Category: Career

Review Portswigger Web Security Academy

Update 2020/08

The materials and labs exloded over the last months:
Web cache poisoning
Information disclosure vulnerabilities
Insecure deserialization
Authentication
SQL injection
Cross-site scripting
Cross-site request forgery (CSRF)
XML external entity (XXE) injection
Clickjacking (UI redressing)
Cross-origin resource sharing (CORS)
Server-side request forgery (SSRF)
HTTP request smuggling
OS command injection
Server-side template injection
Directory traversal
Access control vulnerabilities and privilege escalation
Testing for WebSockets security vulnerabilities
DOM-based vulnerabilities

The full list of labs is not included here, it is simply too long!

Link: Web Security Academy
Content: Teaches the basics of Web Application Security, so far SQL Injection, XSS, OS command injection and File Path traversal. Comes with small labs.
Career: Penetration Tester but I recommend it also for everyone interested in security
Level: Beginner
Price: Free

Web Security Academy

The description from the originial website:
Welcome to the Web Security Academy. This is a brand new learning resource providing free training on web security vulnerabilities, techniques for finding and exploiting bugs, and defensive measures for avoiding them.
The Web Security Academy contains high-quality learning materials, interactive vulnerability labs, and video tutorials. You can learn at your own pace, wherever and whenever suits you. Best of all, everything is free!

For tracking and doing the labs you need to create an accout.

I found the explanations and the labs very suitable for beginners and I think it is a great starting point for web application security.

The team behind it is the same that is behind the Burpsuite and the famous Web Application Hackers Handbook (consider buying it if you want to go deeper into the topic):

The Web Application Hackers Handbook
Authors: Daffy Stuttard, Marcus Pinto
Content: The standard book about hacking Web Applications, goes into depth about the most important topics. Authors also created the BurpSuit.
Career: Penetration Tester
Level: Good for beginners, but also useful for experienced penetration testers

Career Path Security Basics

Most people starting a career in IT security have a huge interest in topics like hacking, programming, system administration, networking and so on. When you apply for a junior position, employers normally expect basic skills and huge motivation. In this article you can find some useful resources for learning the basic skills that are useful for all career paths in IT security. More specific articles for specialized career paths like penetration tester, DFIR expert, malware expert and so on, are about to follow.

If you have any ideas or suggestions for additional useful courses, please feel free to leave a reply in the comment section below or just add them to your personal training list.

I suggest to look for suitable courses or certifications, to set yourself a goal and make a plan how to reach your goal.

If you want to read how I started my career in IT security have a look here.

Programming

Depending on your career, you should have knowledge in various programming languages. As a penetration tester, these could be assembly, C, javascript, HTML, python and bash for the beginning. Programming skills are not only useful for penetration testers, but also for other career paths. For example in a blue team, programming skills are very useful for automatization.

In this section you can find some examples for learning basic programming, more specialized examples follow in the career path sections.

HTML

Html & JavaScript

Learn Basics by building your own Computer

Build a Modern Computer from First Principles: From Nand to Tetris
Content: Teaches the basics of computer sience by building a computer from ground up. There is also a great TED talk about the course.
Career: All
Level: Beginner
Price: Free or with certificate

Programming Python

Python might be the most important language to learn as a starter.

Programming for Everybody (Getting Started with Python)
Content: Python Basics
Career: All
Level: Beginner
Price: Free or with certificate

There is a ton of free resources on the web, this also looks useful:
https://www.python.org/about/gettingstarted/
https://www.learnpython.org/

More EDX courses: https://www.edx.org/learn/computer-programming

More coursera courses: https://www.coursera.org/browse/computer-science/software-development

Programming Bash, Learning Linux

For all career paths, you will need Linux skills.

https://www.bash.academy/
https://www.learnshell.org/
http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO.html

If you lack of basics in Hardware, OS and so on consider this one:
https://www.professormesser.com/free-a-plus-training/220-901/comptia-220-900-course/

Networking

Professor Messer’s CompTIA N10-007 Network+ Course
Content: Great and free video course for preparing the CompTIA Network+ exam, I recommend to add a book nevertheless.
Career: All 
Level: Beginner
Price: Videos are free

All in One CompTIA Network+
Author: Mike Meyers
Content: Coverage of the CompTIA Network+ certification exam objectives, goes into the topics in depth. I liked the questions after each chapter. Came with a CD with an exam simulator long ago, now the content is online. 
Career: All 
Level: Beginner
Buy at Amazon U.S.
Buy at Amazon Germany

You may consider to do the certification for the CV.

More Coursera courses: https://www.coursera.org/browse/computer-science/computer-security-and-networks

Learn about http:
https://developer.mozilla.org/en-US/docs/Web/HTTP
https://www.tutorialspoint.com/http/

Basis Security

The Cuckoo’s Egg Decompiled Course
Content: Highly recommended course by Chris Sanders, teaching the basics of attacking and defending networks through the lens of the famous “The cuckoos Egg” book by Clifford Stoll.
Career: All
Level: Beginner
Price: Free

Professor Messer’s CompTIA SY0-501 Security+ Course
Content: Same as the Network+ course for Security+, I also recommend to read a book additional for preparation.
Career: All 
Level: Beginner
Price: Videos are free

Mike Meyers’ CompTIA Security+ Certification Passport
Author: Dawn Dunkerley
Content: For preparing the CompTIA Security+ Certification this book is recommended. It covers every topic from the exam and also includes review questions as well as a practice exam.
Career: All
Level: Beginner

You may consider to do the certification for the CV.

Introducion to Cybersecurity
Content: Short non technical introduction course for everyone who is curious about cybersecurity. Explains the basic concepts from a higher level.
Career: All
Level: Beginner
Price: Free or with certificate

More EDX courses: https://www.edx.org/learn/cybersecurity

More Coursera courses: https://www.coursera.org/browse/computer-science/computer-security-and-networks

Stay tuned, my next article will be about the career path for penetration testers.

Links

Thanks @SparkyS04 for proofreading.

Certifications Pro & Con

A lot has been written about certifications and whether you should have them or not. For me it is pretty simple, certifications helped me finding jobs and improving my career.

As a penetration tester I made OSCP and OSCE, for getting a bit more into DFIR I made the CHFI certification. At the beginning of my career I did CompTIA Network+ and Security+ for learning and prooving my skills. At some companies it is simply a door opener. I know enough people who never certified and are great at their jobs and also don’t have problems making a good career.

But of course there are other ways to show your motivation:

  • have projects or a blog that are showing your skills
  • have you found vulnerabilites? write them down in your CV
  • found something great? consider to give a talk at a conference
  • maybe you are a great CTF player?
  • don’t forget your personal network

Besides that, what certification you want to do strongly depends on your career path and the budget. SANS courses & certs cost a ton if you have to pay for yourself and are mainly useful if you want to go into DFIR.

On the other end there are certifications from EDX or coursera that are cheap but of course not that recognized. Certifications from securitytube are also worth a look.

After all it is the mix of certifiations, courses, experience, personality, connections and so on that enables your career.

Working at a CERT and shifting to Technical Lead

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career
Part 2: From Beginner to Expert as Penetration Tester
Part 3: Working at a CERT and shifting to Technical Lead (this part)

A new job
Because I was interested in Incident Response and wanted to specialize more in the field of penetration testing I applied at a CERT in one of the 30 biggest DAX enlisted companies in Germany. The environment was of course completely different to consulting companies:

  • more long-term thinking
  • not much overtime
  • more administrative work
  • more time for in-depth work

As in every job there are some advantages but also some disadvantages, but the advantages predominate for me.


More specialization
I was lucky that it was possible for me to attend lot of training and learning on the job. At this time my plan was to specialize in the field of exploitation. Among the training I did was:

  • “Tactical Exploitation and Response“ by Attack Research
  • Internal Incident Response Training
  • SANS Sec 660 with GXPN certification
  • “Windows Kernel Exploitation” by Hacksys (higly recommended)
  • Corelan Bootcamp & Corelan Advanced (higly recommended)

Also I was able to go to conferences like Brucon, Blackhat, Defcon and others and I could present Avet now three times at the Blackhat Arsenal, which is by the way one of the most fun events I presented.

But it became different
… than it was planned by me, which is not a bad thing. I did a lot of Incident Handling and later I was involved ramping up a vulnerability management system. While the latter is not that interesting for most people working in penetration testing, I learned a lot about companies politics and also management, which helped me a lot within my personal development. Because I traveled mainly to Asia I could also get Chinese lessons at work, which is a great thing. 

Promotion
After about three years I was promoted to a technical lead position in the Red Team of the CERT with some new duties:

  • Ensure that all provided services (Pentesting, Vulnerability Management and so on) work properly
  • Adjusting with the other CERT teams and management
  • Conducting job interviews
  • Organizational tasks (yes, writing excel sheets)

About the new position I sometimes have discussions with other professionals. One thing is that I definitely shifted away from technical stuff. On the other hand it is possible to influence the direction for the future, for example what should be in focus for the next time. By job descriptions and job interviews you can find suitable people for your team and so on. 
Important for me is not to loose the connection to the hands on work, so I like to be involved here too. But being also involved in some management tasks also gives the opportunity to self improvement and training on a non technical level.
If you do not like these tasks you better continue you technical career, which also gives you opportunities for improving and developing.

Conclusion
Besides all things I learned from a technical point of view (Incident Response, Trainings etc.), the more important lesson for me was and still is what I can learn from a management point of view and the personal development. Sometimes the attitude and the political thinking is more important than the technical knowledge for improving things in a big company, I try to find a way where I can combine both.

Two important take aways:

  • The exploitation trainings in that depth were not necessary when I look back at this time. It was no total waste of resources, but choosing more careful and adjusting your learning goals is always a great idea.
  • After staying for 18 and then 17 months at the two jobs before it is a good idea to stay a bit longer at the new job. Changing jobs too often might look bad on your CV. Also staying for a longer time is also opening new perspective (when you are on the right company).


That concludes the career article series from my personal point of view (so far) and I hope you enjoyed reading and that my experience is also helpful to other people and especially to beginners in the field.

Links

Some Online courses I did during that time:

Books:

For more links and book recommendations please have a look at the recommendations list.

From Beginner to Expert as Penetration Tester

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career
Part 2: From Beginner to Expert as Penetration Tester (this part)
Part 3: Working at a CERT and shifting to Technical Lead

My first job
The first job as a penetration tester was pretty exciting for me. I was lucky to have many colleagues that engaged very much with the newcomers, and for the beginning everyone got at least three workshops lasting 2-4 days, if I remember correctly. The OSCP prepared me pretty well to the thinking of solving the day to day problems on the job. The job was at a consultancy company that mainly is doing penetration testing engagements in Germany. During that time I also started researching about antivirus evasion (in my free time btw). I most consultant jobs time on the job is short. For me that was a huge advantage, I was able to do web app testing in short time. Besides learning from colleagues I also read some books like The Web Application Hackers Handbook, The Shellcoder’s Handbook and Network Security Assessment.
I had my first presentation (in German at the Backtrack Day 2013) about antivirus evasion, which made me very proud of course. 
During the first job that lasted 18 months I also visited the CCC Congress twice, had several chances to conduct interesting pentests (mostly web and mobile) and did an interesting online course (Malicious Software and its Underground Economy: Two Sides to Every Story). Because I liked the hole exploitation topics I made the SLAE certification, which was a lot of fun and I highly recommend, also for preparing the OSCE. Now there is also a 64 Bit version.

My second job
I learned a lot and had great colleagues, but for me it was time to move on to my second job as a penetration tester, where I had the chance to travel more and to work for clients on site. Further I had the chance to do some Digital Forensics and Indident Response (DFIR) under the condition I do any certification, so I choosed the one the looked easiest for me, that was the CHFI (Certified Hacking Forensics Investigator). I would not necessarily recommend it, but at this time it helped me improving my career and also to do some forensics and incident response work. For the preparations I bought “The Official CHFI Exam Study Guide”. For gaining more in depth knowledge about forensics I attended a course at the University of Applied Sciences Albstadt-Sigmaringen about data storage forensics.
Besides the work I continued my research on antivirus evasion and gave a talk at the Deepsec conference 2014 (“Why Antivirus Software fails“).
Also I had the chance to speak at public and closed events from my employer and started to visit the OWASP chapter Cologne. For education and to get from professional to expert level I decided to make the OSCE certification. That was a blast for me. I never had such a challenging time in my career and I fell through the first test and had to take a second shot. The OSCE is highly recognized especially in the Red Team and Exploitation community. Like the OSCP for me it is not about teaching certain techniques, but training the right attitude you need for breaking stuff (Try harder). I was glad when I got the famous mail from offensive security after the second exam.
After 17 months on that job I took my chance and hired at a CERT, this will be the story for part 3.


Conclusion & some notes

  • be grateful for the knowledge and support of friends and colleagues – sometimes I forget to say this… so to everyone who helped me during my career: thank you!
  • when it is time to move on, move on, after all it is about business and your personal development
  • Giving talks gave me the great opportunity to network in the community and also to improve self esteem and public speaking
  • Be flexible, I moved for each job in the IT security field
  • for more networking I started to use twitter
  • Don’t give up, “Try harder”, the motto by offensive security also applies to searching for jobs and many more lessons in life, this attitude helped me also with my research
  • Working at a consultancy company is helpful, since it teaches you to be effective (time and costs), you learn to deal with pressure

Further reading:
https://danielmiessler.com/study/infosec_interview_questions/
https://netsec.ws/?p=517
https://coffeegist.com/security/my-osce-review/
https://master-digitale-forensik.de/

Coursera courses for free

Like for EDX, it is possible to take coursera courses for free. Here is a short example.

Login (or register if you have no account). Go to the course you want to attend to, in this example I take “Programming Languages, Part A”. Please note that the option described here are not possible for all courses.

On the course page select “Enroll”:

In the pop-up choose “Full course. No certificate” and continue.

And you can start:

Have fun!

EDX courses for free

EDX courses can be taken for free. Of course then you will miss the certificate, but the content is the same. Also you have a time limit for viewing the content, but in my experience it is more than enough.

Here is a short example:
After logging in with your account (register if you do not have one) search for the course you want attend to.

For the example I choosed “Introduction to Cybersecurity”.

Choose “Enroll now” on the course page:

Scroll down a bit and choose “Audit this course”:

One the next page you can just start the course. A dialog might be shown that you can earn the certificate, you can just ignore that or choose “Explore the course” here:

Enjoy and keep learning!

Start a Penetration Tester Career

This article is part of an article series about my personal experience and career in the penetration testing and security field.
Part 1: Start a Penetration Tester Career (this part)
Part 2: From Beginner to Expert as Penetration Tester
Part 3: Working at a CERT and shifting to Technical Lead

From Administrator to the first Penetration Tester Job

I am sharing this because people ask me often about how to get into information security and how to improve a career. In this post, I describe my personal career and learning path including recommendations for books and more learning material. This may not be perfect to other people, for me it just worked. In later posts, I will give some recommendations for a more idealized learning path for different careers, for example as a penetration tester or a forensics specialist.

When I was working as an administrator back in 2011, I began starting to think about how I might change my career. My job back then included some Windows and Linux administration as well as some PHP and VBA coding. Further, I had coding skills in C and Java. In October 2012 I started my first job as penetration tester.

At this time, it was not clear to me whether to go more into depth as a network admin or to security. Since it seemed to be a good idea to have some networking skills, I started to work out a plan for getting the CCNA. 

Network skills
I started with the Mikrotik MCNA, since there was a training possibility in the town where I lived, I only used the training material offered by this course, but if you want more information have a look at the official Mikrotik page: https://mikrotik.com/

Then CompTIA Network+ followed. For the test preparation, I relied on two sources. The first is the free video series from professor Messer, these are excellent and I used to make notes about the content and reviewed them before a new training session. After the videos, I bought the book
Mike Meyers’ CompTIA Security+ Certification Passport” that included some example questions for training.

The CCNA was my first “bigger” certification and I remember that I put a lot effort in it, for example I bought a bunch of old switches and routers for a home lab. This was not necessary, but of course, it added some fun at this time. Much easier is to use simulation software for doing some labs.

Besides my own experiments, I worked through the book CCNA Routing and Switching Complete Study Guide. The certification at this time included not only the multiple choice tests, but also lab exercises.

Security skills
Because it became clear to me that I wanted to go into Security in my career, I started the CompTIA Security+ certification. As like for Network+ I used the Professor Messer tutorials and the book Mike Meyers’ CompTIA Security+ Certification Passport. 

I wanted to work as a penetration tester; I decided to do the OSCP certification and I am happy I did choose it over the CEH. Here is my review in German, more reviews in English here.

I made the certification in 2012, and nowadays I do not think that you must have an OSCP necessarily, although I strongly recommend it. It is a great certification and it surely helped me especially when it comes to attitude, endurance and patience. However, it can be a frustrating experience and if you do not have enough time or motivation, it will be hard. For me it was fun!

During the OSCP preparation, I bought two books:
–      The German book “Hacking mit Metasploit” (Hacking with Metasploit) by Michael Messner, which helped me a lot because it also introduced some Exploit Development and Client Side Attacks.
–      Hacking: The Art of Exploitation by Jon Erickson 

After the OSCP, I was lucky to find my first Job as a penetration tester.

Besides the certifications I also did a course at coursera “Webapplication Engineering” which I liked but it seems it was not continued.

Together with a friend we published an article in the German issue of the pentest magazine about pivoting, which was good having it on my CV for the first job in the field.

Conclusion
If you want a job in this field, the most important thing for me is to show that you are motivated. Nowadays I had some job interviews “on the other side” from the perspective of an employer. So besides qualifying with certifications and courses you should consider:

  • Start your own blog
  • Start your own projects on github
  • Contribute to projects
  • Networking (when I looked for my first job as a penetration tester I used Xing and wrote to company owners and asking for a job, which was successful) 
  • Consider publish articles on platforms like Xing, LinkedIn, magazines etc.

In the next part, I will go from starting the first job to going for expert level.