One of the biggest challenges facing the AppSec industry today is the lack of skilled people. No matter how many firewalls are stood up, scans are run, or courses attended, almost all security efforts require highly trained practitioners. Whether it’s penetration testers, developers, hiring managers or release engineers, there are thousands of unfilled roles waiting for the right hires.
Unfortunately, not enough of those people exist. The need for talent has far outgrown the supply, leading to the natural emergence of new training mechanisms. The trend the Security Innovation team is most excited about is that of Cyber Ranges - simulated environments that help educate through hands-on attacking. We strongly believe that there is a huge community of smart, curious and driven talent that just hasn’t had a chance to learn! That’s why we run events like our March Hackness Tournament to help those with an interest in hacking build a skill set for it.
Today’s profile is especially exciting because it highlights how an engineer with minimal security background can quickly unlock their hidden talent. Brandon Evans is a Senior Software Engineer at Asurion who attended our Capture The Flag event at AppSec California 2019. To everyone’s surprise, including Brandon, he ended up winning the Gold Standard challenge, quickly mastering the skills needed to exploit a variety of vulnerabilities including XSS, SQL Injection and CSRF, while also being particularly adept at crafting phishing attacks. Brandon is the type of emerging security champion we like to see!
SI: What is your day job?
Brandon: I am a Senior Software Engineer at Asurion. I work on our Tech Expert service, which offers personalized help, guidance and tips across all of the customer’s connected devices. Currently, I lead the team that powers the payment system for the Anywhere Expert platform.
SI: Had you ever participated in CTF or Cyber Range events before?
Brandon: I didn't even know what a CTF was! I knew that it had something to do with hacking, but beyond causing some mischief as a teenager, I didn't have any practical experience in the field.
SI: Did you feel nervous or concerned about joining the CTF? If so, what would you recommend to others who may feel the same way?
Brandon: Absolutely! When I talked about it with my team, I learned that Asurion holds an internal Capture the Flag event annually. Apparently, one of my coworkers managed to win the last one despite never participating in such an event. This inspired me to give it a shot. To other CTF newbies, I say you should just go for it! Penetration testing is all about experimentation. You'll try doing something that no normal user would think of, find a way to take advantage of the result, use that exploit to get further into the system, and repeat. Unlike in a production system, you won't get caught and booted off the network, so never be afraid to try anything.
SI: What did you enjoy most about the CMD+CTRL Cyber Range?
Brandon: I loved how interactive the system was. When you find an exploit, you immediately get a pop-up that tells you how many points you've earned. It feels a lot like a video game. Very addicting.
SI: What would you recommend to others who are interested in thinking like an attacker but don't know where to start?
Brandon: At Asurion, our customers and partners have entrusted us with protecting their data, and we take this very seriously. As such, the engineers play the role of defenders, creating new features and products while employing best practices to minimize our associated risks. To think like an attacker, I simply need to imagine myself being on the other side of the battlefield. What mistakes would the engineer most likely make? Which parts of the system would have received the most care and attention for its design? What user activity would tip off the engineer that I've penetrated the system? Learning how to think like a defender will inform you how to think like an attacker and vice-versa.
We hope Brandon’s experiences help encourage many others to give hacking on the CMD+CTRL Cyber Ranges a try. The upcoming March Hackness Tournament from March 20-24 would be a perfect time to do so!