Cyver relies on a network of skilled professional pentesters to meet the needs of our clients. Mike Terhaar is our lead pentester and he’s been involved with cybersecurity since the early days of the world wide web. Since then, he’s joined and led pentesting teams and fronted his own pentest and cybersecurity consultancy. That wealth of experience comes together with the modern approach of Cyver and its pentest-as-a-service platform to deliver a best-of-both-worlds approach to pentesting. 

Invested in Cybersecurity 

Mike’s background in cybersecurity dates back to the early 2000s, when he worked as a Network Administrator for a university in Amsterdam. At that point in time, the universities set up and managed the web as a completely open project, with no cybersecurity and nothing to protect the service from being hacked. The team had to restore the service, sometimes on a weekly basis. But, with no budget, and the determination to keep the system open source, nothing was done to prevent it. Mike and his team took action to protect the system using open-source tools: building an IDS (Snort), writing IP signatures to track and detect viruses and signatures for detecting malicious traffic, and keeping logs of how attackers were getting in, so they could put up preventive measures. 

Those early days ensured Mike was truly invested in cybersecurity, and he kept at it until the demand for cybersecurity specialists allowed him to turn that passion into a career. He has worked freelance since 1999, as a member of pentesting teams, as a team lead, and as a senior security pentester on other teams. 

Everyone Has Cybersecurity Problems 

Mike’s time as a freelancer means he’s worked with large organizations, participated in massive hackathons, and taken part in team efforts to check the cybersecurity of enterprises with thousands of servers, networks, and IP addresses. 

“In 2010, I worked for a bank, and they had a communications system with VoIP, cameras, etc. I was working to protect that equipment. At one point, I discovered they had a zero day: anyone could log into the communications equipment and listen in on any conversation happening in a room equipped with it.”

At another point, for a different bank, Mike’s team was able to hack an ATM. Someone’s failure to update the system had resulted in a zero day, allowing the team to simply pull money out of the machine. 

Mike launched his own cybersecurity firm, Counterhack, in 2014. Through it, he delivered pentests and cybersecurity consultancy across the Netherlands, to banks, to municipalities, and to organizations ranging from startups to enterprises. 

Moving to Cyver and Pentest-as-a-Service 

When Cyver launched in 2019, we asked Mike Terhaar to join as lead pentester. His vast experience with pentesting made him the perfect choice to start using our pentest-as-a-service and pentest management platform, as proof of concept and to give us real insight into what the platform needs. Now, after using the platform to deliver work for over a year, Mike is glad he joined. 

“Most of my compliance customers don’t yet use all of the features. For example, there’s chat and findings management. Compliance customers normally log in and download their report and then leave. However, our other clients are starting to use the platform more and more. For example, we work with a Dutch municipality that’s using the platform to track findings and it’s great to see how it helps them secure those environments.” 

The platform also saves time: Mike says the report automation alone cuts time spent on reporting by about 50%, allowing him to spend those hours on the client instead. 

From the Pentester: Mike’s Advice 

“The most common issues I see are poorly configured or inconsistently configured headers. Even if the application is secure, there’s almost always a header issue there. This isn’t really a vulnerability, but you always see it and it’s 2 clicks to correct.” 
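The kind of check behind that remark, as an added example that is not part of the original post and not Cyver’s or Mike’s own tooling: a small Python audit that compares the response headers of several endpoints of one application against a baseline and reports what is missing, what deviates from the baseline, and, the “inconsistently configured” case, where the same header carries different values on different endpoints. The three sample responses are constructed by hand for the example; the baseline values are the reviewer’s assumed expectations, not settings taken from the page.

```python
"""Audit security headers across several endpoints of one web application.

Added example. The responses below are constructed sample data, not real
captures; the EXPECTED baseline is an assumed reviewer's checklist.
"""
import re
from typing import Dict, List, Optional

# One year, the value commonly required before a site qualifies for HSTS preload.
MIN_HSTS_AGE = 31536000

# Assumed baseline: header name -> required value, or None when only presence is
# checked (CSP content is site-specific; HSTS is checked by hsts_ok() instead).
EXPECTED: Dict[str, Optional[str]] = {
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "content-security-policy": None,
}

# Constructed sample: three endpoints of the same application, as a reverse
# proxy or framework might serve them after someone tuned each one separately.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Content-Security-Policy": "default-src 'self'",
    },
    "/login": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=300",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'",
    },
    "/api/status": {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
    },
}


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare on lower-cased names."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def hsts_ok(value: str) -> bool:
    """HSTS counts as configured only with a max-age of at least one year."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(match) and int(match.group(1)) >= MIN_HSTS_AGE


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Baseline headers absent from one response, in baseline order."""
    present = normalize(headers)
    return [name for name in EXPECTED if name not in present]


def deviating_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Baseline headers that are present but carry a value other than expected."""
    present = normalize(headers)
    findings: Dict[str, str] = {}
    for name, wanted in EXPECTED.items():
        if name not in present:
            continue
        if name == "strict-transport-security":
            if not hsts_ok(present[name]):
                findings[name] = present[name]
        elif wanted is not None and present[name].lower() != wanted.lower():
            findings[name] = present[name]
    return findings


def inconsistent_headers(responses: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, Optional[str]]]:
    """Baseline headers whose value differs between endpoints (absent counts as None)."""
    per_path = {path: normalize(h) for path, h in responses.items()}
    findings: Dict[str, Dict[str, Optional[str]]] = {}
    for name in EXPECTED:
        values = {path: h.get(name) for path, h in per_path.items()}
        if len(set(values.values())) > 1:
            findings[name] = values
    return findings


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per-endpoint report of missing and deviating headers."""
    return {
        path: {"missing": missing_headers(h), "deviating": deviating_headers(h)}
        for path, h in responses.items()
    }


if __name__ == "__main__":
    for path, result in audit(SAMPLE_RESPONSES).items():
        print(path, result)
    print("inconsistent across endpoints:", sorted(inconsistent_headers(SAMPLE_RESPONSES)))
```

Run as-is it reports the login page’s five-minute HSTS age and SAMEORIGIN framing policy, the JSON endpoint’s four missing headers, and four headers whose values disagree across the three paths. To use it against a real application, replace SAMPLE_RESPONSES with the header dicts from the HTTP client of your choice and keep the baseline aligned with whatever your own policy specifies; the point of the cross-endpoint comparison is that a header set correctly on the home page is easy to lose on a route served by a different handler or proxy rule.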

Mike also points to XSS, which is becoming rarer thanks to web application firewalls. “Protective measures are becoming stronger and easier to configure,” he says, “therefore it’s more difficult to find major weaknesses like XSS or SQL injection in the wild. But when an attacker finds a way to get in, they are free to discover badly written code. Therefore, mitigation does not mean your app should not be coded well.”
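What “coded well” means for XSS in practice, as an added example that is not part of the original post and not code from Cyver or Mike: the same page rendered two ways in Python, once by interpolating user input straight into HTML and once by escaping it for the context it lands in. The user input strings are constructed for the example. A firewall in front of the application may or may not stop a given input; the escaped version is safe regardless of what sits in front of it, which is the point the quote makes.

```python
"""Unsafe versus escaped rendering of user-controlled text in HTML.

Added example with constructed inputs; the function names are the example's own.
"""
import html

# Constructed user input standing in for a value submitted through a form.
USER_INPUT = "<script>alert(1)</script>"


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted text is dropped into the HTML body unchanged."""
    return f"<p>Welcome, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened: escape for the HTML text context before interpolation.

    html.escape() rewrites &, <, > (and with quote=True also " and ') so the
    browser shows the characters as text instead of parsing them as markup.
    """
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def render_attribute_safe(value: str) -> str:
    """Attribute context: the attribute must be quoted and quotes must be escaped,
    otherwise a value containing a quote can close the attribute early."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def raw_input_survives(rendered: str, user_text: str) -> bool:
    """Regression check for templates: True if the user's raw text appears in the
    output unchanged, which is a sign it was not encoded for its context."""
    return user_text in rendered


if __name__ == "__main__":
    print(render_unsafe(USER_INPUT))
    print(render_safe(USER_INPUT))
    print(render_attribute_safe('" onfocus="x'))
```

The third function shows why context matters: escaping only `<` and `>` would leave the attribute case exposed, since a double quote in the value is what ends the attribute there. Template engines with auto-escaping enabled (Jinja2 with autoescape on, Django templates) apply the same rewriting by default; the discipline is to treat every place where auto-escaping is switched off as a finding to review, whether or not a WAF is deployed.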

“Many organizations still don’t see why they need pentesting – I think that’s changing, but not as quickly as those of us interested in cybersecurity would like. Often, that’s because there are too many bottlenecks and too many stakeholders between a developer or CSO wanting a pentest and having it approved. I think approaches like Cyver, with flat rate pentests and scheduling, might simplify that. I also think the approach makes it clearer that the goal is to find and resolve vulnerabilities and as quickly as possible. Most importantly, when organizations do realize they need cybersecurity and they do start pentesting, adopting secure-by-design practices, etc., their rate of found vulnerabilities drops dramatically, because they’re doing quality work designed around security. They care and it shows. Ideally, we see more companies shifting to that mindset in the near future.” 

If you’d like to learn more about Cyver and how we can help, schedule a call with Mike.