Research and Learning has been a big area of focus at my company, we45. We pride ourselves on teaching and training new and experienced cohorts who join our organization. It's not only a fun process to see someone learn a new skill, but incredibly rewarding to see it applied extensively in their sphere of work. We have weekly training sessions with people speaking about something they have learned through the week. We have two Capture-The-Flag events through the year, where we deliver a pretty tough CTF for our pentesters to find and solve. We put the "Continuous" in "Continuous Education".
This year, we started something new at we45: the "Fedex Week". The idea of this week is that every team ships <something> by the end of the week. We start on Monday and end on the Friday of that week. Everyone divides themselves into teams of 1-4 people during Fedex week and works on a project for the week, spending 80% of their time on the project and 20% on client deliverables (we pick a lean week). This is exactly the opposite of the split during other times of the year. During Fedex week, they need to "ship"/deliver something. This something could be:
- A new tool
- A new methodology
- Something that helps their colleagues at we45
- Something that helps we45 itself (in terms of sales, etc)
At the end of the week, there's a showcase session followed by a small party to end a week of constructive "doing". We had previously conducted "Fedex Days", where this entire exercise was reduced to a 24-hour window, but we found that 24 hours was too short to "deliver" anything.
This year's week-long project was a resounding success! We had some awesome projects being showcased by the teams. The teams largely consisted of penetration testers and security engineers, and they brought their "A" game to the table. Among the projects showcased, we saw:
- Smart Contract Security Project
- A Vulnerability Database with correlated Information
- Multiple Automated Recon projects
- A Mobile Security Automation Pipeline
- A world-class pentest automation framework
- A Methodology for Thick-Client Application Testing
Some of these projects will be open-sourced in the coming weeks. However, for me personally, this was an extremely rewarding experience for the following reasons:
- Most of the participants in the Fedex week were pentesters, i.e. the "breakers" in the security world. Most of them created projects that required them to code extensively. Most of them reported that they now had a great deal of respect, more than ever, for what developers do. I am truly happy about this outcome. Empathy, in my opinion, is a major success factor in what we do in Information Security.
- Most of them coded. A lot of security folks don't code. It's not that they don't want to code; it's just that they don't. Most of my team reported that having a clear goal and project made them pull up their socks and get codin'. As pentesters, most of us see things as black boxes. The ability to code changes all that, for the better, by far.
- As security folks, things often get tiresome (and sometimes depressing) when we are constantly finding flaws and getting pushback from teams for finding those flaws. This week gave everyone an opportunity to build something. And that is a different high from popping a meterpreter session on a remote host.
Overall, I think we had a great Fedex week at we45. Lots of learning for everyone. I see great potential for some projects coming out of the week.
On a side note, we45 is hiring Security Analysts for our Bangalore office. If you are interested, drop us a line and your profile here