I've seen a few 'how to build your own security testing lab' documents in the past, but many have struck me as being 'what I would do' rather than 'what I did'.
Having gone through the process myself at least three times over the last 15 years, I thought some people might be interested in seeing a series of photos taken while we were literally building SE Labs from scratch.
First things first. You can never have enough boxes. And never throw them away, because they'll come in handy later - such as when you move from your temporary space into the permanent office.
Why not start out and build the lab where you mean to end up? Because having a commercial office space 'fitted out' takes a lot longer than you might imagine. Choosing the right time of year can help speed this up.
Start-up tip #1: Don't plan on anything happening fast over the Thanksgiving/Christmas/New Year period. Everyone except you will be on a go-slow/stop. It will make you angry.
Ideally you would have all of your expensive servers locked away somewhere safe from thieves, vandals and pretty much anyone carrying too many cups of coffee.
Without that luxury you might have to set up on a desk, near the door, and plaster the windows with paper so people can't see your new company's crown jewels sitting vulnerably exposed in an insecure office.
When you work from a serviced office you have a choice: rely on their networking infrastructure or create your own. We created our own because sending exploits over someone else's network is not very friendly and there might be some liability issues too.
One problem with creating your own network in a serviced office is that you can't really run your networking cables under the floor.
This can mean using cardboard, gaffa tape and cable ties to construct a sort-of over-floor networking setup that is fractionally less hazardous than simply having cables looping all over the floor.
At this stage we were at least able to start work, although we quickly discovered the limitations of cheap network switches and, thanks to the speed of Amazon Prime, managed to upgrade without too much disruption.
While the testers were busy attacking systems and logging how the security products handled these threats, we also had to start work designing the award logos that we would eventually hand out to any vendors who did a great job.
Here are the early sketches, made in the Easy Hotel adjacent to the developing office. As you will see from our reports, the design we ended up with was the round badge. Did we make the right decision?
While all of this was going on, the main office was under construction. You can see the progress below, as the main open-plan office, the server room and our corner office take shape.
Why is there no furniture, even right at the end? Because there was a problem with the delivery and our desks were stuck on a boat somewhere near Europe, while we worked from temporary, bolted-together desks. At least we had chairs...
One large, empty shell...

The area to the right will become the server room.

The new server room is visible through the window on the right.

The corner office, full of junk.

A tidy corner office.

The open-plan area starts to take shape.

We moved into the new office with zero days to spare.

Our name is on the door (sort of).

After a busy night we head to the pub. This is now our new home. (The building in the photo. Not the pub.)

The corner office is now full of junk again.

We have chairs but little else.

The server room starts to take shape.

A working office space!

All systems go. Neatly.

Well, neat on the face of it...

We use physical systems for most tests. So we need a lot of them.
What became of the cardboard boxes? Rumour has it that after the move one of the guys took them all home in a van and built a massive fort for his children.