A month or so ago I travelled back up to sunny, sunny Scotland to visit my friends at Abertay University. I arranged to go deliver our vulnerability assessment workshop on the back of my then-recent delivery to the University of Surrey. It's always good to hang out with the @AbertayHackers crew and it's great to see the level of passion that's continuously growing throughout the group.
The delivery of the workshop went unbelievably smoothly thanks to the volume of feedback from the Surrey students. I was able to steer completely clear of previous hiccups and pre-empt them.
Overall I was very impressed with the effort involved. We targeted the 4th year and post-grad students and received a great turnout (just shy of 40 students) and furthermore everyone participated well.
Prior to the assessment, the groups had the chance to sit down with me one on one and ask some pre-engagement questions, all of which were very sensible and reasonable. Some groups of students asked more intelligent and understandable questions and as a result had quite a heads up on the other groups.
During the assessment itself all of the groups performed very well, with some gaining root access to the system very quickly. Unfortunately, at first the group thought the assessment was now over and proceeded to ask me what's next. To which I asked them: if I fixed this one vulnerability, am I secure? Of course not; back to work they went.
Nearly all of the vulnerabilities were uncovered, and those that weren't were, admittedly, mainly due to time constraints. After a quick pizza break, the students sent me their final reports and presentations for review.
Overall, the reports were written well. Only two findings were required to be written up, and the intro/exec summary etc. were not required. The writing style demonstrated by the groups was impressive, well structured and logical, although there were a couple of places here and there which didn't make a whole load of sense. There was also one group who forgot to check their report before handing it in, and one student had accidentally left a finding's impact scoring as "shit gets crazy yo" (highlight of the day was impersonating the client, asking them to explain where in the NIST severity matrix that resides).
I have more statistical data, which I'll follow up with soon, but for now, this should do as a reflective summary.
I received a lot of great feedback once more, with plenty of compliments. Thank you to all that came and made it an awesome day. It really makes the effort worth it.