Experiences from Educating Practitioners in Vulnerability Analysis
This paper presents a vulnerability analysis course developed specifically for practitioners, together with the experiences gained from running it. The course is a compact three-day course initially aimed at educating practitioners in the process of finding security weaknesses in their own products. After giving an overview of the course, the paper presents results from two different types of course evaluation. One evaluation was carried out on-site on the last day of the course, while the other was carried out 3–18 months after the participants had completed the course. Conclusions drawn from these evaluations with regard to recommended content for vulnerability analysis courses for practitioners are also provided.
Keywords: Test Suite, Software Tester, Post Evaluation, Pseudo Random Number Generator, Vulnerability Analysis