How Kali Linux creators plan to handle the future of penetration testing
Offensive Security might be best known as the company behind Kali Linux, the popular (and free) open-source pen testing platform, but its contribution to the information security industry is definitely not limited to it.
“Over 60% of Fortune 100 companies employ Offensive Security-trained professionals – that is definitely something for us to be proud of,” says its CEO, Ning Wang.
The company’s main goal, according to her, is to train millions of professionals to embrace the hacker mindset and the essential ethical hacking skills needed to break into and to succeed within the cybersecurity industry.
“Traditionally, we have focused on those with a fair amount of IT hands-on experience to gain the try harder mindset to become a professional penetration tester. Going forward, we will develop training for more people with more diverse backgrounds,” she told Help Net Security.
The right background for the CEO role
Offensive Security was founded in 2006, and for the last year and eleven months, it has been headed by Wang.
She studied and got a Ph.D. in physics, but not long after she turned to business and went through a series of jobs that perfectly prepared her for the current CEO position: she was a finance, engineering, and operations chief of online education outfit Lynda.com (now known as Microsoft’s LinkedIn Learning); served as chief finance officer of Eucalyptus, a cloud software-maker now owned by HPE; and most recently was second-in-command at HackerOne, a bug bounty startup that has had a major impact developing the market for ethical hackers.
Those positions gave her experience in working with the open source community (and a deep understanding of the importance of, and support for, Kali Linux) and with online training. They also led her to the realization that traditional methods of security training are highly ineffective, and that the key to addressing the security talent shortage faced by the industry is to attract people who are innately curious, train them to gain problem-solving skills, and develop the hacker mindset.
“Offensive Security is my first foray into leading a company and I am conscious of being a woman CEO in a male-dominated field. Furthermore, 2020 has certainly presented its own set of unique challenges that have required innovation and creativity from the leadership team. However, I am proud to say that through it all, OffSec has maintained momentum, even accelerating in some areas, building out our product line and continually making new products available to the security community,” she noted.
Offensive Security under Wang
Since Wang’s appointment, the OffSec team has more than doubled, and the company has trained more security and IT professionals and issued more certifications than in any previous year.
The company also:
- Updated its most popular training and certification courses, including Penetration Testing with Kali Linux (PWK) and Advanced Web Attacks and Exploitation (AWAE)
- Launched a new security training course, PEN-300, an advanced course designed to teach established security professionals new techniques for executing advanced attacks against hardened, mature networks. (Those who successfully complete the course and pass a 48-hour practical exam gain the Offensive Security Experienced Penetration Tester – OSEP certification.)
- Introduced the OffSec Flex program, a product tailored to enterprise customers, to help address the cybersecurity talent shortage, and Proving Grounds, new lab environments designed to allow security and IT professionals to experiment with hacking techniques, sharpen and maintain their security and pentesting skills, and get a sense of the experience of being enrolled in OffSec’s sought-after certification programs.
The Kali Linux distribution, designed specifically for penetration testing and digital forensics, is still offered free of charge. Under Wang’s leadership, OffSec has formed a dedicated Kali team and made quarterly releases since January 2019, which have received positive reviews from the community.
“Kali and other projects like Exploit Database, the largest collection of exploits and vulnerabilities on the internet, keep us uniquely in tune with the needs of the security community and continue to inform our company direction,” she explained.
But the thing she’s most proud of is that OffSec has become a company with a clear set of well-defined core company values: family, passion, integrity, community and innovation.
“We live by these values as we scale, hire and operate. As a CEO, I found my own style through the support of our team members: have the courage to be authentic and vulnerable. We have cultivated an environment to embrace and practice a growth mindset, build vulnerability-based trust, and empower and enable our team to do their best. My job as CEO is about how to make our people happier in ways I or OffSec can influence.”
Pushing penetration testing to the next level
As mentioned before, OffSec is planning to develop training for people with diverse backgrounds – but the approach to learning will still be the same.
“We do not offer simple ‘check the box’ courses at OffSec. We put our students through intensive hands-on training and then make them apply the knowledge that they have acquired in challenging, immersive lab environments,” Wang explained.
“Anyone can learn how to operate a vulnerability scanner. At OffSec, however, we don’t just teach our students how to operate tools. The goal rather is to establish an adversarial mindset within the student body, training security professionals to look beyond the obvious, try harder and identify vulnerabilities before attackers do. OffSec is unique in its hands-on, practical approach. This kind of mindset, the way to think and work, is what is required to do a pen test engagement in the real world.”
And, as defensive controls become more and more effective, the company is meeting the need for more advanced penetration testing skills.
Ten years ago, the OSCP level of skills was sufficient to be a good pentester, but not anymore, Wang said, noting that pen test engagements increasingly involve web properties, and that improved antivirus software and monitoring tools prevent pen testers from getting into the target systems in routine ways.
“This is why we have recently launched our tier two courses – Advanced Web Attacks and Exploitation (AWAE) and Evasion Techniques and Breaching Defenses (ETBD) – and will soon launch Windows User Mode Exploit Development (WUMED). We believe that to be an effective pen tester in a modern environment, one needs to have skills at the ETBD level and also be proficient with web properties with skills at our AWAE level,” she opined.
“The Penetration Testing with Kali Linux (PWK) course and the Offensive Security Certified Professional (OSCP) certification remain the foundational level of skills for pen testers to gain, but operate as a baseline that will need to be built upon. We believe our new forthcoming OSCE3 certification is what is needed to work as a viable, skilled pen tester in the 2020s.”