Learn ethical hacking: Insights from YesWeHackEDU users

In 2019, we launched YesWeHackEDU, providing a complete environment for learning ethical hacking. YesWeHackEDU is the educational portal of our Bug Bounty platform and a unique training ecosystem on cybersecurity best practices. A global Bug Bounty leader, we have leveraged our expertise in coordinated vulnerability disclosure and our ecosystem of clients and researchers to create the world’s first educational Bug Bounty platform. YesWeHackEDU thus allows users to practice vulnerability hunting and management in real-world scenarios, as they would do in production environments.

The COVID-19 pandemic kept students away from the classroom; hence YesWeHack decided to provide free YesWeHackEDU licenses to all schools and universities. Doing so enabled teachers to resume instilling cybersecurity skills through an innovative platform, despite the pandemic.

Providing two-month free licenses for YesWeHackEDU resulted in more than 3,000 student accounts enrolled in 180-plus schools and universities around the world. We have been learning a lot from the ways those budding talents used the platform. So we sat down with representatives from universities to gather fresh insights on how one learns ethical hacking with YesWeHackEDU.

We talked to:

  • Damien Naviliat, Head of the IT curriculum in charge of the cybersecurity section at CFAI84, France.
  • Driss Essayed-Messaoudi, Head of Cybersecurity and Network in charge of the cybersecurity section at ESAIP, France.
  • Eileen Yeo, Senior Lecturer at Singapore Polytechnic.
  • Boris Choo, Lecturer at the School of Computing at Singapore Polytechnic.

What motivated you to include the YesWeHackEDU platform in the curriculum you lead?

Damien Naviliat (DN): I was already familiar with Bug Bounty, and I heard about YesWeHackEDU from a colleague. The two-month free licenses offer was really timely; we needed to make a pedagogical change during that period. With the pandemic, we needed to change the way of teaching to keep the students involved and focused. Of course, I knew what I was getting into. YesWeHack has an excellent reputation, so I knew the platform would be up to standard.

Boris Choo (BC): We held a YesWeHack workshop last September, and it was a great success. Our students greatly enjoyed the teaching and the challenges on the bug hunting exercise. Following this, our teaching team decided to evaluate the YesWeHackEDU platform to see how it can be integrated into our curriculum and take into consideration the learning experience of the students. We capitalized on the “COVID offer” to make our first steps with the platform.

Eileen Yeo (EY): Among different topics in the curriculum, our students also learn web programming. So, they need to be aware of the potential problems in those applications. Learning about web application vulnerabilities is thus part of the cybersecurity curriculum.

How did you introduce YesWeHackEDU in your school? What was the students’ reaction?

DN: Getting started was very easy thanks to the provided documentation. I invited students from all grades. I also told them that those able to find bugs and who would give a proper report would get one to two points on their lowest grade (depending on the quality of the work submitted).

Driss Essayed-Messaoudi (DEM): We kicked off by providing the first scenario to 80 graduate students. They had to submit their reports to me, and I was in charge of qualifying them. The students who took over the platform immediately embraced its format. They were highly motivated and committed to the platform without any problem. Indeed, the platform and the scenarios are what they would be facing in an actual business environment.

DN: The freshmen rushed to the platform; they thought it was awesome even though it was a little bit complicated for them. The vulnerabilities are very well thought out for beginners; even with the instructions, they were challenging. The students spent a lot of time poking around though, trying to develop their logical sense and so on, which is very good.

The sophomores were a little lazier (laughs); they were like: “oh no, more extra work…”. Still, a few students, especially those in apprenticeship, spent time hunting on YesWeHackEDU and had excellent results. A student interning at Airbus used to do this on an internal company platform. He found all vulnerabilities in one weekend and told me he had a wonderful time.

The juniors were best equipped for this exercise. Still, they could not participate as at the time we were launching YesWeHackEDU, they were in the process of completing their OCSP.

In your opinion, what are YesWeHackEDU’s main strengths?

DEM: YesWeHackEDU offers an ambitious and exciting program. It allows students to face real-world cases from actual cybersecurity scenarios. Allowing our students to deal with the issues that companies face is the main strength of YesWeHackEDU.

An example of a vulnerable website homepage on a dedicated training environment.

YesWeHackEDU makes it easy to confront them with a wide range of actual scenarios and enrich their cybersecurity culture. The more real-world cases they face, the faster they acquire a certain level of expertise in solving the problems they encounter. In short, we instil them with the right instincts to detect and address vulnerabilities.

EY: The students’ YesWeHackEDU instance is on the Internet, so it spares us the trouble of having to set it up locally, which is the case for other platforms. On the content side, the platform covers specific web vulnerabilities. Thus, we can expose the students to different types of bugs in contemporary web applications.

DN: For beginners, it is very well done. You have all the documentation you need. There are several paths: some obvious and some less so. From the teacher’s point of view, the platform is great, too. There are Bug Bounty report templates so you can see what you can expect and also some suggested solutions for the instructors.

Additionally, you can interact with the students as you would with hunters on an actual Bug Bounty program. In that aspect, the tool is very well designed. I asked some of the students to rewrite their reports and make them more accurate. I expected them to produce qualitative reports, to a level which a company would expect, with a POC, like in a real-world context. For the students who played along, it clearly illustrated how a professional Bug Bounty platform works.

An example of a vulnerability reporting timeline on a training environment.

What is also really great about YesWeHackEDU is that there are individual instances per student. Thus, one will not break everything for others. Focusing on the development of expertise instead of managing hiccups with the tool is a huge advantage.

And finally, the real advantage is that it is all turnkey: the platform is easy to handle, and – importantly – it’s not overpriced. It’s created by Bug Bounty experts and obviously, infrastructure specialists too. The product is top-notch.

What does YesWeHackEDU bring to your teaching methods?

DEM: YesWeHackEDU challenges students with real-life scenarios. Something that doesn’t exist elsewhere. The platform allows us to consolidate our programs with access to a flexible and modular tool specialized in Bug Bounty education and more broadly in cybersecurity.

The program allows us to start with a very guided and supervised approach. Then, it is effortless to leave the students to their own devices once they are capable and thus encourage them to train on their own. Our pedagogical vision is to encourage learning through experimentation. YesWeHackEDU enables that approach throughout the entire Bug Bounty value chain.

What’s next?

DEM: If we used YesWeHackEDU from the beginning of the school year, we could imagine that the experienced graduate students would take over the role of program managers and the juniors and seniors would act as ethical hackers. Not only does this type of approach create healthy competition among students, it also allows students to learn how to disclose vulnerabilities and how to manage Bug Bounty programs as they might do in their professional lives. Our students have very technical backgrounds. Teaching them how to manage and organize Bug Bounty programs undeniably gives them the managerial edge they will need in the future.

DN: We will definitely try to continue the YesWeHackEDU experience and include exercises on the platform throughout the year. Thank you for creating this platform; it broadens the horizon of what’s possible in terms of teaching.

Anything else you would like to add?

DN: I would also like to mention the ethical and social added value. It’s rare to have French people, or Europeans, doing good things in the sector, which is often dominated by Americans. YesWeHack is one of the Bug Bounty world leaders, and not all youths necessarily know that it exists and that it’s French. It’s good to know that the French, or rather non-Americans, build things just as good. If you can do it, we can do it too 🙂

Thank you!