Fun With Vulnerabilities

Hands On Security Training for Developers
Sarah Tesmer
October 14, 2024

This is my first article for Morrisec, but some of you might already be aware that I recently joined the Morrisec team as Head of Engineering. During this time, we’ve commenced our penetration testing program, which we’re all very excited about, but today I wanted to write a little bit about a pet project of mine that I’ve been quietly working away on in the background. I’ve always been a big believer in teaching people how to fish instead of just handing them a fish, or, to put that into the cybersecurity context, I believe there is a lot of unnecessary obfuscation out there making it seem harder to secure your environment than it might be. I’ll leave it to you, dear reader, to work out why cybersecurity often seems so mysterious; I’m just interested in doing my small part to help demystify it.

Hands on Security Training for Developers

Which brings me to my point: I’ve been keeping myself busy developing a new introductory course titled “Fun with Vulnerabilities: A Technical Guide to Improving Your Security Posture”. This isn’t your typical boring security lecture—it’s a hands-on, interactive adventure aimed at your development team, where you get to play the role of the hacker. We’ll be learning how to exploit vulnerabilities and how to develop secure code to protect your applications from these real-world threats.

Coming back from my time working for big tech in America, I noticed a real lack of this sort of hands-on awareness training material aimed at the Australian SMB space. For this reason, it seems to me that a lot of businesses out there understandably think security is daunting and expensive, but it really doesn’t have to be. From what I’ve already seen, many places are really missing out because they’re not using the organisation’s greatest security asset: their own people!

Building On Your In-House Skillset

The truth of it is, even if you don’t have a team of security professionals, with a little help, your organisation’s people likely already have many of the skills needed to proactively defend against potential threats. We’re always going to need security compliance auditors to prove we’re meeting our obligations and we’re always going to need things like the occasional penetration test performed by a professional dedicated to the job, but these services are akin to calling in the fire department. Sure, we need the fire department but what about the days in-between when the fire department is elsewhere? Well, we have our fire safety warden, we occasionally do fire safety drills and we’re all responsible for fire safety, right? Then why not cybersecurity?

Has your organisation introduced application security methodologies into your development lifecycle? Does your team do threat modelling? If not, there are plenty of excellent online materials, such as the OWASP Threat Modeling Cheat Sheet, for example. Sure, it can be a little dry at times, but I can’t recommend practices like threat modelling enough, although you may then find yourself asking more questions such as “Are we all aware of the common vulnerabilities we might face?”. And sure, the OWASP Top 10 and OWASP API Top 10 are invaluable resources that I highly recommend technical people take the time to read, but then a lot find themselves asking “Sure, we understand the threats, but do we all know how to spot the warning signs of a potential security weakness in design?” or “What does this mitigation recommendation within this penetration test report even mean? Does the pentester even know?”. Personally, I think part of the problem here is that too many training courses simply repeat this material at their audience without providing context or a framework to educate oneself further. We’ve all learned a programming language from books, but let’s be honest, the real learning that sticks with us for life is when we sit down and start coding in the language for ourselves.

Integrating Security into the Development Lifecycle

So I figured, why not emulate that but for cybersecurity? In the course we’ve developed, participants will discover and exploit security issues hands-on in a controlled environment and see the real-world impact for themselves. We’ll discuss mitigation techniques for the vulnerabilities we’ve found and figure out how to implement effective solutions to address them. We’ll also take a step back and discuss strategies to seamlessly integrate security practices into the development lifecycle.

Honestly, I really wish I could tell you there was this one thing you could do to solve all your security concerns but if I told you that, I’d just be selling snake oil. However, I can help demystify the complexities of application security through interactive learning and that’s more than half the battle.

Sarah Tesmer

Sarah is the Head of Engineering at Morrisec, bringing over 14 years of experience in cybersecurity, software development, and DevOps. She has a strong background in offensive security, application security, and cloud technologies. Sarah’s expertise in system design and her passion for ensuring customer success make her an invaluable asset to the team. Her leadership and technical skills drive Morrisec’s innovative solutions in protecting clients against evolving cyber threats.