Flying high in the Web Security Academy

We caught up with three high-flyers in our Web Security Academy - at the time of interview, they were ranked 2nd, 4th, and 6th out of thousands of users. If you want the full story, including some insider information and fantastic advice - check out our interviews with:

• Kamil Vavra - an AppSec engineer from the Czech Republic.
  

• Johnny Villarreal - a Californian offensive security researcher.
  

• Andres Rauschecker - a Munich-based cybersecurity enthusiast.

Naturally, given their ranking, our three high-flyers have completed all 197 of the labs currently available. Clearly proving themselves a force to be reckoned with, we wanted to get some tips and advice from them to share with the rest of our community.

Getting started

When it comes to getting started with working your way through the Web Security Academy, Kamil had some great advice:

For people who are just starting out, or maybe don’t have a security background, the solutions are really great as they allow those people to follow it through step by step. That way they get a proper understanding of what needs to be done. For people just learning, I’d definitely recommend that they work with the solution as they get the right guidance then, and they’ll be able to understand the exploit they’re pulling off much better.

If you are thinking about having a go at the Web Security Academy, make sure you read through our suggested learning path. We've lined up each topic so you can work through them one by one, and build up your skills as you progress through each of the labs.

Staying ahead of the game

Working your way through all 197 labs may at times feel like an impossible feat. When we asked Andres about whether or not he used the solutions, he was very clear:

There are lots of places where you can practice exploiting vulnerabilities, but none of them are quite as good as the Web Security Academy. Generally as a hacker, the ethic is that you provide all of the information. It's not like the solutions are giving you the exact answer though, they just help me to develop my knowledge without the process being a huge drain on my time.

Kamil is equally as adamant about using the solutions in what he considers to be the right way, even going so far as to create his own "solutions" for other members of the community:

When I do the labs, I work without the solutions, but quite often when I've completed one I get a whole bunch of messages on Twitter with people asking me to help them and tell them how I did it! I never give the answers away, I usually just give them one or two words that they need to think about to help them work it out for themselves. For me, the most important thing about doing the labs is that you need to think about them, really deeply, so just telling someone the solution or revealing it without trying ruins the whole point of it.

However you decide to approach each topic within the Web Security Academy, our high-flyers all believe that just making a start is the most important thing. We've put together some resources to help you get started on your journey.

Seeing the benefits

Our mission at PortSwigger is to enable the world to secure the web. Providing our Web Security Academy free of charge, and continually updated, is just one of the ways we're working toward achieving that mission. If you're looking for ways to improve your skills, take Johnny's advice and get started on your first topic:

The Web Security Academy has a full range of lesson plans, and it's also accessible to anybody. From a newbies perspective, or for someone who can't afford to pay for Burp Suite, technically anybody can solve the majority of the labs without it. The Web Security Academy is one of the most realistic representations of some of the vulnerabilities and findings that we discover, in real life at real companies.

Not sure where to begin? We've got a learning path ready and waiting for you.

Connecting with the community

The community of Burp Suite users, and Web Security Academy experts, seems to grow every single day. Kamil, Johnny, and Andres all talk at length about sharing their knowledge, and staying connected with the community.

As he was working through the Web Security Academy, Andres created a working document with helpful hints and learnings:

I've actually created an internal document, that I share with other people in my organization, to help them understand how to get the most benefit from using the amazing feature-set within Burp Suite.

Kamil on the other hand, has seen a different benefit from the community. As a non-native English speaker, he's found that the community has helped him to get his blog posts and security write-ups out there.

Whenever I post blogs and things, sometimes I get people commenting when I've shared them saying that they don't understand them. I explain to them that I'm not a native speaker and they all offer to help me write things more clearly in English. I love the community, they're always there to help.

Continuous learning

As is evidenced by the Web Security Academy itself, in that we're always able to find new topics and vulnerabilities for our users to learn to exploit, we know that the learning journey is never going to end.

Johnny spoke about this during our interview, particularly in terms of revisiting topics to keep your knowledge fresh and up to date:

I go back to the labs and topics for review, because I know full well that I don't retain everything, so it's always good to revisit them and brush up on my knowledge.

For people who are near to the start of their learning journey, Kamil had this final piece of advice to share:

Don't get overwhelmed with the amount of labs, because you have to start somewhere. When I decided I wanted to complete them all, I set myself a target to complete one lab every week. I failed at that to begin with, so I changed my target to be to complete one or two labs every two weeks. I slowly saw my progress, and I saw myself getting there bit by bit, so don't be scared and just go for it at your own pace.

Your Web Security Academy journey

No matter where you might be in your security journey, whether you're a newbie or a professional with years of experience under your belt, our Hall of Fame high-flyers are in unanimous agreement on at least one thing. There's always something new to learn.

Check out our interviews with Kamil, Andres, and Johnny, to learn more about their journeys, or read our getting started guide to find the best approach to beginning your own journey.

If you fancy trying your hand at the Web Security Academy, and perhaps bagging a place alongside the high flyers in our Hall of Fame, sign up for free now.

Emma Stocks