical datapoints for however long they're needed).
If the rate skyrockets, maybe the hashkey with account-level granularity is consulted but most of the time it wouldn't be.
There might also be a Zabbix alarm somewhere querying the same keys, and if a threshold setting is exceeded, then an alarm is sent.
It's pull, not push. It's easy enough to write something to make the periodic queries and post them to e.g. ElasticSearch and graph it with Kibana.
So the question concerns the SIEM part. Something like Splunk is married to its database (their pricing model is based on how much data you want to put into that database). Something like the Yeti Threat Intelligence Platform (TIP) (https://github.com/yeti-platform/yeti) comes with the ability to manage and orchestrate a large number of periodic or event-driven tasks and therefore has the capability to generate the periodic DNS queries; it's been a few years, but its graphing capabilities didn't compare to ELK when I looked at it.
There's a lot of overlap with SCADA as well. All of the necessary features I've mentioned can be assembled from open source projects.
Is there some SIEM, TIP or Ops product out there, with an active userbase, which has the periodic task capability, alarming, and graphing?
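One way to implement the pull model described in the comment above, as an added example that is not part of the original comment: a plain dict stands in for the Redis summary keys and per-account hash (a constructed stand-in, not the DNS-fronted store itself), the poller keeps a history of datapoints, and the account-level hash is consulted only when the failure rate exceeds the alarm threshold.

```python
from collections import deque

# Constructed stand-in for the Redis keys the comment describes: two summary
# counters plus a per-account hash of failed logins. A real deployment would
# read them through the DNS-fronted store; this dict keeps the example offline.
def new_store():
    return {"login:ok": 0, "login:fail": 0, "login:fail_by_account": {}}

def record_login(store, account, ok):
    """Service side: bump the summary counter; on failure also the per-account hash."""
    if ok:
        store["login:ok"] += 1
    else:
        store["login:fail"] += 1
        acct = store["login:fail_by_account"]
        acct[account] = acct.get(account, 0) + 1

class LoginPoller:
    """Monitor side: pulls the summary keys once per interval, keeps history,
    and consults the per-account hash only when the failure rate spikes."""
    def __init__(self, fail_threshold, history_len=1440):
        self.fail_threshold = fail_threshold        # failures per poll interval
        self.history = deque(maxlen=history_len)    # (ok_total, fail_total) datapoints
        self._last = None

    def poll(self, store):
        ok, fail = store["login:ok"], store["login:fail"]
        # Counters are monotonic totals; the rate is the delta since the last poll.
        ok_rate = fail_rate = 0
        if self._last is not None:
            ok_rate, fail_rate = ok - self._last[0], fail - self._last[1]
        self._last = (ok, fail)
        self.history.append((ok, fail))
        alarm = fail_rate > self.fail_threshold
        top_failing = None
        if alarm:
            # Drill-down happens only on alarm: the per-account hash is not
            # polled routinely, so it costs nothing in the normal case.
            acct = store["login:fail_by_account"]
            top_failing = sorted(acct.items(), key=lambda kv: kv[1], reverse=True)[:3]
        return {"ok_rate": ok_rate, "fail_rate": fail_rate,
                "alarm": alarm, "top_failing": top_failing}
```

Calling `poll()` once a minute from a scheduler and shipping the returned dict to ELK or a Zabbix item gives the graph and the alarm the comment describes, without ever collecting raw login events centrally.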
You can gear yourself towards writing security-related tooling as /u/uaas mentioned, but you'd effectively still be a developer and not a pentester. If that's what you're after, you'll get exposure to InfoSec but you will never do actual pentesting to find vulnerabilities etc. I mean you might, but the companies that offer you both are very few.
I made that exact jump from development to pentesting 6 years ago, after about 10 years of development. Will you miss development? Absolutely. Are there opportunities to scratch that itch? Yes there are - but it's with scripting. The things that can be scripted to make you more efficient are insane. Your ability to understand not only what is broken but also why it's broken will help you advance yourself. You have probably even coded that exact bug in the past so you know where else to look, and you know how to do code reviews. In general, the need for pentesters with a dev background is very very high, especially since now companies worry about supply chain attacks, SDLC, etc.
My solution was to keep coding in my spare time; when I have an MVP I show it at work and then ask for time to work on it. I've significantly improved internal processes, and I've released a few offensive security tools, two of them I even presented at security conferences - as in full blown applications rather than "here's a script that does X". This way I get to pentest and provide solutions to industry-related problems. One thing to note is that most of the security tooling out there (the open sourced ones) is very python/C#/Go centric. I've seen applications written in Rails/Java that didn't get the love they deserved just because it's a pain to install them. I had to learn both python and C#, but it was totally worth it.
If you do make the jump, get ready to take a salary hit as you'd be hired as a mid-level consultant at best - and that's only if you've proven that you know a lot about cyber security, OWASP vulnerabilities, etc. But don't let that stop you, I've seen people join the industry as juniors and in 6 years making over 6 digits (UK). YMMV, but if you put in the time and effort, it's worth it.
As a user I hate it when I get localised prices, especially if the at-the-time exchange rate ends up being more expensive for me. If I see something sold for $9.99 but I get £9.99 I think "why am I paying more for this", simply because the exchange rate is more favourable since I'm in the UK. But when I only see USD prices I'm more likely to buy something as it's not overly complicated.
If you want you could pull real-time exchange rates and have a button that indicates the conversion for someone who wants to see the "most likely" price (depending on when they actually pay for it).
For example, if you sell something for $9.99 just leave it as such, and Stripe will make the conversion and you'll always sell at the same price regardless of where someone is coming from.
The problem is that, in some places (like India, for example) $10 might be a lot of money.
One might be able to do a lot more with $10 in India (₹800), than with $10 in USA, due to reasons that are beyond anybody's control.
For instance, I can travel 3000 km by train with $10 equivalent in India if I really wanted to (wouldn't be very comfortable, but it's possible).
The wages in those countries are also proportional to this.
This becomes relevant if you want your product to be not expensive, so that it reaches a wider audience.
For expensive goods the price difference doesn't matter as much. (Though I know people who were bummed that the Ford Mustang 5.0 V8 was twice as expensive in India than USA — but that's a different market).
I totally agree with you, but the common "this is why we can't have nice things" end result of such scenarios is that people will VPN via India in order to buy your product. And then you have to identify VPNs in order to avoid this, etc.
I don't have a solution for this, I just think the effort/reward should be considered.
The solution for this is to match the billing method.
For example, I don't care if they use a VPN - if they want to pay Indian rates, they have to do so from an INR-denominated account with an Indian billing address and have to do so using Razorpay/UPI/Indian Netbanking transfer/AirtelMoney/.... Everyone there has it - not having it is not an excuse, "I want to pay with a US Mastercard" is not an excuse. This solves it for the 99.99%+ use case. The "majority" here is so strong that if someone in India cannot pay with at least one of these payment methods and asks to use a US billing address credit card, it's either stolen or for all practical purposes I would be wondering how they survive day to day or buy groceries (or they are probably not old enough to enter into a contract to purchase or licence content from you). (It's probably stolen)
If you want to pay RUB rates, you have to pay via WMZ or YandexCash, Qiwi, Sberpay, Yoomoney.
THB discount? BigC, Tesco, PromptPay, etc.
BRL? Boleto. Even a 12 year old with no bank account can successfully pay with boleto.
Nearly every single country (I have not found one otherwise yet) that would be lower CoL and require a significant pricing adjustment has multiple unique payment methods that the hypermajority are signed up for (or required to use in the first place so everyone has an account) or is paid physically and accessible by anyone present to pay cash, that is inaccessible from US/EU/AU/etc.
These will even significantly lower your transaction fees due to foreign exchange, and lower your chargeback rates because many are effectively fraudproof due to requiring multiple factor mandatory confirmation, not allowing disputes, or being "pay in cash in person at a physical location within the country".
If you want to pay the standard USD or EUR rates, whatever normal card network is accepted no matter where you are from.
I had lasik about 10 years ago, best decision of my life, no side effects. It only took 10 minutes, and I can only assume that the technology has advanced further in the last decade.
I know 2 people who had it around the same time as me, and only one has -1 in one eye after another 7 years. The other person is still glass-free.
My advice is to not go cheap. Don't choose a doctor that "also does eye surgery" (there are a few like that), go to someone who specialises in it and only does that.
Unfortunately I don't have anyone to recommend in the UK as I had mine done in Greece, but I had -5 in both eyes and lasik did wonders.
I've been trying to reproduce this since I saw this post without any luck. The only data I see going out is generic usage data (when you have the "anonymous usage data" enabled) - however I'm not logged into Postman.
I suspect it only sends data to their server if you are logged in so you can use functionality such as "sync between devices", which kind of makes sense.