I am (finally) working on developing an online security testing course.
This won’t instantly turn everyone into penetration testers, but will, I hope, start to enable, enthuse and develop our exploratory testing skills to include security more and more.
I know what I would want to produce in terms of content, however are there any specific areas of learning or interest that potential learners might want me to cover?
Security testing is pretty broad so if you are asking people like what to cover, could you tell us a bit more about what you had in mind? Are you going to focus on Web Application Security Testing or Network, Phising, Bounty hunting or perhaps risk assessment / ISO’s?
If you are asking for anything I would love to see some War Dialing & Database security scanning
Please please please, can you include suggestions on how to reproduce errors for attracting attention? I mean sometimes I recognize the problem, I test the thing, also fix it but then I do not find an understandable way to say: “look this was dangerous, we are safer now!”.
I mean demonstrating the value of your test by demonstrating the risk the business would incur by not solving the issue.
For example, if your test reproduces the exploit of an IDOR, how should I report it to make clear its priority? Should I state the risks? Should I show a video in which I access a resource I should not be able to access with my permissions? Should I demo it to business and developers?