Interview with a PRO user: Pamela O’Shea
Tell me a bit more about yourself? Current occupation? Aspirations? Twitter?
I run my own security business called Shea Information Security and I’m @pamoshea on twitter. We are a security consulting company based out of Melbourne, doing penetration testing and security consulting for our clients.
My aspirations are to see more women working in technical security roles. To help progress this I spend a lot of time running haXX (@haxx_group), which is a learning group providing free technical security classes for women who wish to break into the technical security field. If you want to learn tech, you just have to type enough kilometres on the keyboard!
How did you get into computing/security?
I was super lucky as a kid, my father worked at Wang Laboratories and had a side business of building computers from scratch. From a young age of about 11, I was helping my father make custom desktop builds for his business. We were putting in RAM, CPUs, hard disks and cabling it all up in little assembly lines with my siblings, and then testing they booted into an OS like Windows 3.1 or DOS. So I guess I started on the hardware side. Living in the country in the middle of nowhere it was hard to find tech people but I really really wanted to learn how to code. A typical Irish story but my father met a farmer in the local pub whose son was an embedded C programmer, so I got a list of topics to study from him, bought C by example and I was hooked from there. Once I found IRC in the mid 90s I discovered the security channels and was hanging out with lots of interesting people, installed Linux from a CD-ROM in a book and started playing wargames online. Once I read TCP/IP Illustrated volume 1, I was hooked on security too and instead of doing homework I was learning as much about the Internet as possible.
What is your current setup? Computer? OS? …?
I like using Ubuntu because I do some software defined radio (SDR) related research (Pamela co-organises the Melbourne’s SRD meetup @sdr_melbourne), a lot of these radio packages just work out of the box from the apt repos now. I use Dynamic Window Manager (DWM) for my window manager and VIM for editing (I used to be an EMACS user — that’s another story!).
How do you use PTL PRO?
At work we use PentesterLab PRO internally to keep up to date but also recommend it to our clients.
I also lecture on the masters in cyber security programme at RMIT University and run free penetration testing classes for women (@haxx_group).
I love PentesterLab for classroom exercises as its progressive style fits very well for hands on exercises. After classes, students are then ready to move onto Pentesterlab PRO.
For learning as well as teaching, we cannot recommend PentesterLab more highly. We see developers who try it for the first time and love it, getting hooked on the sense of achievement working through the challenges and being able to work more closely with their security teams as a result.
What have been your favourite exercises so far?
I had fun doing the JWT exercises, especially with abusing the “kid” field. The serialisation exercises are excellent and I love seeing challenges related to new technology pop up too, for example GraphQL.
What exercises did you find the most challenging?
The CTF ones! These are super handy because I enjoy dabbling in CTFs when I have time at weekends and coffee can only do so much :P
What exercises/areas do you think PentesterLab should cover in the future?
Some editor and parsing issues. For example, editor bugs where you see weird syntax being used and ways to achieve execution from this or bypassing their filters.
Parsing issues such as intermediate devices like virus scanners, cache servers etc.
Also, more authentication issues like OAuth implementations and SAML.
To be honest, there is so much on PentesterLab PRO already, it will keep you entertained and challenged for a very very long time!
