Podcast #2: Anouk Vos, Cyberworkplace

Anouk Vos is the founder of Revnext, a strategy consultancy firm specialising in technology-driven strategies in the Netherlands, and chairman of Cyberworkplace, a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market (see my article about it here).

If you want to know more about:

  • Cyberworkplace and how to help reduce the shortage of cybersecurity experts
  • Cybersecurity from a former diplomat's point of view

Listen to this podcast! (You can download the file in mp3.)


    Podcast #1: Melanie Rieback, Radically Open Security

    Melanie Rieback is co-founder and CEO of Radically Open Security, the world’s first not-for-profit computer security consultancy company (see my article about my internship with them here).

    If you want to know more about:

    • The first not-for-profit computer security consultancy company
    • The vision of cybersecurity of a social entrepreneur

    Listen to this podcast! (You can download the file in mp3.)

    My internship at Radically Open Security

    One of my goals in this ethical hacker challenge was to volunteer for a GREAT organization. This is what I did with Radically Open Security, who welcomed me as an intern for six months.

    How did I get this opportunity?

    When I started working in IT, I quickly had concerns about the lack of safety on the Internet.
    My curiosity and thirst for learning therefore led me to wonder how a safer cyberspace could be built.
    This quest shaped the type of company I wanted to be involved with. That is when I discovered the existence of ROS (Amsterdam, Netherlands) and Melanie Rieback in a press article.
    This initiative was obviously in line with the values I want to promote.
    Transparency is the central point of this company, and its business model is a promise of a better social future.

    What is Radically Open Security?

    « Radically Open Security is the world’s first not-for-profit computer security consultancy company. We are prototyping an innovative new business model – using a Dutch « Fiscaal Fondswervende Instelling » (Fiscal Fundraising Institution) to provide a commercial front-end that sends 90% of our profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organizations for almost 20 years. The other 10% of our profits will go to an employee profit-sharing scheme, in which the secretary accumulates profit-sharing rights as quickly as the CEO. Additionally, due to our low management/overhead costs, we can afford to pay competitive wages to our computer security consultants.  »
    At ROS everybody works remotely.
    (source: https://radicallyopensecurity.com/business-model.htm)

    Wait! Not for profit?

    Yes, not for profit! Let Melanie Rieback, co-founder and CEO, explain this to you:

    What services do they offer?

    • Penetration testing, ethical hacks and social engineering
    • Malware reversing and analysis
    • Network monitoring and threat detection
    • Forensics
    • CSIRT and incident response
    • Code audits
    • DDoS Testing
    • Cryptographic analysis
    • Custom R&D Projects
    • Workshops, trainings and mentoring
    • Misc: Embedded, Android and RFID Security

    (source: https://radicallyopensecurity.com/services.htm)

    What did I do?

    Participation in the creation of a Capture-The-Flag (CTF) game

    ROS helped build a CTF for the CyberHeroes week of the non-profit organization Cyberworkplace (see my article about the CyberHeroes week here).
    The theme of the week was Heroes in cyber, so I built a list of many heroes from the cybersecurity world, along with cryptography and cybersecurity resources.

    Observation of pentests

    I was added to some pentesting channels on RocketChat, a chat platform used for work communication. This way, I was able to peek over the shoulders of pentesters and see how they work and how they communicate with the client, as the pentests are completely open to the clients from beginning to end (this is one of the core principles of ROS).

    Review of pentest reports

    I was able to read and review some pentest reports. This really helped me see how proper pentest reports are built, what pentesters look for while pentesting and which tools they use.

    Improvement of the onboarding manual for new staff members

    When I onboarded I was provided with an onboarding manual. As I encountered some small problems setting up my work environment, I added some entries to the onboarding manual in order to help future onboarders who have the same configuration I had.

    Creation of a wiki page with relevant onboarding information for new staff members

    ROS wanted to improve the onboarding process and provide onboarders with resources and useful information.
    This is why I created a wiki page with many resources for every type of position (project management, software development, pentesting, …). I also added a section with general information about ROS.
    After setting up this wiki, I invited everyone to contribute and share their knowledge with relevant links: their favorite tools that help them in their tasks, great articles they’ve read, anything they would find relevant.

    Submission of a process for improving internal training

    We wanted to improve the internal training, which is why I wrote a document proposing some ideas on the subject.

    Helping a coworker with the use of GitLab (Radically Open Security’s file storage system)

    One of the other interns was new to GitLab. As I had previously encountered Git and worked with it, I was able to help.

    Organizing folders in GitLab

    ROS puts their projects and documentation on an internal GitLab instance. I updated the organization of the folders.

    Use of PenText and XML

    « The OWASP PenText XML documentation project can help your software security company produce offers, reports, invoices and generic documents by offering a well-structured and easy to maintain documenting system you can modify to your liking. »
    This tool was created by ROS, who open-sourced it and made it available on GitHub.
    In order to use PenText you need to know XML.
    I really enjoyed using PenText. XML is really useful and you get to generate great-looking documents. This saves a lot of work, mainly for pentesting reports, but it can also be used to save time on other types of reports.

    What did I get from this experience?

    As I plan to build a company, ROS was an inspiring and innovative model for tomorrow’s companies.
    More specifically, I learned how a holacratic system works in a company. This system, in which everyone has a place and a voice, was a beautiful discovery.
    On a more technical level, I have used many tools such as PenText.
    Finally, I appreciated working remotely because it requires a personal work organization that demands autonomy and rigor.

    (source: CyberHeroes week flickr) During the CyberHeroes week I had the opportunity to meet Daan, Steven, Melanie and Anh from ROS.

    To go further

    CyberHeroes week by Cyberworkplace

    During my internship at Radically Open Security, I had the opportunity to help build a CTF made for the CyberHeroes week of Cyberworkplace.
    I found Cyberworkplace’s initiative so great that I asked if I could volunteer for the CyberHeroes week. Not only did they accept me as a volunteer, they also invited me to come as a participant.

    What is Cyberworkplace?

    Cyberworkplace is a Dutch initiative based in Rotterdam. It « is a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market and provides much-needed 21st-century skills to vulnerable young people (dropouts/ gamers/students, who lack practical experience in their study programs).
    The training/lessons given at Cyberworkplace are inspired by modern teaching methods such as peer-to-peer techniques and project-based learning. » (source: https://cyberworkplace.tech/wat-is/)

    What is CyberHeroes?

    « CyberHeroes is a one-week training program that brings together twenty talented youngsters from The Netherlands and New Mexico, USA. Together they will be trained in ethical hacking skills to address current security threats. Over the course of one week they will take on hacker battles, work on CSI-type cyber challenges with local police, study the history of cryptography, learn to fight cyber crime alongside international hackers, and much more. » (source: Cyberheroes booklet)

    (source: Cyberheroes flickr)

    What happened?

    Day 1: Cryptography and Lockpicking

    (source: cyberheroes booklet)

    Philip Zimmermann gave a great talk about cryptography and data protection.
    He described the evolution of the Internet and the impact it has had on privacy.

    (source: cyberheroes booklet)

    (source: Oscar Koeroo’s slides)

    Oscar Koeroo started his workshop with a talk about his work at KPN and how they handle security.
    In 2012 KPN was hacked; that year they decided to set up a Security Operations Center to better handle such incidents.
    KPN’s CISO strategy and policy is made available to everyone here.
    After this introduction, he started explaining cryptography concepts.
    He then detailed RSA encryption.
    Finally we practiced RSA encryption, encrypting our own messages with our own numbers.
    He mentioned a very good tool to help us with the assignments:
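The RSA exercise from the workshop (encrypting your own messages with your own numbers), as an added example that is not from the workshop or its slides: a toy RSA in Python using the constructed primes 61 and 53, plus, to show why classroom numbers are nothing like real key sizes, a routine that rebuilds the private key by factoring the tiny modulus.

```python
# Toy RSA, added here to illustrate the classroom exercise described above.
# The primes, exponent and messages are constructed for this example; real
# RSA keys use a modulus of 2048 bits or more and padding (OAEP), neither of
# which this toy has.
from math import gcd


def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)) for distinct primes p, q and public exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)       # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = modinv(e, phi)            # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt_int(m: int, pub) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be a number smaller than n")
    return pow(m, e, n)


def decrypt_int(c: int, priv) -> int:
    d, n = priv
    return pow(c, d, n)


def encrypt_text(text: str, pub):
    """Encrypt one character code at a time, as in the exercise (not secure:
    identical characters give identical ciphertext blocks)."""
    return [encrypt_int(ord(ch), pub) for ch in text]


def decrypt_text(blocks, priv) -> str:
    return "".join(chr(decrypt_int(c, priv)) for c in blocks)


def factor_small_modulus(n: int):
    """Trial division; feasible only for classroom-sized n. RSA's security
    rests on this step being infeasible for the real modulus size."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None


def recover_private_key(pub):
    """Rebuild (d, n) from the public key once n has been factored."""
    e, n = pub
    p, q = factor_small_modulus(n)
    return modinv(e, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)      # constructed classroom primes
    c = encrypt_text("RSA", pub)
    print("public key:", pub, "ciphertext:", c)
    print("decrypted:", decrypt_text(c, priv))
    print("private key recovered from the public key alone:", recover_private_key(pub))
```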

    (source: Cyberheroes flickr)

    We ended the day with lockpicking; now I really want to buy my own lockpicking set! 😀 It reminded me of the video game Skyrim, except it is much easier with a joystick ^^

    Day 2: CTF with Radically Open Security

    (source: screenshot of the CTF platform made by Daan Spitz from Radically Open Security)

    In the morning, Daan Spitz was introduced and the CTF started.
    Daan works for Radically Open Security, which sponsored the event and provided a CTF he had built.
    In the afternoon, Melanie Rieback, CEO of Radically Open Security, was introduced; she presented ROS and gave a great demo talk about password cracking.
    We cracked the password « TreeHouse1234 » in less than 33 seconds!
    The demo and slides can be found on ROS’s GitHub.

    (source: Cyberheroes flickr)

    Day 3: On a boat with the Dutch Police

    (source: Cyberheroes flickr)

    On day 3, we spent the whole day at the Seaport Police of Rotterdam.
    We had the opportunity to meet Dirk-Jan Grootenboer, Peter Duin and other great police officers. They presented the Seaport Police and their work.
    The Cyber Resilience unit has several goals:

    • Awareness of cyber threats and risks by citizens, corporations and other organisations
    • Know how to act: reactive, preventive, pro-active
    • Work together to share knowledge and new opportunities offered by technology
    • Resulting in continuous growth of cyber resiliency
    • From cyber security to cyber resilience
    • From reactive to pro active thinking and acting
    • Catching the advantages of cyber with an open eye for the risks

    (source: Police officers talk)

    Then, we had a CSI-like challenge and a police patrol boat adventure. We were able to work on our social engineering skills and see the huge port of Rotterdam (the largest in Europe).

    In the afternoon, Floor Jansen and Marinus Boekelo joined us to present the Hack_Right initiative and explain the amazing takeover of Hansa Market, a dark web marketplace.
    Hack_Right is an initiative to help young hackers who committed a small crime get back on the right path and use their skills for ethical hacking.
    It consists of 4 modules:

    1. Restorative justice: by committing a crime you break your connection with the victim; to repair this, you have to do something for the community. In this module, cyber criminals are confronted with the damage and possibly even with the victims.
    2. Training: ethical and legal boundaries.
    3. Coaching: a personal connection between coach and offender. This involves providing longer-term guidance to the offender, linking them to someone from the community.
    4. Alternative: shows the opportunities on the labour market and teaches young people where to develop their talents.

    (source: Floor Jansen’s talk and Mediawijzer’s article)

    Day 4: Cybersprint at The Hague Security Delta and US Ambassador residence

    In the morning, we worked on « Make it Smart »: Maarten van Duivenbode introduced us to smart objects and how to use them. We were able to program lights and their colors.

    In the afternoon, we visited Cybersprint at The Hague Security Delta.
    Cynthia Schouten gave an introductory talk and a tour of the campus. We visited Hogeschool Leiden’s IoT lab, where we were introduced to a mixed reality tool that aims to train students in forensics with simulated crime scenes.

    (source: Cyberheroes flickr)

    Then, we visited Splendo, who introduced us to their smart bike lock project for X-bike.

    After the tour, Peter van Eijk, who works at the municipality of The Hague, presented the Hack Den Haag CTF, a CTF to help the city of The Hague become more secure.
    Finally, Soufian El Yadmani gave an amazing talk about his journey into cybersecurity. He explained that he was hired as a cybersecurity analyst at Cybersprint after winning a CTF. He and his team travel to many CTF competitions.
    His secret to being a good ethical hacker? Practice, practice, practice!

    After our visit to The Hague Security Delta campus we went to the US Ambassador’s residence for a reception for the CyberHeroes program. There, Peter Hoekstra, the US Ambassador, Anouk Vos from Cyberworkplace and Charles Ashley III from Cultivating Coders gave talks.
    The Ambassador is now a proud hacker in a beautiful Cyberworkplace hoodie and the owner of a CyberHeroes medal!

    (source: Cyberheroes flickr)

    Day 5 and 6: Trip to Leeuwarden, no escape possible 😀

    (source: Cyberheroes flickr)

    On the last two days of CyberHeroes, we were invited to Leeuwarden for a CTF at the amazing Hacklab.
    Leeuwarden is a beautiful historical city in the north of the Netherlands that was European Capital of Culture in 2018.
    The CTF gave us the opportunity to learn a lot.
    After all this hacking we had to go to jail… just joking, we only spent the night in a former prison: Alibi Hostel.

    But before going to sleep, we took part in a great escape game made by Henk van Ee, founder of Cybersafety4u, in which we had to unlock a hacker’s phone.

    (source: Cyberheroes flickr)

    To conclude this awesome week, we all got a certificate and a CyberHeroes medal.
    Needless to say I was very proud to participate in and help with this great adventure.
    I would like to take the time to thank Radically Open Security (Melanie and Anh), without whom I would not have heard about Cyberworkplace.
    Thanks also to Anouk, Nasya and Maria from Cyberworkplace, who welcomed me for this week.
    They all did amazing work and I would definitely recommend that everyone who has the opportunity take part in a week like this.
    Volunteer or help Cyberworkplace any way you can; they do such amazing work for students and cybersecurity lovers.

    (source: CyberHeroes flickr) Volunteers for the CyberHeroes week: Adelle, Anh, Maria, Anouk, me, Nasya

    To go further:

    About the forum


    Note: As the forum did not attract many people, I am thinking about another way to offer an exchange of knowledge and mutual support open to all.


    A Forum to self-study cybersecurity collectively

    A few days ago I published my article on Peerlyst about how to create an open education degree in cybersecurity for free. In a comment, someone raised a very important issue: how do you stay focused when you study alone online?

    • You can easily be distracted,
    • We tend to scatter ourselves,
    • It is not always easy to learn alone.

    To answer these questions, I first suggested this very good MOOC by Dr Barbara Oakley (McMaster University, University of California San Diego): Learning How to Learn on Coursera.

    This MOOC is really helpful for understanding the process of learning. You get tips and tricks to learn more efficiently.

    I also answered that making lists of objectives helps a lot. For instance you can make a list of things to achieve for the day, the week or the month.
    The most important thing is to define what you want to learn and where you want to go. Then write it down as objectives you would like to fulfil within a certain time frame.

    And to break the loneliness of self-study, I decided to create a forum to gather people who want to learn collectively. It is a place open to everyone who wants to learn and share knowledge, no matter your age, gender, level, country and so on.

    In brief, it is a forum that can be used to learn a specific subject or to look up an answer when you run into an issue.

    picture of the forum

    Here is a picture of the forum as it currently is. It is not its final look; it will evolve with users and their needs.

    As you can see, there is an English and a French part for now.

    If you speak another language you can ask me to add a category. This would open the forum even more to everyone no matter where they live and which language they speak.

    private part for women

    This part is only for women or people who identify as women, to feel more comfortable learning together. This part is private and you need to ask me for access to it.

    Feel free to make this forum a place where learning is free and open to everyone. Learning with peers and meeting around a specific topic or MOOC will be easier to achieve.

    Finally, people from the industry and experts are welcome to share their experiences and build a community for open education in cybersecurity.

    So let’s build a safe internet by learning cybersecurity together.


    Resources


    To go further in my challenge, I have built a panel of open resources.
    I collected these resources progressively: I looked at French and foreign university programs and at job descriptions in cybersecurity, but also at the unconventional profiles I had the opportunity to meet.
    Indeed, my last six months have been punctuated by MOOCs, CTFs, a summer school, cybersecurity conferences and job interviews.
    The adventure continues with an internship in which I will have the opportunity to put this knowledge to the test.

    I wanted to share the results of my research here in order to give other people the opportunity to train themselves.
    This page is divided into several parts:

    – « MOOCs » on specific topics,

    – « Webinars » and « videos » for a more visual format,

    – The « books, reference articles, tutorial sites, associations, conferences and useful blogs » section provides resources to turn to, on different subjects, to complement what the MOOCs teach.
    It also contains a list of very specific conferences that I found on Wikipedia and, for women, a list of women’s communities in cybersecurity,

    – Finally, the CTF and games part lets you put it all into practice and offers moments of relaxation.

    Not all links are completely free, but I have tried to find resources that are at least partly free and open for everyone to use.

    Feel free to comment if you have other references or events (workshops, bootcamps, summer schools, …) around the world.

    Please help me complete my list of women-in-cybersecurity communities if you know any.



    Introduction to Cybersecurity

    Advanced Cybersecurity

    Cybersecurity and digital humanities

    Cryptography

    Data

    Networks and network security

    Programming

    Others

    Books, papers, articles, useful websites, tutorials, communities, conferences and blogs

    Law and Policy

    Economy

    Cryptography, maths

    Operating Systems

    Geopolitics

    Surveillance, personal data protection, data leaks

    Cybersecurity techniques and tools, conventions, learning resources

    Introduction to cybersecurity and introductory teaching tools

    Social Engineering

    Labs and virtual machines

    Digital Humanities

    Software development, reverse engineering, code review

    Events

    Games, CTF, wargames, vulnerable apps and websites, guides for CTF (organization / participation), challenges (crypto or other)

    Bug bounty platforms

    Engensec IT Security Summer School


    To move forward in my challenge, I decided to attend a summer school. That is how, in July, I had the great opportunity to attend a European program in cybersecurity in the beautiful city of Lviv (Ukraine).
    This program was held by the Lviv National Polytechnic University and the classes were organised in a beautiful annex of the university.
    view from the outside
    entrance hall
    Many students from different countries attended this studious week: Ukraine, Sweden, Poland, the Netherlands, Luxembourg and France.

    Presentation of the IT Security Summer School at the Lviv National Polytechnic University.

    Why a summer school?

    Well, a summer school is a short and intensive way to gain skills quickly, plus you get to meet people from all over the world.
    It also seemed important to me to confront my knowledge with practical group exercises, to give an interactive dimension to my self-taught learning. Finally, being coached by cybersecurity experts during the summer school allowed me to consolidate the knowledge acquired during the previous months.

    What did we learn?

    On the first day, we had a first assignment which was fun. We were given a list of teams named after malware. The goal was to find our teammates with the help of this list. It was a very good ice breaker to first meet the attendees. To go further with the social interactions, we also had a team quest to get to know each other better and discover the city.

    The high-quality courses were taught by professors from leading European universities in Sweden, Poland and Ukraine.

    The four main subjects discussed during the week

    Malware Analysis

    First, the history of ransomware (the first ransomware: the AIDS trojan, 1989) was discussed.
    Then we reviewed different ransomware families: their encryption method, how they interact with the user and, for some of them, how to decrypt the files.
    The practical exercises allowed me to understand the steps necessary to analyze malware.
    However, there is no single way or infallible method. This field requires great patience and perseverance to gain experience.

    Software Security

    This course covered: programming problems and buffer overflows, defensive programming, revision control systems and good practices.

    About the « good practices » part: I wish I had had such a course during my training as a programmer. Secure development practices are, in my opinion, a must-know for every developer.

    The lab about buffers was really helpful to better understand buffer overflow errors and how they can make software very vulnerable. I had another lab in which I had to manipulate and debug a program in order to find a password.

    Web Security (including web app vulnerabilities)

    Web security is quite an important piece of cybersecurity.
    This class gave me an overview of the most common vulnerabilities on the web. With this course I was able to complete my list of tools and websites related to web security.

    I really enjoyed the practical exercises because they were divided into several stages and allowed me to progress naturally according to the level of difficulty. More precisely, during these exercises I tested authentication vulnerabilities, SQL injection, XSS vulnerabilities and ethical hacking.


    This course gave a good overview of the duties of a pentester.
    First we discussed several elements such as technical terms, the different types of hackers, pentesting tools and methodologies.
    We also worked on the methodology to follow when writing a pentesting report.
    I also learned the techniques of malicious hackers in order to be able to propose a good defense strategy.

    Finally, all the practical exercises allowed me to get used to the tools used during pentests, analyze vulnerabilities, test web applications and put social engineering methods into practice.

    A step in the workforce

    At the end of the fourth day, two professionals came to share their experiences in the Security Operations Center of a Ukrainian business. They described their work and the issues they have to tackle every day.

    This presentation gave us an inside view of the work of cybersecurity professionals.

    A place of culture and full of history

    The City of Lviv

    Lviv is a city in western Ukraine which was founded in the 13th century but has roots going back to the 6th century. Needless to say it is full of history.

    Opera House of Lviv

    You’ll have many opportunities to broaden your culture:

    • Go to the opera and see a beautiful piece
    • Visit beautiful churches
    • Just walk around in the streets of the old town
    • Eat and discover local gastronomy

    The city tour

    Engensec organized an amazing city tour for us, with historical reconstructions and actors in costume in many corners of the city.
    It was a very good break from the classes and good entertainment.
    sword fight
    guided tour

    Why should you attend Engensec?

    – The organizers are very welcoming and helpful
    – You get to have social interactions with people from all over the world
    – If you want high-quality classes at a great value, this is totally the place to go
    – You get a certificate at the end of the week and ECTS credits for a total of 60 hours
    certificate example

    To go further

    To advance in my challenge, I decided to attend a summer school. So in July I had the opportunity to attend a European cybersecurity programme in the beautiful city of Lviv (Ukraine).
    This programme was organized by the Lviv Polytechnic National University and the classes took place in a magnificent annex of the University.

    view from the outside
    entrance hall

    Many students from different countries took part in this studious week: Ukraine, Sweden, Poland, the Netherlands, Luxembourg and France.

    Presentation of the Engensec security summer school at Lviv Polytechnic National University.

    Why a summer school?

    A summer school is a short, intensive way to quickly acquire skills and meet people from all over the world. It also seemed important to me to confront my knowledge with hands-on group work, to give an interactive dimension to my self-taught learning. Finally, being guided by cybersecurity experts during the summer school allowed me to consolidate the knowledge acquired over the previous months.

    What did we learn?

    On the first day we had a first, rather fun exercise. We were given a list of teams named after malware. The goal was to find our teammates using this list. It was a very good way to break the ice. To go further with social interactions, we also had a team quest to get to know each other better and discover the city.

    The high-quality classes were led by professors from major European universities in Sweden, Poland and Ukraine.

    The subjects covered during the week

    Malware Analysis

    In this module we covered the history of ransomware (the first ransomware: the AIDS trojan, 1989).
    Then we reviewed different ransomware families: their encryption method, the way they present themselves to the user and, for some of them, how to decrypt the files.

    The practical exercises allowed me to understand the steps needed to analyze a malware sample.
    However, there is no single way of doing it, nor an infallible method. This field requires a lot of patience and perseverance, leaving room for trial and error and for experience.

    Software Security

    In this course we covered: programming errors including buffer overflows, defensive programming, revision control systems and good programming practices.

    Regarding the « good practices » part, I would have liked to have a course like this one during my training as a developer. In my opinion, it is essential to know these good practices in order to be able to deliver secure software.

    The practical exercise on buffers was really useful to understand how a buffer overflow error can make a piece of software very vulnerable. In another exercise, we had to manipulate and debug a program in order to find a password.

    Web Security (including web application vulnerabilities)

    Web security is an essential component of cybersecurity. This course gives an overview of the most common vulnerabilities on the web.
    Thanks to this course I was also able to complete my list of tools and websites related to web security.

    I really appreciated the practical exercises because they were divided into several steps and allowed a natural progression according to the level of difficulty. More precisely, during these exercises I tested authentication vulnerabilities, SQL injection, XSS flaws and ethical hacking.


    This course gave a good overview of the tasks that fall to the pentester.
    First we covered several elements such as technical terms, the definitions of hacker profiles, and pentesting tools and methodologies.
    We also worked on the methodology to follow when writing a pentesting report.
    I also learned about the techniques of malicious hackers in order to propose a good defense strategy.

    Finally, all the practical exercises allowed me to get familiar with the tools used during pentests, analyze vulnerabilities, test web applications and put social engineering methods into practice.

    An overview of job opportunities

    At the end of the fourth day, two professionals came to share their experience in the Security Operation Center of a Ukrainian company. They described their work and the problems they faced every day.

    This presentation was interesting for getting the point of view of cybersecurity professionals.

    A place of culture and full of history

    The city of Lviv

    Lviv is a city in western Ukraine which was founded in the 13th century but has roots going back to the 6th century. It is therefore a city full of history.
    Opera House of Lviv

    So you will have many opportunities to broaden your culture:

    • Go to the Opera and see a beautiful piece
    • Visit beautiful churches
    • Walk the streets of the old town
    • Discover the local gastronomy

    The city tour

    Engensec organized a tour for us with a historical re-enactment performed by actors in costume in many corners of the city.
    It was a very good break from the classes and good entertainment.
    sword fight
    guided tour

    Why should you come to Engensec?

    – The organizers are very welcoming and helpful.
    – You will have social interactions with people from all over the world.
    – If you want high-quality classes at an affordable price, this is the ideal place.
    – You get a certification at the end of the week and ECTS credits for a total of 60 hours.
    – The programme is open to everyone, with no requirement on level or age.

    certificate example

    To go further

    Certified Secure online training

    When I pre-registered for the ICSS 2018, I got access to a website called Certified Secure, an online training website on which you can even earn some certificates.
    With my account, I have temporary access to everything, even premium content.

    Panel of the premium content

    User Profile

    Here is what a user profile looks like (screenshot of a user profile):

    On the left, you have all the certifications you can get.
    The panel in the middle shows what to achieve to get the selected certificate (Here the Essential Security certificate).
    These are mostly quizzes, CTFs and games.
    To find out how to answer the quizzes or to get help with the games and CTFs, you can watch the videos or read the provided content (cheat sheets, for instance). There is also a forum in Dutch (which you can easily translate with DeepL) and an IRC channel with an active community that is always willing to help.
    Finally, on the right, you have the extra content (not mandatory to get a certificate).
    With the arrow on the top right, you can switch between each certificate’s content.

    When you succeed and get a certificate, you can download it as PDF and you’ll have something looking like this:

    Certificate for Essential Security certificate

    The challenges

    You have a few challenges. But don’t worry if you have no idea how to solve them: videos are provided to help you out.
    Some of those challenges are free, others are premium.

    – This is a platform where you can learn things pretty quickly and get certificates for it.
    – If you don’t want to pay you still can have access to many things.
    – Fun, entertaining, engaging.
    – Great helpful community.
    – Even if some content and challenges are only in Dutch, you can still complete them with a good translator like DeepL

    – Some challenges are only in Dutch
    – The community forum is only in Dutch

    To conclude, I would recommend it because it is helpful for learning the basics. Even if some challenges are only in Dutch, I managed to complete them with DeepL.
    Like I said, this training is challenging in a fun way. The challenges are well made and the tutors in the videos are really helpful.

    OECD’s 2018 forum « What brings us together »

    On Tuesday the 29th of May 2018, thanks to Led by Her, I was invited to the OECD’s forum and went to three talks.

    This panel was moderated by Cyrille Lachèvre, a macroeconomics reporter from the French media outlet « L’Opinion », who put questions to every member of the panel.
    As an introduction, he said that cybersecurity is such a big subject that they decided to focus only on the following question:

    “How can public and private sector cooperate to enhance cybersecurity and especially government and private actors?”

    Moderator’s question to David Martinon: “What is the French strategy and how do you handle the cybersecurity question from the government’s point of view?”

    • Organize the state so that it can ensure the security of critical infrastructure
    • The Diplomatic Strategy consists, through multilateral negotiations at the United Nations, in trying to stabilize cyberspace.
    • We need to find diplomatic answers to cyberattacks and to new and hybrid cyberattacks.
    • No state is invulnerable, but also no state is unable to conduct attacks.
    • It is not a bloc-to-bloc confrontation but a multipolar context: everyone can act. And beyond the states, private actors are incredibly efficient. For each of them the expected benefit of a cyber attack is far beyond the initial investment. This is why we need to find a way to stabilize the situation.
    • The United Nations is trying to clarify the rules of international law applicable to cyberspace.
    • In the OECD we are trying (it is a French initiative) to engage in a multi-stakeholder debate. It is essential to involve a certain number of private actors whose role has a systemic scope.
    • There is a digital battlefield created by vulnerabilities in computer products (software or devices) of the market that can be exploited.
    • Three main ideas:
      • We want to achieve a better recognition by software and tool manufacturers of their economic, political and moral responsibilities.
      • Preventing the proliferation of the cyber arms trade
      • The need to ensure that a certain number of practices such as reverse hacking or hack back are prohibited, as they enable private actors to conduct private wars on behalf of private actors.

    Moderator’s question to Casper Klynge: “How can governments and private actors today work hand in hand with private companies to enhance private security?”

    • Wake-up call twelve months ago with the NotPetya attack
    • Two weeks ago, launch of a new cybersecurity strategy which focuses on multilateral collaboration. How can we cooperate multilaterally on cybersecurity issues?
    • Increase dialogue with the private sector, not only GAFAM: because we have a global mandate, we also take a global view on the industry, including in China, Asia and Europe.
    • Fundamental task: make sure that the companies will assume a responsibility which is proportional to the influence they are exercising over our societies.
    • We need to have a public-private partnership to find common solutions. We need the private sector to help us solve this problem.
    • We need to include Artificial Intelligence and Machine Learning in that equation. There’s a common misunderstanding that Artificial Intelligence will be part of the solution and will help us solve cyberattacks, but A.I. is going to increase the capabilities of state and non-state actors that are not necessarily well intentioned.

    Moderator’s question to Tarah Wheeler: “As you know private actors well, what is your opinion on this relationship with governments?”

    • She is afraid of an attack that has no name yet. What would be the Pearl Harbor of cybersecurity? What would be the attack that is so devastating that it gets a new name?
    • The public sector does not often listen to the best resource it has for determining in advance where risk lies. Many of the same vulnerabilities are still present in American and global internet infrastructures.
    • There’s a lack of partnership between private and public resources in the United States and beyond.
    • She hopes for the wisdom to reach a hand out and provide the kind of wisdom that private security tries to gather as well as information about the potential for devastating attacks. She calls for the public sector to listen carefully to the words that are coming from the information security about the vulnerabilities that they have discovered.
    • Public sector should listen to the information security community instead of prosecuting them, instead of frightening them with threats of lawsuits.

    Moderator’s question for Renata Avila: “We have developed countries that are seen as ambassadors on these cybersecurity questions, but we see a lot of developing countries with a lot of people getting used to the Internet, so danger could come from there also.”

    • Cybersecurity is a global problem; it is something that brings us together, and we are not bringing the right pieces into place, because the two ambassadors here are describing the public-private partnership but the consumer side, the citizen side, is neglected. Usually civil society finds closed doors. Why do we perpetuate this exclusion of the civil community from security? If you exclude the community from a security problem, you end up with a flaw.
    • Whoever we are, we are sleepwalking through this interconnectedness.
    • We need to follow a combined top-down and bottom-up approach, open up our spaces, be open about the problem and be more creative with the solutions. We have a responsibility not to delay this problem.

    Moderator’s question to Shane Curran: “Are you afraid of the protection of data? Or is it something that is getting better and better?”

    • He used to think that cybersecurity is mostly a human issue and that education is the best way to correct it. But that is not the case.
    • Data security is not something people want to learn about; only a small number of people have a keen interest in it and are developing their own knowledge of it.
    • In the example of Facebook, everybody cares about data privacy. Yet even with the Cambridge Analytica problem, people show a lack of care for data privacy.
    • That is why, with his company, he developed a platform that allows third-party services to process personal data without ever seeing or handling it.
    • The difficult thing for governments is to bring things out of academia and into a real-world use case. With cybersecurity in particular there’s a lot of research happening, but the solutions governments are trying are mostly regulatory. Over time this is not a feasible solution.

    Moderator’s question to the two ambassadors: “Do you fear a global attack? What kind of attack do you fear? How can we enhance education? How do we work with customers?”

    David Martinon

    • A global attack is something we fear, even though we have already faced that kind of attack.
    • There may at some point be cyber terrorist attacks. Skills are on the market, so if you are a mafia you have the means to hire people and carry out a cyber attack.

    Casper Klynge

    • We do fear a global attack, and with the growth of IoT, vulnerabilities are going to increase. This is a real issue and we need to do something about it.
    • We are trying to enable companies to say that they have been attacked without their image being impacted.
    • The international dimension is a critical part of it. We need to talk together, but we also need to bring in the private sector.
    • Digital inequality is an important part of it: it is damaging for companies, but for people it is a life-or-death issue.

    Moderator’s question for every panelist: “Who should pay for cyber protection? The state? Companies? Citizens?”

    Tarah Wheeler

    • Cybersecurity is a public good.
    • It’s not just private companies, not just the private sector or private citizens, who have the responsibility of paying for cyber protection; it’s much like removing pollution. Each responsible person has the responsibility not to pollute.
    • Cybersecurity is a public good that involves a partnership among industry, governments and citizens, all of whom bear responsibility for the ecosystem we are all affected by.

    Renata Avila

    Security should not be a bonus in the product; it should be the standard. The technology industry should redesign the standard for everyone.

    David Martinon

    • Everyone should take responsibility for cybersecurity.
    • Government cannot cover for everyone.
    • We don’t see the insurance market growing in Europe as it grows in the US, because pricing insurance contracts based on cyber risk is impossible.
    • How do we make sure that everyone including private companies behave correctly when they protect themselves?

    Shane Curran

    • He is a supporter of personal data monetization. There should be something similar to a bank for data privacy.
    • Individuals should definitely not pay for it.

    Moderator’s question: “How can we trust the NSA, and how can we trust the government to help us? How can we cope with this trust problem?”

    Tarah Wheeler

    • If your incentives are misaligned with those of who you should trust, you probably have a problem.
    • What is that trust based upon? For companies, incentives need to be based around serving their customers, and sometimes customers and users are not the same thing.
    • Don’t trust where you don’t have to, because you don’t know who you’re delegating that trust to as a third party.
    • The digital battleground is not only real, but it is very difficult to assign proper weights to it in terms of risk. If you can’t tell what your risk is, if you can’t tell what your problem is, and the people around you are not even sure that what you’re talking about is real, it is going to be difficult to trust them with your life, your security and your future.

    Casper Klynge

    • Part of the solution is to have standards for devices.
    • There is a difference between the EU and the US on the trust issue: in the EU we tend to trust governments. This is a difference of culture in where trust lies.
    • We need to find a common approach to regulation on the cybersecurity issue as well.

    Poll for the audience: Do you trust your government to handle cybersecurity?

    I made a big summary of this round table because I am really fascinated by the subject, and I felt like it was tackled in a different way than it usually is; that is why I think you should also have a look at the video.
    Every panelist was really interesting. I was particularly fascinated by Renata Avila, who brought to light very important issues regarding inequality.
    Finally, as Tarah Wheeler said, it is necessary to listen to the information security community, because they know very well what is happening in the field and could bring a lot to citizens, governments and private companies.

    Universal digital rights and digital inclusion

    For this round table I will only make a quick summary of what was said.

    • There is insufficient transparency regarding human rights in the digital sphere.
    • We outsource our own way of doing things as humans. Silicon Valley is telling us that speed is the right way.
    • Everyone has the right to learn and work as an adult throughout their life.
    • You don’t need to choose between privacy and AI anymore. You can use modern techniques without giving up privacy. We invented a way to create fake data and use it to train the AI. This method works even better.
    • With AI the real risk is bias.
    • The future has already arrived in marginalized communities too. They have to trade basic human rights for other rights (e.g. privacy for food).
    • The way that data flows has everything to do with who has power.
    • Companies start with the best of intentions; with time, things happen and go wrong. How do you make sure that policies are being made on the values of the company?
    • How do you take care of integrity and make sure that it is not questioned? Human rights are at critical stake.
    • You can’t blame propaganda for being powerful, because we all use it. But the drivers of all of this remain humans. We’re living in a world governed by us, not robots. Our values are what need to be challenged.
    • We need to move our business model away from targeted advertising. We need to take responsibility.

    I really invite you to follow every person on this panel, as everything that was said was really interesting. The best thing to do, though, if you want a nice summary of the subject, is to watch the video.

    Meet Tarah Wheeler the author of “Women in Tech: take your career to the next level with practical advice and inspiring stories”

    Meet Tarah Wheeler
    Interviewed by Sarah Box, Counsellor, Directorate for Science, Technology and Innovation, OECD.
    This presentation by Tarah Wheeler really made me want to read her book. She is really inspiring. She presented her book and gave us some advice.
    Here is a quick summary of what was said:

    • Most technology is interrelated in a way that we do not often pay attention to. It is overwhelming, but being a woman in tech can be overwhelming too.
    • With her book she hopes she has been a voice for other women. There’s a reason why she and seven other women talked about their experiences: “you are not alone”. There are women everywhere; all of us have different stories, but ultimately it is all the same: we all face the challenges, we all overcome them, and we are not alone.
    • The problem is there and it does not seem to get better. She keeps getting the same questions again and again about the subject, which means that those questions are not being answered properly by the companies we are working for.
    • She then gave some advice:
      • Money is power, don’t turn it down. When you negotiate a salary: don’t name a number first, the first person to name a number always loses. Don’t say yes to the first offer. Think and talk about always being a good member of the team and use that as a negotiating strategy.
      • If you feel like you are not being treated well in your current position: get out. It is not your job to make it better. Find the company that will treat you well or create your own.
      • How do you have a family and work life at the same time? As Sheryl Sandberg said there is no more important career choice a woman can make than her choice of a partner
      • If you have that sense of joy in tech don’t let anyone tell you to leave.

    To conclude, people from the audience asked her questions and for advice.
    If you want to see the full interview, which I encourage you to do, you can find it here.
    You can also buy her book here.

    To go further

    CTF Field Guide by Trail of Bits

    What is Trail of Bits?
    Trail of Bits is an independent information security company that aims to build better security for organizations around the world.
    You can learn more about them here.

    When you want to learn more about how to become an ethical hacker, how to get your hands dirty and start practicing, it is quite hard to know where to start.
    Of course you have plenty of information online, but it’s hard to find a way to start from scratch.
    The CTF Field Guide explains everything in a very structured way, and you’ll find plenty of resources (books, CTFs, wargames, websites, courses,… ).
    You’ll also be able to learn the differences between CTFs and wargames and the basics you should know about them.
    Besides, they explain what types of employers you have in the field and what kinds of jobs. This is a good point, because I had quite a hard time finding proper knowledge about this. I was only able to find out more when I talked to professionals and experts in the field.
    Furthermore, they make a good point in the chapter about certification. I’ll let you find out about it, but it made me think and reshape my challenge.
    When you’re done reading the intro, you’ll have a great base to continue practicing in a well-structured way, with a few main themes: Vulnerability Discovery, Exploit Creation, Forensics, Toolkit Creation and Operational Tradecraft.

    To conclude, I would totally recommend this guide if you are the kind of person who likes to learn things in a structured manner. Also, you’ll find a bunch of great advice.