“Hello everyone, my name is Quynh. I am a senior at the Academy of Cryptography Techniques, Hanoi, and a security researcher, a job focusing on vulnerabilities in the Java platform.”
That was how Quynh introduced herself at a security webinar last October.
Over the past five years, the 23-year-old had to repeat this introduction during many lectures since few thought a girl in her early twenties could detect as many as four vulnerabilities with high severity in less than a year, transforming her into a favorite speaker at various information security events.
The four Common Vulnerabilities and Exposures (CVE), the general term for security vulnerabilities, Quynh has found are CVE-2020-14625, CVE-2020-14825, CVE-2020-2883, and CVE-2020-2798. Of these, three vulnerabilities rated 9.8 out of 10 by experts on Oracle WebLogic Server in terms of severity. The other rated 7.2.
Oracle’s WebLogic Server application is used by tens of thousands of companies around the world, bringing billions of dollars in revenue to the U.S. technology giant. If not detected early, the vulnerabilities above could be exploited by hackers and might cause unpredictable consequences.
With Oracle publishing a list of vulnerabilities and patches for its products every quarter, the name of the senior college student popped up thrice last year.
Getting hooked by chance
To be able to detect her very first CVE in two weeks, it took Quynh four years of schooling and two months of research.
But she admitted she did not enter this industry because of her passion or with a specific goal, but simply found it “cool.”
“I decided to study IT since I have always had a curious mind and the program has a study abroad option,” she recalled.
Surprisingly, the first-year college student who loves literature and knows how to play the piano had completed her study program with good results and earned a study slot abroad. But when she achieved her initial goal, Quynh realized she really loved information security and later decided to continue pursuing this field.
At the end of her sophomore year, Quynh learned and sought wisdom from older college students and later earned an apprenticeship at the information security center of state-owned telecom firm Vietnam Posts and Telecommunications Group (VNPT).
“I was mesmerized and really got hooked. Initially, I just wanted to learn about the field from older students, but later became interested in this industry.”
When she discovered the first Oracle vulnerability in late 2019, she screamed for joy, but later worried someone may have detected the flaw before her.
According to Quynh, these are emotions she would never forget since her passion produced results and got recognized.
Dream of heading overseas
To find a vulnerability, information security personnel like Quynh spend months researching the problem and looking back at the discovered vulnerabilities. So sitting in front of the computer for tens of hours a day is not a strange thing for this girl.
Even though finding the problem is already a challenge, proving it a threat is even more difficult, with the hardest step writing codes to hack into the system.
“Just like saying an old lock is bad for securing things. We also need to show how the bad guy can potentially break the lock,” Quynh explained.
She said an IT engineer “must really understand the software and vulnerability” in order to detect the CVE.
All the vulnerabilities she found relate to Oracle’s WebLogic, which was written using Java programming language.
Focusing and specializing on problems related to serialization in Java, most of the vulnerabilities Quynh has detected are associated with this mechanism. Some errors can be found in a week, while some may take her up to a month to discover.
Once found, it can take months to come up with the patch to fix the CVE, with solutions needed as soon as possible to minimize the impact on clients.
Quynh revealed she wishes to become an influencer in the global information security industry.
“I want to detect even harder vulnerabilities and become a professional information security researcher. I hope to be able to speak in front of a world-class security conference one day.”
Quynh spends eight hours every day working at VNPT’s information security center and uses her evenings to work on her graduation project.
Despite her busy schedule, she aims to pursue a more balanced lifestyle in and outside of work.
“I always try to keep a positive mindset and manage my tasks, while getting enough sleep and having spare time to hang out with friends on weekends.”
Since the process of detecting and fixing vulnerabilities does not yield immediate results, Quynh shared it is important for an information security researcher to persevere.