Sunday, October 4, 2020

Workshop Experience: Web Application Security Testing


This writing is my experience report of the workshop Web Application Security Testing conducted by Verity Software with Rahul Verma as a trainer. I had attended this workshop in November 2011. I registered for it again and was part of the workshop for the second time in September 2020. I thank Vinay Baid and Anil Nahata of Verity Software for coordinating and helping me to attend this workshop.



I and Web Testing for Security


I started testing web applications in 2008 by learning what the browser is, its internals, and by understanding the web technologies. While doing this, I was working on projects which built web systems for SalesForce, Healthcare and Insurance, Reporting, and BI Reporting.


One of the projects supported only IE (IE6 and IE7). The other projects' web applications were supposed to support desktop Firefox, Chrome, and Safari. In these projects, my task was to test for functionality.


In parallel, I picked up testing the security of these web applications. I referred to OWASP and its contents. I was building my mindset for security testing while I tested for web application security, and I found security bugs!



Disclaimer


I'm not paid by anyone to write this post, and no one asked me to write one. I'm writing it as my workshop experience and the learning I made out of it, to document my experience from this workshop.



About the workshop


I saw the post in 2011 from Rahul Verma about his two-day workshop, Web Application Security Testing. I registered for it in 2011, and it helped me. In September 2020, I attended the same two-day workshop from Rahul Verma, conducted this time by Verity Software. The details of this hands-on workshop are available on Verity Software's website.


I did not feel it was a repetition. In these eight years, my thought process has changed, and I see that I have progressed in my learning. Still, I did not experience it as a repetition.


The only differences that I could see are:


  • In 2011, it was in a hotel at Koramangala; the 2020 workshop was online as an effect of the COVID-19 pandemic.
  • In the physical workshop, the trainer moved around each table and looked into the trainees' practice; in the online format, he helped by asking how we were doing the hands-on exercises.
  • In the physical workshop, the trainer provided a laptop if needed, with the required software installed; in the online format, we trainees used our own laptops, seated at home, and accessed the practice system hosted on a cloud via remote desktop.
  • In the physical workshop, he could see us, our eyes and our faces, and understand what was happening with us; in the online format, he had turned on his camera, and the trainees had turned off theirs.
  • In the physical workshop, there was networking between the trainees; in the online format, there was no networking or sharing between the trainees.
  • In the physical workshop, he wrote on a whiteboard and in a projected text editor and explained; in the online format, he used the Sublime editor to write and explained his thoughts on the shared screen.
  • In the physical workshop, there was silence as we trainees listened to him; in the online format, at times trainees had their microphones turned on and we could hear the background sound (I don't call it noise!).
  • In the physical workshop, we did not see any break or lag in the trainer's voice; in the online format, we could see lag in the trainer's and trainees' video and voice (latency, bandwidth, streaming and internet!).


Otherwise, I made my notes as I listened to him, then and now. It was the first online workshop for the trainer, Rahul Verma.



Why did I attend this workshop?


Here are my reasons why I attended this workshop:

  • To check on my fundamentals, thought process, and mindset in Web Application Security Testing.
  • To see the difference in me and my practice after I attended the previous workshop.
  • To learn certain concepts better from a practitioner who practices web application security testing.
  • To listen to Rahul Verma:
    • He doesn't sugar-coat.
    • He says what he knows and what he practices.
    • His way of explaining, and the way he looks at the fundamentals before security.
    • His experiences, what kind of security information he finds, and how.
      • I did not connect with it as well in 2011 as I did today. I was grasping slowly and thinking about what I do as Rahul Verma spoke. I did not repeat this mistake in the 2020 workshop.
      • Today, I received it better as I'm practicing it, and I could relate my work to the subjects and topics he discussed in the workshop.



What did I make out of this workshop?


I told myself to unlearn and not to think only with what I already know as I listened to the trainer. I went to this workshop with an open and listening mind, and I made sure to keep myself attentive. I share a few of my learnings here:

  • My fundamentals were revisited and registered better in my thought and mind.
  • My understanding, and the way I see what I see, now has more clarity and observation.
  • The topics which looked buzzy and complicated have become much simpler to understand and work on.
  • My mindset is realigning with the unlearning I did in the workshop.
  • I wanted to rearrange my thinking here if I had to, and I did it while listening to Rahul Verma for the second time.
  • Before learning security testing, the fundamentals of the web were taken seriously and discussed.
  • I cannot write about it in detail here. If I did, it might impact the trainer and the organization conducting the workshop.
  • The fundamentals he discusses are needed; they are stepping stones.
  • As we know, tools help us test better, but a tool does not test on behalf of the tester. Using a tool in security testing is helpful in context up to a limit; beyond that, it is the human who has to test for security.
  • I did not see anything I listened to as a repeat for me.


I got what I wanted from this workshop. It is on me now how I practice and lead myself ahead.



My experience and learning


What the trainer spoke about is available in books and on the web. What's not available is the thought process and how to approach it with understanding. The demonstration of a practitioner has to be experienced in person if possible; it brings a different and unique value to the trainee. My pace is now well set and tuned.


The value added by the security testing of a Test Engineer/SDET and of a Security Testing specialist is unique and needed. My idea of encouraging and assisting Test Engineers/SDETs to practice Security Testing is much stronger and clearer now. I will continue to practice Security Testing as a Test Engineer/SDET, and I am sure I will add my unique value early in the work I do.


I now have the confidence that if I attend it another time, I won't experience it as a repeat. It will be new and unique.


If you can afford to attend this workshop from Rahul Verma, do attend. It will help build the fundamentals and mindset needed for Security Testing and Web Application Security Testing.



