Cobalt Crowdsourced Application Pentest


Popping Shells and Jumping Fences

Mike Shema
Aug 7, 2018

If you’ve considered venturing into pen testing or stepping onto the path towards an OSCP cert, one of the best resources to help that journey is Georgia Weidman’s best-selling book, Penetration Testing: A Hands-On Introduction to Hacking.

I had the opportunity to speak with Georgia in this week’s episode of the Humans of InfoSec podcast. She’s a founder of Shevirah Inc., a security startup that specializes in mobile security testing, and Bulb Security, a consulting firm that specializes in security assessments and training.

Georgia recently conducted a hands-on exploit development class at the inaugural Defcon China and gave a keynote at OWASP AppSec Europe. But everyone has to have a first presentation, and they don’t always go as planned. Give the episode a listen to find out more about her journey through infosec and how she manages to handle the competition and stress of startups with a hobby that involves…more competition and stress!

After you’ve listened, check out some additional thoughts and comments on our conversation below.

Conference presentations aren’t easy. They require balancing all kinds of particulars like having snappy titles that still convey a sense of purpose, meeting the audience’s level of technical knowledge without forfeiting too much detail, and keeping their attention throughout. Not to mention the danger of running with live demos.

Everyone has a first presentation. In our conversation, Georgia talked about preparation and practice, practice, practice. That’s great advice whether it’s your first presentation or a polished keynote. Another aspect is listening to feedback and adjusting to the audience to improve the content so your message is clear.

The conversation also alluded to imposter syndrome, such as feeling that your idea for a presentation isn’t worthy or that you must be overreaching to even consider submitting to a conference.

Conferences can do a lot to both help tamp down imposter syndrome as well as improve the quality of content overall. Many already implement these steps and more.

  • Emphasize in the CFP documentation that new speakers are welcome and whether there is special consideration for them. A simple, clear statement may help nudge someone who’s reluctant to submit.

  • Provide (even brief) constructive feedback on abstracts that are rejected. Many times a conference just doesn’t have enough session slots to accept all the good submissions. Other times a submission might have been unclear on its purpose or didn’t convey a strong message.

Writing isn’t easy, either. Continuing on the theme of conference presentations, it’s the written abstract that is often the key to getting a submission accepted.

Communication is an important skill in infosec. Not everyone needs to be comfortable with public speaking or able to give polished talks. Nor do they need to write books or blog posts. But they should be able to talk about security in a way that explains risk and offers solutions that fit within engineering constraints rather than checklists.

There are dozens of ways communication becomes important, from explaining the basics of the OWASP Top 10 to designing security architectures to helping someone enable multi-factor auth for their email account. Whether you’re on a red team, blue team, or Dev(Sec)Ops team, you’ll need to collaborate with peers and work through competing priorities. Good communication helps that succeed.

Good communication also requires listening. For example, giving a presentation isn’t a one-way discussion. As Georgia noted, she paid attention to constructive feedback and adjusted content to make it better. Listening in meetings and individual conversations is just as important.

Active listening is a step towards empathy, which is a useful skill in the security industry. Laying blame on “stupid users” or “stupid devs” has never been a productive stance. While there can be situations of negligence and active ignorance, always leaping to blame dev teams for poor security doesn’t put them on a collaborative footing and may ignore constraints and decisions out of their control. It’s one thing to say “use 2FA” or “enumerate all your library dependencies”. It’s another to work on solving those problems and understanding the challenges that arise from legacy systems, complex systems, and massive systems. This is the world that DevSecOps is pushing towards.

One goal of the Humans of Infosec podcast is to highlight the different paths people take into the infosec community. Georgia talked about the Mid-Atlantic Collegiate Cyber Defense Competition. As the name lays out, the organization creates red/blue-team competitions in high-stress, realistic scenarios. It was also encouraging to hear that it attracts people from under-represented communities. It’s one more path for people to learn about infosec and find their way into the industry. It’s equally important to welcome and support their ongoing participation. Support can come in different ways, from working with them on teams to sharing knowledge to mentorship.

Another goal of the podcast is to spotlight how human people are. Not only do they come into infosec on different paths, but they have different areas of expertise and different hobbies outside of infosec. Whatever your hobbies, we hope they include listening to our podcast. Let us know what you think!