Featured Cybersecurity Professional: Vincent Hopson – Web Application Security
What were the Web Application Security skills or knowledge you were looking to develop and why?
It had been a while since I had worked with security from a web-based perspective. This training course was a prime opportunity to learn about new strategies and techniques used in that world, and to see how those techniques relate to networked application security.
What was it about the Web Application Security Essentials training course that made you decide to attend as part of your visit to AppSec EU?
Many new products are deployed with the Graphical User Interface (GUI) distributed as a web interface. Those same products use a Role Based Access Control (RBAC) system to allow various users visibility into the diagnostic information derived about their product. The effectiveness of the security of that information is very relevant to any product offering; especially if there are enterprise level security concerns to be addressed.
What made the Web Application Security Essentials a good learning experience?
The course used a popular vulnerable web server that is easily deployed and examined (OWASP’s Web Goat). All of the lessons inside of Web Goat are directed to particular vulnerabilities and how to attack using them. The student is given each vulnerability from a theoretical perspective, and directed to delve into the practical implementation in Web Goat. Some of the answers are not obvious, and the thinking to attack the server is somewhat “outside the box”. Having an instructor available to help move the student along enhances the learning experience, and reduces the amount of time in pursuing the correct approach. Understanding, and time savings… what’s there not to like?
Would you recommend the Web Application Security Essentials with Cycubix to other IT / Cybersecurity Professionals – why?
The class brings professionals together to discuss the vulnerabilities in Web Goat and how they can be exploited. Much of the value of the class comes from the instructor’s ability (Mr. Cerullo was great) to impart knowledge of the exploits, and to guide the discussion afterwards. Many of the Engineers present had very good information about some of the exploits as seen in the “wild”. Mr. Cerullo listened to what the students had to say about each exercise and added to their comments in a constructive manner. *This* area was the most instructive of the class. It cannot be obtained from simply downloading a Docker image of Web Goat and experimenting. Professionals helping other professionals in a professional manner. Great experience.
How has/will the Web Application Security Essentials contribute to how you carry out your role?
Many of our customers deploy Internet facing applications, and it helps to know the challenges they face in their job. By understanding the vulnerabilities that are exposed and some of the strategies an attacker would use, finding out more about the security posture of the application makes more sense. What to fix immediately, what to fix soon, and things to repair in the future. Many tools will help you understand the vulnerabilities in your application. However, the generalized nature of tool findings cannot be completely relied upon to protect your application. Only an understanding of the business nature of the application, and security exposure findings as understood by the Engineer can shine a bright light on vulnerable areas. An Engineers’ critical role in any business begins by understanding the potential vulnerabilities and likely attacks your application will face.
Read more about Web Application Security Essentials. Benefit from our highly engaging training seminars based on the most up-to-date official content, delivered by an Authorised (ISC)² Instructor with a deep understanding of the subject matter and the ability to explain it effectively.