As mentioned in my previous post, a colleague and myself took the train down to Surrey (Guildford) on Saturday to deliver a vulnerability assessment workshop to some Computing Science students @UniOfSurrey. We spent a full day with the students and all of them stayed right until the end so that is one positive right? The most impressive and awesome take home from the day was that several groups of students managed to get system access on the server yet had no prior vulnerability assessment knowledge. Furthermore, collaboratively the groups managed to identify and come up some advice for nearly every vulnerability present within the application.
I want to first state that both my colleague and I are very grateful for all of the students who took the time at the end of the workshop to offer their thoughts and opinions and I'm glad to say that your awesome feedback has been taken on board. Without your help, we can't make improvements for the next lot of students. It's all for the benefit of you guys and girls so your feedback really makes a difference!
Aligning with the received feedback, we have made some changes to the networking architecture of the workshop by bringing in a 24 port gigabit switch for students to jack in to. We have also modified the server to provide improved access to the application in the form of hostnames & DHCP support. This allowed us to iron out some of the small networking hiccups that occurred at the beginning of the workshop. Also, we are now in the process of redesigning the opening material to give more information, examples and resources to accommodate those who require it.
Everyone gave great feedback and the compliments received were very rewarding. We are very glad you all enjoyed the day so much and look forward to sharing the experience with other university groups. We're relieved that you guys enjoyed it so much, we really wanted to make this a fun and engaging activity and from the feedback, we pulled it off!
In addition to the above system improvements we also thought it would be a good idea to add some more challenging vulnerabilities. Over the past few days, I have added additional vulnerabilities to the application that are not only more difficult to find and exploit but are slightly more difficult to diagnose and explain. The reason for creating these kinds of vulnerabilities is to offer good examples that reinforce the importance of being able to articulate findings to a client with accuracy and clarity.
In terms of where the workshop goes now, we currently have a few universities in the pipeline who are almost ready to receive the workshop and we are working with them to settle a date for delivery. I won't name them just yet until things are set out in stone but I'm excited about getting involved with them.
I'd also really like to design some metrics for the workshop of which we can discuss and share with readers without giving anything away for upcoming universities - I'll touch on this more soon.
As I mentioned in my previous post, if you're part of a University group or you know of someone who is and might be interested then please do get in touch with us and we can discuss the possibilities of delivering the workshop to you/them. I for one am always happy to attend to enquiries and software security questions in general. If there's anything you want to get in touch with me about, just shoot me a tweet or email me.
Subscribe to Hexploitable ~ software security blog
Get the latest posts delivered right to your inbox