Between pentesting and entrepreneurship

Yesterday I was driving back home on my scooter. It’s a 40-minute trip, and while weaving back and forth between crazy cars that don’t respect speed limits I get a lot of time to think.

A security specialist is like an entrepreneur or a startupper… he must have a strong culture of failure.

The culture of failure…

Yesterday here in Italy, our Minister of Economic Development, Corrado Passera, attended a startup meeting near Venice. It was great news in my country, since startup culture is something that has been growing slowly in recent years.

He spoke about failure: “Chi fallisce non è un fallito. Chi fallisce è chi ha imparato qualcosa”, which in English would sound like: “Whoever fails is not a loser. Whoever fails is someone who has learnt something.”


from penetration testers…

An application security specialist (like anyone else, on the other hand) fails many times during his career. When you start testing a web application or a host for vulnerabilities, it’s quite common for an inexperienced tester to cause the target system to crash. It’s common to make mistakes choosing the tool or tuning the scanning parameters, and to be too aggressive (against poorly written code).

Inexperience can drive you to make wrong assumptions and fill your reports with false positives.

Good hackers must learn and never give up. This is obviously true in so many fields other than IT Security.

Pentesters must be curious; they must read tons of blogs and online resources, and ideally they must learn something new every day. They must not be scared of a new DBMS they weren’t aware of, and if they find something strange, a good approach is to start googling it.

This is the stream of consciousness that was in my mind yesterday around 6pm CEST.

to startuppers.

I was also thinking about myself as a startupper.

Starting up this blog almost 6 months ago was great, and I’m collecting more than 10,000 unique visitors; thank you for this. is my side project since last year, and I’m working almost in the dark, wrapping up code I’m writing that you should be aware of. Most of it is in my personal GitHub repository.

I was very excited when I discovered that in 2009 some people put online a code review platform based on GitHub. The startup was called and it was online at least until 15 March 2011.

Other competitors offering code review as SaaS are out there, and Veracode is one of the most promising players in this field.

Actually, I don’t know if I’ll build codesake in some way, or if I will release an MVP, or if one day I’ll appear in the Gartner Magic Quadrant.

I just did a whole penetration test using the OWASP Testing Guide and some ruby code I wrote (ciphersurfer and enchant, which will soon be merged into links).

A set of ruby code that will be the spine behind the upcoming

