Companies use different approaches to make their own software more secure, for example paying specialised firms to carry out penetration tests. Initially our approach was the same: the most obvious problems were found and fixed. But we weren't convinced. We weren't satisfied, and we knew it wasn't enough.
So, as the NetEye Research & Development team, we started a training course with two aims: first, to find the vulnerabilities already in our software, and second, even better, to avoid introducing new ones during the design and development phases. One of the main characteristics of this process is that every member of the team is involved.
With this post I want to go back through the growth process – which is still ongoing – in the hopes of helping or just giving some ideas to other development teams who wish to improve their security knowledge and skills.
At the beginning, we relied on a company that offers IT security consultancy services such as penetration tests. We agreed on a basic course divided over a few days.
Initially the course was mainly theoretical: we were given a basic understanding of the main types of vulnerabilities and of how they can be exploited during an attack. From time to time we were given some "exercises" to put into practice the concepts that had been explained to us. The last day of the course was a sort of workshop in which we tried to find possible vulnerabilities in an old version of our NetEye software.
In my personal experience, this type of training is very useful at the start: it gives a beginner the basic concepts and makes it possible to continue learning more independently. Unfortunately, without continuity in the learning path, the concrete results are likely to be poor.
As the second step of the training course, our Team Leader, who has always been a cyber security and hacking enthusiast, prepared a mini course concerning the vulnerabilities of the technologies that we use most frequently in NetEye development. This course lasted two full days.
Compared to the first course, the interactive/gaming aspect was enhanced by tackling a series of exercises, each preceded by a brief theoretical explanation. The explanation often included questions that kept the level of attention high by leveraging interest, while the exercises were designed to be solved by everyone in a short time, without giving us the chance to get discouraged.
In this phase we consolidated the basic principles we had learned in the first course, going more deeply into the aspects that concern us directly, i.e. the possible vulnerabilities of the technologies we use every day.
In my opinion, it was precisely at this stage that we became aware of how much room for improvement there was in becoming autonomous at making NetEye safer, starting from development. But we also became aware that the end goal was entirely achievable.
Well, that's all for today. To find out more about the next steps of our training course on Cyber Security, let's make an appointment for next week with the second part of this post :).
Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find security issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.