Learning Update-Week 4

Well, that was quite a week! Some of my regular work took longer than anticipated, so I didn’t get in as much learning as I had planned. That being said, I did do some interesting research!

Something I haven’t really discussed is how I plan my work. Generally, I try to follow the OKR (Objective-Key Result) model of planning the maximum amount of work I think I can get done, and taking 70% or better as success. Even if I don’t hit the 70% mark,

What learning did I do this week?

Security Blue Team-Intro to Network Analysis

No progress on this one for this week.

Planning and implementing a Security Incident Response

No progress on this one for this week either.

PentesterLab-Essential Badge

I was able to get through 4 exercises this week! Learned a few interesting things about web-based authentication.

Reading-Explore It!: Reduce Risk and Increase Confidence with Exploratory Testing

Started reading about some interesting ideas around how to vary your testing to find interesting bugs. One that was highlighted that caught my attention in particular was Persona Testing. From what I’ve gathered, the idea originated as an approach for designers to have a kind of template of a type of user, to work from while they build their designs. In software testing, Personas can really help you better understand the kinds of workflows a user might go through in your application, which can help you not only identify obvious errors, but also points of friction that might prove to be irritating enough that a user abandons your application.

Security Testing an Open-Source Application

After a discussion with my Cybersecurity mentor, I’ve picked an open-source application to test for security issues. I’ve conducted a tour of the controls for the built-in optional webserver on Windows, since enabling this feature increases the attack surface of the application. So far, I haven’t been able to locate the webserver code in the project’s code repository.

I also did some preliminary research on existing bug reports, as well as forum posts, to understand the current user base. It seems like some users are definitely not savvy when it comes to networking, which would suggest that there are opportunities for either misconfiguring the application, or misconfiguring network controls that might otherwise be in place to protect the user (eg. the built-in firewall on Windows).

As per the project’s owner, any bugs I find will be kept private to them. Once they’re addressed, I’m hoping to do a full write-up of the project.

What Learning Is On The Agenda This Week?

Security Testing an Open-Source Application

This week, I’m going to continue digging through the code repository to find the webserver code. If it’s a 3rd-party library, I’ll see if I can find any known vulnerabilities. If it’s some custom code from the project owner, I may have to do a bit more digging to see if I can find any potential risks.

Security Blue Team-Intro to Network Analysis

As a carry-over, I’m planning on finishing this course this week. There’s only a couple of quizzes, and a capstone project.

Planning and implementing a Security Incident Response

The plan here is to finish off the section review questions for Threat Modelling. If I finish off the Building a Computer Security Incident Response Team module, that’ll be a bonus.