Security Testing Learning

danielbilling · March 9, 2021, 1:01pm

I am (finally) working on developing an online security testing course.

This won’t instantly turn everyone into penetration testers, but will, I hope, start to enable, enthuse and develop our exploratory testing skills to include security more and more.

I know what I would want to produce in terms of content, however are there any specific areas of learning or interest that potential learners might want me to cover?

Cheers,
Dan

kristof · February 25, 2021, 3:02pm

Security testing is pretty broad so if you are asking people like what to cover, could you tell us a bit more about what you had in mind? Are you going to focus on Web Application Security Testing or Network, Phising, Bounty hunting or perhaps risk assessment / ISO’s?

If you are asking for anything I would love to see some War Dialing & Database security scanning

danielbilling · February 25, 2021, 3:21pm

Ahh…good point…it’ll be web to start with, and then broaden out from there.

meowy24 · February 25, 2021, 4:04pm

I just wanted to say ooooooooooooooooooo exciting

testthisout · March 3, 2021, 9:35am

Please please please, can you include suggestions on how to reproduce errors for attracting attention? I mean sometimes I recognize the problem, I test the thing, also fix it but then I do not find an understandable way to say: “look this was dangerous, we are safer now!”.

danielbilling · March 3, 2021, 11:10am

Can you be a bit more specific on what you mean by ‘attracting attention’? I’m not sure what this means in your context.

testthisout · March 3, 2021, 11:55am

I mean demonstrating the value of your test by demonstrating the risk the business would incur by not solving the issue.
For example, if your test reproduces the exploit of an IDOR, how should I report it to make clear its priority? Should I state the risks? Should I show a video in which I access a resource I should not be able to access with my permissions? Should I demo it to business and developers?

claire.reckless · March 3, 2021, 4:44pm

Perhaps something around how testers can be involved in , or even set up, threat modelling exercises

danielbilling · March 3, 2021, 4:48pm

This will definitely be part of it

bencf1 · March 3, 2021, 10:29pm

Yes! This would be great, I understand the concept but I’ve never actually taken part!

danielbilling · March 4, 2021, 9:56am

How about a live threat modelling? @heather_reid is this something we could organise? It’ll be more effective than a course, of which there are many

heather_reid · March 4, 2021, 6:04pm

Certainly potential Pop a proposal through to myself and @mwinteringham and we’ll chat about it.