While security training platforms are commonly viewed as harmless spaces for honing technical skills, recent incidents highlight the genuine risks associated with their use.
Platforms such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP are fixtures within penetration testing and developer education. Their deliberate vulnerabilities encourage exploration — offering insight into the tactics and thought processes employed by attackers.
However, when these intentionally insecure applications remain active or become misconfigured on corporate networks, they can quickly transition from educational tools to entry points for adversaries. This risk is not limited to small firms; high-profile organisations, including Fortune 500 companies and security vendors, have seen attackers exploit exposed lab environments.
For teams setting up security labs in cloud environments, the risks expand. It is surprisingly easy to leave sites like Juice Shop open to the internet — sometimes even using default credentials. In such scenarios, threat actors gain effortless access and can escalate their attacks, traversing deeper into an organisation’s infrastructure.
Security controls for testing environments demand the same methodology applied in production. Misconfigurations frequently translate to real-world vulnerabilities. Modern cloud platforms can expose these labs widely without proper isolation, turning testing VMs into potent launchpads for attackers if left unwatched.
Even experienced cybersecurity leaders must ensure practice environments are decommissioned promptly or secured with the same rigour as production systems. Tooling for visibility and strict inventory management are essential. Attackers are quick to exploit overlooked assets — security testing platforms are no exception.
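One concrete form of the inventory check the paragraph calls for, added here as an example (not code from the article or the BleepingComputer report): a small Python audit that recognises the four training apps named above from a fetched page title and flags any instance that answers on a non-private address. The title fragments and the sample inventory are constructed assumptions, not official fingerprints.

```python
"""Flag intentionally vulnerable training apps reachable outside private address space.

Added example. Fingerprints are ASSUMED title fragments for each project's default
landing or login page; the inventory below is constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed <title> fragments for the apps named in the article.
TRAINING_APP_FINGERPRINTS = {
    "DVWA": re.compile(r"Damn Vulnerable Web Application", re.I),
    "OWASP Juice Shop": re.compile(r"OWASP Juice Shop", re.I),
    "Hackazon": re.compile(r"\bHackazon\b", re.I),
    "bWAPP": re.compile(r"\bbWAPP\b", re.I),
}

@dataclass
class Finding:
    address: str
    app: str
    exposure: str  # "internet" or "internal"

def identify_training_app(html: str) -> Optional[str]:
    """Return the training app whose fingerprint matches the page <title>, else None."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    title = m.group(1) if m else html[:512]  # fall back to the first bytes of the body
    for app, pattern in TRAINING_APP_FINGERPRINTS.items():
        if pattern.search(title):
            return app
    return None

def classify_exposure(address: str) -> str:
    """Anything not private, loopback or link-local is treated as internet-exposed."""
    ip = ipaddress.ip_address(address)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "internet"

def audit(inventory: List[Tuple[str, str]]) -> List[Finding]:
    """inventory: (address, fetched_html) pairs. Returns one Finding per training app seen."""
    findings = []
    for address, html in inventory:
        app = identify_training_app(html)
        if app:
            findings.append(Finding(address, app, classify_exposure(address)))
    return findings

# Constructed sample inventory: one Juice Shop on a public address, one DVWA on RFC 1918 space.
SAMPLE_INVENTORY = [
    ("1.2.3.4", "<html><head><title>OWASP Juice Shop</title></head><body></body></html>"),
    ("10.0.0.5", "<title>Login :: Damn Vulnerable Web Application (DVWA)</title>"),
    ("10.0.0.9", "<title>Welcome to nginx!</title>"),  # not a training app, ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.address:<12} {f.app:<18} exposure={f.exposure}")
```

In practice the `(address, html)` pairs would come from the asset inventory plus an HTTP fetch of each web endpoint the organisation owns; an "internet" finding is the case the article describes and should be decommissioned or isolated.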
*Original Story: https://www.bleepingcomputer.com/news/security/hackers-exploit-security-testing-apps-to-breach-fortune-500-firms/*

