Globally, the information security industry is facing a shortage of talent. According to Cyberseek, the U.S. alone has nearly 500,000 unfilled information security positions. And, while Kansas and Missouri fare better than the national average for supply vs demand of cybersecurity professionals, there are still an estimated 10,000 information security jobs left unfilled in our region.
Security PS created the Cyber Apprentice Program to help address this gap and to invest in the next generation of cybersecurity professionals in the Kansas City metro area. The program begins with an Internship designed to train and mentor students and young professionals who want to build a career in cybersecurity but lack the hands-on experience often required for entry-level positions in the business world. By providing strong coursework, personal mentorship, and practical hands-on projects, the program gives high-school students, college students, and early career professionals an incredible opportunity to gain practical experience and accelerate their growth and career development in cybersecurity.
In April, Security PS reviewed over 50 applications and accepted 7 Interns into the program. With diverse backgrounds, walks of life, and interests, all of our Interns shared a strong drive to learn and grow in cybersecurity knowledge and skills. None had experience in application-layer security testing or analysis, which was the focus of this Internship term. Last week, 6 Interns completed the program, having stretched themselves to keep an accelerated pace of learning, collaboration, mentorship, and practical hands-on projects that demonstrated the growth and experience they achieved.
“I really appreciated that this was an actual real-world experience. Many internships have you watch people do their jobs. It was really beneficial to do the programming and analysis myself, to have the deadlines and meetings myself - all of it was beneficial to learn exactly what it means to do this type of work.” -- Shelby J.
Through the 13-week term, the Interns received training, direction, and mentoring from our Security PS Application Security team. Each Intern pushed themselves to learn new software development platforms and technologies and develop their own applications demonstrating those technologies. They then learned how to analyze their applications to understand how they work internally so they could have thoroughly informed conversations about the security implications of their application. Gaining experience with these technologies, industry-favored tools, and a rigorous analysis and documentation process, each of these Interns arrived at security conclusions beyond what automated testing tools can identify.
The difficulty and criteria required to complete these tasks set a high bar. The program's training and mentoring combined powerfully with this group's relentless tenacity to learn, propelling each Intern to complete the term with 3 application security projects in total to name as their own. Ultimately, we set high expectations for the Interns to demonstrate professional levels of communication, documentation, and teamwork. To their credit, they delivered.
The internship culminated in a final project where each member of the Cyber Apprentice Intern team was given a real, production application with wide-ranging, diverse, and complex technologies, some of which they had never seen before. Their objective: research, analyze, and assess the application to determine its inner machinations and clearly communicate how the application worked to a seasoned Security PS Application Security team member.
“From the beginning of the internship to now, I definitely wouldn’t have been able to do this level of analysis without going through the first two projects … I had never assessed this type of application before … it took me two days to research and figure it out … but once I got through that point it became really fun … It was a lot of fun to figure out what was going on once I got my feet on the ground.” -- Grant S.
The program put an emphasis on learning to analyze how an application works, which is the critical foundation of security analysis. Using the analysis processes taught by their mentors, the Interns naturally began identifying security problems in their applications, including session fixation, weak and improper OAuth grant types, reflected XSS, credential harvesting, and bypass of authentication process steps. ...Not your average vulnerabilities for newcomers! So proud.
“It was really exciting to analyze a real application. ... I really enjoyed doing the analysis because this is something that is real, it isn’t fake or theoretical, and I really learned it. I have never done analysis like this before this internship... I have the confidence now that, yes, I can do this. If anyone asks me how this application works, I can be confident in what I’m saying, because I’ve worked it out and documented it.” -- Quentin K.
These Interns made a strong stride down the path of learning the specialized area of cybersecurity analysis and pentesting called Application Security. They've gained firsthand practical skills and enough experience to be able to consider whether they would like to continue pursuing this fascinating specialization or to explore other areas of cybersecurity. Those who have the time and desire to push further in and aim for a career in Application Security can apply for the second term of our Cyber Apprentice Program, which builds further understanding of application security vulnerabilities and how to find them.
Security PS started this program to address a growing skills and candidate gap in the information security industry. The goal was to identify capable, bright young people and train and mentor them to perform basic web application analysis. The inaugural class of interns performed very well, and the Security PS professional team thoroughly enjoyed providing mentorship and training to this group of individuals. In the future, we hope to increase the number of interns we can take on as we work to find, train, and equip the next generation of information security talent.