So you want to work in Vulnerability Research?
What is vulnerability research?
The core of vulnerability research (VR) is finding and exploiting bugs, but that’s an oversimplification of the work we do at Interrupt Labs. Finding and exploiting vulnerabilities in software and hardware targets is an involved, time-consuming and often difficult process.
When asked how they’d describe vulnerability research, one of our researchers said the following:
"Taking a new device or piece of software, figuring out how it's supposed to work (down to the very lowest level) and then figuring out if it can be made to do things it's not supposed to."
We can distil this process into 3 main stages:
- Reverse Engineering – Figuring out how the target works
- Vulnerability Discovery – Seeing if we can make the target do something it’s not intended to do
- Exploit Development – Turning that knowledge into a reliable proof of concept exploit
For us, this is what vulnerability research is all about. It’s not just about finding bugs; we also want to gain a thorough understanding of how something works. The more you know about a target, whether that’s a specific piece of hardware, software or an operating system, the easier it is to identify things that may be interesting. This in turn makes it easier to identify where vulnerabilities may be present.
What does an average week look like?
Each of our researchers works on projects within a dedicated team. The individual projects and goals may vary, but within each team everyone is looking at the same broad topic, such as Android, iOS or embedded devices, to name a few. This allows our researchers to become experts within their field, while still allowing for variety in the individual projects that are ongoing.
Project work is where our vulnerability researchers will spend the bulk of their time, typically on tasks which support one of the three stages of reverse engineering, vulnerability discovery or exploit development. That could involve examining a target in a disassembler (such as IDA or Ghidra), reading source code, writing tooling such as fuzzers, crafting an exploit or just learning about a new piece of technology.
Alongside working on technical projects, there are many ways our researchers can develop both personally and professionally. We encourage everyone at Interrupt Labs to identify and complete training to improve their skills, providing both the time and resources as required. We also encourage our researchers to share what they learn, for example by developing training which can be delivered both internally and externally. Within the wider VR community we attend talks, workshops and conferences, and researchers can support recruitment efforts by attending careers fairs and university outreach events.
That’s all well and good, but what does an average week actually look like? Steph, Sam, Luke and Mike had the following to say:
Steph E - "My week starts with a team stand-up, where we discuss the research we're doing and outline our goals for the week. Monday to Wednesday I spend most of my time doing research, typically reverse engineering, developing tools to help us understand how something works and looking for security weaknesses. Towards the end of the week I spend more time working collaboratively with our customers."
Sam J - "The average week revolves around unpacking and analysing different malware, developing small tools to help my workflow and working towards goals and OKRs."
Luke G - "In an average week, I am engaged with our technical teams, understanding their projects, the progress they've made and any challenges they're facing. Externally I'm engaging with our customers to make sure they are happy and that we're doing all we can to provide them with impactful value. I spend a lot of time planning and delivering ways in which we can improve the business, and especially how we can build more strategic partnerships with our customers."
Mike A - "I'd say a standard week would likely include studying source code, reading assembly, writing scripts/running experiments to test theories, learning a new protocol that the subject uses, writing up findings and mulling ideas over with others."
A key theme here is that alongside doing technical work, we’re all very focused on engaging with our customers and exploring how we can deliver the best work possible.
So clearly we’re all very busy people. But what’s the appeal of vulnerability research over any other job?
What do you enjoy about working in vulnerability research?
Everyone at Interrupt Labs is here because we enjoy the work we do. For me, it’s the challenging but varied nature of vulnerability research that appeals and it’s also pretty cool when your job revolves around working out how to break things.
Here are some of the other things our vulnerability researchers enjoy about working in this industry.
Luke G - "I enjoy that I get to work with loads of smart and driven people, and that we're providing a function to society that is demonstrably impactful."
Mike S - "I love diving into the unknown and knowing that something you come across will be a unique challenge."
Sam J - "I enjoy that the research is often quite open-ended meaning you have the opportunity to drill into the areas you find the most interesting or excel at."
Steph E - "Constantly being able to learn something new, that there is no shortage of challenging problems to solve and we have the freedom to be creative in solving those problems."
It’s pretty clear that the main things drawing people to the VR industry are how varied the work is and its uniquely challenging nature. As Luke says, vulnerability research can have significant real-world impact, which makes solving those difficult challenges all the more rewarding.
How do I break into the industry?
One of the most common things we hear at Interrupt Labs is that people aren’t aware that vulnerability research can be a full-time career choice. I was at university before joining Interrupt Labs, and when looking for a graduate job I noticed many organisations gave their staff time to do research but very few focused entirely on vulnerability research.
Once people realise full-time VR is a career choice, the next question we tend to get is: “What do I need to do to get a job?”. Vulnerability research can be quite broad, so there’s no one-size-fits-all answer, but some generic skills include:
- Reverse engineering and experience with associated tools such as debuggers (e.g. GDB) and disassemblers (e.g. IDA Pro or Ghidra). It’s also good if you’re inquisitive and want to find out how things work.
- An understanding of techniques for vulnerability discovery and exploitation, as well as an understanding of different types of vulnerabilities and how they could be mitigated. Example topics include buffer overflows, DEP, ASLR and fuzzing.
- Programming, both to gain an understanding of what code is doing and so you can write your own tools and exploits.
This might seem like VR is an industry exclusively for people with a Computer Science or Cyber Security background, but that isn’t the case. While technical skills like the ones listed above are important, they typically represent much broader underlying skillsets. For example, IDA Pro is one of many tools you might use for reverse engineering, but at its core reverse engineering is all about problem solving and discovery. Likewise, vulnerability discovery and exploitation techniques are about identifying weaknesses and working out how to abuse those weaknesses to make the software or hardware do something unintended. Problem solving and lateral thinking are not exclusive to Computer Science, Cyber Security or even STEM, and at Interrupt Labs we welcome people from diverse backgrounds.
Our vulnerability researchers come from a wide range of education, training, and experience. Some of us entered the industry recently, beginning our journeys as university graduates and career changers. Others have been working in the industry for over a decade. I asked our researchers what they would do differently if they were just starting their vulnerability research journey today, and these were some of the answers:
Sam J - "If I were to start learning VR today, I would learn one tool/concept at a time instead of trying to learn multiple at once."
Luke G - "I would probably be more confident at demonstrating my passion and skills - get involved more. And I'd definitely ask more questions."
Rob H - "I would get as many different electronic devices as I could get my hands on and start taking them apart. Doesn't matter what it is, it could be a router, switch, bitcoin wallet, smart meter, smart toaster, anything. The more diverse the better. It's important to build up experience not just in specific technical concepts, but also how you approach problems, ones that you may never have come across before."
James S - "I came into VR from software engineering and so I mostly learnt in my spare time. If I was going through it again, I'd tackle it from two directions. First I'd identify what exactly interests me about VR and what I find fun, then I'd make sure to have time set aside to do those things. Secondly I'd make sure to find support in the community or from mentors, find someone who is around 2 or more years ahead of where you want to be in your career and ask them for support - they'll probably say yes."
Steph E - "I think I would look to develop more formal software engineering skills (particularly C or C++) instead of picking them up along the way. Being able to understand how something is built is a really helpful skill for reverse engineering."
I want to do this!
If you’ve read this far and think vulnerability research is an industry you’d like to get involved in, the good news is we are recruiting for researchers at all levels.
If you’re new to vulnerability research, perhaps you’re a university graduate or looking for a career change, then our Vulnerability Researcher Development Programme (VRDP) might be a good fit. The programme runs yearly and at the time of writing applications are open until the end of April for a September start. Successful candidates will complete a 3-month training programme which combines tutor-led and independent training across a range of topics, followed by hands-on experience working on real projects alongside our experienced researchers. For more information and to apply, head over to our careers page. If you’ve missed the deadline for this year, don’t worry, we’ll be opening up applications for next year from August.
If you’re an experienced researcher, we also want to hear from you. Maybe you’ve got extensive experience reverse engineering a specific target, or maybe you’ve got a CVE or two under your belt. Whether you’ve got 1 or 10 years’ experience, we’re keen to talk to you.