Hands-on training for tomorrow's security specialists
As part of a bug bounty education program with GObugfree (EDU program), students at the Fernfachhochschule Schweiz (FFHS) hack their own university and gain first experiences as bug bounty hunters. With this educational initiative, GObugfree and FFHS want to attract more talent to the field of cyber security and develop the next generation of security specialists.
First of all, Daniel and Oliver, who are you and what are your main tasks at the FFHS?
Oliver: I'm Oliver Ittig and I've been Program Head for Computer Science and the practice-integrated Bachelor's program in Computer Science at the FFHS since 2014. As of this August, also for the newly developed BSc Cyber Security degree program. I am primarily responsible for the strategic and operational implementation of the study programs, i.e., everything to do with focus, content design, and implementation. Naturally, I am supported by our faculty, technical experts and academic staff from the research and teaching departments.
Daniel: I'm Daniel Eggel, and I've been the CISO at FFHS since 2020. I am responsible for the very broad subject area of security in information technology. This includes many conceptual tasks that are aimed at integrating the issue of security wherever possible right from the start. An essential aspect is also the sensitization of employees, because the vast majority of attacks can be attributed to the human factor. Because of their curiosity or their willingness to help, people can often be deceived quite easily.
Daniel, what is the EDU program?
The EDU program aims to introduce the topic of security vulnerabilities and their mitigation to students at an early stage of their education. In corresponding modules such as software development or security, we show the students how a bug bounty program works and how it can contribute to achieving greater security. After a few introductory examples, the students are allowed to test the security of our systems and seek out vulnerabilities within a defined framework. In return for finding and confirming vulnerabilities, students will receive a certificate from the FFHS, as well as vouchers in various amounts from well-known online stores.
What is the program’s scope?
We have released some interesting systems for the search for vulnerabilities. Anyone with an ffhs.ch mail address may participate in the program.
As Chief Information Security Officer, what do you see as the benefits of having your systems tested in this way?
By reporting potential vulnerabilities, we expect to improve the security of our systems. We see this as a good complement to other ongoing measures such as penetration testing, vulnerability management, and monitoring.
What prompted the FFHS to partner with GObugfree?
With the EDU program, GObugfree has established an interesting practical offer for the Swiss educational landscape. GObugfree also provides very interesting conditions for educational partners. The cooperation with GObugfree is highly beneficial for both sides.
Oliver, what are the goals of the bachelor's degree program in cyber security that FFHS is launching in the fall of 2023?
The aim is to address the great need for specialists in the field of cyber security. We are trying to achieve this with the new study program, in which we teach the relevant skills and areas in as much depth and breadth as possible. From cryptology, IT forensics, Internet and reactive information security, secure coding and reverse engineering to topics such as IT trust, governance, law and security management, we fill the students' knowledge backpacks as thoroughly and practically as possible. More than half of the 180 ECTS of the bachelor's program deal in depth with cyber security, which is certainly unique in this knowledge density.
What is the makeup of the program? How are GObugfree's expertise and resources integrated into the curriculum?
The program is very practice-oriented. Over 90% of our lecturers are industry experts who strive to convey theory in a hands-on manner. Because our study model is especially suited for part-time students, they can apply the content directly to their day-to-day work and put what they have learned to good use in their own companies.
Programs like the EDU program of GObugfree allow students to delve even deeper into the subject matter and serve as an additional test of knowledge. In addition, we will offer events such as hackathons, which we will organize together with partners like GObugfree. For us it is important to establish strong connections between the economy, the university and the cyber community and to promote the topic and the necessity of IT security.
What specific skills or knowledge will students gain through the EDU program?
The students will learn about bug bounty programs and gain hands-on experience in identifying and analyzing vulnerabilities. By actively participating in the program, they'll deepen their understanding of secure coding and software design. Additionally, they'll have the opportunity to apply their knowledge to real-world scenarios on live systems.
What does the future hold? Are there any plans to expand and develop the collaboration further?
As previously mentioned, we're planning to host more events, including hackathons, webinars on specific topics, and other community gatherings. We believe that bug bounty programs - such as those offered by GObugfree - should be adopted more widely, thereby improving the security of more companies.
Oliver and Daniel, what advice would you give to educational institutions interested in creating their own bug bounty education program?
IT security is an ever-evolving field, and threats continue to change daily. As we've seen in recent news, no institution or company is safe from attacks. That's why we recommend bug bounty programs for everyone and encourage educational institutions to establish specific bug bounty education programs as an additional measure to keep their IT security up to date.