Is it though?
Before I talk about security, motives or whatever, let me try to introduce myself a bit. I hope this might give a better understanding of why I’m doing this in the first place.
So, my name is Wiard van Rij (picture for reference). I’m a DevOps engineer with a passion for hacking (for the good). I focus my ‘hack’ work on web-based applications a.k.a. websites. In my spare time, I test the web on bug bounty programs such as HackerOne and the occasional requests I get via LinkedIn or any other network.
Regular work involves a lot of automation and “the cloud” in general (Kubernetes most recently).
The primary reason for this website is to deal with statements such as “Our website is secure”. To which I want to challenge you: Is it though? In the few years I’ve been doing this, I’ve mostly won the challenge. Perhaps it was a small and minor “thingy”, yet... that website was not “secure”. On the other hand, I want to create awareness to take security seriously, especially when dealing with user data.
Instead of arguing online, I can just send a link with “is it though?”. Remember, I automate things.
The second reason is that I just keep reading about events where companies who process thousands if not millions of users are getting hacked. Because of my interest, I follow up and read some technical details, and in most cases the hacks/exploits are not advanced. At which point I just thought: I could have prevented this. So here, I will try to make things safer, one by one.
Whitehat hacking is still a grey area. I honor responsible disclosures and/or scopes defined in certain bug bounty projects. Yet these are mostly companies who have their security already in control. I want to reach out to companies who might not have that. Therefore this “open challenge”.
Perhaps you got this site personally linked by me, or hopefully someone else (that means I’m doing something good). It’s up to you to challenge me by sending a request.
Please read more about that on my contact page!
I’m annoying. When I see a bold statement I will spend some time to prove you wrong.
My argument is easy: I know that there are some sublime companies with a lot of talent actively investing thousands of dollars in security. Yet they still have security issues. Are they bad at what they do? Do they have zero sense of security? I believe technology is evolving really fast and bugs do happen. It is about what you are going to do with it. Making bold statements saying that you are secure is the worst you can do. Being (pro)active about it and keeping it up-to-date is mandatory towards a more in-control environment.
Uber resolved 1175 issues. Adobe 1936. Airbnb 509 and PayPal 437. Dropbox and Snapchat both fixed around 250+ issues each.
Yes, they might have a huge platform, yet it just proves how many issues can be resolved by maintaining security awareness. I’m also there to help you set things up, give pointers and actually check for flaws.