Computer security - How to keep the bad guys out

Gaining experience by contributing to open source

06-01-2019, 09:11 by itnithand, 6 comments
I am currently an undergrad student studying computer science and while my university has no cybersecurity program or classes I have always taken an interest in security and would like to ultimately find a job in the field. I occasionally compete in CTFs and have done small development projects but have never had the opportunity to try to experience real world security issues. I was thinking that trying to find some open source projects to contribute to would be the best way to gain that sort of experience but I have no idea how to approach these projects with a security mindset. Any advice would be greatly appreciated!
Comments (6)
06-01-2019, 10:09 by Anonymous
Find an open source project. Find problems in it. Say, look through open tickets, look through the source, run fuzzers at it, you name it. Patch them. Submit your solution as proper patches with a concise description of the problem and your solution.

It's not hard if you have the skills, but it's a lot of work. And perhaps, certainly in the beginning, you should focus on the collaboration, documentation, and writing code (in the style of the project at hand) parts, rather than strictly security. Of course, you do keep an eye open for security implications, and thus you slowly specialise. But you need many more skills than "security" to really be able to contribute.
06-01-2019, 11:40 by Bitwiper - Updated: 06-01-2019, 11:41
A good way to start may be reading relevant threads in the archives of the "Open Source Security" mailing list, which can be found here for example: https://seclists.org/oss-sec/. Try to remember names of people with insightful contributions, like Hanno Böck (sometimes spelled Boeck).

If you're particularly interested in web application security, OWASP is the organization to start with.

Furthermore, on the SANS.edu / .org websites, in particular in the "reading room" (https://www.sans.org/reading-room/categories), one can find a huge amount of security-related case studies.

It must be noted however that security.nl is a Dutch website. Not every visitor will be able to read, let alone write, English text. So it may be a good idea to find yourself an English-language forum (probably plenty exist, including https://isc.sans.edu/forums/).

Good luck!
06-01-2019, 12:41 by Anonymous
What does O.W.A.S.P stand for? Anyone who investigates these organizations?


jc
06-01-2019, 14:16 by Bitwiper
By Anonymous: What does O.W.A.S.P stand for? Anyone who investigates these organizations?


jc
Maybe you don't know what G.O.O.G.L.E means?
06-01-2019, 15:32 by Anonymous
By Bitwiper:
By Anonymous: What does O.W.A.S.P stand for? Anyone who investigates these organizations?

jc
Maybe you don't know what G.O.O.G.L.E means?

Duh, Google is no abbreviation. So Google has nothing to do with G.O.O.G.L.E.
Actually "Google" is a wordplay coming from "googol" which is an immense number (1 followed by a hundred 0s).

O.W.A.S.P. however is an abbreviation.
This webpage tells what it means: https://www.owasp.org/index.php/Main_Page


p.s.
06-01-2019, 19:37 by itnithand
[Removed by moderator]

This post is locked. Replying is no longer possible.