On Saturday Dec 3, at BSides Cape Town we announced the winner of a prize for local information security research. The purpose of the competition was twofold. Firstly, to highlight interesting research produced in .za for the purpose of publicising up 'n coming security folks, since there are a few disparate communities (academic / industry is the greatest split). Secondly, to provide some degree of reward in the form of a cash prize. The prize is (unsurprisingly) not meant to compensate for time spent, but rather to give the typical researcher who conducts the work in their spare time some recognition and perhaps a cool gadget to associate with the work.
The competition was a little disappointing for a single, but significant, reason: the lack of nominations. In all, six people nominated three pieces of work from two researchers. Considering there were four security conferences this year in South Africa, it's hard to believe that even a reasonable minority of the research produced was considered for the prize. This was a no-strings-attached cash prize; there is no handover of IP or copyright, and no requirements on the winner (though we do offer an interview on our blog to publicise their work, should they choose to). With this in mind, it's strange how few nominations were received; for example, while the competition received some coverage on Twitter, very few nominations originated from there. The timing was tight (the competition was announced two weeks prior to BSides), but that only accounts for a smaller reach, not a lack of involvement.
The two nominees were:
Thanks to Pieter for organising BSides Cape Town and providing us a spot to announce the winners, and thanks to everyone who sent in a nomination. Compliments to both nominees for having their work recognised by others in the community, and congratulations to Etienne for winning the prize.
We remain committed to research and the sponsorship concept, so expect an announcement towards the end of next year and keep an eye open during the year for research that strikes you as interesting.
An education isn't how much you have committed to memory, or even how much you know. It's being able to differentiate between what you know and what you don't. - Anatole France
Jobs within Information Security, and indeed Information Technology, are often more than a 9-5 affair for many who choose them as their career. There is a wealth of different technologies, frameworks, approaches and information that you need to understand to perform your job to a suitable level. In IT security specifically, with the pace of technology constantly growing, keeping abreast is often easier said than done.
Locally, there is a severe lack of established courses catering for those new to Information Security, or for those looking to obtain a more meaningful qualification. When Rhodes University announced they were offering a Masters course in Information Security here in South Africa, and asked SensePost if they'd like to present a number of modules, we were more than happy to be involved.
Barry Irwin asked us to deliver a weekend of application security: the whys, hows, whats and whens of all things application security. Armed with suitable vulnerable web applications for the students to abuse and use, I made the trip down to Grahamstown in April.
The course started with an understanding of why security has traditionally been hard to implement in the development life-cycle and then moved on to the various challenges faced by those responsible for developing applications. The course drew on the experience of those within SensePost, who have been involved in large application deployments and worked with customers in helping them produce secure applications.
Since all talk and no fun isn't the best approach for learning, students were let loose on commonly deployed applications and taught how to break them. Whilst many have heard the term "SQL injection", doing it correctly for the first time always brings an evil smile upon the face of whoever is doing it. As an industry, we are very quick to use acronyms and expect others to know what we are talking about, but often fail to realise this isn't always the case. From basic authorisation flaws to chained logic flaws, the main areas of abuse were talked about.
Besides being told by a few of the students that their brains had exploded, the course went well and everyone enjoyed hacking and learning, even if it was only for a weekend.
It was fantastic to see many reach the "aaah ha!" moment when it all made sense. SensePost has a large training offering, from beginner to advanced courses, and nothing means more to a trainer than when someone understands something they've struggled with previously.
It's a great sign for the country knowing that Rhodes is producing some of South Africa's next Information Security champions, and it's even better knowing that SensePost was helping.
If you wish to learn how to perform security assessments the correct way, SensePost offers a comprehensive suite of training courses. We are also offering training at the Black Hat security conference in Las Vegas in July.
Contact our sales team if you wish to learn more about the training offerings.