
BlueWolf's Howl


March 08, 2018

WhiteHat Secure Developer

The Security field has many facets. There are multiple areas which require various skill sets. The Security Engineer configuring a VPN needs different skills than the Security Auditor checking for compliance. However, from the "outside" some people expect Security people to cover all areas and all skills. Currently I find myself in Risk Management. Yes, it relies upon my CISSP training more than the CCNP Security training. One of the more interesting things in Risk Management is the emphasis on Application Security.

Here's how building skills and creating a career path can lead you in an unexpected direction. While working as a network engineer, I often performed packet captures. This led to Wireshark training - along with training on OpNet ACE Analyst, Network Observer and CACE Pilot. When you expand your learning to fit the environment and experience, it leads you to things like application performance. All those "slow network" complaints were investigated fully - including digging for the root cause and not just absolving the network of any slowness. I learned about application turns and messaging, packet sizes and how to use IT Guru to do "what if" analysis for applications. It was more efficient to give the customer answers than to just push them off with a "not our problem - the network's fine" response. And I learned a lot.

Then I became more involved in Security. Security training (especially the CISSP) touched on application security quite a bit. It taught me what to look for - but not really how to find it or fix it. That was the developer's responsibility. I knew about SQL Injection and Cross-Site Scripting, but not how to exploit or fix them. Then I started on the OSCP [Pentesting with Kali]. Here's where I learned how to really test for these things and exploit them. Between my fiddling with the code for this site to make it do what I want and the OSCP - I really started digging into being able to read and modify code. But still, the emphasis was on testing and proving exploits and not really on how to fix things.

And with my work in Risk Management, I find myself wanting to know more. So I started looking for training. I started with Veracode and found that they have some free webinars, but no free training. The training is geared towards corporate consumption for their developers. Then I happened across an email from WhiteHat Security. They do the same scanning of code as Veracode, and they did have a free training course. There was only one - WhiteHat Certified Secure Developer. It took a bit of emailing and registration, but I did manage to sign up. The course was awesome. There were 5 solid webinars that specifically addressed secure coding. They discussed common attacks, how they happen, what in your code allows them to happen, and how to change your code so that they can't happen anymore. Along with those 5 webinars, there are 5 CBT modules that cover similar items very deeply. And there is a test at the end that will earn you a certificate. The 10 CPEs count towards my CISSP, C|EH and WCNA requirements.

WhiteHat also has regularly scheduled webinars on various topics. They also offer the same paid developer training (for corporate consumption) as Veracode. But the CSD training is really worth the time and effort. I never expected to be able to say that I'm a Certified Secure Developer.

Posted by BlueWolf on March 8, 2018 12:08 PM