"IRM has engaged with MDSec to provide ongoing training for our consultants. Overall we have been highly impressed by the feedback of all of our attendees whether they were new to the field, established testers, or working in a parallel field such as our PCI QSAs. We intend to use the training as a trusted benchmark for all newer technical consultants in the future."
Paul Midian, IRM PLC
"MWR believe that the continual development of its consultants is a fundamental part of its success in delivering value to its clients. The MDSec training labs have proven to be a successful complement to the internal development programme and have demonstrated a tangible ROI for MWR."
Dave Hartley, MWR
"My testers are more skilled and confident after using MDSec's online labs"
Randall works for a mid-sized consultancy, managing a growing team of pen testers. He has a few great people on his team, on whom he can always rely to deliver a great job. But the economics of the industry mean that he must also use less experienced testers. They all work hard and are keen to learn, but they lack the depth of experience that is needed to work without supervision and deliver consistent results.
Randall would love to send his whole team to a large training event like Black Hat, but he can't justify the expense. A couple of his guys had read The Web Application Hacker's Handbook, and found it to be a great help, but they wanted more hands-on experience of vulnerabilities that they weren't confident of finding when working on client engagements. Randall agreed a modest budget for them to use MDSec's online training labs while working through the book.
The results were impressive. The consultants who tried the online labs were able to quickly fill in the gaps in their knowledge, by targeting the lab exercises for vulnerabilities that they weren't already familiar with. They became more confident and proficient on tests, and could be relied on to work under their own steam, identifying issues in client applications which they might previously have missed.
Randall realised that for a few hundred dollars, he could provide his entire team with a high quality training experience, to improve both their skills and their motivation. He has now had all of his consultants work through MDSec's online labs, and uses this as his technical induction for all new recruits.
"I run a team of 12 developers, mainly working on in-house web applications. Historically, we’ve had a poor track record on security, with numerous issues being identified just prior to go-live and very often afterwards as well. I’ve now made 5 of my guys work through the MDSec online labs. The difference in their output has been remarkable, and I’ll certainly be doing the same with the rest of my team."
Susie Morse, Applications Development Manager, London-based bank
"I’m a seasoned network penetration tester, who missed the boat when web apps first rose to prominence. I was always afraid of learning new techniques, until a colleague told me about the Web App Hacker’s Handbook, and the online labs that go with it. I’ve never looked back."
Josh Coulsen, Network and App Tester
"I've reduced my reliance on outside security testers"
Sandy heads up a group of QA testers, with responsibility for all of the web applications developed in-house by a large US retailer. Traditionally, she has used outside consultants for security testing, with mixed results. Due to limited resources, security testers were brought in right at the end of projects, when applications were near completion and all of the key design and implementation decisions had already been made. She typically wound up trying to persuade stressed developers to make hasty code fixes to resolve the most important vulnerabilities, and compromising on the remaining issues in the interests of going live on time.
Sandy has assembled a great team of skilled and dedicated QA professionals, but they have previously been reluctant to get involved in security testing, regarding this mysterious area as off-limits. After noting the caliber of the average security professional, Sandy persuaded some of her testers to try their hand at basic security testing. They used MDSec's online labs to see first-hand what all kinds of security vulnerabilities looked like, and got to grips with the basic tools needed to find them. They began to report these issues to developers early on in the development lifecycle, when there was plenty of time to modify applications in order to fix them.
As a result, the security reviews that were scheduled at the end of projects began to report fewer and less significant issues. The last-minute scrambles to fix broken code are now in the past. Sandy has reduced the budget assigned to external security testing, and her QA people are happy to be broadening their skills and doing interesting technical work. After training themselves on MDSec's vulnerability labs, they realize that security testing isn't a mystery, and is fun!