Bradley Johnson | Security Operations Analyst

BRADLEY JOHNSON

I’m a passionate security researcher and security professional with over six years within the information technology sector and over a year and a half in a dedicated security role. I’ve been security researching since being admitted into university and I’ve been awarded multiple security researcher acknowledgements throughout the years from massive technology companies such as Microsoft and Apple.

Throughout my whole life I’ve always had a fascination with technology and seeing it rapidly change and adapt to the world around us. I love the mindset that comes with taking a specific concept that was developed for one purpose and then exploiting it to do another.

I have a strong interest in incident response, anomaly detection, malware analysis, emerging security threats and vulnerabilities as well as workflow automation surrounding security processes and infrastructure. I enjoy venturing out and indulging in security focussed podcasts and eBooks for additional knowledge surrounding the topic.

Experience
Qualifications / Awards
Languages

Security Operations Analyst | Xero
March 2018 – Present

Operations Engineer / Afterhours Major Incident Manager | Datacom
August 2017 – February 2018

Service Desk Analyst | Datacom
September 2016 – August 2017

Web Developer | Websight Cre8
September 2013 – July 2016
Qualifications

Bachelor of Computer Science – RMIT

Certifications

SumoLogic – Search Mastery

SumoLogic – Administration

SumoLogic – Security Analytics

Awards

Microsoft Security Researcher Acknowledgement

Adobe Security Researcher Acknowledgement

Oracle Security Researcher Acknowledgement

Apple Security Researcher Acknowledgement

AT&T Bug Bounty Acknowledgement

VITTA ICT Achiever
Languages
C

HTML

JavaScript

PowerShell

Python

Security Researching

Security researching to me is like being placed in a locked room, being handed a key and a box full of padlocks and then being asked to find the lock that the key opens. Instead of being frustrated if none of the padlocks are opened by the key, perhaps the real test of the puzzle was to think outside of that box all along.

It’s important to mention that I only looked for vulnerabilities within sites that openly encouraged and/or permitted security researching and responsible disclosure. None of the vulnerabilities I discovered were discovered with automated tools, through unauthorized access of systems or data and weren’t exploited by myself. All were discretely disclosed to the respective companies as well as being discovered by manually reviewing the code on public external facing websites.

My experience with finding vulnerabilities within massive companies like Microsoft and Apple, as well as the other mentioned in this section, varied vastly in difficulty to find as well as the time invested in digging for them. Some took a few days to discover, others took a few weeks of prodding around specific sections of their massive online platforms.

The major motivator and most enjoyable aspect of the journey of discovery for each vulnerability was knowing the positive impact I was making for responsibly disclosing my findings to the respective companies. Sure, it was great assisting the company be proactive and patch the vulnerability to protect themselves, but I was mainly looking out for the end users that could have ended up being potential targets of someone who had more malicious intentions.

Admittedly, since the discoveries mentioned, I’ve placed external security vulnerability research on the back-burner for the past few years as it’s primarily due to not having the abundant amount of free time to dedicate to the craft as I once had whilst doing in it in my spare time at university.

Microsoft

Discovery Date:
October 2012