More and more highly educated young people are opting for a professional career as an ethical hacker at a cyber security company. The aim of this role is to help companies protect themselves against cyber-attacks. But what are the quality requirements for this new generation of ethical hackers, and how do you ensure that, as a security company, you are delivering the best specialists to clients? Security specialist Matthijs Melissen is responsible for training new ethical hackers at Computest Security. He explains how the training process has been designed and why Computest only assigns security specialists to clients once they have proven that they can find the same results as experienced testers.
Training process
As soon as people are taken on at Computest, they start an intensive training process which takes three to six months to complete. Melissen explains: “Our new employees sometimes come from very different backgrounds. They may have studied cyber security, but they may have also studied something entirely different such as aerospace engineering or mathematics. We also often take on developers wanting to become security specialists. What they all have in common is that they have at least a higher professional (HBO) or University education and they are able to think systematically. During our training process, we see whether they are actually able to demonstrate these skills in practice too.”
Four-phase training process
The standard training process for junior security specialists in training consists of four phases. They must successfully complete all phases before they can start working for Computest clients.
Phase 1: Development of a web application
In this phase, the security specialists in training learn how to develop their own web applications. This way, they learn how developers think when developing an application. This is important knowledge when investigating potential vulnerabilities in an application in a later phase.
Phase 2: Intensive security training
During a three-week whole-class training session, the participants learn how security works and how hacking works. Security specialists in training are given practice exercises which they learn to solve with the help of experienced trainers. At the end of this phase, they must pass a number of challenges which involve finding known vulnerabilities in existing software. These challenges can be found in a special training portal which Computest has set up for this purpose. They are only allowed to continue on to the next phase of the training process once they have successfully completed all of these challenges.
Phase 3: Shadow testing
Now it’s time for the really exciting work to begin. The ethical-hackers-to-be conduct the same security tests as Computest’s experienced hackers. Once the tests have been completed, a check is carried out to see whether the results match those of the experienced specialists. Extensive evaluations are carried out to raise the knowledge of the specialists in training to an even higher level. Participants must successfully complete these tests at least five times before they are allowed to continue to the final phase of the process.
Phase 4: Testing for clients
It is not until this phase that a specialist in training will start working for Computest clients. At this stage, all the tests that they carry out are checked first by experienced hackers before going to the client, thereby guaranteeing the quality of the security tests at all times.
More than just technology
In addition to all the technical skills acquired by the specialists in training, they also learn how to help clients as effectively as possible, how they should conduct an effective report discussion or how they should make the transition from technique to practice.
Only once all the phases of the training process have been completed can the new security specialists start working for Computest clients independently. And not everyone is successful: up to a quarter of the hackers in training drop out during Computest’s training process. Thanks to this intensive training process, however, Computest can always assure clients that they are working with experienced, top-quality security professionals who deliver sound tests.
Lifelong learning
Once the official training process has been completed, the security specialists continue their development. As part of quality assurance, experienced ethical hackers carry out a quality check after every test that a junior security specialist has performed independently. This allows junior ethical hackers to keep learning from more experienced colleagues, and quality remains guaranteed for Computest clients at all times. Internally, too, a lot is done to keep security specialists’ knowledge up to date. For example, knowledge sessions are organised on a regular basis, and information on the latest developments in the field of security is shared via various communication channels.
Quality guarantee for Computest clients
Matthijs Melissen on the importance of an intensive training process for ethical hackers: “We believe that our clients need to be able to rely on the quality of our security tests at all times. Computest has a strong reputation to maintain in that area, so we don’t want important vulnerabilities to be missed due to a lack of experience or too much attention to be paid to vulnerabilities that do not form a genuine problem. This is why we put so much time and energy into training our new staff as effectively as possible.”