About Me
Hi, my name’s Sam and I’m a Security Engineer. I like testing systems for security issues with my experience in pen testing, helping digital services to build systems that are secure by design, and writing code to automate my workflows. I have worked for a number of organisations while I’ve been a pen tester and app sec engineer. I have experience leading teams and managing testing schedules, as well as developing processes and documentation for application security and penetration testing. I also have experience building automation in GitHub Actions, such as reusable workflows and composite actions. I’ve built tools using Python and Terraform deployed to AWS and Azure, and I’m currently at the beginning of a journey learning Rust and Splunk.
Experience
The Department for Education is responsible for children's services and education, including early years, schools, higher and further education policy, apprenticeships and wider skills in England.
I have been contracted by the Department for Education to provide guidance on the Secure Software Development Lifecycle, penetration testing, vulnerability management, threat modelling, and security tooling. Key tasks include:
- helping to develop continuous assurance against common benchmarks in Splunk
- packaging and releasing a tool built by the team that packages up and releases Splunk Apps
- consulting on Secure by Design processes and the Secure Software Development Lifecycle to help DfE provide security services in support of the CDDO Secure by Design Principles
- contributing to the building of documentation and standards for secure by design
- producing threat models and providing assistance on building a threat modelling capability including automated threat models for scalability
- pen testing applications and infrastructure
- producing tooling, such as reusable workflows and templates to assist developers and security professionals in scanning and monitoring for threats with DevSecOps tools (SAST, DAST, SCA)
- helping to shape vulnerability management for development and security teams in a scalable way with automation and standards, including automated security.txt and thanks.txt deployments to Azure with Terraform and GitHub Actions
- building standards for GitHub and Application Security
Helping people move forward with credit.
My position at NewDay helped me to further improve on my learnings from KidsLoop as an appsec engineer. I was a member of a bigger Application Security team and we worked together to improve the security of NewDay's applications and infrastructure. This role included:
- leading the roll out of our DAST tool across our estate, including the PoV, planning automation, fixing bugs, and drafting a rollout schedule
- building and maintaining GitHub Actions templates and composites to deploy tools across the org
- contributing to application security processes and documentation for pen testing and issue triage
- organising and scoping pen tests
- testing for issues and providing remediation assistance
- providing guidance and assistance to other teams and team members on application security and secure software development
- organising and running threat models/reviews
- scripting and automating to improve processes and provide visibility in response to known issues and incidents
We aim to transform early years education by providing the tools and asset libraries to digitize content, collect data, and make a personalized learning path for every student.
I began working for KidsLoop as their new Application Security Consultant to help them to test their applications and infrastructure for vulnerabilities and to provide security advice and threat modelling earlier on in the Secure Software Development Lifecycle. This included setting up the new Threat Modelling process as well as working with teams on creating code scanning options in GitHub Actions and providing advice to teams working on new product features. During my time at KidsLoop I worked on:
- developing and running the Threat Modelling process following STRIDE and DREAD
- pen testing web applications
- developing GitHub Actions reusable workflows and templates to scan code/terraform/containers for vulnerabilities
- automating reporting and scanning with scripts and APIs
- assisting teams to fix misconfigurations/issues
- contributing to the internal RFC processes
- providing security guidance to internal teams
- auditing the EKS Kubernetes environment against CIS benchmarks
- reviewing AWS environments and testing suspected misconfigurations
Cabinet Office | CDIO Cyber Security | Government Digital Service (GDS)
Ethical Hacker
January 2019 - January 2022
GOV.UK
We support the Prime Minister and ensure the effective running of government. We are also the corporate headquarters for government, in partnership with HM Treasury, and we take the lead in certain critical policy areas.
I was first employed by GDS (Government Digital Service) in January 2019 as the sole Ethical Hacker in a multidisciplinary team. The scope of the team later expanded when it was merged into the Cabinet Office CDIO (Chief Digital Information Office), with our responsibilities expanding to the whole of the Cabinet Office rather than just GDS. I became the technical lead for penetration testing in CDIO: scheduling tests, setting up the end-to-end processes, creating all of the team's technical documentation, and leading a small team of testers.
My team currently performs:
- web application penetration tests
- AWS security reviews
- vulnerability scans (including for PCI compliance)
- terraform code reviews
- secure code reviews (languages include: Ruby, Python, GoLang, and Java)
- review of the CI/CD pipelines and secret management
- internal IT network penetration tests
- assisting colleagues with finding issues in our SIEM and advising on attack methods
- developing and editing scripts to improve our processes - examples of which include:
  - an installed packages CVE evaluation script that I forked and edited to cut our PCI scanning time down by adding automatic package collection and personalised reporting
  - a bash script I hacked together to download, build and scan AWS ECR container images with Trivy
During my time working with engineers, I also led the development of our Nessus scanner running in AWS, deployed by Terraform and Concourse CI/CD, with all data automatically being sent to Splunk using our in-house log shipping tool.
All our testing is done via our Kali Linux testing machines deployed to AWS EC2 with Terraform, with our Burp Suite traffic also tunnelled through them over SSH.
Dionach is an independent, CREST approved global provider of information security solutions.
Dionach are a medium-sized computer security company based in Oxford. They provide a wide range of security services to the public and private sector.
Dionach trained me as a penetration tester. During my time with them I:
- conducted a large number of penetration tests with detailed technical reports
- had an above average success rate on social engineering campaigns (phishing and physical)
- learned to use a wide range of security tools
- learned to conduct tests using manual techniques with a proxy to intercept requests
- led the majority of tests, but sometimes worked in a team on different areas of a larger project
- carried out a large number of security audits on client sites including IT Health Checks and Cyber Essentials Plus
Prigital Ltd
Self employed digital services provider / Application Security Consultancy
August 2019 - May 2020 / March 2024 - Present
Prigital
Prigital is a company I set up to allow me to provide web development services to a single client, but has now been repurposed to provide application security consultancy.
Prigital was originally set up to provide digital services to a single client in the shipping industry. I came in halfway through a project to develop it further, bring a sub-contractor on through my company, and manage the delivery.
Prigital Ltd has since been repurposed to provide Application Security Consultancy and Engineering services.
Education
University of West London
BSc (Hons) Computing Science - 1st Class
2012 - 2016
The University of West London is a public research university in the United Kingdom which has campuses in Ealing and Brentford in Greater London, as well as in Reading, Berkshire. The university has roots back to 1860, when the Lady Byron School was founded, which later became Ealing College of Higher Education.
During my time at UWL, I learned the basics of computing and programming. It was in my security module, however, that I learned about the different career opportunities available in cyber security.
My dissertation was on Blockchain and Accounting Software Usability.
Our modules included:
- Algorithms and Data Structures
- Database Design and Management
- Computer Security
- Distributed Systems
- Internet Technologies
- Knowledge Based Systems
- Object Oriented Modelling and Programming