Full Report
An education isn't how much you have committed to memory, or even how much you know. It's being able to differentiate between what you know and what you don't. – Anatole France

Jobs within Information Security, and indeed Information Technology, are often more than a 9-5 affair for many who choose them as their career. There is a wealth of different technologies, frameworks, approaches and information that you need to understand to perform your job to a suitable level. In IT security specifically, with the pace of technology constantly growing, keeping abreast is often easier said than done.
Analysis Summary
# Main Topic
The primary narrative focuses on the continuous learning and depth required for professionals in Information Security and IT, specifically highlighting a hands-on training module presented by SensePost for the Rhodes University Master's course in Information Security.
## Key Points
- Information Security jobs are often more than a 9-to-5 affair, because of the breadth of technologies, frameworks and approaches that must be understood and the pace at which they change.
- There is a noted lack of established, qualifying courses for newcomers in Information Security, making advanced training (like the Rhodes MSc) vital.
- The sense of accomplishment ("aaah ha!" moment) when professionals grasp complex concepts is essential to effective learning.
- The training module focused heavily on practical application security, moving beyond just theory.
- The experience emphasized the difficulty of keeping abreast of rapidly growing technology in the security domain.
## Threat Actors
- No threat actors or APT groups are named; the source describes a training course, not an attack campaign.
## TTPs
- The training specifically covered and demonstrated offensive techniques against applications, including:
  - SQL injection (explicitly mentioned as a key topic).
  - Basic authorization flaws.
  - Chained logic flaws.
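As an added illustration of the first two items above (example code written for this page, not code from the SensePost module or the original post), the Python script below builds a small SQLite database and shows a login query assembled by string concatenation, the comment-based injection that bypasses its password check, the parameterized form that defeats the same input, and a basic authorization flaw where an invoice is fetched by ID without checking that it belongs to the requesting user, beside the corrected query. The schema, user accounts, passwords and invoice rows are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo: two users and two invoices.
    Passwords are stored in clear text only to keep the example short;
    a real application would store a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'correct horse');
        INSERT INTO invoices VALUES (10, 1, 500), (11, 2, 75);
        """
    )
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: untrusted input is spliced straight into the query text.
    A username of  alice' --  turns the rest of the statement into a comment,
    so the password clause is never evaluated."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the driver sends the values separately from the query
    text, so quotes and comment markers in the input are just data."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def get_invoice_vulnerable(conn, invoice_id):
    """Basic authorization flaw: the query is parameterized, so there is no
    injection, but any logged-in user can read any invoice by guessing its ID
    because ownership is never checked."""
    return conn.execute(
        "SELECT owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_fixed(conn, invoice_id, current_user_id):
    """Corrected: the ownership check is part of the query, so a user can only
    retrieve invoices that belong to them."""
    return conn.execute(
        "SELECT owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"  # constructed injection payload
    print("vulnerable login with injected username:", login_vulnerable(db, payload, "wrong"))
    print("parameterized login with same input:    ", login_parameterized(db, payload, "wrong"))
    print("bob (id 2) reads alice's invoice 10:     ", get_invoice_vulnerable(db, 10))
    print("same request with ownership check:      ", get_invoice_fixed(db, 10, 2))
```

The two flaws are independent: the invoice lookup is already parameterized and still leaks data, which is why the module's separation of injection from authorization flaws matters in practice.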
## Affected Systems
- The training utilized "commonly deployed applications" and vulnerable web applications for students to practice exploitation.
- The broader point is that security is hard to build correctly into the **software development life cycle (SDLC)**, which is why training focuses on how deployed applications actually fail.
## Mitigations
- Emphasis placed on proper security training and achieving a deep understanding of concepts (knowing what you don't know).
- Practical knowledge gained through hands-on experience breaking deliberately vulnerable applications.
- Encouragement to attend comprehensive training courses offered by specialists like SensePost.
## Conclusion
The core message is that success in IT Security mandates continuous, deep learning—not just memorization. To combat the speed of technological change, professionals require practical skills demonstrated by hands-on training, specifically covering foundational application attack vectors like SQL injection and logic flaws, to better defend systems.
***
# Morning News Roll-up 16 May 2011
## Overview
The article serves as a retrospective on a practical application security training module conducted by SensePost for the Rhodes University MSc Information Security program, emphasizing the perpetual need for learning in the demanding field of IT Security.
## Top Stories
### Application Security Training at Rhodes University
- Summary: SensePost delivered a weekend module focused intensely on application security "whys, hows, whats and whens" as part of the MSc program, using vulnerable apps for hands-on exploitation practice.
- Source: SensePost | Rhodes MSc Information Security Weekend
### Demand for Qualified Security Education
- Summary: The author notes a local (South African, where Rhodes University is based) lack of established, meaningful qualification courses for those entering or advancing in Information Security.
- Source: SensePost | Rhodes MSc Information Security Weekend
### Importance of Practical Hacking Skills
- Summary: Students were taught how to correctly execute attacks such as SQL injection and identify logic flaws, highlighting that practical experience is crucial for true understanding ("aaah ha!" moment).
- Source: SensePost | Rhodes MSc Information Security Weekend