Joshua.Hu | Joshua Rogers' Scribbles

Security Engineering & Penetration Testing Services

Need contracted services? I design, break, and build secure systems. If you want candid findings and real solutions, you have the right guy.

I have three principles:

  • Extreme ownership: I own the work, lead it, and deliver.
  • Getting the right shit done: focus, prioritize, and make a real impact.
  • Customer obsession always (my customers and your customers): I work to make the end-user experience excellent and care about the people using the product.

My approach:

  • I call out insecure or fragile designs plainly and bluntly, with evidence and specific solutions.
  • My aim is durable, material improvement to security, not theatre.
  • I architect complete security solutions, not temporary workarounds.

Remote or on-site; travel at cost. NDA on request. Invoicing in EUR or PLN; prepaid blocks upfront; project or retainer per statement of work.


Services

Penetration testing (software)

Application security testing, closed and open source. Web/API, mobile, desktop, cloud/K8s, CI/CD, developer tooling, and software-exposed services (no hardware/IoT, no social engineering).

Network and service infrastructure security review

Holistic review of network and infrastructure security: exposure and attack surface, segmentation, routing/DNS/TLS, IAM, zero-trust and perimeter, logging and monitoring, backup and BCP, and change management.

First-party source code review

Full review of codebases to find vulnerabilities, risky patterns, and any malicious or suspicious code. Covers authn and authz paths, input and data handling, secrets, cryptography, error handling and logging, concurrency and memory safety where applicable, and build and release integrity with reproducible build steps in CI where feasible (no Rust or ASM).

Third-party code review / dependency review

Review of the source code and release pipeline of external libraries, SDKs, and services before adoption or during due diligence, with a focus on supply-chain risk. Includes full source code review (where source is available) for vulnerabilities, malicious or suspicious code, bug classes, insecure defaults, and risky patterns; assessment of maintainer health, dependency tree and transitive risk, build and distribution integrity, signatures and provenance; and verification of reproducible build steps. Closed-source programs can be analyzed in many circumstances.

Security architecture

Architecture for new systems and infrastructure, and re-architecture of existing ones. Establish trust boundaries, identity and access patterns, data protection controls, secure-by-default services, and operational guardrails. Integrates with your cloud and platform capabilities.

Security tooling design

Design of security tooling and capabilities. Define requirements, architecture, data models and schemas, event pipelines, integrations, and build vs buy recommendations. Aligns with your engineering practices and roadmap.

Security tool engineering

Design or development of internal security tooling: findings pipelines, CI/CD gates, discovery and triage automation, and red/blue utilities.

Incident response and crisis management

IR playbooks, runbooks, tabletop exercises, on-call advisory during incidents, coordination with forensics, stakeholder communications, and post-incident hardening.

Workshops and talks

Hourly, full-day, multi-day workshops (on-site or remote) for developers, engineers, and security teams; tailored talks and presentations.


Contact

For more information, pricing, and so on, contact me with approximate details at services [at] joshua.hu.