Let’s look at the next two key pieces of the cyber security education triangle ™.
Firstly, courses need to be pragmatic, that is, practical and grounded in the real world. In the same lecture the lecturer assumed we needed to be taught about truth tables, while at the same time expecting us to know about some obscure vulnerability in some framework. I’ve also been told to build my own tools and learn how the existing ones work. I appreciate the sentiment, I really do. You should be able to write scripts, build tools to suit your needs and know how the existing tools work. But that said, why reinvent the wheel? Sure, build a DNS brute forcer, but an intercepting proxy? “Know how the tools work and how to use them, let me just neglect teaching you that so I can take you through a contrived example without explaining it.”
I don’t mean to be cynical, but this brings me to the point of pragmatism. When learning webapp security you’ll be using Burp Suite (or ZAP or whatever), so I think we need to be learning how to actually do our jobs, and that means learning how to use the industry tools. It means working through realistic (even if simplified) examples. This ties into the bigger picture as well. Like, what are we actually doing? “Put this string into every form field and it might throw an error.” Why? Is that the whole job? What else do I do? And how should I approach a fresh target?
Let’s get practical instead of spending an hour just saying “go be a hacker.” Let’s learn what to actually do, how things actually work, why they work and how to use the tools to exploit them. Security education is aimed at people who already know the lesson but haven’t earned their rite of passage. Let’s skip the hazing and actually teach kids how to be a pen tester or red teamer or reverse engineer instead of saying “go and learn it yourself.” That’s why we’re taking the course.
Secondly, it needs to be systematic. We need to be going through the material, like actually going through what you need to know: look at the vulnerability class and how to exploit it, all the techniques and defenses, why it happens, how to fix it and how it fits into the bigger picture. I can’t tell you how many lectures I’ve been to where the lesson is just a haphazard jumble of tips. Let’s go over the concept, then cover everything related to it, and what to do when you’re approaching a fresh target. Let’s methodically learn the technique and how to exploit the vulnerability, even if we’re going in blind, or there’s a WAF, or it’s NoSQL, or script tags are blocked, instead of “if I put this string in here I can log in, or there’s a pop up, oh also, there’s sometimes blacklists, you should look into that, just be creative.”