Tag: Penetration Testing

  • Meet the Team: Brian Tant, VP of Engineering

    I’m Brian Tant, and I serve as Raxis’ VP of Engineering. This week, I’m the subject of our in-house infosec inquisition where I’ll be asked all manner of probing questions intended to give you, the reader, some insight into the machinations of a troubled mind. Normally, I avoid this type thing, but, after a series of increasingly dire threats from our COO, Bonnie Smyre, I relented.

    Jim: When did you first get into security?

    Brian: Do you want the professional answer or the seedy underground one?

    The professional version is that I started in IT at the ripe age of 17. I lied about my age to get on with a tech staffing company. They made me do a series of placement tests, although back in the day we used paper.

    Jim: [shudders]

    Brian: I know, right? Anyways, I had been doing computer stuff for a while and the tests were pretty basic. I did well enough that I bubbled up to the top of the roster for a big brand company looking for a tech. They brought me in and made me a field technician day one. It was the typical firehose-sippy-cup experience that comes with jumping up a level.

    Fast forward several cubes later. At some point, I found I had a knack for Terminal Server and Citrix and did that for several years. My last deployment was one of the largest Citrix farms in the world at the time: 1000+ servers and 30k concurrent users across the globe.

    Jim: And then?

    Brian: I got bored. How many times a day can you hear the phrase, “I can’t print” before you start questioning some fundamental life choices. I loved the tech, but the users. Oi.

    Jim: So where does security come into the picture?

    Brian: Ah. For that we have to re-visit the dark seedy part I mentioned earlier. Back in the 90s, the hacker scene was mostly to do with phones and usenet groups. Networks were mostly flat, and email was a cool idea that would never take off. My taste for mischief found a home in that community. Twenty-some-odd years later I decided to re-kindle that and found that there was a whole sector of talented folks that shared a passion for devious tinkering.

    Jim: And the rest of the story?

    Brian: As a Raxis Paul Harvey would say…

    Jim: Wow.

    Brian: Yep. I am that dork. Mark (our esteemed CEO) took a chance and brought me onboard Raxis early on. We were tiny, but eventually found our voice. Since then, we’ve grown, and I’ve been privileged to be a part of building something special. What we have here is a real sense of family. I can’t imagine being anywhere else.

    Brian doing literally what he’s often suspected of doing figuratively.

    Jim: Switching gears. If there is one thing I’ve learned working with Raxis it’s that you guys roll hammer down all day. The pace is frenzied, and things are always changing. How do you unplug?

    Brian: As my wife will tell you, I have a problem with hobbies.

    Jim: Oh?

    Brian: Most of them tend to connect with farming or agriculture in some way. We have a small homestead where we keep bees, goats, worms, chickens and an indeterminate number of dogs and cats at any given time. I sit on the board of directors for the local farm bureau and chair the bee keeping club.

    Jim: No shortage of fur-babies then.

    Brian: I also make wine, mead, soaps, preserves, and have been known to run a still now and again. For a while I even made a podcast that gained a modest following. I do a lot of backpacking and am a master diver.

    Brian spending quality time with his six-legged livestock.

    Jim: Back up; a still as in moon-

    Brian: As in alternative fuel for small engines.

    Jim: [cough] Moving on, if you had to pick a favorite thing about working at Raxis, what would it be?

    Brian: Easy. It’s the people. The people are the heart of this company. Raxis is an ego-free zone. We’re all passionate about what we do, but, unlike most shops, Raxis is built on empowerment. We’re only the best if our people are at their best, and that means we take care of each other. The same holds true with our customers. Our success comes from helping them succeed.

  • Meet the Team: Bonnie Smyre, Chief Operating Officer

    As Raxis’ chief operating officer, I’ve been busy prodding coworkers to do these meet-the-team interviews. (Looking at you, Brad, Brian, and Mark). Now, it’s my turn for a conversation with our marketing specialist, and the result is the interview below. I’m more accustomed to conducting interviews than giving them, so, if you’re a qualified penetration tester, check out our YouTube channel and our careers page. If Raxis is the type of company you’d like to work with, who knows – maybe I’ll get a chance to interview you.

    Jim: First of all, condolences for your Tarheels’ recent loss to my Seminoles in football.

    Bonnie: That’s all right. I’m a baseball fan, so North Carolina will get its redemption in the spring – if not before.

    Jim: Really? I wouldn’t picture you as a baseball person. How did you become a fan?

    Bonnie: That started while I was at UNC. I was working as a web and database developer for many years. Baseball just seemed to be an athletic extension of that same mindset. As a game, it fit in with the details, patience, and long-game required to code a complex application from start to finish… and end up with a result that faculty, staff, and students were all happy with.

    Bonnie cheering on her alma mater.

    Jim: I don’t think I’ve ever heard anyone make that connection before. Is that what attracted you to a career in IT in the first place?

    Bonnie: I was a shy bookworm when I was younger. IT was a field I thought would allow me to work independently and not require me to interact as much with other people. However, as I grew in my profession, I realized that I needed to get past that shyness if I wanted to really make a difference.

    Jim: Did that happen naturally, or did you have to work at it?

    Bonnie: Oh, I worked on it. I moved on to a development job at PBS North Carolina (UNCTV while I was there). During our pledge drives, I was usually backstage working on a computer, but occasionally I would be on the phones and on live television. There are people who still tell me they remember seeing me on air.

    Jim: Did that make you more comfortable being in front of people?

    Bonnie: That started me on the path, I think. But the real breakthrough was when I went completely outside my comfort zone and took improv classes for a few years. I was petrified at first, but I met some great people who gave me the courage to get over my fear.

    Jim: I think most people would find that terrifying – to be on stage, all eyes on you, and the pressure to be funny.

    Bonnie: Improv isn’t like stand-up comedy. The whole point is that you are not alone. The team has your back, and you have theirs. It gives you a confidence to just run with what pops into your head & see if it’s funny.

    Jim: Okay, so you’re a veteran IT pro and you’ve got all this improv experience. How did you find your way to Raxis and bring those skills together?

    Bonnie: Our CEO, Mark Puckett, & I were good friends in high school, and I met his wife when her mom and dad were “band parents” for the marching band. (I played the flute.) In 2014, I moved back to the Atlanta area to be closer to my family and began working as a penetration tester at Raxis. When my first PSE (physical security evaluation) job came up, I found that my improv experience helped me think on my feet.

    Jim: So, improv helped you convince people you were someone else and your IT background allowed you to capitalize on that?  

    Bonnie pretending to be an elderly woman on stage (l) and for a real-life PSE (r)

    Bonnie: Yep. It’s a bit scary how often people believed me, but the good news is, it was all for educational purposes. Once they see how easy it is for someone to slip past their security, it helps them better understand what they need to do to protect themselves and their companies.

    Jim: Unlike other companies, most of Raxis’ best work has to stay confidential for obvious reasons. In the absence of outside validation, what makes the work fulfilling to you?

    Bonnie: As I’ve grown in this job from pen tester, to project manager, to leading operations, I’ve found that I’m no longer in a shy IT position. Just like my improv team made me feel safe to try new things, the team here at Raxis makes things fun every day. It honestly doesn’t feel like a job. I get to work with great people and do what I love each day.

  • Meet the Team: Scottie Cole, Lead Penetration Tester

    I’m Scottie Cole, and this week, it’s my turn to be interviewed by our marketing specialist. Unlike my Raxis colleagues, I’ve been friends and worked with Jim for well over a decade (that is, if you consider what he does actual ‘work.’) What follows is our best attempt at an interview, but it highlights one of the things I like best about this team: For as hard as we work, we also have a lot of fun. If that sounds like an environment that would bring out your best, check out our careers page and learn more about our opportunities.

    Jim: I seem to remember you having much darker hair when we first met.

    Scottie: That’s right! And I seem to remember you actually having hair when we first met.

    Jim: True enough. You were responsible for our internal security at the cybersecurity company where we both worked for many years. Some of our readers might think that would be an easy job or maybe even redundant.

    Scottie: Thanks to you and your marketing people, I always had plenty of new risks to mitigate. 

    Jim: You’re welcome.

    Scottie: Seriously, security companies are frequent targets of hackers, so we have to pay extra attention to keeping our own house in order. We have customers counting on us, of course, but we also have our reputation to protect. That raises the stakes and adds a lot of pressure.

    Jim: Given your previous jobs, you were accustomed to working under pressure, right?

    Scottie: I spent several years as a dispatcher, a firefighter, and a law enforcement officer. Those jobs gave me plenty of experience working in high-stress situations. In cybersecurity, the ‘bad guys’ are different, and the fire drills aren’t literal, but the consequences can still be very severe. That’s especially true when you consider how many devices are being connected to the internet now.

    Jim: You’d know that better than most. Your house is like Area 51, except with more electronics.

    Scottie: Well, maybe more radios.

    Jim: That’s right. You’re a HAM radio operator. How’d you get into that? More importantly, why?

    Some of Scottie’s HAM radio gear

    Scottie: As a dispatcher, I became fascinated with radios. When cell service and other forms of communication go down, the HAM operators can continue to broadcast, and that’s an important civil defense benefit. During the terrible hurricane in Puerto Rico, for example, it was the HAM operators providing updates to people in the US. Think about how relieved people were to hear that their loved ones were okay. Or how important it was to know what relief supplies were needed where.

    Jim: Is that how you found your way into the IT security world?

    Scottie: That was actually more by chance than by design. As you remember, our former company was growing fast, especially in the early days. They needed help, so a friend of mine offered me an opportunity to join the team and learn about infosec. Being a first responder was a great job, but cybersecurity offered better pay and more predictable hours . . . in theory.

    Jim: I’ve asked other team members how they found Raxis, but as I understand it, Raxis found you.

    Scottie: That’s right. In my previous job, I didn’t like to take phone calls for security reasons.

    Jim: I thought it was only my calls you didn’t take.

    Scottie: There were a lot of reasons I didn’t take your calls. But I was always wary, and the folks at the front desk knew to screen everyone. But (Raxis’ COO) Bonnie Smyre actually got me on the phone to talk about doing a penetration test for us. My first thought was, “She must be really good if she got through that easily.”

    Scottie Cole, drone operator and wannabe surfer

    Jim: Did you hire Raxis for the pentest?

    Scottie: Yep. But I also got to know Bonnie, (VP of business development) Brad Herring, and (CEO) Mark Puckett and realized this is the type work I want to do, and they are the people I want to work with. As I met other team members, I knew it was a great culture and a great team, so I jumped at the opportunity to join them.

    Jim: What’s your favorite part of the job?

    Scottie: What’s not to like? I get paid to hack into other people’s networks. I get to learn from the best in the business and share what I know with them. It’s an outstanding company in a space that’s becoming a lot more important. When business owners say that a network breach would be more damaging than a fire, you understand just how critical cybersecurity is in our daily lives.

  • What You Need to Know (But Were Afraid to Ask) about Raxis Web App Testing

     What’s special about a Raxis web app test?

    One thing that sets Raxis apart is that our pentesting team is made up of engineers who performed varying roles creating and supporting IT systems before they became pentesters. This includes several engineers who have strong backgrounds in software and web development.

    Even better, Raxis is proud to have a close-knit team of pentesters who collaborate and share their ever-growing knowledge with each other and with our customers. You may have a former web developer performing your test, and that person can easily reach out to a former network admin. They can share info about the most secure web app features as well as how the supporting network should be configured securely.

    Our customers repeatedly tell us how much they appreciate this because it directly translates to relevant, actionable findings. It also encourages natural conversation between their development teams and the security engineers here at Raxis.

    How does this collaboration help customers?

    A recent test we conducted provides a great example: We identified several findings, and the customer was very pleased with the process. Upon follow-up, our sales team found out that the customer saw a small performance reduction after implementing our recommendations. From the customer’s perspective, enhanced security was worth the small drop in performance.

    Because of our development background, however, Raxis’ team members knew that didn’t have to be the case. Our project manager proactively set up a call with the customer to discuss. Result: The customer remediated using Raxis’ advice and regained all of the original performance. They told us they appreciated how Raxis “went the extra mile.”

    To us, that’s just business as usual.

    How many application tests do we do?

    Customers often ask about our application testing process. Application testing accounts for over 50% of our penetration tests. Last year, we performed over 600 application tests. Like all of our assessments, each test is custom tailored to the customer’s application and overall objectives. This could mean testing the entire app, a portion of the app, or following the app throughout the entire development cycle.

    What is your methodology?

    Like all of our assessments, our application tests are primarily manual attack simulations against a customer’s application. Where you see an email field, we see an opportunity for cross-site scripting. Aside from our own experience and expertise, Raxis applies the OWASP framework to our penetration testing, including (though, of course, not limited to) the following assessment categories:

    • Access Control
    • Authorization and Authentication
    • Session Management
    • Configuration Management
    • Error Handling
    • Sensitive Data Exposure
    • Input Validation, Injection and Cross-Site Scripting
    • Root Cause Analysis / Reporting

    So, what do I get out of this?

    At the end of a Raxis application assessment you get peace of mind and a solid deliverable. Our reports align with the NIST standard, so they meet regulatory compliance standards. The reports feature an executive summary, engagement storyboard (where applicable), and detailed vulnerability findings that include screenshots, risk explanations, remediation recommendations, and risk scoring.

    Is your web app security keeping you awake at night?

    We understand. Just as we are known for excellence in pen testing, we’re also known for our no-pressure sales and scoping process. We get it. We don’t like to be harassed, and we know you don’t either. If you’d like to start a conversation with one of our experts to help understand the possibilities for your project, feel free to reach out. We’d love to help.

  • Raxis’ Transporter Enables Remote Penetration Testing

    Adapt. That one word sums up what was, for most of us, the biggest challenge of 2020 and the COVID-19 crisis that came along with it.

    As the pandemic took hold, families, employers, and employees had to adapt to a new way of living. Children had to adapt to learning virtually. Parents had to adapt to working from home while caring for children and helping them with school. Pets had to adapt to everyone being home all the time. Companies had to adapt to remote work, Zoom meetings, and new ways to collaborate. 

    It was much easier for some than others. Raxis, for example, has been a remote-work company since its launch in 2011. For us, working from home was literally another day at the office. For many of our customers, however, it was a major disruption with lots of implications for security. The need for penetration testing was made more urgent by the dramatic shift to WFH. The question we faced was how to go about it in a way that was both safe for our team and effective for our customers.

    We did continue to travel when necessary, but the pandemic made it more difficult to get to our clients and more time-consuming to conduct our testing. Fortunately, we had another option, one that would allow us to complete internal and wireless network testing without the need for going onsite.

    We developed the Raxis Transporter device several years ago as a time- and cost-saving measure for our customers. With this secure network backdoor, which can be mailed to and installed easily by customers, we can conduct in-depth testing remotely. When the pandemic hit, the Transporter became a lifeline for customers who needed our services, even if they couldn’t host us at their physical locations.

    In the video above, I explain more about the Transporter, how we use it, and why it gives us another cost-effective option for delivering high-quality services to our clients.

    As you heard in the video, Raxis’ Transporter is a simple-to-install device that allows our elite team of professionals access to everything they need to perform a thorough penetration test. And that’s just one of the many practical innovations we bring to our work.

    All of us hope that the pandemic is on its way out, but remote work is here to stay. I’m proud to work with a company that remains way ahead of the curve for our team and for our customers. 

    If you are ready for Raxis to put your security to the test, contact us. We can discuss which type of test would best suit your company and your needs. 

  • A Note from the Hacker-in-Chief

    Raxis is an amazing place to work. 

    As founder and CEO, I say that with a great deal of pride – and only one (very important) qualifier. 

    Raxis is an amazing place to work if you’re the right person for the job.

    Over the past several weeks, you’ve heard from our employees about what makes it special to be part of our team. 

    Throughout this series, they told you what it’s like to work for Raxis, the skills needed to be a penetration tester, and how communication is key not only to our success but also to the success of our clients. While I am very proud of what Raxis has done and how good we are at it, I am even more proud of the culture we have created. 

    At Raxis, we truly believe in fostering a culture of education. We take pride in the learning environment we have created and the continued growth of our people. We encourage our employees to constantly expand on their skills and to share as they go — when one learns, we all learn. 

    We also believe in giving our employees the freedom to do their job on their own time. With that freedom, the expectation of results is understood. Our fully remote team is made up of people who don’t need constant supervision and instruction. Instead, our team is driven by their commitment to finding results for our customers. 

    Most importantly, when it comes to fostering the Raxis culture, it comes down to teamwork. Our diverse team is composed of some of the brightest minds in the business all bringing different backgrounds and skillsets. We learn from one another, and by learning and working together, we provide amazing value for our clients. 

    Now, I’ll let you in on a little secret: What makes it special to me is all of them – the world-class team of professionals we’ve assembled. Their intellect, tech skills, experience, and personalities make each day interesting, exciting, and incredibly rewarding.

    Being part of the Raxis team is not an easy job, but it is a fun job. Again, if you’re the right person for it.

    Do you have what it takes to be part of our team? Please make sure to watch all the videos in this series. Honestly assess your ability to thrive in an environment where we value accountability far more than control. Where freedom and flexibility bring out our absolute best work. And where we’re as excited about tomorrow’s challenges as today’s victories. 

    If that sounds like your ideal work environment – and you’ve got the skills to hit the ground running – then let us hear from you.

     

  • A Culture of Freedom with an Expectation of Results

    When it comes to choosing a job, there are so many things to consider – benefits, responsibilities, leadership, and of course pay — to name just a few.

    But for many, a company’s culture is near the top of that list. In fact, an Indeed survey found that 72 percent of job seekers say that it is extremely or very important to see details about company culture in job descriptions. The survey also found that 46 percent of job seekers said they would not apply to a job if they did not believe it would be a good culture fit for them. That’s pretty eye opening.

    At Raxis, we look for talented people we know will work well with our unique culture. If you think that makes us very selective when hiring, I’d say that’s accurate. But here’s why: We give our employees a great deal of freedom about when and how to get their jobs done. With a fully remote team, we hire people who don’t need constant supervision and instruction. Instead, they are driven by a powerful desire to get results for our customers, and we hold them accountable for doing just that.

    Not everyone works well in that type of environment — and that’s okay. There are lots of tech jobs with an abundance of structure and routine. But if you’re the type who thrives outside a rigid environment, and you do your best work independently, check out the video below (and others in the series).

    Raxis lead penetration tester Scottie Cole talks about the freedom he has as a Raxis team member and the tremendous responsibility that comes along with it.

    We know how important culture is to prospective employees. It’s just that important to Raxis, too. If you’re a talented cybersecurity pro who values flexibility and is committed to results, you’re the kind of person we want to hear from.

    For more information, check out our careers page and the rest of our website to see what we offer.

    Want to learn more? Take a look at the first part of our Working at Raxis discussion.

  • Change is Growth in the Pen Testing Field

    Ask most of us at Raxis what we do, and we’ll tell you we’re penetration testers or ethical hackers or simply that we work for a cybersecurity company. But if you ask what that means – what we really do on a day-to-day basis – you’ll likely get a variety of fun stories about sneaking into buildings, bluffing our way past security guards, using high-tech equipment and special software to hack into networks . . . you know, the usual things.

    That’s partly because the field of penetration testing requires us to try many different approaches to breach a customer’s defenses, which means the more skillsets we bring to the job, the better our chances. But it’s also because Raxis is a company where those additional talents are rewarded with opportunities to grow.

    In this week’s video, Adam Fernandez explains how his journey at Raxis has taken him from pen tester to his current role as our Lead Developer. 

    Adam is a great example of the unique talent we have at Raxis and the type of multifaceted professionals we look for to join our team. His professional growth is helping our company grow and in turn opening up new opportunities for all of us.

    Are you the kind of person who brings more than one set of skills to the job? Are you looking for a team where flexibility and adaptability are appreciated and rewarded? If so, take a look at the other articles in this series and let us hear from you.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Client Success is Raxis’ Success

    At Raxis, we find communication with our clients is one of the most critical components of our service.

    Throughout the penetration testing process, we communicate with our clients through daily updates. At the end, we provide not only a debriefing call but also a full report describing what we found, what it means for them, and steps they can take to resolve any issues uncovered throughout the process.

    In the video above, Raxis Senior Manager of Operations and Customer Delivery Tim Semchenko explains how critical the after-action reporting is for our clients.

    It is undeniable that finding network security vulnerabilities and helping our clients shore up those weak spots is a huge component of what we do. However, the key to a successful engagement between us and the client is all about the communication. Our penetration testers must be able to not only find security flaws but also to accurately communicate these issues with the client as well as detail how to remedy them. 

    We could simply drop a report on your desk showing what we found and what to do to fix it, but that just isn’t who we are. We want our clients to feel that Raxis is a trusted partner who respects them and is there to help them understand every aspect of their report.

    By treating customers like partners, we ensure our success is based on your success. 

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • What’s it Like to Work at Raxis?

    One of the great things about being a penetration tester is explaining what we do to people inside and outside the world of cybersecurity. Having done this work myself and now managing others, I can’t imagine a more fascinating job. However, I also can’t imagine doing this job for any company other than Raxis.

    That’s because we’ve assembled a team of outstanding professionals with wildly diverse backgrounds that range from film and television to law enforcement to web design to IT administration and software development. We are, of course, expert hackers, but working for Raxis means that we all bring much more to the table.

    Over the next several weeks, we’ll be offering up a series of videos that will show you what our company and our work are truly like. These videos will likely be helpful if you’re interested in penetration testing as a career. They’re must-watch material if you want a career at Raxis.

    In addition to an advanced skillset, we expect an incredibly high degree of integrity. The nature of our work means that we only bring on people who have held positions of trust and who have proven themselves worthy of ours.

    Integrity is essential, but it’s only one part of the larger picture that is culture. Beginning with our founder, we’ve brought on people who work well together, naturally. We have created a culture that places a high value on creative thinking, problem-solving, and above all, teamwork. 

    Please take a look at our inaugural video above. Raxis’ chief technology officer Brian Tant and I will explain how each penetration test presents different issues and opportunities. If you think you have what it takes to join our ranks, keep watching in the weeks ahead as other members of the Raxis team discuss different aspects of life in our world.

    Also, keep an eye on our careers page. Occasionally, we have openings for people with the right skills, determination, and attitude to join our team.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Three Reasons Why a Penetration Test Won’t Break Your Network

    Myth: A penetration test breaks your network. 

    Reality: A penetration test helps you find vulnerabilities so someone else doesn’t break your network (and your customers’ confidence in you).

    This is actually a common concern we hear from potential customers. Many are worried that a pen test will damage their network by crashing a server, knocking their website offline, causing an eclipse, or maybe releasing a 5G kraken. 

    In the video above I explain how we work with our customers ahead of testing to make them feel at ease and to help them understand that our profession is hacking but that our business is protecting theirs.

    As I explained in the video, our pen testers aim to make as little noise as possible while they’re slinking around in your network. Our whole goal is to get in, and to not get detected or get blocked. Crashing and breaking things is the opposite of that. And we’re simply not going to perform the kind of attacks that cause actual damage.

    The only scary part of our penetration tests is when you realize what might have happened if a hacker found your vulnerabilities before we did.

    Be sure to also check out this article from Bonnie Smyre: What to Expect When Expecting a (Raxis) Pen Test?

    If you are ready for Raxis’ elite team of professionals to put your security to the test (did we mention they have successfully breached some of the most sophisticated corporate networks in the US?), then reach out to us here.

    Also, if you liked this video, please be sure to subscribe to our YouTube channel for more videos that can help you improve your security posture.