When it comes to preparing one’s self for a career in cybersecurity, be it through formal education, tinkering in your downtime, or during on-the-job training, what’s clear is that there is no one “right” path. If you look at successful practitioners all across the industry you’ll find just as many different routes that led practitioners to where they are today as you will practitioners themselves.
For this series, Infosec Insider asked a few of our InfoSec World 2018 presenters to share how they came into their current role in security. First up, Keith Hoodlet, Trust and Security engineer at Bugcrowd.
What was your first professional job? (And if it wasn’t in security, how did you end up here?)
My first professional job was as a Customer Service Representative role at John Hancock. The year was 2010, and much of the economy was in the gutter from the still-recent housing market collapse. I had recently graduated with a Bachelor’s Degree in Psychology, and at that point had been a security hobbyist for around 13 years. My choice to pursue a degree in Psychology was a result of my self-conscious awkwardness in working with other people, but I think that through my experience as a Customer Service Representative—as well as my education—I managed to get past that.
After my wife completed her Master’s Degree and found gainful employment, I eventually went back to school to take classes in Computer Science (which is what I probably should have done in the first place); I then went on to intern at Veracode, was later hired full-time at Rapid7, then eventually moved on to where I am now, at Bugcrowd.
Did you have any formal training before entering security?
No; almost everything I’ve learned in the field of information security comes from being self-taught. My first experiences around the concept of “security” come from when I was in middle school, playing Blizzard Entertainment’s PC title, “Diablo.” I figured out that I could use Telnet to connect to their online platform, battle.net, and then later learned I could use Diablo trial accounts to connect with whatever user name I desired—no authentication necessary. So of course I did what any enterprising juvenile delinquent would do—I built a front-end in Visual Basic to spin up as many accounts as I could, and used my new bot army to take over channels. Shortly thereafter, I was hit with “WinNuke” (a malformed packet that caused my system to crash), and quickly became hooked on this whole field of information security.
What about your current role now drew you to its specialty?
Application security still feels very much like the Wild West that I experienced on the internet of my youth, and as such, I became very enamored with seeking out opportunities to further develop my knowledge in the field. With the ever-increasing pace at which adoption of new web technologies seems to be occurring, I don’t foresee this specialization going away any time soon. What’s more, most of the traditional technologies people have adopted to scan applications for security flaws just aren’t keeping pace; I would say that—now more than ever—we need security professionals who understand how to code, and can differentiate between good vs. bad coding practices. I was specifically drawn to Bugcrowd’s Trust and Security Engineering team because the people I work with possess deep knowledge in this area, and I wanted to work with them so I could further expand my own knowledge.
What skills would you recommend to anyone looking to become a trust and security engineer?
Understanding how to effectively build (and break) applications is central to what it means to be a Trust & Security Engineer at Bugcrowd; the same could be said for anyone pursuing an application security engineering role at nearly any other company today. Speaking as someone who comes from a background in writing compiled code and working with network protocols, I would strongly recommend picking up Python and learning how to write a Flask application. Flask provides a fairly simple model for someone to start developing an understanding of the “Model, View, Control” architectural patterns that most of the modern web utilizes today. Furthermore, Flask still relies on an individual developing a base level of knowledge around HTML and CSS, as well as JavaScript (if you’re getting clever with your application). From there, I would definitely recommend pursuing knowledge in JavaScript frameworks and libraries—the World Wide Web practically runs on JavaScript today.
Tell us something about your job that people not in that role would not expect.
The most important skill any one of us has is our ability to communicate; regardless of how technically astute you might be, you absolutely need to possess strong “soft skills” in order to be successful as a Trust and Security Engineer at Bugcrowd. What good is all of the knowledge you’ve acquired if nobody can understand what it means? That’s not to say that technical ability isn’t important. But for most of us, it is second to our ability to interact with people who possess varied levels of technical expertise. With all that being said, the team has set aside time every week to work on further developing our technical skills through performing research on bug bounty programs, working through “HackTheBox.eu," and hacking on a myriad of other CTF-style challenges; It’s a lot of fun, and definitely helps with team building.
Keith will be presenting a talk entitled "Attack Driven Development" at InfoSec World Conference in Orlando, Florida, March 19-21, 2018.
