Shaping the future: Rana Khalil and her pen testing academy

Rana Khalil (Application Security Team Lead at C3SA) has a track record of building robust security operations for organisations in the public and private sectors. In her current role, she’s focused on application security – but she’s also deeply involved in shaping the future of cybersecurity in Canada. 

Khalil founded an online penetration testing academy where she provides affordable, cutting edge education to the next generation of dedicated pen testers. We caught up with her after Black Hat MEA 2023 to get a glimpse at her career and her perspective on security. 

Could you briefly share your career journey so far?

“My career journey began with a foundation in software development, holding both bachelor’s and master’s degrees in computer science. The turning point for me was when external consultants were brought in to test the applications that we were creating. This sparked my interest in cyber security, and I have been in the field ever since! 

“There have been many pivotal moments during my career beginning with securing my first cyber security role, obtaining the Offensive Security Certified Professional (OSCP) certification, forging my path as a thought leader and educator in the application security space, starting my educational YouTube channel and academy, having the privilege to speak at various local and global conferences, and earning several awards and honorable mentions for my research and contributions to the cyber security community.

“It's been an exciting journey and I look forward to what the future holds.” 

When you first start working with a new organisation, what are the first things you do to understand their strengths and vulnerabilities?  

“As an Application Security Engineer, my primary focus when joining a new organisation is to understand their application landscape and the security integrations within their processes, pipelines, and overall culture. 

“This involves reviewing existing documentation and engaging with the appropriate stakeholders. Once this is understood, the next crucial step is to conduct asset discovery, cataloguing all applications, APIs, and related assets within the organisation. It's surprising how some organisations lack a comprehensive catalogue of their web services – introducing a significant risk, since you can't effectively secure what you're not aware of! 

“Following this categorization, the next step involves prioritising applications based on factors such as criticality, sensitivity, and regulatory requirements. 

“Once applications have been prioritised, we usually develop an application security program that outlines the specific security activities each application must go through. This outlines not just the technical assessments that the application must undergo, but it also includes the security tools, processes and activities that will be integrated as part of every phase of the software development life cycle. 

“This comprehensive strategy ensures that security measures are tailored to the unique characteristics and risks of each application, and it establishes a robust and proactive approach to implementing application security. “

We’d love to know more about your pen testing academy.  What inspired the decision to launch it, and what have you learnt through teaching web application pen testing to others? 

“Three years ago, I embarked on a journey of creating an educational YouTube channel dedicated to web application penetration testing.  

“The channel quickly gained popularity and accumulated over 2,000,000 views globally. People liked the content and suggested I take it a step further by starting an academy.  

“So, I did just that!  

“The academy offers quality education at an affordable price, and currently has a course called the Web Security Academy Series. This course contains over 50 hours worth of content covering 15 critical vulnerability categories. We break down the technical details of each vulnerability, show how to spot it, exploit it, and defend against it. We also get hands-on experience with labs that mimic real-world applications.  

“Across all my teaching platforms, I have over 27,000 students; and the reviews have been nothing but positive. It's been an incredible journey so far.”

What's one thing you wish everyone knew about cybersecurity?  

“One crucial aspect of cybersecurity that I wish organisations understood is the importance of making security an inherent part of their processes and organisational culture. Waiting until a cyber security breach occurs to start contemplating cybersecurity is a reactive approach that can lead to serious consequences and cause substantial technical and reputational harm to the organisation.  

“By integrating security into the very fabric of our operations and making it an integral part of our organisational culture, we create a proactive defence against potential threats. This ensures that we’re not merely reacting to incidents but actively working to detect and prevent them, fostering a more secure environment.”

And finally, why are events like Black Hat MEA valuable to you?  

“Participating in events like Black Hat MEA is incredibly valuable to me because they offer a unique opportunity to connect with professionals from all over the world. Living in Canada, it's not easy to meet and engage with the folks I've been following from the Middle East. Black Hat MEA provided me that chance to build real, in-person connections with people I've known virtually for years.  

“Beyond the networking aspect, conferences serve as a forum for cybersecurity experts to share their latest research and insights. I had the opportunity to attend various presentations and contribute to a panel discussion on how to get into the mindset of a hacker. 

“So not only did the conference help me expand my professional networks; it also helped me stay up to date on the latest research and developments in the industry.” 

Thanks to Rana Khalil at C3SA. Join us as Black Hat MEA 2024 to learn more from the world’s top cybersecurity leaders.