"Good Guys" that Hack
It’s easy to forget that the backbone of securing systems is the hundreds of thousands of people working every day behind the scenes. The headlines typically focus on data dumps, compromised systems, rumors of government backdoors and other issues, but it’s becoming increasingly important to highlight the people who help prevent even more of these headlines!
During our recent Hack Through the Holidays event, we saw several skilled security testers (aka hackers) that outperformed all others. To help demystify what an ethical security tester looks like, and to encourage others to start exploring security careers and training, we’ve put the spotlight on these “good guys who hack” to help us all. Please share these with colleagues, friends, and students in your life who may be thinking about a career in security, but aren’t quite sure where to start!
Today, we are highlighting Andre Gott, a former programmer and current release manager who enjoys finding web vulnerabilities and telling others how to fix them. Andre scored a whopping 9,745 points during the CMD+CTRL Cyber Range event and solved 45 of 48 challenges before being pulled away for a vacation in England. Great job Andre!
Q: How did you get into security testing?
Andre: I taught basic attacks such as SQL injection while working for a dominant static analysis vendor, and am now performing security assessments and secure SDLC consulting full time with the Denim Group.
Q: What is the most interesting exploit, vulnerability, or finding that you’ve discovered (and are willing to share)?
Andre: I’ve found that using SQLmap makes Blind SQLi much more exploitable and ‘fun’.
Q: It can be difficult to build up the knowledge and skills needed to become a good hacker. How did you learn these skills?
Andre: I regularly participate in various Security Innovation CMD+CTRL Cyber Range events. I also leverage the knowledge of co-workers and the LinkedIn community.
Note: We promise we didn’t nudge Andre to say this, but we’re excited our CMD+CTRL Cyber Range events leave such a good impression on him!
Q: What recommendations would you have for others that are interested in learning more about security and hacking?
Andre: “Just Do It,” as the slogan goes. There are numerous deliberately vulnerable websites you can download and install for free (preferably on a VM!) and so many tutorials and videos to be found online.
Q: Other than Cyber Ranges like CMD+CTRL, what tools would you recommend to others looking to extend their skillsets?
Andre: Start your education with Burp, Zap, SQLmap, and Shodan, but don’t stop there.
Q: What were the main factors that drove you to become a top scorer in the CMD+CTRL Cyber Range?
Andre: Approach assessments with a quality engineering mentality. For example, don’t just test one or two pages for SQL injection, but test EVERY route. That means spidering and status accounting, to ensure all routes are found and tested, are even more important than ‘cool new exploits’. Remember that it only takes one missing annotation or configuration setting to bring down a production site.
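The "status accounting" Andre describes is the bookkeeping that tells you which discovered routes have actually been checked and which have not. The script below is an added illustration of that idea, written for this post rather than taken from Andre or the CMD+CTRL range: it parses a constructed spider log, collapses concrete URLs into route templates so that `/users/17` and `/users/42` count as one route, and reports every live route that is still missing a required check. The log format, host name, and the `sqli`/`xss` check labels are assumptions chosen for the example.

```python
"""Route coverage accounting for a web assessment (added example, not from the post)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample crawl log in "STATUS METHOD URL" form, as a spider might record it.
CRAWL_LOG = """\
200 GET https://app.example.test/login
200 GET https://app.example.test/users/17?tab=profile
200 GET https://app.example.test/users/42
404 GET https://app.example.test/users/9999
200 POST https://app.example.test/users/17/comments
200 GET https://app.example.test/orders/a8f3c2
302 GET https://app.example.test/admin
200 GET https://app.example.test/login?next=/admin
"""

# Constructed test ledger: normalized (method, route) -> checks already recorded for it.
TESTED = {
    ("GET", "/login"): {"sqli", "xss"},
    ("GET", "/users/{id}"): {"sqli"},
    ("POST", "/users/{id}/comments"): set(),
}

# Assumed check classes every live route must have before the assessment is complete.
REQUIRED_CHECKS = frozenset({"sqli", "xss"})

# A path segment that is purely numeric or looks like a hex identifier (6+ hex chars).
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{6,})$")


def normalize_route(url: str) -> str:
    """Collapse a concrete URL to a route template: drop scheme, host and query
    string, and replace identifier-looking segments with {id}."""
    path = urlsplit(url).path
    parts = ["{id}" if _ID_SEGMENT.match(seg) else seg for seg in path.split("/") if seg]
    return "/" + "/".join(parts)


def parse_crawl_log(text: str) -> dict:
    """Return {(method, route): set of status codes seen} for every log line."""
    routes = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        status, method, url = line.split(maxsplit=2)
        routes[(method.upper(), normalize_route(url))].add(int(status))
    return dict(routes)


def coverage_report(routes: dict, tested: dict, required=REQUIRED_CHECKS) -> dict:
    """Compare discovered routes against the ledger. Routes that only ever returned
    404 are dropped (nothing there to test); every other route must have every
    required check recorded, otherwise it is listed under 'gaps'."""
    live = {key for key, statuses in routes.items() if statuses != {404}}
    gaps = {}
    for key in sorted(live):
        missing = required - tested.get(key, set())
        if missing:
            gaps[key] = sorted(missing)
    return {
        "discovered": len(live),
        "fully_tested": len(live) - len(gaps),
        "gaps": gaps,
    }


def main():
    report = coverage_report(parse_crawl_log(CRAWL_LOG), TESTED)
    print(f"{report['fully_tested']}/{report['discovered']} routes fully tested")
    for (method, route), missing in report["gaps"].items():
        print(f"  TODO {method} {route}: {', '.join(missing)}")


if __name__ == "__main__":
    main()
```

On the constructed log this reports 1 of 5 live routes as fully tested; the `/users/{id}` route shows up once rather than three times, and the `/users/9999` line is ignored because it only ever returned 404. Keeping this ledger up to date is what turns "test every route" from an intention into something you can verify at the end of an engagement.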
Q: What other guidance do you have for anyone interested in building their hacking skills?
Andre: Don’t overlook BrightTalk, YouTube, and security blogs as a source of anything you might care to know.