This document discusses upskilling engineers in cybersecurity. It recommends determining engineers' current security knowledge level, generating interest in security topics, and managing ongoing learning to improve knowledge over time. Specific steps include leveraging capture-the-flag exercises for hands-on learning, mapping performance to online courses, and tracking individual progress. Attending webinars about how attackers audit software and common attack vectors can also help engineers learn. Both free and commercial options for online training and security challenges are listed. The goal of upskilling is to create a culture where engineers are security-conscious in their roles without needing expert knowledge.

2. Upskilling engineers
in cybersecurity
Aditya Kakrania
akakrania@securityinnovation.com
linkedin.com/in/adityakakrania
8 Apr 2020

3. Aditya Kakrania
• Held most roles in SDLC
• Information security since 2002
• Delivered talks and taught classes at Fortune-100
companies
• Created a lot of learning content for SDLC security
• Lately doing SDLC Gap Analysis:
• Upskilling is part of improvement roadmap
• Created upskilling programs for many orgs
About me

4. Upskilling
Core steps
DETERMINE LEVEL of security know-how
Know where to start
Avoid making engineers repeat content
GENERATE INTEREST in security
No learning happens without interest
Reward learners
MANAGE LEARNING to improve level of security know-how
Learning platform should retain interest
Platform should support scoring
Progress should be trackable

5. Upskilling
Webinar Agenda
1. Understanding how attackers “audit” your products
• What can be learned from them
2. Leveraging CaptureTheFlag (CTF) solutions
• Engineers will understand attack vectors
• Engineers will understand weaknesses
• You identify strengths and weaknesses of team
3. Enabling Effective Learning
• Map CTF evaluation to online training courses
• Track progress and scores
GENERATE INTEREST
GENERATE INTEREST
DETERMINE LEVEL
MANAGE LEARNING
MANAGE LEARNING DETERMINE LEVEL

6. How attackers ‘audit’
Attackers are people too
Turn Use-cases into Abuse-cases
•Leverage tools and scripts
•View software differently
•Speculate code & design behind features
•Observe and take great notes

7. How attackers ‘audit’
From Use to Abuse
Observe &
Note
Make/Refine
Attack Vector
Execute
Attack Vector
Use Case
Abuse Case

8. How attackers ‘audit’
• Mindset of turning use-cases into abuse-cases
• How to disable abuse cases in code and design
• Common attack vectors
• How to mitigate them
• Observational skills – what cues do attackers look for
• Curtail those cues as much as possible
• Understanding the tools attackers use
• What information is available to them
• How tools can manipulate software
What can be learned from them

9. Leveraging CTF Events
• CTF platform should have 50%+ vulnerabilities that are easy to find
• Participants are not hackers, point is to learn
• Group activity with small teams
• Good to have multiple roles in a team (Ex: Architect + Dev + QA)
• Great team building exercise
• One physical location preferred, remote works
• Cross learning through interaction
• Helps in maintaining interest
• Track progress and scores
• Common scoreboard promotes friendly competition
• Award participants
• Participation/Rank certificates, Gifts
How-To

10. Leveraging CTF Events
• Commercial:
• Security Innovation’s Cyber Range:
securityinnovation.com/training
• Free:
• Security Scenario Generator: github.com/cliffe/SecGen
• Google Gruyere: google-gruyere.appspot.com
• CTF Learn: ctflearn.com
• OWASP Juice Shop: owasp.org/www-project-juice-shop
Options

11. Managed Learning
• Rank group CTF performance on available learning topics
• Database security: Low
• Injection attacks: Medium
• Cryptography attacks: Low
• Map to learning content based on
• SDLC role
• Content difficulty level
• Offer support
• Have quiz and exams at end of courses
• Enable tracking course progress at individual level
• Offer learning support based on progress tracking and score data
• learning platform, security champion, email group etc.
How-To

12. Managed Learning
• Commercial
• Security Innovation Courses: securityinnovation.com/training
• SANS Online Cyber Security Training: sans.org/online-
security-training
• Free
• Web Security Academy: portswigger.net/web-security
• John Hammond’s videos: youtube.com/user/RootOfTheNull
Options

13. Upskilling engineers in cybersecurity
• CTFs and Training can help create a culture of security
• Not security experts, but security conscious engineers
• Designers will be aware of insecure mechanisms and patterns
• Developers will recognize bad practices, fewer defects in code
• Testers will know how to find security defects
• Expect incremental improvement
• Not everyone will learn improve right away
• Continuous cycles of CTFs + Training
• Create security champions in each team
Finally

14. The Security Innovation Difference
• Blended Learning → Attack & Defend
• Attack: Hands-on simulation with CMD+CTRL
• Real, purposely vulnerable applications for hands-on learning
• Discover team capabilities and kindle interest in security
• Defend: Progressive computer-based training
• Role-based training for Architects, Developers, QA, Operations, IT, and Analysts
• Modular courses provides a clear path that grows with leaners
• Quarterly releases ensure content addresses current technologies and attack vectors
• Rich Reporting
• Real-time assessment of your team’s capabilities
• Quarterly program analysis to adjust learning paths, cadence, and metrics

15. community.securityinnovation.com
Training videos
Hacking practice
Career planning
Security tools