Learning Update-Week 5

Whoops! A day late posting this, as it was a statutory holiday on Monday here in Canada.

Week 5! This means I’m past the halfway point in this challenge. So far, it’s been a really interesting opportunity to reflect on my learning. As well, it’s kind of forced me to document ideas that might otherwise have stayed in my head.

What learning did I do this week?

Security Testing an Open-Source Application

After digging through the code repository, I found the webserver. Based on the current check-ins, I think this is custom-built. From a security standpoint, I can see both upsides and downsides. Besides not being vulnerable to existing CVEs for more common webservers, a custom-built solution is less likely to carry unnecessary features or services, which would otherwise increase the attack surface. In this particular case, the biggest risk I can see is that it is primarily developed by one person. Depending on the developer’s background and skillset, they may not have considered all the possible security-related issues that can come with a webserver. As a software tester, I’ve observed that developers tend to be focused on a mindset of “build the thing”; this is critical to getting things done, but can lead to missed bugs.

Security Blue Team-Intro to Network Analysis

I took the first of the quizzes, and while I passed it, I wasn’t happy with the result. After reviewing the module associated with the quiz, I think that there’s a bit of a mismatch between the materials and the quiz.

The module materials are focused on being an introduction, and I think they do a pretty good job of being a general overview. However, several of the questions in the quiz are well beyond anything specifically covered in the module. As an evaluative method, a quiz offered at the end of a short introductory module should be presenting the learner with an opportunity to do a quick check-in on whether or not they have absorbed the relevant key points. I wouldn’t expect a learner to do more extended thinking at this point, particularly as an introduction is usually intended as a level-set.

I can see three potential solutions to this problem:

  1. Adjust the quiz to make it more of a “repeat back what you’ve learned so far” type of check-in
  2. Add feedback to the quiz, to provide hints or direction on both correct and incorrect answers
  3. Adjust the materials to cover deeper material

Option 1 would likely be the easiest, and most sensible considering the structure of the module. Option 2 would require a little work, but would still be relatively easy. Option 3 would likely mean a fair bit of work.

Ultimately, I think any organization that is creating training materials needs to give serious consideration to their evaluative methods. There are a lot of different ways to evaluate the degree to which a learner understands the materials presented, and effectively matching the training materials to the evaluative methods is going to lead to better outcomes for everyone involved.

Planning and implementing a Security Incident Response

Sadly, still no progress on this. I tried to get back into it this week, and it just wasn’t keeping my attention.

PentesterLab-Essential Badge

I hadn’t specifically planned to work on the badge this week, but the mood struck me to tackle a couple of exercises. After the 5 authentication exercises, the next batch is focused on authorization.

TryHackMe

I forgot to include this one in last week’s update. I decided to take a look at this site, as it kept appearing on my LinkedIn feed. Not surprising, I suppose, considering what I’ve been looking at there recently. So far, I like their approach of keeping evaluative tasks small. For someone who is trying to squeeze training in between other tasks, this can be very helpful. While I tend not to get too into the gamification stuff (badges don’t really do much for me), I do think that the focus on small, frequent wins is a good model for some learners (including myself).

Reading-Explore It!: Reduce Risk and Increase Confidence with Exploratory Testing

Progress is slow, but ongoing. My usual time for reading is before going to sleep, so there are times when I get through 5-10 pages in a night, and others where I get through 1.

What Learning Is On The Agenda This Week?

PentesterLab-Essential Badge

I’m aiming for at least 3 exercises with PentesterLab this week.

TryHackMe

I expect to finish off the Intro to LAN and OSI Model modules this week.

Reading-Explore It!: Reduce Risk and Increase Confidence with Exploratory Testing

Over the weekend, I made some headway, so I’m hoping to have the book finished by the end of this week, or early next.

Training Backlog

Security Testing an Open-Source Application

I’ve got a pretty busy (and shortened) week on the agenda, and I want to carve out some dedicated time to dive deeper on this task, so I’m going to put it on the backlog for the moment.

Security Blue Team-Intro to Network Analysis

Before I proceed with this one, I want to do some more digging into analyzing PCAPs, since that’s what this module seems to be pretty heavy on.

Planning and implementing a Security Incident Response

While the topic is interesting to me, I’m not finding the course all that engaging. I’m going to take a break from it, and see if that helps.
