Vulnerability Assessment Workshop

So I've been working on something pretty cool lately and I wanted to share some thoughts on it.

TL;DR - I'm currently delivering a vulnerability assessment workshop at multiple UK universities with the aim of providing a realistic full day workshop on finding vulnerabilities, engaging with clients, and explaining the issues & guidance in a way that can be easily understood by the client.
If you have contacts with, or you represent a university, please do get in touch with me at wiresharkGD@gmail.com

Planting the seed

Back in October, I attended a series of company training sessions in the US and one was on the topic of vulnerability assessment (VA). Despite already having knowledge of VAs and how to execute them, the session was really good fun and most importantly - held great value. The reason that this session was of greater value to me than any of the past exercises I've completed, e.g. DVWA/Webgoat/{insert deliberately broken web app here}, was simply that it simulated a real client engagement from start to finish. The technical problems ranged from simple to challenging and in addition there were deliberate hiccups here and there with many problems to overcome (I don't want to give too much away for those who may participate in the future).

During my flight home I started thinking more about the pentesting sessions, VA sessions, and capture the flag competitions that I've gotten involved with in the past and I couldn't think of one which delivered the full client experience.

My background

I studied and acquired a four year honours degree in Ethical Hacking & Countermeasures at the University of Abertay, Scotland and whilst the course was awesome and set me up with the skills required to do what I do now, it too never provided me with the full client experience. Engaging with clients is very different to what I expected and I don't mean that the clients are grumpy, unhelpful or evil (which they may well be). What I mean is that there is a way in which you must present yourself to, interact with, and treat your clients. Coming out of university I wasn't sure how to do that and I wouldn't have been confident in handling difficult circumstances with a client (thankfully, I still haven't had to). Those of you familiar with the concept of course know I'm speaking broadly about consulting skills.

Final year mock pentest

During my fourth and final year of studies, we executed a mock VA as a group coursework. During this assessment we were required to engage with the client; however, there was only a small amount of interaction and even at the end, when presenting the findings, they were very forgiving. Either we were already great at explaining the problems in an understandable way or the pentester that we presented the results to was in a good mood. Even at times when we were explaining vulnerabilities in a vague or hesitant way, the explanation was accepted without challenge and full marks were given. I think that a lot of value can be gained from simulating some difficult scenarios, e.g. "we actually aren't vulnerable to X because we use Y"... even though the testers are correct, it would be useful to learn how to handle those kinds of situations.

The Goal

For the reasons laid out above, I took the initiative and obtained internal approval from my employer to repeat the VA engagement with UK universities. I have taken the material and turned its focus towards university students and soon-to-be graduates. In an effort to appeal to many audiences I have added vulnerabilities to the application which are easy to find (low hanging fruit), and I have also added more difficult to find problems for those with security knowledge. The entire application is modular and we have the ability to customise the vulnerabilities which should and should not be present for any given university, making it extremely easy to tailor towards their needs. My first delivery of the project will be in two days, on 22 February 2014. I'm very excited about delivering the workshop and the students at the University of Surrey will hopefully have some good feedback for me afterwards to help improve the workshop for the next groups.

Grant Douglas

Senior Security Consultant @ Cigital/Synopsys. Working on everything appsec but mainly security, strategy and SAST & DAST tooling in the mobile vertical.

