The struggle to find experienced Cybersecurity professionals is familiar to anyone who has tried to fill a team. With connected technology expanding at a rate far greater than can reasonably be secured, experienced professionals seemingly have swaths of opportunities from which to choose. Fortunately, many Cybersecurity organizations understand that identifying and training less experienced talent is a viable path to addressing a variety of hiring challenges they experience.
One of the biggest challenges faced by organizations dedicated to finding trainable Cybersecurity talent is how to identify that talent. From pre-teens heavily engaged in the security community to academic anthropologists exploring a career change, there is no one set of skills that perfectly identifies a future attacker. But there is a huge pool of people who already have desirable traits like curiosity and technical acumen: developers! Whether an organization is expanding security knowledge by creating internal champions or moving talent into full-time security roles, introducing developers to deeper security training almost always benefits it.
A perfect example of how a skilled developer can grow into a security career is Linda Fay. Linda is a software developer at heart whose curiosity when fixing security issues led to a career as an Application Security Architect. Not coincidentally, Linda has been a top performer in several Security Innovation cyber range events and even had a perfect score during Hack Through the Holidays 2019. Our team chatted with Linda, and she shared some great wisdom for those interested in breaking into the Application Security field.
Security Innovation: Can you tell us a little about your career and how you became an Application Security Architect?
Linda: I began my career as a programmer and have touched all aspects of the SDLC at one point or another including development, QA, architecture, release management, program management, support & incident management. As a developer and architect, I had to fix issues identified by the security team and was always curious about how they were found, and more importantly, how they could be prevented.
At some point there was an opening for an Application Security Engineer and I was asked to be part of the interview panel. Many of the candidates had network or infrastructure backgrounds that didn’t make them great fits for an application security-focused role. After some time the hiring manager asked if I would be interested in the position, since it would be easier to train a developer about security than to train a networking security specialist about development. I got that job and started learning everything I could about security and hacking… and I’ve been doing it ever since!
Security Innovation: When you started learning everything you could, what kind of resources did you use?
Linda: I started by reading everything I could and looking for online training classes. I was lucky that one of my first tasks in my new App Sec job was to find training for developers as part of our PCI compliance, so I was able to evaluate a bunch of courses and learn at the same time. Since then, I’ve tried to stay involved with local groups like OWASP and make it a point to attend at least one conference a year. Now I look for online training and CTF events to practice and stay current.
Security Innovation: For those not familiar with industry groups or specific events, which would you recommend?
Linda: I’m a big fan of OWASP. The community is really great – everyone is very friendly and willing to help each other out. The Austin OWASP chapter is really active and even webcasts most of its monthly meetings so people can attend remotely. LASCON is one of my favorite conferences. The content and speakers are great, yet it’s small enough to feel like a local conference where you can network and meet other people.
I also find cyber range and CTF events online or on Twitter. There are lots of great security professionals on Twitter and I learn a lot just from following them. When someone mentions a new event I haven’t heard about, I always look it up and try to participate.
Security Innovation: In our events, you mix hacking time well with helping others learn. What advice do you give to skilled professionals who want to help others?
Linda: Helping others is really important. We all had to start somewhere and some people just need a little nudge. A small effort on your part can have a huge impact on someone else and their future career. Plus, explaining concepts to others is helpful since it requires you to thoroughly understand them yourself.
We always hear about the skills gap in security and one of the best ways to close that gap is to help educate anyone who shows an interest in security. Some of those people may end up working at your bank, hospital, or somewhere else important to you. You want to make sure they know what they’re doing so they can help protect your money, personal health info, PII or sensitive data.
Security Innovation: Beyond the resources available, what guidance would you give to people early in their Cybersecurity careers?
Linda: Don’t get discouraged if you don’t understand things at first - Cybersecurity is a challenging topic. Practice and keep trying. Attend local meetings like OWASP and network with others. Also, the people you talk to and learn from could be helpful to you later on in your career – reach out to them periodically.
Security Innovation: You’ve participated in a bunch of SI Cyber Range events - what other events do you participate in and recommend to others?
Linda: There are so many available nowadays it can be overwhelming. The best advice I can give is to just pick one, stick with it, and master it before moving on to another one. In addition to the Security Innovation events, I’ve done the SANS Holiday Hack Challenge and Over The Wire Advent Bonanza as well as Hack The Box and HackerOne. PortSwigger also has a great Web Security Academy for online learning with labs.
Many thanks to Linda for the great advice! Join her and hundreds of others expanding their hacking abilities during March Hackness 2020, happening now until March 21st.