30 Days of Security Testing

New year, new challenge!

Below is an image with the list of challenges for each day of the month.  Save it somewhere. Print it out. Stick it on your wall. Let’s do this?

What are the rules?

We have a list of 30 challenges, plus a bonus one   Each one has a number. The goal is to tick off as many of the challenges as you can within your own specified timeframe.

You can do this in your own time, or you can join us as a community and share your results or progress.  You may have an image to share, a blog post, a video, status update, whatever it is!  Come and participate!

Here is how you can share your progress:

WARNING: Hacking is illegal. Ministry of Testing does not advocate or condone illegal hacking. Some of these suggestions should be done in safe environments or with the express permission of the websites or applications under test. Try: Hack Yourself First if you need a safe environment to test with.


30 Days Of Security Testing, the text version:

  1. Read a security blog
  2. Select and read a book related to security testing.
  3. Use a security tool - Examples:  ZAP or BurpSuite.
  4. Learn anything about Vulnerability Scanning.
  5. Learn about Threat Modelling (ie like the STRIDE Model).
  6. Explore these sites: Google gruyere; HackYourself First; Ticket Magpie; The BodgeIt store. 
  7. Learn one or more things about Penetration testing.
  8. Use a proxy tool to observe web traffic in a web or mobile application.
  9. Discover the process and procedures around Security Auditing.
  10. Read and Learn about Ethical hacking.
  11. Try to figure out the Posture Assessment for an application.
  12. Read about security testing and discuss where it best fits in an SDLC. 
  13. Perform a Security analysis for requirements in a story.
  14. Develop a test plan including security tests.
  15. Write and share ideas for security testing via twitter or a blog
  16. Research how to build a Tiger Box.
  17. Research a recent hack/security breach
  18. Learn about Security Headers.
  19. Research Script Kiddies and/or packet monkeys. 
  20. Read about DOS/DDOS attacks. Share examples/stories via social media. 
  21. Read about network vulnerability and apply it to your tech stack. 
  22. Read about System Software Security and apply it to your tech stack.
  23. What are the top 10 security threats of 2016?
  24. Use a suggestion from the OWASP Web Application Security Checklist
  25. Find and use a mobile security tool.
  26. Compare and contrast, on social media, web and mobile security testing. 
  27. How could BYOA (bring your own application) play a part in security? 
  28. Share security testing ideas for specific domains 
  29. Research security regulations regarding a specific domain. 
  30. Discover the difference between White, Grey, and Black Hat Hacking.
  31. BONUS: Take part in a bug bounty.