If I'm not mistaken gitea stores codebases/projects on the filesystem, so having a hardcoded database password makes no difference. If someone gets into the server they can simply copy the files without touching the database.
As others have indicated, a VPN server of your choosing (openvpn/wireguard) can solve your issues. Even if at some point there's an "unauthenticated RCE" exploit for gitea, having it behind a VPN will mitigate that.
I think you're just stuck because your current employer doesn't have clear paths of progression. Usually in 3 years pentesters move to an either team lead role or pivot to other areas like simulated attack (red/purple teaming).
If you enjoy pentesting, I'd just look for another job, especially since the demand for ex-devs in pentesting is huge. Have a look at a previous comment I posted: https://news.ycombinator.com/item?id=32303528#32305561
You can gear yourself write security related tooling as /u/uaas mentioned, but you'd effectively still be a developer and not a pentester. If that's what you're after, you'll get exposure to InfoSec but you will never do actual pentesting to find vulnerabilities etc. I mean you might, but the companies that offer you both are very few.
I made that exact jump from development to pentesting 6 years ago, after about 10 years of development. Will you miss development? Absolutely. Are there opportunities to scratch that itch? Yes there are - but it's with scripting. The things that can be scripted to make you more efficient are insane. Your ability to understand not only what is broken but also why it's broken will help you advance yourself. You have probably even coded that exact bug in the past so you know where else to look, and you know how to do code reviews. In general, the need for pentesters with a dev background is very very high, especially since now companies worry about supply chain attacks, SDLC, etc.
My solution was to keep coding in my spare time, when I have an MVP I show it at work and then ask for time to work on it. I've significantly improved internall processes, and I've released a few offensive security tools, two of them I even presented at security conferences - as in full blown applications rather than "here's a script that does X". This way I get to pentest and provide solutions to industry-related problems. One thing to note is that most of the security tooling out there (the open sourced ones) is very python/C#/Go centric. I've seen applications written in Rails/Java that didn't get the love they deserved just because it's a pain to install them. I had to learn both python and C#, but it was totally worth it.
If you do make the jump, get ready to take a salary hit as you'd be hired as a mid-level consultant at best - and that's only if you've proven that you know a lot about cyber security, OWASP vulnerabilities, etc. But don't let that stop you, I've seen people join the industry as juniors and in 6 years making over 6 digits (UK). YMMV, but if you put in the time and effort, it's worth it.
I totally agree with you, but the common "this is why we can't have nice things" end result of such scenarios is that people will VPN via India in order to buy your product. And then you have to identify VPNs in order to avoid this, etc.
I don't have a solution for this, I just think the effort/reward should be considered.
As a user I hate it when I get localised prices, especially if the at-the-time exchange rate ends up being more expensive for me. If I see something sold for $9.99 but I get £9.99 I think "why am I paying more for this", simply because the exchange rate is more favourable since I'm in the UK. But when I only see USD prices I'm more likely to buy something as it's not overly complicated.
If you want you could pull real-time exchange rates and have a button that indicates the conversion for someone who wants to see the "most likely" price (depending on when they actually pay for it).
For example if you sell something for $9.99 just leave it as such, and Stripe will make the conversion and you'll always sell at the same price regardless from where someone is coming from.
I've had lasik about 10 years ago, best decision of my life, no side effects. It only took 10 minutes, and I can only assume that the technology advanced further the last decade.
I know 2 people who had it around the same time as me, and only one has -1 in one eye after another 7 years. The other person is still glass-free.
My advice is to not go cheap. Don't choose a doctor that "also does eye surgery" (there are a few like that), go to someone who specialises in it and only does that.
Unfortunately I don't have anyone to recommend in the UK as I've done mine in Greece, but I've had -5 on both eyes and lasik did wonders.
I've been trying to reproduce this since I saw this post without any luck. The only data I see going out is generic usage data (when you have the "anonymous usage data" enabled) - however I'm not logged into Postman.
I suspect it only sends data to them server if you are logged in so you can use the functionality such as "sync between devices", which kind of makes sense.
I use getmail[0] on my rpi. Download everything from gmail and fastmail using IMAP (sync) overnight into a truecrypt container, and then offsite backup to rsync.net. It's also storing everything into an mbox so you can easily import that file anywhere.