Are you also looking forward to long weekends and the quiet of home?

And to everyone who can't wait for a long weekend and some quiet time at home, I recommend the material we recorded a few months ago with Michał Bąk about managing your life while working remotely.

Some of us are made to work in silence and in the comfort of our own four walls, yet many of us never even try to find a solution that fits us and settle for the framework society has built.

For me, remote work is a tool that not only makes me a better employee but also makes me feel more fulfilled in my private life, and it lets me focus on the things in life that matter.

If you are considering remote work, or would like to learn a little about the challenges of this mode of working, take a look at this interview, in which I share the lessons from more than 7 years of working remotely.

Good luck, and look for the place that's right for you. Life is too short to work somewhere that gives you no comfort; but it is long enough to experiment and eventually find something that fits.

 

I found a job as a programmer, but what now?

A question I come across relatively often, and it comes from a good place. It stems from a desire to do good things and to reassure yourself and others that you did everything in your power to prove yourself as well as you could.

The answer is fairly universal and should be applied to the whole of life, both private and professional: allow yourself to enjoy what you have just achieved, allow yourself to do things that give you pleasure. And in the future, don't look back too hard at the past, regretting that you didn't do something sooner, because the idea that “it would have saved me months spent in one place” is too often an illusion to be trusted. We'll always be “wiser” in hindsight, or at least we should be, so it'll often seem that a better decision could have been made.

Since you didn't make that decision, it means you couldn't have, because you didn't have enough knowledge/experience/information, so “what if” is a waste of time. After all, we want the best for ourselves, so if you didn't do something, it simply means that the you from X months ago wasn't able to look at the situation the way you do now.

Happiness lies in consciously experiencing each day, not in peering at what is still ahead of us and what we have to do.
You don't have to do anything. The only thing you must do is live and enjoy that life. Everything else will come with time, so trust yourself and trust the process.
The fear that in the future we'll regret the past is the greatest poison, leaving no room to experience the present.

Take it easy, you’ve got time. More than you think 🙂

Check out the podcast!

TestDive 2018 – DevSecOps implementation i.e. a culture of care

This year, I was invited to speak at TestDive 2018, an event sponsored mainly by Nokia and organized by the fabulous people working at Nokia Kraków. It's a great honor when someone asks you to talk at a conference of this scale, and I was the lucky one this time.

Based on the amount of great feedback I've received after the talk, it sounds like I did quite okay 🙂 And that's awesome, because the subjects I talk about are rarely sexy. It's about practice, it's about effectiveness, and more often than not it's far from flashy and overhyped solutions. Cyber resilience isn't a state you achieve by plugging that one overpriced box into your network, or by hiring that one security guru. It's about constant education, collaboration, understanding and the daily grind meant to move the needle just a little bit.

Rome wasn't built in a day. But it also didn't collapse overnight. Everything takes time, and if you're not actively focusing on building the right culture, you're ultimately ruining it. That's what the game is all about: just the grind and doing what needs to be done.

Anyway, I definitely want to send some love to Robert Becker, who invited me to be a speaker and who guided me through the whole process. It's been a busy few months for me, so having someone like Robert helping me out and pinging me whenever I'd forgotten to provide some information was invaluable. You could feel the same sense of ownership during the conference, where everything was prepared top to bottom. We had a fabulous announcer, great assistants from Nokia (thanks Maciej!), a great atmosphere, and the venue was spot-on.

 

I do believe this was the friendliest conference I've attended this year. I don't know what it was or how it happened, but literally the moment I walked through the doors I felt that this was it. I'm really looking forward to the TestDive 2019 edition, and once more I want to say that I'm extremely grateful for being able to go on stage and share my experience with people who care enough to invest their time in listening to me, while they could be consuming the knowledge of other great speakers.

Love you all, your feedback is my oxygen. Now go and make some ruckus! 🙂

 

Here’s the link to the presentation:

https://docs.google.com/presentation/d/1hFIAYKObmPmvEr0CIZYnAP6DqgOuuuZPba2S-gD8Jqs/edit?usp=sharing

 

And here are the links to three parts of my book. The rest will follow the editing process and will be uploaded to my blog when it's ready.

Preface:

https://dawidbalut.com/2018/09/19/social-skills-for-information-security-professionals-the-preface-to-my-book/

#1

https://dawidbalut.com/2018/09/19/social-skills-for-information-security-professionals-on-credibility-awareness-and-business/

#2

https://dawidbalut.com/2018/10/03/social-skills-for-information-security-professionals-on-agile-secure-sdlc-and-unhealthy-habits/

 

and my YouTube channel, as a few of you have asked for it:

https://www.youtube.com/thedawidbalut

Social Skills For Information Security Professionals: On Agile, Secure SDLC and Unhealthy Habits

Agile implementation of security into a corporate culture

Start small

I recommend taking baby steps with all of the security initiatives you want to start at your company. By balancing workload and adaptability you can demonstrate to coworkers and executives that security doesn't need to be tangled and complicated. If you show people that it takes just 5 clicks to enable disk encryption and improve the safety of their PCs, it'll be easier to have discussions with them in the future. After you've accumulated a few such small wins, their mindset will change: they'll believe there actually are hassle-free solutions to security, and they'll be more eager to implement more of it.
Focus on the small wins, do the things that have the biggest ROI (return on investment) and the lowest cost of implementation, and then steadily increase the complexity of the security requirements.
1% is always better than 0. A small win executed today is better than an ideal win executed never.

 

A common mistake I've seen is that we try to start out too big. We want to enforce all the security rules as soon as possible and sometimes, even worse, all at once.
This approach may sound reasonable from a security pro's perspective, because time is all we've got and each minute of security exposure is a minute an attacker can use to get a foot in the door.
However, it's a complete failure from a practical business point of view, and I have never seen it succeed in the long term when someone tried to execute too many, too complex things at once.

Human beings are wired to dislike leaving their comfort zones, because the primitive part of our brain was programmed to keep us alive by avoiding risks. To fight that, you must give people a tangible incentive to take the leap, because they must justify in their own heads why this particular risk is worth taking. The bigger your demand, the bigger the incentive should be, because the potential gain must be large enough for people to override the alarms their primitive brain is raising. Yes, although nowadays we're rarely required to make decisions that can kill us, that part of the brain still resists when challenged with something new, because it doesn't understand that discomfort. All it knows is that it must protect us at all costs, and it's up to us, or actually other parts of our brain, to make a brave decision regardless.
It's a good idea to start smaller, with things that don't push the comfort zone that much, to earn the trust of your people. Most people are open-minded, but not so open-minded as to foolishly leave their safe spot on day 1, when they don't know how good a leader you are. And that's for good reason; they're not to blame. People just want to be safe, and we should respect that.


A common example is when you want to start implementing the Principle of Least Privilege within your organisation. You shouldn't just cut off coworkers' access to all of the productivity tools they have been using daily for the past few years. Do it in many small stages, one tool after another, at reasonable intervals; otherwise you may outrage people when they lose access to things they used to use freely. Not only may it cause them discomfort, it can negatively affect the business when morale is low and productivity drops because people don't have the tools they need to get their work done.

Building security is tough, not because it's that technically complicated, but because it takes a lot of time, perseverance, patience and leadership skills. If you're joining an organization that's been on the market for a couple of years and never had a security person or culture before, you must prepare yourself for a slow rollout of all those great ideas that you have.
That's because people who were never trained to be security-savvy will have a hard time adopting new requirements, even if you have reasonable justification for them. People like what they know, what they have tested and know to be working, and what feels right to them. Because of our recklessness and the mistakes we've made in the past 4 decades, infosec has earned an unfriendly reputation. It makes a lot of engineers think that security will make their work suck, so they do everything in their power to stay away from it.

The best way to build credibility and get immediate results without irritating people is to start with subtle changes, like showing the value of strong passwords, password managers, two-factor authentication, antivirus and frequent software updates. It may sound like nothing, but all of these adopted across the whole fleet will result in a good security baseline that already puts your company in the top few percent of safest companies. Even though those are the basic things, and infosec folks like to go for fancy and overhyped security measures, I can count on the fingers of one hand the companies that have actually implemented the basics mentioned above and done patch management right. That's just an example, though.

That's it: starting small is important. You won't get much love for 30-day password expiry, for enforcing a security product with terrible UX, or for cutting off access to critical services, just because you haven't done good enough research to learn what it is that people need to get their work done.
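The staged least-privilege rollout described above can be driven by telemetry rather than guesswork. The following is an added example, not code from the original chapter: given a constructed inventory of who holds which tool access and when they last used it (the users, tool names and dates are assumptions made up for illustration), it announces first, then removes idle grants one tool per wave, smallest blast radius first, and never touches a grant that is still in use. Finding out what people actually use is the "research" step the paragraph above asks for.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample inventory (an assumption for this example, not data from
# the post): (user, tool, last_used). None means the grant was never exercised.
SAMPLE_GRANTS = [
    ("alice", "prod-db-admin", date(2018, 9, 30)),
    ("alice", "ci-admin", None),
    ("bob", "prod-db-admin", None),
    ("bob", "ci-admin", date(2018, 10, 1)),
    ("carol", "billing-export", date(2018, 5, 2)),
    ("carol", "prod-db-admin", date(2018, 9, 28)),
    ("dave", "billing-export", None),
    ("dave", "ci-admin", date(2018, 10, 2)),
]


def classify_grants(grants, today, idle_days=90):
    """Split grants into ones exercised within idle_days (keep) and the rest
    (removal candidates). Usage telemetry decides what people still need."""
    cutoff = today - timedelta(days=idle_days)
    keep, candidates = [], []
    for user, tool, last_used in grants:
        if last_used is not None and last_used >= cutoff:
            keep.append((user, tool))
        else:
            candidates.append((user, tool))
    return keep, candidates


def plan_rollout(grants, today, idle_days=90, soak_days=14):
    """Return an ordered list of stages for a least-privilege clean-up.

    Stage 0 only announces: affected users learn what changes and when, and
    nothing is removed yet. Each later stage removes the idle grants of
    exactly one tool, starting with the tool that has the fewest active users
    (smallest blast radius if the telemetry is wrong), and stages are spaced
    soak_days apart so that problems surface one tool at a time.
    """
    keep, candidates = classify_grants(grants, today, idle_days)
    active_users = defaultdict(set)
    for user, tool in keep:
        active_users[tool].add(user)
    idle_users = defaultdict(list)
    for user, tool in candidates:
        idle_users[tool].append(user)
    order = sorted(idle_users, key=lambda t: (len(active_users[t]), t))
    stages = [{"stage": 0, "date": today, "action": "announce", "tool": None,
               "users": sorted({u for u, _ in candidates})}]
    for n, tool in enumerate(order, start=1):
        stages.append({"stage": n, "date": today + timedelta(days=soak_days * n),
                       "action": "remove", "tool": tool,
                       "users": sorted(idle_users[tool])})
    return stages


def plan_is_safe(stages, grants, today, idle_days=90):
    """Guard run before enforcement: no stage may remove a grant that was
    exercised within idle_days."""
    keep, _ = classify_grants(grants, today, idle_days)
    keep = set(keep)
    return all((user, stage["tool"]) not in keep
               for stage in stages if stage["action"] == "remove"
               for user in stage["users"])


if __name__ == "__main__":
    today = date(2018, 10, 3)
    plan = plan_rollout(SAMPLE_GRANTS, today)
    assert plan_is_safe(plan, SAMPLE_GRANTS, today)
    for stage in plan:
        print(stage["stage"], stage["date"], stage["action"],
              stage["tool"] or "-", ", ".join(stage["users"]))
```

Run as a script it prints the plan: an announcement to everyone affected, then one removal wave per tool two weeks apart. The idle threshold and soak period are policy knobs; the point of the guard function is that a plan can be checked before anything is enforced, and a grant that telemetry shows in use is never scheduled for removal.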

Start early

I can think of at least two main reasons why it's reasonable to start with security at the earliest stage of a project. One is that if you create a security culture in your organisation from its early days, you won't give people a chance to learn the bad habit of ignoring security. The second is that it's more expensive to change the architecture and refactor a finished product. Changing habits, which essentially means rewiring the brains of your employees, is a very expensive ride, so it's better to avoid such challenges altogether and instill security from employee number 1. Everything that happens in an organisation is the CEO's responsibility, and if she/he doesn't set a healthy tone from day 1, it'll be hard to teach people to follow the practices when they know that even the CEO doesn't walk the talk.

I recommend businesses of all sizes to look for the help of a security consultant as soon as it becomes affordable. I wish more companies realized that asking for a few hours of consultancy won't ruin their budget, but can have tremendous ROI. It can create a baseline upon which they can build their stuff securely from day one and avoid costly refactoring or breaches in the future. Chances are that if you give it a thought, you'll remember that you personally know some security enthusiast who'll be more than happy to support a startup free of charge in exchange for business experience. She/he can help you ensure that products are well secured, so people in need should reach out to their social circles and ask for help as soon as possible. It costs them nothing, and even if they find a kid who's been studying appsec for barely 6 months and can work for them only part-time, it's still better than doing nothing at all.

I'm writing this to demonstrate two important things we don't pay enough attention to. If you're a security specialist and someone is asking you for advice, you should emphasize the importance of starting early. Because if you eventually end up joining that company in the future, you don't want to start from scratch and waste your energy on solving problems that could've been prevented in the first place.

The other one is that when you join a company, make yourself visible as soon as possible. Don't shut yourself in your office focusing solely on technical aspects such as deploying monitoring and pentesting the infrastructure. Go out there and show people that you exist. Allow them to notice you, and give them relevant resources as fast as you can. Provide them with books, articles, tools, guidelines, checklists and procedures so they can start applying them in their day-to-day work right away. Thanks to that, the improvement will be happening in the background while you get back into your zone and focus on other things.

Outline SDLC/NDLC improvements

Security should be perceived like any other cost of running a business

Security shouldn't be seen as an addition to product development. It's as regular a part of business operations as anything else, especially when we're talking about companies that develop their own software.
At software companies, ensuring security should be considered a part of Quality Assurance, not only because the security triad names Confidentiality, Integrity and Availability, of which two are heavily linked to product quality. Beyond that, customers nowadays demand products that are safe for their personal and professional usage, because they don't want to buy a service which may have a negative impact on their business operations. We're living in times where we're all connected to each other like never before, and not a single company can exist on this planet without affecting others in one way or another.


Although it may sound obvious to you, it's not you who I'm concerned about, because we, security professionals, can't do anything on our own, and the perception of all parties involved matters. You must instill security into the organisation's DNA in such a way that people truly understand what it is and why it matters, because it doesn't really matter if you have a triple-firewalled PC with a personal guard watching over your computer when you go to the toilet, if there are employees who think it's fine to download pirated games onto their corporate laptops.

Also, middle management is much more eager to spend resources on security when they perceive it as a regular, necessary cost of software development. There will never be enough money and time to invest in “additional” activities, so you must rewire their vocabulary. Security is often called a no-ROI time-waster which adds complexity and slows down the development process, so not only does security itself cost a lot, but it also makes other things more expensive.
Unless you explain how and why security is important, you may have a hard time pushing security-related changes into existing SDLC processes, and that's fair, because everyone has their own work to protect. That's something you have to really understand, because most often at the workplace importance and urgency don't come from inner virtues and passions but from actual business impact. So that's something you must comprehend to shift your mindset and help everyone across the board understand what impact an insecure product may have on your business, because apart from us, no one is there to do security for the sake of doing security.

 

Hold them accountable to high standards, but keep your expectations low

Settle on how many resources can be dedicated to security improvements, bug fixes and the like.
Discuss how many hours in each development sprint can be dedicated to security and how much free bandwidth engineering has for potential unexpected security patching. Write it all down in the internal documentation system or some other place that gives you an official record that you had those discussions, so that no one can claim that you're expecting them to do something they hadn't agreed upon and wriggle out of the commitment. Each big goal is achieved by taking many small steps, and although it may look like some things should be done all at once, that's most often not the case in real life. If you properly dissect your projects into smaller tasks, you'll realize the value of small incremental changes, and that big projects not only suck for time management but also tend to create a lot of friction with coworkers.
Focus on small but constant improvements, so that you keep the big goal in the back of your head but don't expect people to deliver it all at once. Not only will it make executing your projects on time more feasible, it'll also reduce stress and boost the team's morale when they see 100% execution of a small task rather than 0.1% progress on a huge project.

Let me make one remark here, though, because you really need to be wise when setting your expectations and demands. It's not reasonable to expect the business to stop all money-making activities and focus entirely on security for a few days or weeks to fix identified vulnerabilities. Use risk management to help the business operate and ensure its longevity instead of expecting the impossible.

In my experience, it really makes a lot of sense to establish a fixed amount of resources that will be spent on ensuring security in each product release/sprint.
Sacrificing 3% of engineering resources each day is less painful than telling a customer that you won't deliver a mission-critical feature because you had to stop all your software engineering activities, caused by your security department's unreasonable request to focus solely on security for the next couple of weeks. Customers care about security, but not so much that they'll let you lag on service delivery.

Build secure SDLC

Security is more cost-effective if you start working on it at the earliest phase of SDLC.

The old tried-and-true approach isn't true anymore. The common practice of building a product and then throwing it at a security team doesn't scale anymore. Given how much code we produce on a daily basis, it's increasingly expensive not to instill security in the early phases of the SDLC. At the current pace we can't afford to wait until the last phase of the SDLC, because the potential need to refactor two weeks' worth of code would come with dramatic costs.

Securing the whole workflow drives very tangible long-term improvements, because to me it's less about catching issues earlier than about education, which ultimately is what we're looking for. Developers who are constantly exposed to security work will memorize more and more of it, keeping safety in the back of their heads and allowing them to fix issues even faster.
We don't want to see the same mistakes over and over again, and unfortunately that's something I still see at most companies all over the globe. Although the software engineering world has moved forward a lot, security practices are still holding it back, and we haven't globally addressed the basic issues that are so trivial to remediate. It's all about mindset, and it's all about moving the responsibility to the left and then making sure everyone is capable of taking ownership of it.
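One concrete form of "moving the responsibility to the left" is a pre-commit or CI gate that gives developers feedback on the code they just wrote, with a one-line reason attached so the check teaches as it blocks. The block below is an added example and not part of the original chapter; the rules, the file contents and the paths are constructed for illustration, and a real gate would delegate to a proper static analysis tool rather than a handful of regular expressions.

```python
import re

# Each rule: (id, pattern, explanation). The explanation is the point of a
# shift-left gate: it teaches the developer while it blocks the commit.
# Rules and messages are constructed for this example; a real gate would
# delegate to a proper static analysis tool.
RULES = [
    ("hardcoded-secret",
     re.compile(r"""(?i)(password|passwd|secret|api_key|token)\s*=\s*['"][^'"]+['"]"""),
     "credential literal in source; read it from the environment or a secret store"),
    ("shell-true",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "shell=True builds a command line from data; pass an argument list instead"),
    ("eval-call",
     re.compile(r"\beval\("),
     "eval() executes whatever string it is given; parse the input instead"),
    ("unsafe-yaml",
     re.compile(r"yaml\.load\((?![^)]*Loader)"),
     "yaml.load without a Loader can build arbitrary objects; use yaml.safe_load"),
]


def scan_source(text):
    """Return findings for one file as (line_no, rule_id, message)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue  # a full-line comment is not code
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append((line_no, rule_id, message))
    return findings


def gate(changed_files):
    """Pre-commit style gate over {path: contents}. Returns (ok, findings),
    where findings are (path, line_no, rule_id, message), ordered by path."""
    findings = []
    for path in sorted(changed_files):
        for line_no, rule_id, message in scan_source(changed_files[path]):
            findings.append((path, line_no, rule_id, message))
    return (not findings), findings


# Constructed contents of two "changed files" (an assumption for this
# example, not code from any real project).
SAMPLE_FILES = {
    "app/settings.py": (
        "import os\n"
        'DB_PASSWORD = "hunter2"\n'
        'API_TOKEN = os.environ["API_TOKEN"]\n'
    ),
    "app/export.py": (
        "import subprocess, yaml\n"
        "def export(user_path):\n"
        '    subprocess.run("tar czf out.tgz " + user_path, shell=True)\n'
        '    cfg = yaml.load(open("cfg.yml"))\n'
        '    return eval(cfg["expr"])\n'
    ),
}


if __name__ == "__main__":
    ok, findings = gate(SAMPLE_FILES)
    for path, line_no, rule_id, message in findings:
        print(f"{path}:{line_no}: [{rule_id}] {message}")
    raise SystemExit(0 if ok else 1)
```

Wired into a pre-commit hook or a CI step, a non-zero exit blocks the change; the developer sees file, line, and the reason, minutes after writing the code rather than weeks later in a pentest report. That immediate, explained feedback is what turns the gate into the education the paragraph above is after.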

 

While I get that the black-box pentesting approach was somewhat practical in the past (been there, done that), nowadays most innovative software is too complex for security teams to secure the product in just a few days before it hits production. There must be a whole lot of things done around it, which we'll discuss in the DevSecOps chapter later.

Surely there are small software houses with senior, security-savvy engineers where it's practical to build a tiny product and then hand it to security testers, because they cared about security while writing their code. But during my whole career, having worked with thousands of engineers from dozens of companies, I can name only a handful with that senior level of security-savviness, so hoping that you have people who are somewhat competent in security isn't the smartest thing to do.
Actually, hope is rarely a good strategy for anything in life. It's good to have, but it'll take you only this far.

However, if what you're doing works for you, your company and your customers, then keep doing it. I want to emphasize once again that I'm sharing yet another perspective that you may want to try out if you feel the need to. So while I'm advocating an approach of injecting security into the whole software development life cycle, I realize that it is not a silver bullet and it may be too expensive for you at the moment. Still, I believe that 1% is much better than 0, so trying something is better than sitting stale and missing the right moment when you were supposed to take action.
My recommendation is always to get involved in the product design phase and keep an eye on the product throughout the whole development process.

It's all about cloud and dirt: having the high-level vision and long-term roadmap, as well as doing what needs to be done to help your organisation achieve its goals.

Social Skills For Information Security Professionals: On Credibility, Awareness and Business

Align strategy with business stakeholders first

Who’s actually responsible for investments in security?

Security issues don't pop up out of nowhere. The quality of code, products, infrastructure and business is always the responsibility of a human being. So why don't we treat it as such, and why do we always seem to obsess about technology rather than going after the root cause, which happens to be the people?

However, when talking about the “responsible person”, I rarely think about the software engineer who writes the code, but about the company's management layer, because it's up to business leaders to decide on all investments, including how much time employees will be allowed to devote to security and quality in their day-to-day work. If software engineers are expected to produce inhuman amounts of code, they cannot afford to focus on security best practices. Managers who reward software engineers based only on the number of features produced are the ones truly responsible for insecure products.

Just ten years ago I used to religiously believe that the responsibility for insecure code lies entirely with programmers. After many years of working with businesses all over the world, I've learnt that my perception couldn't have been more wrong.

It rarely happens that engineers don't want to build high-quality products, but at the end of the day, what they want and what they're expected to do may be two completely different things.
Most software engineers I've met were actually very interested in concepts related to application security, infrastructure security and the whole hacking theater. It's fancy, it's all over the place, people want to be a part of it, but their fantastic attitude doesn't matter if we keep blocking them from joining the tribe.

 

The challenge is that, more often than not, middle management isn't held responsible enough for products' safety. They're usually rewarded just for shipping a feature-rich, functional product on time, and the ‘security thing’ is somewhere at the bottom of the software release checklist.

It's also up to the executives how much time and money they invest in employee education. If you expect your employees to learn about security in their personal time, that's called being delusional, not visionary. Because if a software engineer wants to spend time after hours learning something, they'll most likely look into some new programming library or framework, rather than stressing about complex concepts such as application security, which they have had unfriendly experiences with at work.

 

It all goes top to bottom, the culture and tone set by execs is a real thing

There is a long and rough path ahead of us until secure software engineering is considered a part of basic quality assurance processes. It takes a lot of time and effort to make everyone conscious of the potential consequences of security negligence, which means the earlier you start educating them, the better.

If execs don’t incentivize middle management to keep an eye on security, then middle management won’t incentivize software engineers to write code securely. If you don’t start from the top of an organization’s hierarchy you’ll have a hard time succeeding with your security initiatives.

Engineers, like most other human beings, generally don't like to step out and do things their managers don't want them to spend time on. And that's for a good reason. In a healthy corporate culture, you want engineers who trust their leaders and focus on bringing value to the organisation. You want people who don't riot against policies set by business leaders unless they have good reasons to do so. Many, many people work in IT just to provide for their families, so being anxious that not all of them are questioning the status quo is just ludicrous. Let others live the lives they want to live, because it's not for any of us to judge anyone else. If you want something to change, then focus all your energy on driving that change yourself, rather than pressuring people to follow your lead. If you start something that's worthwhile and sensible, I promise you that there will be people willing to follow.

So if you notice someone stepping up to raise software engineering standards, you can't miss such a rare opportunity to convert it into a long-term partnership. Show your appreciation on the spot, because if someone is risking something for you, you'd better watch their back.

If you want to push people a bit so they leave their comfort zones, you must be very clear about your expectations and also provide them with some incentives. It doesn't need to be tangible; just make sure you express your appreciation for an employee going the extra mile and paying attention to code quality. If you want to create a tribe that follows your lead and steps up, then you need to decrease the discomfort as much as possible. Essentially, you must make people comfortable in the discomfort they're about to experience. You achieve that by making them (feel) safe with your leadership.

 

I'm telling you all this because I've seen a handful of my friends burn out. They had no support from the top, so they tried to take the lead alone and incompetently enforce their narrative on regular employees, which then led to a toxic atmosphere, a very aggressive tone and broken relationships. So be careful, because no matter how big your mission is, office politics apply to every single one of us.

 

Set common goals with management and executives

Senior management must be advocates of a healthy security culture; otherwise it's a Sisyphean task to do it all from the bottom up. Without healthy leadership from the executive team, it's very problematic to achieve tangible security improvements without huge costs or compromising the quality of your personal life.

So before you start bothering engineers with your requests, make sure you have official support from the executives, because engineers need clear and consistent guidance coming from the top. Don't confuse them more than they already are by their other duties.

A good way to make your security program effective is to learn as much as you can about the high-level business objectives of your company and what the points of focus are for people sitting in management roles. Understand their perspective and gain leverage.
It's hard and dangerous to give generic recommendations here, because each organization and each executive is different. It's all in your hands to learn and feel how to approach them on an individual basis.

 

Settle down on authority at earliest possible

Security is an executive-level issue, so it would be really useful if you were in a position to influence all stakeholders in the organization. You shouldn't be wasting your time on back-and-forth discussions about why something must be done, or why it must be done this way or another. In a healthy corporate culture it would be enough to just hold a security role, and everyone would follow your lead from day one on a credit of trust. But such organisations don't really exist. Every single organisation is dysfunctional to some extent, and sometimes you'll face people whom you cannot lead as a servant-leader, and you're forced to use your authority in order to execute.
I've seen it many times: a security professional had great intentions, attitude and leadership skills but couldn't complete their tasks, because there is always that one person in a company whom you must approach differently.

It's the CEO's job to create a culture where every employee trusts new coworkers and treats them with respect and a friendly attitude. Executives should make it clear to middle management that you are a serious business stakeholder, no different from any one of them, and that they should respect your guidance.

If managers are only penalized and rewarded for shipping a working product on time, they won't want to invest in security, which in most organisations almost always slows down the software development process to some extent. So execs must make it clear that product security is a part of quality and should be treated as a regular, acceptable software development cost.

Thanks to that, you may not need to waste time arguing with people about why their teams need to invest in security and all that stuff. You should be able to focus on effective execution rather than on discussions caused by a dysfunctional corporate culture and lack of proper communication. Being at the bottom of the organization chart, you'll likely have a hard time working with non-security-savvy management that has no interest in focusing on security. That's how business works: if there are no incentives, then why would anyone want to listen to you, especially when you're a fresh hire?

 

Deciding on those bureaucratic matters at the earliest can save you a lot of anxiety and frustration. I realize that plenty of us want to act like big boys and girls who can obviously handle everything without anyone having their back, but that isn't smart. The cost of maintaining your ego really isn't worth all the bad consequences that may come if you push too hard.
By consequences I mean not only a toxic corporate atmosphere but also professional burnout and the health issues that may arise when you're stressed and anxious for long periods of time.

With power comes great responsibility, so always aim to be empathetic to your people and don't fall into the trap of taking advantage of your authority just because you can. Use this leverage only in exceptional situations when you've tried everything else and it failed.
You want to be in power, but you should hope that you will never face a situation where you need to use it.

Build credibility and learn the language of business

Stay away from spreading confusion and FUD

Credibility is something you ought to be building from day one of your career and tending till the very last day, when you say the final goodbye. What I’m trying to say here is that the way of doing things really matters. We’re often so goal-focused that we don’t pay much attention to the byproducts of our actions. Sometimes those byproducts bite back in the future.
Even if you achieved the expected outcome, you must consider whether you’ve used the best tools for the job, meaning: have you persuaded people to do something thanks to your leadership status, or have you spread fear, uncertainty and doubt (FUD)? If the second is the case, then you may expect it to haunt you in the future.


If you’re a renowned expert in your field, you still must remain humble. You still need to build your internal reputation from the ground up by working nicely with people in your organization. Your coworkers expect you to comply with their code and aren’t easily impressed by your status outside of the company. So if you’re a rockstar, that’s perfect, and you should leverage it to make your life easier; however, you should be aware of its shortcomings.
I’ve seen plenty of folks who ended up disappointed because they believed that everyone would know their reputation and they’d be treated differently because of their prior achievements. And when we think we’re THE ONES, we tend to forget about the need to play nicely with others. No matter what your perception of yourself is, I promise you that others have a completely different one.

Learning how to weigh your words, so that people understand your intentions well, will ease a lot of interactions. The security field is very special because we often tend to be the ones who worry more than managers and executives, simply because they don’t realize the true nature of security risks. However, if you complain too often, people may start labeling you as a frustrated person who doesn’t understand that business is an art of tradeoffs. They may become afraid that all you care about is building a fortress and slowing down the business growth.
We have our reasons, but our good motives don’t matter much if others don’t know about them. You must work out relationships in which people understand that you’re trying to help them do their work safely, that you’re the enabler and troubleshooter, not the troublemaker.

So you really want to be perceived by business people and other coworkers as someone who has it all under control. When discussing severe security issues you’ve discovered, you must be careful that your language and tone aren’t unclear, negative or overwhelming. As an InfoSec pro myself, I know why you’re using certain jargon, but everyone else outside of our little echo chamber has no idea what’s going on. Don’t be too simple in your speech, just be impossible to misunderstand.

While it may sound counter-intuitive, sometimes it actually makes sense to slightly underrate the issue you’re reporting, so that they accept it without anxiety and you can make progress. Small progress always trumps no progress, and good now is better than ideal never.

Because of the negative tone we have set for all things security in the past few decades, people overreact when you use even a slightly aggressive tone. Security folks who too passionately want to secure the companies they work for often don’t comply with the corporate communication code. That overreaction may ultimately lead to them ignoring you, which is one of the biggest challenges to overcome after the damage has been done.

The most practical advice I can give you is that we must learn how to adapt at a fast pace. Yes, it does mean that you won’t get as much technical work done at the beginning, but building credibility and foundations really pays off in the long run. Because once you’ve built credibility as a “smart security leader who knows business, risk management and how to work with people”, you can progressively start expressing your thoughts more in depth.
So be careful about all that, and once you’ve figured it out for yourself, stick to it. Different things work for different people and organisations, so keep doing what works for you. You do you; keep that in mind through the whole book and life, actually. If being passionate and verbose works for you and everything is good, then I’m happy for you! Keep doing what you’re doing, but revisit it often so you don’t fall into the trap of being too romantic about your past approach. Effectiveness and practicality trump attachment every single time, so stay alert and don’t let your ego blindfold you.

“Make it till you make it” is a much better strategy than “Fake it till you make it”

If you feel that what you’re doing is right, then you shouldn’t let anyone who doesn’t know you influence your point of view. But bear in mind that when you act a certain way and don’t listen to suggestions from others, you gotta take it all on your shoulders when stuff goes sideways.
If you act overly confident, to the extent that it may be perceived as narcissistic cockiness, yet you make too many mistakes, people will lose respect for you very quickly. Humility is a huge tool you should use to give yourself space for making mistakes.

For example, if someone asks you for help but you aren’t sure of the answer, be honest about it and tell that person that you’re going to figure it out for them, but that you need to do your homework first to make sure you provide quality advice.
Then do the homework diligently, and get back to that person with all the details they needed.
Never let your ego make things up, because people are smarter than you think. If you fake too much, they’ll figure you out and you may end up forever labeled as an incompetent imposter.

“Fake it till you make it” doesn’t really work, and I much prefer the version “Make it till you make it”. Learn stuff, be humble, reiterate till you’re pretty good at the things you do. Competence inspires confidence, so till you have a serious body of work to back up your words, just do stuff in silence and don’t try to overdo it.

Everyone is a target these days, but are they truly aware of it?

The vast majority of startups and SMBs – especially outside of the tech world – tend to hold the dangerous belief that they’re too small to become a target for malicious hackers.
When you look at the statistics and reverse engineer the hacker’s mindset, you can figure out why it’s actually the other way around. Hackers, cyber thieves, script kiddies and other malicious actors come after the easiest targets not only because of the instant reward that stimulates their brains, but because hacking these days is more of a business than a hobby.
Thieves seek quick wins because, like most business owners, they realize that time is their most precious resource. So they’re more likely to attack organizations with a weak security posture, because in a week they can hack a dozen of them, rather than spending a month without any certainty that there will be a return on investment.

This isn’t to say there aren’t hacking groups that go for the big brands; it’s just that there are far more average-skilled hackers than there are sophisticated and well-funded hacking groups. And that leads to a very important point. As the owner of a small business, consider your investments as something that is supposed to stop those lone wolves, rather than spending a lot of money trying to protect yourself against gangs or state-sponsored attackers.

Management needs to understand that while big organizations can often survive a security breach, small ones can’t afford it, often because of its impact on their public image. If a business providing enterprise solutions has a stable position on the market and a great product, most customers will stay, because it’s expensive to transition a whole enterprise to another vendor. But if you’re a small startup that has been compromised, you’ll have a hard time keeping your customers. Not only that: in this era, breaches get overblown on social media, and PR- and marketing-wise you’re finished even in terms of new, potential customers. This is a really important thing to mention here, because recently I’ve seen many articles saying that “it’s cheaper to get hacked than to secure an organization”, which are nonsense and do a lot of harm to those of us who work on executives’ security awareness.
Basic security isn’t that expensive and articles like that do more harm than good, so ensure everyone understands business risk management, including the dangers coming from social media scandals, and gets a solid perspective on why security breaches bring different results to different organizations.

You can earn some love from your marketing and sales people if they learn that you’re protecting the business to make their job easier, so they won’t need to explain to each prospect why you were hacked and convince them that the company is in much better shape nowadays.
Be smart and unite people from various departments to help you achieve your goals.

Social Skills For Information Security Professionals: The Preface To My Book

On my motives for this book

How and why – I believe – my story can make your life easier

It’s been roughly 11 years since I started working commercially in IT, of which 7 were profoundly dedicated to InfoSec, a field in which I truly believe there is a lot yet to be done and that each individual can make a difference through their contributions. Similarly to the careers of so many of us, I’ve made plenty of mistakes that put my career at risk, significantly slowed down my growth, significantly lowered my income, and negatively impacted my health and personal life. Although making mistakes should be an expected part of any worthwhile career, I had certainly not expected that along the way I’d taste so many different flavors of life.
I’ve had my ups and downs, but I always tried to ensure that whoever was involved came out with something beneficial to them. Despite having good intentions in my heart, I was not always successful in demonstrating that well. To me, everything I’ve been doing was always about bringing value to others and being the most productive person in the room, long before I realized that I had been doing it all wrong and that my hunger for success was my biggest obstacle. But as the saying goes, “the obstacle is the way”, which is why I’m grateful for all of it, and I really want to share my experiences with others so they can save themselves some trouble and get smarter faster than I did. I wish I’d had a resource that would guide me through at least the basics of human interactions and effectiveness in the business world. So here it comes. A book that I wish someone else had given me 11 years ago.

I want to be really upfront and transparent with you. Although the companies I’ve worked for were very satisfied with the outcome of my work, to me it came at the cost of my professional and personal relationships. Without any doubt, I can say that because of my stubbornness and improperly directed hunger, I’ve wasted a ton of my potential as well as burnt some potential in others. And that feeling sucks. Realizing that while chasing greatness I’ve had a negative impact on the quality of life of a few people around me, as well as looking at my own life and noticing how much health and energy I wasted – it just sucks. But it sucks in a different way than most things in life suck. It’s not about discomfort this time, but about actual pain, because while I got compensated quite well for my around-the-clock grind, I forgot about the most important currencies we have access to in our lives – time and health. If you’ve got good health and you’ve got time, you have all the resources necessary to make something great happen. Assuming, obviously, that you’re resourceful and can actually understand the value of these two powerful resources. That’s what I want to be the leading point of this book, i.e. how to achieve your goals quickly, yet without compromising the quality of your life and others’. I respect your time, which is why I wanted to keep this book as concise as possible, cutting out the fluff each time I noticed any. If this book takes you 2 hours to read, and it saves you as little as 1 day of your life – I’m all set. My mission is accomplished and I’ll feel good about it, because there is no bigger mission than saving lives. This is one of the reasons I’m publishing this book for free. I’m making a fair amount of money selling my time to corporations, and I want these lessons to reach as many people as possible and help them preserve their time and health.
I can make money by other means, but the opportunity to help people improve their health and relationships is so rare, and so huge, that I couldn’t let myself agree to commercial publishing. I’ve been sharing my knowledge for the past 5 years all over the Internet, at conferences and meetups; and those few voices generous enough to tell me that I’ve helped them improve their lives are the biggest reward one can get for their work. That’s what I hope this book will do for you – help you achieve your goals at a lower cost to all involved stakeholders in all facets of life. I don’t want to monetize this book. I want you to learn from it, and then for you to monetize the newly acquired knowledge by improving as a professional and getting compensated well for your effort.
You don’t owe me anything and I don’t expect anything from you. You’ve already given me more than I’m audacious enough to ask for – your time and attention. Thank you for that, and if you still want to do something for me, then please share your experience and knowledge with others. Help your peers, show them your perspective and help them grow by exposing them to various points of view. Pass your knowledge on to others, so they have it easier than you had. To help them avoid the mistakes you’ve made, so that they can save their time and use it to build something bigger or experience other things life has to offer. Standing on the shoulders of giants. That’s what it all is.
I guess at this point you can already smell how much I dislike wasting time and reinventing the wheel 🙂

How and why – I believe – my story can make you avoid personal and professional suffering

Infosec is a stressful job and, if not managed properly, it leads to unhealthy situations which can surely end up in long-lasting burnout. Burnout is one of the most painful experiences in the life of a professional, especially a good one who is self-aware enough to realize how much potential they had and how it just got destroyed. There are many critics saying that job-related stress in industries such as IT isn’t worth discussing, but I call that a dangerous misconception. You couldn’t be more wrong in thinking that we’re not under high pressure. InfoSec is one of those industries where many things are totally out of our control, and you can’t really sleep well – ever. Many of us got so engaged in the work we do that we started compromising other parts of our lives, introducing an unhealthy imbalance. Precisely such imbalance led . So I can relate to all of us who have experienced tough times. That’s one of the reasons I believe in this book so much. It’s not that it contains any secret knowledge, or that I’m such an egocentric writer. Heck, I’m not even a native English speaker, so I realize my shortcomings, yet I am still ready to take the heat, because I believe in its value. I believe that this book can help – at least to some extent – my InfoSec friends who have struggled, struggle or will struggle with the challenges I’ve been struggling with for many years. I hope this book answers some of the questions we ask ourselves and will turn out helpful especially to those of us who have nobody to turn to for practical and non-judgmental advice. Writing the book has certainly helped me understand some concepts better and instill them deeper into my mind, so I have the answers handy whenever I need them. And I need them pretty much on a daily basis, so having this handbook on my computer allows me to stay in sync with reality and remain calm and humble.

The tough experiences have made me who I am today, and with many bad outcomes behind me, I’m getting more and more comfortable with helping others avoid my mistakes. Losing relationships and not taking care of my health, which resulted in life-long illnesses and daily pain that decreases the quality of my life, have all contributed to the process of reinventing myself. The moments of truest joy were those when I learnt that something could be done better. That I can do better and I can be better to other people. It’s thanks to those moments, which I’ve used to reinvent myself, that I’ve been able to achieve long-lasting fulfillment.

I know I’m starting to sound meta and all that corny stuff, but I’ve decided to leave it here anyway, as I’ve met people who will feel hope again when they relate to my story. I’ve got good news for you though. Only the foreword contains so little substance.
Please feel free to use this book whatever way you like. You can read it as a regular book in its entirety or use it as a reference handbook, with an easy-to-navigate index which allows you to jump to specific questions and answers.

Almost nothing worthwhile comes without pain or some sort of suffering, so I’ve come to the point where I accept my mistakes and allow myself to live without blaming myself too much for making them. I advise you to look at things in a similar way, because holding on to a past in which we weren’t as smart and wise brings nothing good. Looking at the future as a blank page allows you to approach things differently and avoid repeating the old mistakes.
In the book, I’ll be guiding you through subjects that are very subjective and focus mostly on emotional intelligence and social skills, which can’t be measured as accurately. So you might feel like I’m yet another bozo, but you need to open your mind to fully benefit from it. I promise you that everything in this book has been thoroughly tested, and each and every chapter you find in this book describes lessons learnt from mistakes I’ve made personally in my career. I’m never talking about others, or about things I’ve only read or heard about. Everything has been battle-tested by yours truly and I believe most of it can be easily replicated in most working environments. It worked for me with minor contextual adjustments while working for companies from various countries on two continents, with organisations ranging from small services startups in Silicon Valley, through public institutions in Poland, to corporations worth hundreds of millions of dollars.

You need to sacrifice the present for a better future, but it doesn’t mean you need to sacrifice as much as I’ve had to. I’ve learnt a ton and I want to use that knowledge to help you make your professional life easier. I want you to be more effective and productive than I used to be all those years before I started taking the human aspect more seriously.

Understanding these concepts can potentially enable you to see the bigger picture and gain a richer point of view. Please bear in mind that nothing is set in stone and that my experiences may be different from the things you’ve had a chance to experience in your career. So to limit the amount of anxiety and misunderstanding, let’s create a healthy narrative for this journey of ours. I want this book to be an inspiration for you, showing you yet another perspective of someone who has gotten his hands dirty, not a predefined set of rules one must follow. Use it as food for thought, content for consumption and a spark to initiate something bigger and adjusted to the culture of your organization and your personality. Your personality matters. Just because something worked for me and is indeed a sane way to do things doesn’t mean you’ll want to follow the same path. Things that come to me easily now may come hard to you, and that’s all fine. We are different, so embrace what’s best in you and use that to achieve what you want to.

How to squeeze maximum value out of the time invested in reading this book

This book isn’t an ideal picture of the world. It was never intended to be. It was meant to show us ways in which we can be more practical and effective. To show you how we can abandon the fears, imposter syndrome, anxiety and stress – or at least reduce them significantly – by small tweaks in the way we operate on a daily basis. I want this book to be practical, so I recommend you read it slowly and don’t rush into the next chapters. Please read a chapter and give yourself some space to reflect on it. Try to recall a situation to which the chapter would apply and outline counterarguments to what I’ve written. Then find the right balance for you and the best way for you to navigate through life. I’m not right, and you’re not wrong. We’re both doing our best, and sometimes the best solution is in the middle of two perspectives, of two totally different individuals. You do you.
After all, we’re expected to bring value to the business and help it make more money, so if you’re still employed, then apparently you must be doing something right! However, regardless of how much we like or dislike our job currently, we can make ourselves like it more. We can make others like us more and we can reduce the anxiety of the whole system.
But for that to happen, we must improve our social skills, especially communication skills at scale.

I believe that security professionals can’t achieve greatness at the workplace if they’re not actively supported by all stakeholders across the entire organization and if other employees don’t feel ownership of the organization’s safety. Security simply must be one of the core values of corporate culture. Each time I joined an organization where security professionals wanted to do everything themselves, they miserably and painfully failed shortly after. Fighting a broken security culture without any support from the top leads to burnout for InfoSec folks and creates general anxiety, irritation and a toxic atmosphere within an organization. No one wants that to happen, yet so often we end up in exactly such a situation.

Right, but what about Secure SDLC, you may ask? To me Secure SDLC is more technology-centric, while DevSecOps is more human- and culture-centric. I may even write a book on Secure SDLC one day, but we have a lot of great content on that matter already, so it’s not a priority by any means. To me, helping people understand the DevSecOps culture is a much more important task, although they are a very powerful couple, and I believe that in the long run one cannot exist without the other. I would even say that many companies have a magnificent SSDLC, but it could be so much better if the operators understood that each business is a human business first, and you can boost whatever you’re doing by involving more people and making them care about it.
I’ve met many people who understand how to implement SSDLC principles in their organisations; however, not many know how to build the DevSecOps culture which can bring their SSDLC, or whatever they’re doing, to a whole new level.
I’ve spent over 5 years working on implementing a DevSecOps culture at the organisations I’ve worked at, because I believed that with such limited resources, doing things together is the only way to go. We all hit a point at which we can’t scale anymore, which is why we must seek the help of others. And to get such help, it’s good to provide it first. Be the leader people will happily look up to and many doors will open. And by working all together we can do much more and do it much better.
SSDLC is a fabulous piece of art, and I wish more companies had adopted it since 2002, when Microsoft officially announced it. I really do wish that, because we’d be in a completely different shape as a whole industry. But we haven’t, so we must add something to it that will fill the gaps with work that doesn’t cost each of us much. Collaboration and empathy are not that complicated or expensive if we only decide to take one step forward each and every single day.
With the right attitude, the culture is something that can be created in the background, while we use our technical competence to enhance our SSDLC workflows and incrementally improve the resilience of the organisations we work for.

I hope the lessons shared in this book will save you – and everyone around you – a lot of anxiety and trouble. I wish I had had access to such a resource when I was starting out, which I believe could’ve helped me prevent the damage that happened otherwise. It’s never too late to learn and improve, so I’m still extremely grateful for the opportunity to have experienced so many things and that now I can share it for the benefit of others. I hope this book helps you navigate through social interactions with lower stress and more fruitful results, and although this book summarizes the most important lessons learnt over the past decade, I’ll still be happy if it saves you a single day of your life.

Let’s get started already! 🙂

QA Summer Fest #1 – Miquido

Miquido: fantastic people, a fantastic organisation and a really attractive office!
On an internal invitation I had the pleasure of speaking at the first event in the QA Summer Fest series, so I’m somewhat proud of that 🙂
I was met with an incredibly friendly welcome and farewell, so whenever I hear “Miquido” I will have nothing but good memories.
The conference room was available a full hour before the first talk, so everyone could comfortably say hello and find a pleasant spot to take part in the event. I found it hard to spot a single person who was bored, even though, I admit freely, I ran my talk well over time. A bit too much, and I know I wore the attendees out, but the connection I felt with the group turned the talk into a friendly conversation about everyday life in the IT industry.
On 4 October I’ll have another chance to meet the Miquido crew as part of my talk at Mobiconf. Something beautiful, thanks once again for the hospitality!
I’m also adding the link to the presentation, which a few people asked about:

SJSI Quality3D meetup #3

A dozen or so days ago I happened to appear at https://www.facebook.com/events/225878038117535/ and unfortunately only now have I found a moment to write a summary.
With positive experiences it’s generally the case that there isn’t much to talk about. It’s different when the experience is negative and we want to share it to get it out of our system and move on, having first made sure everyone is aware of our suffering 😉 Here there was no suffering at all, which is why it took me a while to write the summary.
But seriously, it was good, very good even. I had the chance to meet a very pleasantly active group, with whom we could hold a dialogue instead of giving one-sided talks.
That format, real-time Q&A, suits me best, because then I feel that I can not only meet interesting people but also add value by proposing solutions to real, contextual and individual problems.
SJSI has lately been organising very interesting events, to which they invite people from many disciplines to share their knowledge and experience. And that’s exactly how it went with my talk. I was invited and without a moment’s hesitation I shouted “YES, YES, YES!”. The chance to reach a new group of people with my ideas and ready-made recipes for solutions was an opportunity I couldn’t turn down.
I’m grateful for the opportunity to reach others with my knowledge and experience. Every time, at every talk, I hope to deliver as much value as possible to the people who decided to invest their time and show up at the event to listen to me. I’m especially grateful for the warm welcome and for the interaction during the talk.
Although at first my mind was elsewhere because of a project I’d been working on earlier, after 5 minutes I was all in and totally absorbed by the interaction with the attendees. It was good!
And now for the links you asked about.
Book:
Presentation:
Article on how to break into the security industry:
And in short, the event was about:

“The best things you can do for the security of your company in the next 3 years”

Companies, their employees and the whole IT community are confused and slightly lost in the vastness of topics related to organisational security. There is so much information noise coming from every direction that people don’t quite know which way to go to increase their company’s security. Should they test manually or automatically, should they order a pentest service or use bug bounty programs, should they keep their data in the cloud or in a classic data centre.
During this talk I will try to answer these and many other questions, going down to the technical level. My goal is to give you some ideas and ready-made solutions so that you can focus on carrying out the important tasks.

and about

“Testing the most common security bugs: dispelling the myths about how hard it is to work as a security person and showing that any one of you can do it.”

In the security world there is a legend about how exceptional you have to be to do security testing and protect organisations.
In reality (attention please!) we are all human, and if someone with a profile similar to yours has managed to do something, then you can do it too.
During this hour-and-a-half workshop I will show you practical tools and introduce the way of thinking required when testing security, thanks to which, regardless of your current profession, you’ll be able to dig into security testing, penetration testing, security audits and the like.

InfoSec Career Paths vs Programming Skills – The Basics

On Peerlyst, in my Q&A session, Eric Geek asked:

Is being a great developer vital when choosing information security as a professional career?

My answer below:

Beneficial? Yes.
Necessary? By no means. Demand for development skills in infosec is rising, but the demand for general infosec specialists is growing even faster.

I know many fantastic security professionals, who just hate programming. They’ll code a bit to help themselves, to build some simple automation for their tasks, but they’d never write any serious application.

The market for infosec professionals is so wild that it’ll eat almost anyone with any interest in security and some technical acumen.

Software engineers can easily become information security specialists

… and they bring a lot to the table, for organisations that need that kind of skill set.

The work required for a software engineer/programmer to become a security specialist will vary a lot depending on the person and their existing skills, aspirations and predispositions.

If you are a software engineer, then I would recommend learning more about application security and then moving into secure software engineering roles. While in that position, your goal should be to gain exposure to technologies and security processes. This will make it easier for you to switch between other professions within the cybersecurity industry.

If, for example, you’re a software QA engineer and you know how to test software, it doesn’t take much to start including security tests in your day-to-day work. After a couple of months you’ll realize that you’ve grasped quite a few security issues!

If you're a network engineer, then it makes sense to learn more about infrastructure and network security in order to move into positions such as network security engineer, incident response engineer, or network penetration tester.

This approach should help if you want to transition into cyber security at low cost and with low anxiety. It makes the transition easier, because if you have a solid background in building something, it will be easier for you to figure out how to break it and how to secure it.

If you're comfortable in a given specialisation, you won't be scared by the amount of new knowledge you'll need to acquire, which lowers stress and eases you into the learning process.

So a software engineer who wants to transition into a security role should try applying security principles to whatever they're currently doing: learn how to break the things they've built, and then how to make them as secure and impenetrable as possible. If you iterate enough, you can become a security-savvy engineer who can easily add 'security' in front of their existing job title and become a security specialist in their own field.

I would suggest adding some good eye-opening resources to your knowledge base. One that holds value for all types of security work is learning basic Security Architecture Principles. Then learn more depending on which fields of cybersecurity you want to explore.

Here are some great materials for Web and Mobile Applications:

  • OWASP Top 10
  • OWASP Application Security Verification Standard (ASVS)
  • OWASP Code Review Guide
  • OWASP Web Security Testing Guide (WSTG)
  • OWASP Mobile Security Testing Guide (MSTG)

Network and Infrastructure Security:

But the most foolproof and effective method of learning security skills, to me, is this: google things. Start doing fundamental research in your craft; Google is your best friend here and always will be. The sooner you learn the art of googling, the better, because we use it a ton in our day-to-day work.

If you're writing code in C++, then google "C++ security vulnerabilities" or "writing secure code in C++". If you're deploying apps in the cloud, such as AWS, then google "how to secure AWS applications", "secure deployments in AWS" and so on. Learn as much as you can from the search results and from the latest news; this will expand your security expertise over time.

This way you'll learn security skills relevant to what you're currently doing and keep up with the latest cybersecurity trends, which will let you live and breathe that knowledge and put it into practice in your projects.

You can become a valued security professional from any IT specialization

I often get asked how to become a security professional. My answer is: by becoming a professional in any other field, or by working your way up from whatever you're currently doing. Reverse engineer the requirements from job offers in your area and learn what they want you to know. Then apply as soon as you feel comfortable with your skills. Research and reverse engineer job offers, learn, practice, go on interviews, understand what you were missing and why they didn't accept you, learn the missing pieces, rinse and repeat until you get a job.

Appreciate the journey and don't underestimate the value of a varied background; do it all at the beginning, because you've got time.

I started my adventure in IT from the very bottom, working as a computer technician, network admin, web programmer, and system administrator. After many years, I got involved in security. I do not regret the time I spent in previous positions, because taking an indirect path provided many valuable experiences, all of which gave me perspective. My range of experience allows me to understand the problems many employees face, enabling me to make better decisions for the companies and teams I work with. I believe the security industry could benefit greatly from more diversity.

However, if you have zero experience in security but experience in other fields of IT, then I recommend becoming an expert in that other field first, and then start applying security concepts to your field of specialization. This has worked for so many talented professionals I know. Too many people want to get into security without prior experience in anything IT-related. This doesn't make most of them very valuable professionals, because they tend to make myopic decisions without considering business context. Security is merely an addition to business operations, designed to support its longevity. It doesn't exist on its own.

You can read pentesting and bug bounty blogs, but pasting random payloads without a deep understanding will prevent you from contributing much to your organization. Dive deep into anything you learn, stay curious, and enjoy 'expert' status in a few years.

Here are a few viable and popular career options:

Web App Security Tester – Some skill in coding is good. It's not necessary, but it is beneficial, and it's usually what separates wannabe experts from true experts. Learn how software stacks work and get a handle on web programming languages like Java and PHP and their respective frameworks. To break something and improve its resiliency afterwards, you should understand how it all works. Once you have reviewed all the OWASP resources, you'll know what to do next.

Network Security – Simple bash/perl/python/ruby coding, if any. Create a local lab network consisting of various components. Deploy services like a LAMP (Linux, Apache, MySQL, PHP) stack and research how to secure each element. While building, study what issues can arise during configuration and maintenance, so you know what to avoid and how to test for them when sysadmins didn't have the time, interest or knowledge to do so. Then focus on the PTES (Penetration Testing Execution Standard) Technical Guidelines to discover the ways penetration testers and hackers can attack your network. Reverse engineer their methods to build proper defenses against future attacks.

Compliance and Auditing – Zero programming skill required for most roles. Learn about the underlying technology and business models. You want to understand how businesses operate so you can protect them and ensure new regulations don't hinder company innovation. Grab some good business books and gain business exposure by learning from executives and managers with real-world experience. Study industry best practices, like those from the Center for Internet Security, as well as regulations and standards like HIPAA, PCI DSS, DISA STIGs, ISO 27001 and SOC 2, to understand how to make your organization compliant without negatively impacting productivity.

Cryptographer/Cryptanalyst – Depending on the chosen niche, coding may be just an addition for testing implementations and protocols and for cracking algorithms. If you want to become an expert in this field, I recommend attending a university with strong mathematics and cryptography programs. This is a fascinating field that requires prior and substantial mathematical knowledge, so if you get through the heavy math, learning to code will be the least of your worries 🙂

Security Consultant – Depending on the context, most roles require zero coding, some require a little. This position will help you gain experience working in IT or IT security, so you can understand the business and broaden your horizons. If you decide that you want to stay in consulting, research what big companies are doing, the technology they use, and the regulations they're subject to, then learn how to manage these for them.

Vulnerability Researcher – All-in or zero. This narrow specialization requires focus in at least one field. Become proficient in at least one programming language, framework, and operating system. Then focus on a narrow set of functions in a given product or service. Examples include studying assembly and the C programming language, learning how video transcoding works, and identifying weak spots in a library such as FFmpeg. Zero coding is required if you want to be a bug bounty hunter, of the kind who keep calling themselves "vulnerability researchers".

Software Security Expert – Software engineers often become security experts. Be proficient in at least one technology stack, then apply all relevant security knowledge to making products safer. Strengthen security across your organization, responding to the demands of your colleagues and customers.

If you want to speed up the process of becoming a valued security professional, pick a technology that truly interests you and learn as much as you can about it. So instead of being a Web App pentester, become a Node.js security expert. Be a specialist, not a generalist. Go for a narrow niche. Find something that sparks your curiosity and become passionate about it. Know things only 0.01% of the people using the technology know, and your pockets won't be able to hold the amounts of money companies will pour into them 🙂

The most important advice here is to look for employment as soon as possible, because nothing beats the quality of learning you get on a real job. It's the actual job and the job market that show you what is required and what is not.

Almost ZERO programming experience required for Penetration Testers

Don't get me wrong, a pentester who knows how to program is invaluable, but some pentesters are such great manual testers that they will find great employment no matter what. Despite the current state of pentesting in the US, where the actually cool stuff is happening, 95% of countries are still a decade behind in terms of their cybersecurity posture, and there all you need is to study the OWASP Testing Guide to fill your pockets big time.

Let’s consider a few scenarios and then jump to job specific recommendations.

If you already have some security experience, then check out a few renowned books, highly rated on Amazon, with "Pentesting" in the title to build your foundation. Then go for Offensive Security's lab and certification, OSCP, which as of now is the most respected entry-level certification for penetration testers. Consume as much content as you can, but don't let yourself get lost in the universe of theory. The best pentesters are those who put their knowledge into practice and get their hands dirty.

If you don't have security experience but work in other IT fields, then my recommendation is to become an expert in your own field and then start applying security concepts to it. That route worked for many great people in the industry that I know. If you're a Java programmer, study how you can test applications written in Java. If you're an IT ops engineer deploying services in the cloud (AWS/GCP/Azure), then learn about the potential security issues and how to pentest those services. Learning comes much easier if you have the proper background.

If you have never worked in IT but want to work in security, well, this one is tricky and hard, because security generally isn't an entry-level role. Too many people want to get into security without prior experience with anything IT-related, which doesn't make them very valuable professionals, because many of the decisions they make are myopic and don't consider business context. You can easily get excited reading pentesting and bug bounty blogs, but as long as you're just pasting random payloads without a deep understanding of the matter, you're not contributing much to your organization. The same way you won't get a six-pack by reading about push-ups, you won't become a great penetration tester without going into the field and testing stuff. So go deep into anything you learn about, and enjoy 'expert' status in just a few years.

And now let’s take a look at some of your options when you’re completely fresh to the field.

Web/Mobile App Pentester – Learn how to code. It's not necessary, but it's beneficial, and it's usually what differentiates expert wannabes from true experts. Learn how software stacks work and get a grasp of web programming languages such as Java and PHP and their respective frameworks. To break something and then improve its resiliency afterwards, you should understand how it all works. It doesn't mean you must be a guru software engineer, but you can't go wrong knowing the basics. Once you've completed all the resources from OWASP you'll know what to do next.

Network/Desktop Apps Pentester – Create a local lab network with various components in it. Deploy some services, such as a LAMP (Linux, Apache, MySQL, PHP) stack, and then google how to secure each of those elements. While building, study what issues can arise during configuration and further maintenance, so you know what issues to avoid and how to test for them in the future in other environments where sysadmins didn't have the time, interest or knowledge to secure their instances the way you could. Go to the PTES (Penetration Testing Execution Standard) Technical Guidelines and see the ways penetration testers and hackers could attack your network, then reverse engineer their attack methods and build defenses so those attacks no longer work.

Specialized Pentester – Pick one technology and go as deep as you can. So instead of being a Web App Pentester, become a Node.js Security Expert. Become a specialist instead of a generalist and cut the learning process in half or more. Find something you're curious about, learn more about it, become passionate about the field, put in a few solid years of dedication, and you'll get whatever you want. (Well, not precisely everything you want, but you get the point.)

Red Teamer – All of the above recommendations apply, plus social engineering and physical security attacks. You may not have the technical predisposition to be a great web pentester, but if you have been gifted with empathy and social skills, then you can still achieve a lot!

There are hundreds of blogs by people who documented their journey, and I recommend you look into real-world examples of people who've moved into a pentesting career. Learning from the successes and mistakes of others is very cost-effective. I'll also recommend a bulletproof method of finding a job as a pentester, whose importance most people don't realize:

  • Find a few dozen pentesting job offers in your area
  • Extract the most common requirements, both high-level and detailed technical skills
  • Now you know what to study and what employers really need
  • Don't waste time learning everything. Learn the minimum needed to get the job and be a valuable team member. From there your career is highly malleable; you can adapt to whatever your organization needs you to do.

So yes, you can flourish in the infosec field with no more than a week of programming study. The market is the ultimate judge. Some companies require programming skills as a must-have, and some don't care. Find what suits you best and keep on rockin'!

Sharing Udemy Courses and Certifications in Your CV and Resume

I noticed this post today on my LinkedIn wall:
I just saw my first resume where the candidate highlighted Udemy certifications. I think this is a great idea. While certainly not stand-alone, these are a great way to show deep interest in an area.
~ Mike Johnson, CISO at Lyft

And I’d like to add my comment to his words:

1 is better than 0.

Don't shy away from demonstrating your effort, even effort that ended in tiny successes. Anything you've accomplished shows determination and drive.

In some recruitment processes it's really a 1% difference between candidates that leads to the hiring decision.

This is especially the case for more junior roles. Be so good they can't ignore you, and show everything that you believe can differentiate you from the crowd: online courses, a blog, a small GitHub repository, speaking at local meetups.

It all matters more than you'd think.
If you're still in doubt, ask yourself: what can I REALLY lose if I put it in there?

Go and get some. Nothing but ego is stopping you from showing little successes. Don't force the big game and put on an act.
If you don't list those small wins because you don't want to be perceived as someone to whom these things matter, and you're afraid it'll undermine your bigger wins, then stop. It's your ego talking, and in this case it's your enemy.
If a hiring manager judges that you must have achieved nothing greater because you've shared the smaller things, then you're likely better off without them anyway.

Appreciate everything, but most importantly, appreciate yourself and your effort.