Thursday, July 1, 2010

Advice from an InfoSec Mentor


The InfoSec Mentors Project is off to a great start. While some participants are familiar with the process, others are just getting their feet wet for the first time. This week, we are very excited to show our readers what one mentor has been doing with his mentee, and the kinds of topics they're exploring.

Earlier this month, InfoSec Mentor David Rook (@SecurityNinja) volunteered to be matched with mentee @JackWillK. Jack was looking for someone to help him hone his skills and engage with the community. David began creating a list of things they could work on in Web Application Security to build up Jack's knowledge and profile:

  1. Introduction email
  2. David Rook to do a Follow Friday just for Jack from the Security Ninja account
  3. David Rook to review Jack's resume and give feedback
  4. Suggested Jack set up his own blog and begin blogging
  5. Suggested that a joint/guest blog post on the Security Ninja blog might be useful
  6. David suggested that Jack do a series of blog posts based on the PHP ESAPI from OWASP
  7. David Rook to introduce Jack to Mike Boberski (lead for the PHP ESAPI project)
  8. General advice: conferences are expensive, see if you can volunteer to help out at conferences such as BlackHat in future
  9. General advice: conferences are expensive, see if any other local conferences are going to have some of the same speakers - e.g. DEF CON has a lot of the BH talks for about 1/10th of the price
  10. Suggested lab exercises for Jack to carry out, such as using the Damn Vulnerable Web Application, WebGoat, etc.
  11. Give a "suggested reading" list of books/articles

So far, Jack and David have made some great progress on this list. In addition to being more active on Twitter, Jack has also begun his own blog. He followed through on the suggestion to do a series of posts based on the PHP ESAPI project from OWASP. This brought some new attention to the project, and Jack was even mentioned for his work at an OWASP meeting. Then Jack's blog was picked up as a member of the Security Bloggers Network. Success!

David was nice enough to also share with us his suggested reading list of books and articles that focus on general security knowledge for a good foundation.


"If I were trying to get started in web app security right now I'd have a read of some of my own presentations (*might be a biased statement haha) on the Principles of Secure Development and my DEF CON presentation from last year.
The Principles of Secure Development is basically a root cause analysis approach to secure development. It focuses on the real issues behind vulnerabilities rather than getting caught up in the FUD and media hype of specific vulnerabilities, top "X" lists, etc.

I would also begin playing with vulnerable applications such as the Damn Vulnerable Web Application. Learn about the vulnerabilities in them and try to figure out how you would prevent them yourself. I would also recommend a few books as well (I own them all so I genuinely do personally recommend them):

XSS Attacks: Cross Site Scripting Exploits and Defense by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov

SQL Injection Attacks and Defense by Justin Clarke

The Security Development Lifecycle by Michael Howard and Steve Lipner."

We're looking forward to seeing some more great things from Jack, and hopefully he'll keep us in mind when he becomes a Security Rockstar :)
