howlett commented on Ask HN: What do you use to backup email?    · Posted by u/snoopy_telex
howlett · 3 years ago
I'm using getmail (https://pyropus.ca./software/getmail/) as a cronjob every night to download it all and then sync with an offsite backup
howlett commented on Ask HN: Any ways to make Gitea safer for my private projects?    · Posted by u/dev_0
howlett · 3 years ago
If I'm not mistaken gitea stores codebases/projects on the filesystem, so having a hardcoded database password makes no difference. If someone gets into the server they can simply copy the files without touching the database.

As others have indicated, a VPN server of your choosing (openvpn/wireguard) can solve your issues. Even if at some point there's an "unauthenticated RCE" exploit for gitea, having it behind a VPN will mitigate that.
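
As an added illustration of the "behind a VPN" approach described above (this is example configuration, not from the comment, the Gitea project or the WireGuard project): Gitea is bound only to the host's WireGuard address, so the web UI and API are unreachable from the public interface, and only enrolled VPN peers can talk to it. The subnet 10.8.0.0/24, the addresses 10.8.0.1 (Gitea host) and 10.8.0.2 (one client), and the key values are assumptions and placeholders.

```ini
# Added example; assumed addresses and placeholder keys (not real values).

# --- /etc/wireguard/wg0.conf on the Gitea host ---
[Interface]
# Assumed VPN address for the Gitea host
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# One client machine allowed onto the VPN; AllowedIPs pins it to a single address
PublicKey = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32

# --- Gitea custom/conf/app.ini on the same host ---
[server]
# Listen on the VPN address only, never on 0.0.0.0, so the public interface
# exposes nothing even if an unauthenticated bug in Gitea appears later
HTTP_ADDR = 10.8.0.1
HTTP_PORT = 3000
DOMAIN = 10.8.0.1
ROOT_URL = http://10.8.0.1:3000/
```

After restarting Gitea, `ss -ltn` on the host should show port 3000 listening on 10.8.0.1 only; if it shows 0.0.0.0 or `*`, the binding did not take effect. Git-over-SSH is a separate listener, so either restrict sshd to the VPN address as well or firewall it on the public interface.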

howlett commented on Ask HN: Should I move back from Cybersecurity to Software?    · Posted by u/root_fin
howlett · 4 years ago
I think you're just stuck because your current employer doesn't have clear paths of progression. Usually in 3 years pentesters move to either a team lead role or pivot to other areas like simulated attack (red/purple teaming).

If you enjoy pentesting, I'd just look for another job, especially since the demand for ex-devs in pentesting is huge. Have a look at a previous comment I posted: https://news.ycombinator.com/item?id=32303528#32305561

howlett commented on Ask HN: SIEM-like product with DNS as its data API?    · Posted by u/m3047
howlett · 4 years ago
I'm not 100% certain if I'm understanding the requirement correctly - but would something like this help?

https://github.com/ctxis/SnitchDNS

howlett commented on Ask HN: As a security expert, do you still build?    · Posted by u/john_the_writer
howlett · 4 years ago
You can gear yourself to write security related tooling as /u/uaas mentioned, but you'd effectively still be a developer and not a pentester. If that's what you're after, you'll get exposure to InfoSec but you will never do actual pentesting to find vulnerabilities etc. I mean you might, but the companies that offer you both are very few.

I made that exact jump from development to pentesting 6 years ago, after about 10 years of development. Will you miss development? Absolutely. Are there opportunities to scratch that itch? Yes there are - but it's with scripting. The things that can be scripted to make you more efficient are insane. Your ability to understand not only what is broken but also why it's broken will help you advance yourself. You have probably even coded that exact bug in the past so you know where else to look, and you know how to do code reviews. In general, the need for pentesters with a dev background is very very high, especially since now companies worry about supply chain attacks, SDLC, etc.

My solution was to keep coding in my spare time; when I have an MVP I show it at work and then ask for time to work on it. I've significantly improved internal processes, and I've released a few offensive security tools, two of them I even presented at security conferences - as in full blown applications rather than "here's a script that does X". This way I get to pentest and provide solutions to industry-related problems. One thing to note is that most of the security tooling out there (the open sourced ones) is very python/C#/Go centric. I've seen applications written in Rails/Java that didn't get the love they deserved just because it's a pain to install them. I had to learn both python and C#, but it was totally worth it.

If you do make the jump, get ready to take a salary hit as you'd be hired as a mid-level consultant at best - and that's only if you've proven that you know a lot about cyber security, OWASP vulnerabilities, etc. But don't let that stop you, I've seen people join the industry as juniors and in 6 years making over 6 digits (UK). YMMV, but if you put in the time and effort, it's worth it.

howlett commented on Ask HN: How do you localize your prices?    · Posted by u/jamesfisher
2143 · 4 years ago
It's not just exchange rates.

The problem is that, in some places (like India, for example) $10 might be a lot of money.

One might be able to do a lot more with $10 in India (₹800), than with $10 in USA, due to reasons that are beyond anybody's control.

For instance, I can travel 3000 km by train with $10 equivalent in India if I really wanted to (wouldn't be very comfortable, but it's possible).

The wages in those countries are also proportional to this.

This becomes relevant if you want your product to be not expensive, so that it reaches a wider audience.

For expensive goods the price difference doesn't matter as much. (Though I know people who were bummed that the Ford Mustang 5.0 V8 was twice as expensive in India than USA — but that's a different market).

howlett · 4 years ago
I totally agree with you, but the common "this is why we can't have nice things" end result of such scenarios is that people will VPN via India in order to buy your product. And then you have to identify VPNs in order to avoid this, etc.

I don't have a solution for this, I just think the effort/reward should be considered.

howlett commented on Ask HN: How do you localize your prices?    · Posted by u/jamesfisher
howlett · 4 years ago
As a user I hate it when I get localised prices, especially if the at-the-time exchange rate ends up being more expensive for me. If I see something sold for $9.99 but I get £9.99 I think "why am I paying more for this", simply because the exchange rate is more favourable since I'm in the UK. But when I only see USD prices I'm more likely to buy something as it's not overly complicated.

If you want you could pull real-time exchange rates and have a button that indicates the conversion for someone who wants to see the "most likely" price (depending on when they actually pay for it).

For example if you sell something for $9.99 just leave it as such, and Stripe will make the conversion and you'll always sell at the same price regardless of where someone is coming from.

That's how I feel about it anyway!

howlett commented on Cheat sheet for if I'm gone   thoughtscollected.tech/po... · Posted by u/protonbob
Pilottwave · 4 years ago
I used KeePass with Google Drive sync before, so can't speak to LastPass.

What got me interested is that Bitwarden is open-source and empowers you to self-host, which for me goes a long way for establishing trust. It has a modern interface through desktop, browser extensions and CLI. You can choose to cloud-host your vault on Bitwarden servers, for convenience, with a very generous free tier. Which is what I've been doing for years now, no complaints really.

howlett · 4 years ago
If you have been taking exports as backup, be aware that any attachments you have were not exported - https://news.ycombinator.com/item?id=31702594

u/howlett · Karma 230 · Cake day June 3, 2013