Wednesday, July 21, 2010

It's only just begun.....

Now that it has been a few months since the highly anticipated mentor/mentee pairing, I wanted to touch base with a few of the participants to see if the rose is still on the bloom or if the honeymoon is over. Over the course of a few weeks I’ll be interviewing both mentors and mentees and get their thoughts on the process so far. Since the InfoSecMentors program is in its infancy, this may help identify strengths and weaknesses to better improve the experience of everyone involved. Also for those contemplating joining, they will have a better idea of what to expect or what to do differently.

I’ve chosen for the interviewees to remain anonymous to both the general public reading this blog and those within the InfoSecMentor’s leadership so as to encourage more candid responses.

Sample Questions:

  • Prior to being matched, had you known of your mentor/mentee either personally or through social media forums?
  • Was your pairing made public on the various social media outlets?
  • Were you given any “homework” or assignments to complete and did you actually do them?
  • Do you feel the mentor you were paired up with was an accurate match?
  • Was gender a concern when envisioning who you’d be paired with?
Stay tuned as the mentors & mentees reveal their experiences with the process thus far.

If you are interested in being interviewed, please contact me securityindepth {at} gmail or @diami03

Thursday, July 1, 2010

Advice from an InfoSec Mentor

The InfoSec Mentors Project is off to a great start. While some participants are familiar with the process, others are just getting their feet wet for the first time. This week, we are very excited to show our readers what one mentor has been doing with his mentee, and the kinds of topics they're exploring.

Earlier this month, InfoSec Mentor @SecurityNinja volunteered to be matched with mentee @JackWillK. Jack was looking for someone to help him hone his skills and to help him engage the community. David began creating a list of things they could work on with Web Application Security to build up his knowledge/profile.

  1. Introduction email
  2. David Rook to do a Follow Friday just for Jack from the Security Ninja account
  3. David Rook to review Jack's resume and give feedback
  4. Suggested Jack set up his own blog and begin blogging
  5. Suggested that a joint/guest blog post on the Security Ninja blog might be useful
  6. David suggested that Jack does a series of blog posts based on the PHP ESAPI from OWASP
  7. David Rook to introduce Jack to Mike Boberski (lead for the PHP ESAPI project)
  8. General advice: conferences are expensive, see if you can volunteer to help out at conferences such as BlackHat in future
  9. General advice: conferences are expensive, see if any other local conferences are going to have some of/the same speakers - i.e. DEF CON has a lot of the BH talks for about 1/10th of the price
  10. Suggested lab exercises for Jack to carry out such as using the Damn Vulnerable Web Application, Web Goat etc
  11. Give a "suggested reading" list of books/articles

So far, Jack and David have made some great progress on this list. In addition to being more animated on Twitter, Jack has also begun his own blog. He followed through on the suggestion to do a series of posts based on the PHP ESAPI project from OWASP. This brought some new attention to the project, and Jack was even mentioned for his work at an OWASP meeting. Then Jack's blog was picked up to be a member of the Security Bloggers Network. Success!

David was nice enough to also share with us his suggested reading list of books and articles that focus on general security knowledge for a good foundation.

"If I were trying to get started in web app security right now I'd have a read of some of my own presentations (*might be a biased statement haha) on the Principles of Secure Development and my DEF CON presentation from last year.
The Principles of Secure Development is basically a root cause analysis approach to secure development. It focuses on the real issues behind vulnerabilities rather than getting caught up in the FUD and media hype of specific vulnerabilities, top "X" lists, etc.

I would also begin playing with vulnerable applications such as the Damn Vulnerable Web Application. Learn about the vulnerabilities in them and try to figure out how you would prevent them yourself. I would also recommend a few books as well (I own them all so I genuinely do personally recommend them):

XSS Attacks: Cross Site Scripting Exploits and Defense by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov

SQL Injection Attacks and Defense by Justin Clarke

The Security Development Lifecycle by Michael Howard and Steve Lipner "

We're looking forward to seeing some more great things from Jack, and hopefully he'll keep us in mind when he becomes a Security Rockstar :)