White Hacker Profession: how to turn a hobby into a job

Positive Education is in touch, and we are continuing a series of publications about professions in the field of cybersecurity. The need for such experts is growing at breakneck speed, and "information security specialist" is no longer a single profession. Narrower specialties have formed within the industry (we previously published a scheme of the professions), and we decided to tell you about the 10 most trending professions in the field of cybersecurity. Today we want to introduce you to a white hacker — a person who has been developing this field in Russia for the past 15 years.

Hello, Habr!

My name is Dmitry Serebryannikov, and I'm a hacker. Correction: white hacker. First of all, I am a researcher — I check technologies for security. Good specialists in our profession are worth their weight in gold. Do you want to upgrade yourself and become the best? Then read on: I'll tell you what you need to do to get into the world of white hackers — ethically and without hacking.

Dmitry Serebryannikov — Director of Security Analysis at Positive Technologies. Specializes in finding vulnerabilities in the software code of web applications, analyzing the security of network infrastructure and systems on different platforms. Dmitry was repeatedly thanked for discovering vulnerabilities by Adobe, Apple, Google, and Red Hat. He holds the Microsoft Certified IT Professional (Enterprise Administrator on Windows Server 2008) and OSCP (Offensive Security Certified Professional) certifications.


Who is the white hacker

In simple terms, a white hacker is a computer security specialist who examines IT systems and looks for vulnerabilities in them but, unlike black hackers, acts ethically: they help companies detect and eliminate security gaps in order to prevent real attacks in the future.

The field of activity of white hackers is impressive: applications, networks, hardware, Wi-Fi... Let's look at the example of web applications. Let's say we get a task to analyze the security of an application. We may be given only the site and, if there is an authorization form, accounts with rights (user, administrator). Then we test different scenarios, but we mostly search at random: something is found, and something may go unnoticed. It's another matter if the source code is provided: we can see how the application is written, and we can study specific crawling mechanisms — the analysis turns out to be deeper, and the results are more reliable. After checking, we prepare a detailed report, where we describe step by step what we did, what methods we used, what we found, and how to fix it.

What does "hacker approach" mean?

For myself, I have formulated three components of the hacker approach:
  • The first is critical thinking, the ability to look at any IT system from the point of view of its weaknesses. It's not enough to know how the system works — you need to be able to formulate hypotheses (for example, how to cause atypical behavior of the program, which the developers may not have foreseen).
  • The second component is the willingness to develop. New conditions will always arise in the hacker's work — you won't be able to follow the same pattern every time. Let's say you've learned how to hammer nails and you do it well. But there is a task to hammer a nail in zero gravity — and now you need to apply your skills in a new environment and, most importantly, to figure out how to do it.
  • Finally, the third is passion. A white hacker is a rare profession. As a rule, these are people who have turned a hobby into a job. Strictly speaking, there is no classic linear path to the profession. The scheme "I want to be a lawyer — I'll go to law school, they'll teach me there" does not work in our field. Everything comes from interest. You start learning, get more involved, devote a lot of your free time to hacking... and then you realize that you can do it all the time, make it your job.

That's how I came to be a hacker: through interest. I was 15 and wanted to be an archaeologist, but I got a computer... and off we go! First, I came across a thematic article and began to study it more deeply — and this was 2004, the materials had to be collected bit by bit. So I sat for a year on various forums, looked around — and realized where I wanted to go.

Now the situation with information sources has changed dramatically: the flow is extensive, and reviews and messages on social networks can be found on any topic — as soon as someone publishes an interesting article about an attack, it is quickly distributed. It is important for us to be aware of everything that is happening, and especially of what is "under the radar" and does not receive wide publicity. For example, the Chinese segment has recently produced a lot of good content, but it is little known.

How to develop a white hacker

We have a very honest profession. People work together on projects, and you can immediately see who is doing what, what vulnerabilities they find, and how deep they dig. Here you will not be able to pretend to be a super cool person, your real level will be visible already on the first projects. In general, our field is very creative. Often, at the start, only the image of the result is clear — what needs to be achieved. For example, during external penetration testing, a client sets the task of "breaking through" the company's perimeter, but how to do this is unknown. If there is a "boxed" product in the perimeter, you can explore it. If authorization forms are provided, you can try to choose a password. If the code is self-written and is not identified as a vendor's solution, creativity is enabled. In any case, the goal is the same — to gain access to the internal network, and everyone acts as they can. As artists, we search, try, and combine approaches, methodologies, and styles to create a work of art. At the same time, we act as a team.

How to achieve success in the profession? First, it is important not to stop. New techniques, technologies, languages... In just a couple of months, there are a lot of changes in the industry, and if you don't learn them, then you will have to catch up for a long time. Secondly, of course, there should be practice on real tasks. You can't just go through training and hone your skills on a test stand — you need to face live systems many times and learn how to break them in real projects. Third, and this is key, it is important to have seen enough different cases. The more different cases you meet and can solve on your own, the easier it will be to solve new tasks.

The race between those who attack and those who defend has always been and always will be. Its complexity, technological equipment, and response speed are increasing, after all. The level of security of, for example, 10 years ago cannot be compared with the current one. Accordingly, the threshold for entering the profession becomes higher. However, the fundamental principle, the same hacker view of the system from the position of being able to bypass it, remains unchanged.

Bonus! How to become a white hacker: step-by-step instructions

  1. First of all, decide on the direction. White hacker is a common profession name, and there are many specializations: penetration testing, web application security analysis, mobile application security analysis, and RBS security analysis. Choose what you are interested in and what you want to develop in.
  2. Read articles in your chosen field. Find people who regularly write about attacks and vulnerabilities, subscribe, and join the community. Hackers, as a rule, communicate on Twitter: information spreads very quickly there. As soon as a new vulnerability appears, someone will post about it, and many will retweet. For example, take a look at our PT SWARM blog and see who we read.
  3. You need practice. If you want to learn about web application security, start with the PortSwigger Academy: it is free and offers a lot of training materials, including laboratory work. The main thing is to try to do something yourself: even the most profound theoretical knowledge will not fully level you up in the profession. There are no theoretical hackers.
  4. Do you feel ready for real challenges? Test your skills by taking part in the bug bounty program, where white hackers search for vulnerabilities and earn money from it. At the same time, you can evaluate your real level.

In addition, I recommend studying specific systems and technologies. This will help you understand how they work. For example, at one time I went to Cisco courses, not to learn how to build networks but to be able to hack them. Where can there be configuration errors? Under what conditions will the protection work, and when will it fail? The deeper your knowledge of the technology, the easier it is to find a vulnerability in it.

It is useful to understand the code — to understand where it is bad in terms of security. Learn programming languages. The more you know, the better. This expands the boundaries of thinking, and it is more important for a white hacker than anyone else to constantly develop.

What challenges do white hackers face?

The main challenge for us today is the personnel shortage. Take, for example, my team: the workload on projects is so high that in December we have a full schedule for the first half of next year. We don't physically have time to process the entire request flow.

As I wrote earlier, a white hacker is a rare profession, and specialists need to be raised and developed. And we are ready to do it. This year we plan to launch training for the development of white hackers — lectures, training materials, skills development on stands. At the same time, the threshold for entering the program will be minimal: our task is to guide a person from the initial "I know what an IP address is, and I can install Windows" to the level of an advanced specialist. And the best ones should be invited to join your team.

P. S. By the way, very soon, on May 25, within the framework of the Positive Hack Days 2 cyber festival, a Youth Day will be held, where the Positive Education team will talk about popular specialties in the field of information security and conduct a thematic quest where those who wish will be able to "try on" the profession of an information security specialist, including trying themselves as a white hacker. The event will be held simultaneously in Moscow, St. Petersburg, Kazan and Nizhny Novgorod. You can view the detailed program and register for the Youth Day here. Admission is free.

(c) Dmitry Serebryannikov