Did AppSec USA. Looked to the future. Bought the t-shirt.

I had a grand time attending AppSec USA held in Washington D.C. last week. It’s great to go to an event where everyone is passionate about the same topic, with a very cooperative and nurturing atmosphere. Mingling in the hallways were new AppSec devotees and recent graduates talking with old-timers who design scanning engines, cryptography, and other solutions.

I manned the WhiteHat booth with two solution architects from the team, and I think all three of us had fun learning about what other companies are doing in AppSec – in a couple of cases, spawning interesting talks back home with our engineering teams. Application security is all about technology partnerships, and how to build a safer Internet that will survive contact with users.

On Thursday, I really enjoyed the Women in AppSec lunch, which had so many attendees that we overflowed the lunch room and stood around holding our plates, chatting in the hallway. Another experienced woman in security (my booth neighbor) and I found ourselves with four young women just starting to look at their careers. We took turns evangelizing the advantages of working in security, with advice from our own paths. It’s a sad truth that women make up only 11 percent of Application Security professionals, and this number hasn’t changed since 2014. So I’m all about advocating for more open discussions and nurturing. We do it for customers, let’s talk about how to do it for our future coworkers!

There is no set course for getting into a career in security, which is both a strength and a weakness. A person can get a Master's in InfoSec and still find themselves with no practical experience that will get them hired right out of college. (True story: a new graduate who was trying to figure out what her resume was missing.) I related the experience of visiting a potential customer site, where the Endpoint Security expert on the team was the former secretary who had completed the project of migrating to a new vendor with no issues and in record time. That's how to get ahead!

Practical hands-on experience will trump a class in many cases, but there are also certifications worth considering that tell a potential employer you understand practical security concepts. We also mentioned the 0 percent unemployment in security these days, which encouraged the women to try everything from network monitoring to app scanning to figure out what they love. Engineering? Product management? Marketing? CISO? CEO? You can start anywhere.

I later poked my head into the IoT and Control Systems hacking class being run by Justin Searle. He was teaching roll-up-your-sleeves, hands-on penetration testing of SCADA and IoT systems such as smart houses and buildings. The summary lesson was about minimizing risk by finding vulnerabilities before going to market, which echoed WhiteHat's own "Hack Yourself First" motto. With all the inter-system communication and information exchange, the risk of compromise grows in step with the actual benefit.

Don’t get me wrong, I absolutely want Jarvis to run my house one day. But I’ll definitely be choosing the smart home system that has the best, security-certified controls that passed all the tests available. There will always be risk – but the advantages are huge. So kudos to all the present and future penetration testers that are helping make my future smart home a safe one.

Now, if only I could pick which actor will voice my speaker system…

Tags: application security, whitehat security