3 minute read
a rewarding profession
MARISE ALPHONSO
TECHNICAL SECURITY RESEARCH – A REWARDING PROFESSION
by Marise Alphonso, Information Security Professional
Cybersecurity incidents and data breaches typically result in bad actors getting rich—or aiming to do so—by requesting ransomware payments, conducting scams or selling data on the Dark Web. For the good people working to stop them getting rich a number of—rather more modest—rewards are available, particularly in technical security research.
Software development is an expensive exercise and, despite rigorous and agile approaches to software development, security vulnerabilities are frequently uncovered. Security researchers play a pivotal role in discovering zero-day vulnerabilities in the infrastructure, technology and applications that power systems around the world.
Google’s Project Zero is an example of a security research program that provides details on vulnerabilities discovered in proprietary or opensource software. It gives developers 90 days to address an issue before making the vulnerability public. Many software companies run bug bounty programs offering a reward or recognition to encourage security researchers to find vulnerabilities in their products.
Bugcrowd and HackerOne are platforms that pool the skills of the world’s ethical hackers and security researchers to enable organisations and governments around the world to benefit from their skills in finding software vulnerabilities. According to the June 2022 Australian Cyber Security Centre (ACSC) Cyber Threat Report, rapid exploitation of critical security vulnerabilities was widespread in the 2022 financial year with attackers targeting various technical systems. These findings highlight the need for more cybersecurity professionals skilled in identifying vulnerabilities.
IMPROVING SECURITY RESEARCH SKILLS
Numerous resources can be used to improve knowledge and skills in security research. HackerOne offers Hacker101, a free educational resource to empower the hacker community. While some knowledge of programming or networking may be useful, Hacker101 caters for the beginner, introducing
platform and programming requirements. Another reference is Mossé Cyber Security Institute’s vulnerability research training resources which include certifications individuals can earn.
Capture The Flag (CTF) competitions provide a great environment and opportunity for hackers or security researchers of various skill levels to solve challenges and improve their understanding of security vulnerabilities ranging from cryptography and programming to process exploitation and reverse engineering. These competitions are typically run at security conferences or via online portals. Competitors can be individuals or teams who solve challenges to uncover software vulnerabilities.
CTF101 provides introductions to each challenge area typically covered in a CTF competition, and CTF Time has a listing of worldwide CTF events that individuals or teams can sign up for. Every December, SANS holds a Holiday Hack Challenge which is a festiveseason-based CTF that is a lot of fun.
Knowledge of threat modelling techniques such as STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege), developed by Microsoft, can assist a researcher to understand how to target a system. By performing reconnaissance, a researcher can build a picture of a technical system or environment and target certain parts based on attack techniques in line with STRIDE.
Use of STRIDE together with the Open Web Application Security Project’s (OWASP) list of the top 10 vulnerabilities facilitates a structured approach to discovering software vulnerabilities. Threat modelling by software development teams is powerful because it enables security to be built-in not bolted-on. However, for security researchers, penetration testers or red teamers, these techniques are equally useful for finding weaknesses in the design, implementation and operation of a system.
As technology continues to power our lives, security research will continue to require skillsets and capabilities able to discover weaknesses in technical systems used by individuals, organisations and governments worldwide. The Common Vulnerabilities and Exposures (CVE) system used to rate technical vulnerabilities will live on for years to come as the basis for remediation activity. The world needs more people focused on the good side of technical security research. Kudos to today’s security researchers and those aspiring to the profession.
www.linkedin.com/in/marisealphonso
