Engineering, cybersecurity and changing careers

Dave Farrow discusses his unconventional career journey and the intersection of engineering and cybersecurity.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • Transcript
    • Chris Sienko: As you probably know, October is National Cybersecurity Awareness Month. And to celebrate, Infosec is giving away a free month of its Infosec Skills platform. This is a subscription-based skills training platform for cybersecurity experts. If you’d like to learn more, please go to infosecinstitute.com/podcast and don’t forget to claim your free offer before October 31st. Hello and welcome to another episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different cybersecurity industry thought leader to discuss the latest trends and how these trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Our guest today is Dave Farrow, Senior Director of Information Security at Barracuda, an organization that strives to provide businesses with cloud-enabled enterprise grade security solutions. But he didn’t start there. His career journey began as a software architect at Fiserv, followed by VP of Engineering at Yosemite Technology and Director of Engineering at Barracuda. So we’re gonna talk today about making lateral moves from other tech areas into the security field and what drew him, and what tips and tricks he might have for listeners that might want a similar career change. Dave, thanks for joining us today.

      Dave Farrow: Thanks for having me, Chris.

      Chris: So, tell me a little bit about your unconventional career journey. I assume you were always kind of a big fan of computers and tech, but sort of walk me through the steps along the way.

      Dave: Sure, oddly enough I was not a big fan of tech–

      Chris: Really?

      Dave: I spent most of my childhood either building models, cycling through the hills behind Ventura County, or in the ocean off Ventura surfing. My father gave me a Commodore 64 when I graduated from high school, and I’m ashamed to say now that I never really played with it.

      Chris: Okay. Wow, okay. It didn’t imprint on you as it did for some of us.

      Dave: Yeah, yeah, I look back now and I’m just kind of ashamed to say that that was my background. But no, I started out in college as a speech communication major–

      Chris: Okay.

Dave: Did that for one quarter and realized there was not nearly enough math in that. And so I started over again and I chose electrical engineering computer science because it was the thing that made the least intuitive sense to me, and I was intent on learning something at school, and so I went off to do that. The school that I went to, we were I guess kind of snobs about being electrical engineering computer science students, and we felt that if you were a CS student it was only because you couldn’t make it as an electrical engineering computer science student. And so at the end of college, when I had the opportunity to learn computer science and get paid for it I thought, “I think it might be foolish for me to pass that up.” And so I really fell into it. Fell in love with it immediately and thought, “How did I ever, ever miss this?” I had one gig during that time. I think my second year in the industry I did one hardware-based project and I spent most of my time looking at catalogs and said, “I’m not interested in this at all,” and so I got into software and I’ve been in software ever since and I have just absolutely loved it.

      Chris: Okay, so going through your bio you started out as owner of Farrow Enterprises. What is or was that?

      Dave: Yeah, that was, I would say that was an act of defiance against the aerospace industry.

      Chris: Okay, that’s a great lead.

      Dave: Yeah, I started out working for TRW straight out of college. They were the ones that said, hey we’re gonna take a risk on this guy that doesn’t know software because their theory was that if you had an engineering discipline background they could teach you software. And so three years into that, we experienced what every aerospace company does, there was a downturn. And rather than lay people off, they were mandating five extra hours of overtime a week for a dollar of extra pay, and the guy running our division challenged anybody that could find a better deal to do so. And so at that point in time, I stepped out into just contracting. So Farrow Enterprises was just the name of the umbrella under which I did contracting work for the next several years.

      Chris: And what kind of contracting work was that?

      Dave: Well, I did contract programming work for a ton of different industries. I did everything from work with telecom to work in the bingo industry, and a lot of stuff in-between. In a lot of different environments. There’s some data warehousing. A lot of different languages in that process. My only real requirement during that time for a contract was that there be at least one new technology that I could learn in the process.

      Chris: I’m so curious to ask more about the bingo industry but I’m–

      Dave: It was a fun time, and I was actually building a bingo calling desk. They made it very clear that that was the gas pump for their business and their business was selling paper, and that bingo calling desk was gonna sell paper. So think of it as an online video game. You know, it’s part of Video King.

      Chris: I challenge you to write a book called “An Act of Defiance Against the Aeronautics Industry” and have a chapter on the bingo industry. I will be your first customer.

      Dave: All right, I will add that to the list.

      Chris: Okay, so, in 2003 you became a software architect for, is it Fiserv, Fiserv?

      Dave: Fiserv.

      Chris: So was that a direction you had been, it sounds like you were sort of pursuing that, but what pushed you further into that direction, and what interested you–

      Dave: Again, it wasn’t an unconventional path for me. It was actually a logical extension of what I was doing at the time. Right, the contracts that I had been taking were generally C development and architecture-level gigs up to that point. But at that time, the dot com bust was going on and I was living in Denver at the time, and had a lot of small children at home. And when the dot com bust sort of hit, and actually right after 9-11, the contract I was on was winding down, Christmas was coming, didn’t really want to go look for a new gig right then. And so, I submitted my resume on monster.com for a gig in Fresno, California. And if you know Fresno, you know there’s almost no technology here. I submitted in Fresno because that’s where my family, my wife’s family is from, and I said, hey, you know, I want to look like I’m looking for a new gig. How about we go spend six months out there with your family and for anyone that actually interacted much with Monster at that time, it was impossible to actually reach a recruiter. And through an odd series of events, I dug up a phone number, and they picked up the phone. And then I saw that as sort of being ordained, that we were gonna get that. So I actually moved out to Fresno to do a six-month gig and have been here ever since.

      Chris: Wow, okay. So from there you become VP of Engineering for Yosemite Technology for six years and then Director of Engineering at Barracuda for another seven. So, you know, engineering’s clearly in your blood, but in 2016 you became Senior Director of Information Security at Barracuda. So what brought about this massive career change? Or was it even a massive career change, or was it a fairly intuitive jump to go from security to engineering that way?

Dave: Right, so it was an evolution. So what I discovered as a software architect at Fiserv was that there really are two primary things I needed to be doing. One was communicating the vision to the team to continue moving the architecture forward, and the other was developing the architecture. And I met, through a social engagement, the founder of Yosemite Technologies and we were comparing notes and he had the same problem. So I joined Yosemite to solve one of those problems for him so we could each wear one hat. And that’s really sort of the story of my career. As we went through our journey with Yosemite and eventually got purchased by Barracuda. Barracuda purchased Yosemite Technologies in order to roll the technology we were developing into another product, right. A cloud-based backup product. And at that point, I set about looking for other ways to add value to Barracuda. And along the line there, as I sort of watched over the sort of the end of life of the software-only product, as it moved into the cloud product, one of the things I identified was that some of our key engineers were managing our bug bounty program and that was distracting them from actually developing our products and so I thought, hey, this is something that I can help with. I’m gonna administer the bug bounty project. And that was how I started into that project, started into the security world. I began handling the incoming bug reports. There weren’t a lot of them at the time, it was right at the beginning of the bug bounty craze. And what we discovered here is that right, what was it late 2012, that sort of a confluence of things came together, one of which was handing out some bounties that probably didn’t need to be paid out. Responding to reports, sort of more promptly. And what happened was, we ended up getting, seeing a sharp uptick in our bug bounty program. And that eventually caused me to bring in some folks that were much more versed in security than I was to help manage that program. And over time, that program has expanded basically to start pulling all of the independent security activities that were going on in the company under a single umbrella.

      Chris: Okay, so your security department basically started with a bug bounty program?

      Dave: Our centralized part of it did, yes. But we were doing security activities, you know, we’re a security company so there are a lot of guys that are very well versed in security, and they were doing those things independently and it was nobody’s primary job.

      Chris: Right, right, okay, so that’s that point where yeah, security is not yet really a full-time job per se, or that aspect of security.

      Dave: Right, and so I was the guy that sort of came on board and said, all right it is, it needs to be a full-time job. We need full-time jobs here, here and here. And so, this move was really an extension of the setting of direction and the building of a team that I was doing at Yosemite.

      Chris: Okay, so tell me a little bit about the sort of Wild West days of the bug bounty programs and because, when you’re talking those years you’re talking about, sort of, the start of, yeah, I mean obviously there’s always been security issues, but this is like, really the sort of ground zero of active security issues where people are making things, rather than just, oh there’s a hole in my bucket, you know.

Dave: Right, right. So the part that I remember the most clearly was the day when, it feels like it was a watershed day. You know, I had been handling, I don’t know, a dozen or so incoming reports a month of varying severity. Some cross-site scripting attacks here, some click-jacking reports there. And I realized, I need to do some tooling around this. And we had a very well defined scope of activity. And someone sent in a report related to, I think, our website. And I looked at the report and it was actually a meaningful report. It was actually real value to us. It was, I believe it was a persistent XSS. And so, it mattered and I thought, look, I’m gonna just be a decent guy and kick this guy a few bucks. Didn’t understand that that few bucks meant a lot more to him than it meant to me. And probably, within 45 minutes, I think all of his friends knew it. And were just going nuts on our website.

      Chris: Testing every inch of the wall, and yeah.

Dave: Right, right. And, the scan, at that point we hadn’t really anticipated that someone was gonna throw an Acunetix scanner at our lead generation page and so they generated 40,000 leads in Salesforce. And so that was probably the ugliest incident in the Wild West. The other part about the Wild West, when we were managing our bug bounty program ourselves, was we got a lot of colorful characters in there. I’m not gonna drop any names though I would really like to. When I talk with other people running their own bug bounty programs, we do compare some names, and they go, “Oh man, you’ve got that guy too?” There’s one guy that threatened our wives and our daughters because we wouldn’t give him a bounty. Lots of rude folks, but on the flip side of that, one of the guys that works on my team now I met through that program. You know, he rang our bell really hard for a few days, and in self defense I said, “Hey, would you be willing to jump on a Skype call with me?” And I’m not gonna drop his name either ’cause he likes his anonymity, but that has turned into a very fruitful relationship, and has been really instrumental in developing my security knowledge. He’s introduced me to a lot of folks in the industry. So my experience through the bug bounty program is there are a lot of really top-shelf white hat folks out there that are providing tremendous value to companies. There’s a lot of fear about, am I opening, writing an open cheque to the internet? And our experience has been, it doesn’t have to be that way. You can manage that. And the key thing is, if you adopt a position of being a good partner with these folks, they do respond as good partners in return, and it’s been a hugely positive process. I will say though, that the guy that I mentioned that is on my team now introduced us to Bugcrowd. I’m gonna make a shameless pitch for Bugcrowd. They got us out of the business of trying to pay people across borders, which was really the hardest part about managing that program, and they deal with a lot of the difficult personalities for us, and that partnership has made the bug bounty program extremely valuable to us.

      Chris: Interesting. Okay, so yeah, that’s really interesting. And that sort of ties into things that we’ve talked about in previous episodes, specifically that when you’re young and you have knowledge but you don’t have experience, that doing bug bounty for companies is a good way to sort of get your name in front of them, and if you can demonstrate that you have decent people skills and communication skills, they might want to jump on a Skype call with you.

      Dave: Right, right, and the guy that I hired into my team was actually not in an application security role when I hired him. He was doing network security and some incident response. And he wanted to be in application security, wasn’t sure how he was gonna get there. So that relationship, we leveraged into a lateral move for him that’s been probably more valuable for us. But it was valuable for him too, but it’s been just a wonderful collaboration so far.

      Chris: Okay, so let’s talk some more about lateral moves here. So what are some of the connection points between engineering and security, as a career? What are some of the overlaps in your engineering skillset that apply to your cybersecurity roles?

      Dave: Sure, sure, so I think engineers, especially software engineers that want to go into security, have one leg up on people that are getting in, right. Before I even really got too far into security, I could explain conceptually how a cross-site scripting attack worked. I could explain how a command injection worked, or a SQL injection worked, I could understand that because I had coded those kind of errors all my life, right. I knew what a buffer overflow looked like. I didn’t understand necessarily exactly how to exploit that, but I knew what it was and I knew why it was bad. And so that took a lot of the learning curve out. On the flip side of that, there’s an enormous gap in reality between being able to explain a cross-site scripting attack and being able to exploit one in real life. And so I can’t stress enough the value of actually finding ways to practice exploiting them in real life.

      Chris: Okay, any tips on that?

      Dave: Yeah, online challenges are a great way to do it. There’s, my favorite ones I started when I was beginning was a thing called w3challs.org. I remember just beating my head on the wall. The very first XSS challenge. Actually it was the first SQL injection challenge. And I knew, I knew exactly what the injection point was, and it took me hours before I realized the lesson that I will never forget and that I’m not gonna give away here, because there’s value in actually learning that painful–

      Chris: Right, yeah, no hint books, yeah.

      Dave: And, but there’s no substitute for taking that conceptual knowledge out of your hands and putting it into the keyboard yourself. And there’s just, there’s no shortage of opportunities to do that online for free.

      Chris: Yeah and that’s one of those things that I think people mistake, is that if you know, or even if you know out of a book that, you know, I know how to do this ’cause I read it in a book somewhere. But like, the actual trial and error of like, you know, fiddling the details until the thing actually happens, is where you learn, right?

      Dave: Right, right. The second thing that, well, when I said that software engineers have one leg up. The leg that was sort of missing for me that, well actually, I did have a bit of a leg up on that as well. Networking knowledge is really, really critical, right. And I had written client server programs. A matter of fact, I started out at TRW writing client server programs, kicking it old school, right. Writing it–

      Chris: Right.

      Dave: Writing the servers. Forking and execing and all of that old stuff. But again, that was very limited perspective of how networking worked. It was from one piece of the puzzle. And any engineering work that you do to understand how networks actually operate and how to move through them, is gonna be very valuable in the security world.

      Chris: Okay, so let’s sort of flip the foreground and the background here. What are the benefits of having engineers in a security space? What are some things that an engineering background can bring to a security department that people classically trained, if you will, in cybersecurity don’t have?

      Dave: So I actually don’t look at it quite that way.

      Chris: Okay, they’re interconnected?

Dave: So I believe that engineers are central to our security program. All of our security, in our products and services, begins with the engineers themselves. At least, the way we’ve organized our practice here, I and my team don’t have any actual permissions to change anything. And that’s by design. The guys with the hands-on responsibility for keeping things up and running, and for developing these things, they have the responsibility for fixing things. We are here in an advisory capacity to say, here’s all the things we found, here’s how you fix them, but they need to do them. And so, security knowledge has to be baked into engineers from the very beginning. It’s, security and software engineering and dev ops, to me are like sanitation in medicine is. Everybody has to know how to sanitize their hands and their equipment and their environment, right. So if you’ve got someone who’s a software engineer that wants to go into the security practice, because they want to move into that, they add value because they speak the language of the people that we need doing the most fundamental security work. And they can bridge that gap, because security guys, they don’t talk the same way that software development guys do. And they’re not really tuned in to the pressures that a developer has to deliver features. They’re not necessarily tuned in to how the builds and CI/CD process works. And they’re learning those, but I hear sometimes myself and other folks on my team or other security researchers saying, “Why don’t you just do this?” Because you just fix it by doing this. I had a very interesting conversation with OJ Reeves a few months ago. He’s also known as TheColonial, I don’t know if you’re familiar with him. He’s responsible for much of the development of Windows Meterpreter.

      Chris: Oh right, yes, yes, of course.

      Dave: And he is telling me, he’s actually got, he’s livestreaming the development of a native CLR implementation of Meterpreter, and he’s doing that, he’s like 50 or 60 hours into it, and he’s a wonderful teacher, wonderfully articulate man. And he’s doing this partially to communicate to the security folks, how hard software development actually is, right. The answer to, “Why don’t you just do this?” Is, we have constraints that you might not be aware of. So he’s bringing all that discussion into the livestreaming of this new implementation of Meterpreter. I’m very excited about it, I’ve only watched a few hours of it, but it’s great stuff.

      Chris: Oh, that’s great, yeah. And that clarifies it nicely for me, in terms of, you know, I used to work in publishing and so you have the editors and art directors, you know, sort of butting heads because well, I need this specific thing which is completely at odds with this thing that you need. And my deadline is one week and yours is three weeks, but you want yours sooner so you can sit on it and so there’s all these sort of, and as companies get larger and larger, your roles get more and more subdivided into, you’re doing this one specific thing without really knowing what the people in the cube next to you are doing.

Dave: Right, but in my experience, most security teams are fairly small, right. And as, there’s a temptation to feel like the company isn’t investing in security, but that’s not the case. The investment in security is spread out among the engineering teams as well. They have, there’s an expectation that security is being built in in the process. And so the security team really needs to be focusing on pointing those development resources and those dev ops resources at the most impactful things that they can do. And so anybody that’s moving out of software development, or dev ops, into a security role, brings a capacity to translate between these worlds, which is enormously valuable and very hard to teach.

      Chris: Yeah, and as we’ve said in previous episodes too, there needs to be baked-in security in the board level, and at every level, but especially at the engineering level. So what are some security issues that you’re working on at the moment, and what are some interesting solutions you’ve come up with for these problems?

Dave: You know, Barracuda, there are a couple of things that are top of mind for us right now. People continue to be targets. So, we do pen testing on a regular basis and, you know, we feel great that the pen testers never crack our perimeter. But the reality is, they’re not really trying to crack our perimeter, because they’re trying, it’s much easier to get a human to make a mistake. So that’s one key thing that we’re really focusing on. It’s not high tech, it’s not super sexy, and the reason we’re focusing on it is because it’s not high tech, it’s not super sexy and it just works, right, as an attack, right. And so we really have to focus on protecting people, and so security awareness is a big thing that we focus on. The other thing that I’m hearing a lot of chatter about in the different, people I talk to in the industry, is a real growing concern about supply chain attacks. And in particular, given the privileged place that our products sit in a lot of our customers’ environments, our developers are very interesting targets. And so, in terms of cool new vulnerabilities to watch out for, one of the members of my team just recently gave a talk called “The Ides of March” about demonstrating a fully cross-platform out-of-the-box exploit for popping a shell on a box, just providing you with a malicious VS Code project. You open the project and bam, he’s got shell. And so those types of attacks are things that we worry about. So we’re, given the amount of open source that’s out there, and the difficulty of really investigating what’s in all of those things, that’s something that really sort of keeps us up at night. And I don’t think we have a good solution on that yet, but security awareness seems to be probably one of the most important things that we need to be driving. And I don’t mean just around phishing, but also–

      Chris: Yeah, don’t click the link, yeah right.

Dave: But also, awareness from our development teams that poisoned repos are actually a thing, and engaging them in the conversation about what do you look at before you open one of these things?

      Chris: Hm, okay. So yeah, that’s a much wider definition of security awareness than we’re used to hearing.

      Dave: Right, and I think everybody in the organization has some component of security that is relevant or specific to their role, and so a lot of our job is, as I see it, is communicating in a way they can digest, what ways that someone might be trying to take advantage of them and what they can do to protect themselves.

      Chris: So moving back into the career frame here, and specifically the cybersecurity frame, we mentioned that, obviously you’ve made what I thought were kind of big career changes, but it seems like they were fairly, sort of, there’s a natural progression in them. But for people who want to make a lateral move over to cybersecurity from a related or even a semi-related field, what are some tips that you have for them in terms of things to learn, experiences to have, certifications to get, things like that?

Dave: Yep, get busy doing security is what I say. My journey has had some big shifts in it. Did follow a somewhat logical progression, but there are members of my team I can point to a handful of them, one of the guys, one of my best engineers, he’s moved on now, was watching water pump out of the ground out in the central valley when I hired him. He had a civil engineering background. Another guy came up through our tech support and sales organization. Another guy I met as a barista at a local tech incubator. My son had an office there and said, “Hey, this guy’s good with computers,” right. And all those guys are now successfully making a living in the security industry. And we all, we took the same route with all of them. In particular the guy that was the barista, this is sort of my favorite story. My recommendation is, jump into the online resources that are available, the online challenges that are available, and try them. And the offer that I make to the people that I know personally, that I come in contact with, is, connect with me. I usually say over Hangouts, but connect with me over some kind of media where we can chat. I’ll send you some links to some challenges that I started with, that were meaningful for me. If you get stuck, let me know what you’ve tried and I’ll give you some ideas about where to look next. And the people that have come onto our team as a result of that, are the guys that latched onto that and did it. The barista, the guy named Connor, he’s sitting in the next office right now. I remember the time when I decided that I was ready to bring him in and actually have him make the lateral move. He was working on a particular challenge on w3challs.org, .com? I think it’s .com, and he was stuck. And it was one that I had had a hard time with as well. And so I asked him a few questions over Hangouts, you know, what have you tried? And he had tried all the right things. “Tell you what, maybe think about this idea.” And that was, I don’t know, 9:30, 9:45 on a Saturday night. I woke up the next morning and there was a message on my Hangouts room at like 2:45 in the morning with the flag, and it’s just sitting there with the flag, right. And that is what I’m looking for. As a security practitioner, the people that are successful are the ones that get the bug, that demonstrate tenacity. Because it’s an extremely frustrating field, right. And they demonstrate results. And you can do that, as someone looking to make a lateral move, you can do that by working through the boxes on VulnHub, right. You can go to Root the Box, you can go to, and you can go out and if someone comes to me and says, “Hey, I want to get into this.” I’ll say, “What of these have you tried? Do you play any capture the flags? Do you go to conferences and do, like, the Wireless Hacking Village?” You don’t have to do that professionally for me to be interested. Because the relevant skill for my team is not what schooling background you have. It’s, can you think creatively, are you tenacious, and is your Google-fu good? The rest of it we can teach, right. The other thing I’m looking for is can you actually think critically about risk, and can you communicate? Because ultimately that’s what we’re about, is we don’t have enough context in our team to understand the opportunity costs that are lost by saying, “Stop what you’re doing and fix this bug.” We have to talk about how likely this is to be exploited, what the impact is, and we feed that into the business leaders and we enable business decisions. We are a business enabler, and our job is to ensure that we’re not surprised by risk. And so those are really important soft skills to have as well.

      Chris: Okay, can you expand a little bit on thinking critically about risk, like what does that involve, what kind of skill is that exactly?

      Dave: Yeah, yeah, so I’ll do that with a story. Do you remember that story that came back a while ago that someone said, hey people have just published this tool called Modlishka that wrecks MFA?

      Chris: Oh yeah, okay.

      Dave: You remember that?

      Chris: A little bit.

      Dave: Okay, so they’re like, “Yes, MFA’s totally been bypassed “by this Modlishka thing.” And I thought, that’s really, really interesting. I need to dig into that. So I dug in and I read further, and I haven’t played with it as much as I would like. I think it’s a super cool tool, really impressed with what these guys have done, but it totally does not break MFA. That is a misleading headline.

      Chris: Right, yeah makes it sound too easy.

      Dave: It doesn’t break MFA, the essence of Modlishka is it’s a man-in-the-middle attack and makes it way easier for somebody who’s looking to socially engineer someone into giving up creds, right, and to man-in-the-middle someone, to set up that attack. And it’s tremendously valuable for people that do this, like in pen testing. But MFA isn’t fundamentally broken as a result of that. The critical thinking that I’m talking about is the ability to take one of these reports, to read through it, to understand how it works, and to assess what is the essence of what’s broken here? Right, the essence of what Modlishka is exploiting is a man-in-the-middle attack, right, and at that point it can actually mimic the MFA prompt as well, or it actually sort of acts like a gateway to the thing that you’re attacking. And I’m not gonna try and explain it all here–

      Chris: No no, okay, but that does help sort of clarify the concept of critical thinking in terms of.

      Dave: But our job is to look at, okay, there’s a thing here.

      Chris: Yes.

Dave: Can do a thing. How’s that gonna affect the confidentiality, the integrity or the availability of those things I’m responsible for protecting? And in what way, and what mitigating controls are there that could be put in place, other than fixing it, if fixing it is too disruptive to, you know, what’s going on right now. Those are the types of decisions that we need to bring to our development teams, so they can factor those into all of the other pressures that they’re getting from the business.

      Chris: Okay, so obviously we’ve emphasized hands-on experience as a primary thing that you’re looking for, and critical thinking, are there any roles in your mind for certifications in terms of considering cybersecurity positions? Are there any certs you recommend for people, you know, is it the sort of thing that you start doing things hands-on and then you sort of seek the certs when you hit walls or need to learn things on your own?

      Dave: That’s the way that I recommend doing it. Refer to previous comment about e-snobbery. When I started thinking about what certifications I needed, where I sit, I would say that I should have a CISSP and that’s on my roadmap to do this year. And I think that, you know, in certain roles, that type of accreditation is really, really useful. I believe that some of the more entry-level networking certifications are good because they do provide foundational networking knowledge. I wouldn’t necessarily hire based on that, but they’re valuable to have. I have one certification, I have the OSCP. Someone shows up with an OSCP, and I’m gonna want to talk with them, right.

      Chris: Why is that, what’s in there specifically that you see demonstrates value?

      Dave: The requirement to get the certification is a hands-on practical exam. You get access to a private network for 24 hours. There are five machines on there, and you get a pass or fail based on the flags that you get. And you have 24 hours after that to write a pen test report and they judge you based on what boxes you popped and what your report says. So there is no fooling that. There’s some concern about people cheating on the exam by having somebody else take it for them. But the exam is as rigorous as it can get to demonstrate that you have the basic mechanics of doing a pen test. Now, I don’t ever anticipate being able to use the OSCP directly in my profession, but the things I learned through actually popping boxes in the OSCP transformed the way that I think about risk, and the way that I reason about risk, and that critical thinking. So the hands-on actual exploitation is really, really important, and a certification that will give you that hands-on training. Not just checking a box or taking multi–

      Chris: Multiple choice.

      Dave: Exam, right. Those will impart a certain amount of knowledge, but actually being able to reason through and articulate in a report to a client, this is the chain of things that I exploited to gain complete control of this box, and here are ways to mitigate it. In my mind there’s no substitute for that type of preparation.

      Chris: Yeah, that’s great. So as we wrap up today, tell us anything else you’d like to about the work Barracuda Networks is doing in the security space, and if we want to learn more about Barracuda or Dave Farrow, it sounds like you have a fairly open email policy if people want to ask your advice on things, how can they reach you?

      Dave: Absolutely, so they can always reach me at my Barracuda email address at DFarrow@Barracuda.com, I’m happy to answer questions there. Wow, what do I want to say about Barracuda? We’re in all things IT security. Our goal really is to deliver, create and deliver innovative security products that are easy to buy, deploy and use. Our model is, your journey secured, right. So if you want to learn about what things people are securing, I would say check out the types of things that we sell and if you’re not familiar with what those products do, that would be an indication that you might want to go and learn about that class of product. ‘Cause each of them solves a particular type of attack point, and I would encourage people to go just maybe look at our catalog and say what on there sparks your interest, and then dig into that. Dig into how you might attack email, right. Or how you might attack an application, a web application filter, right. I’m not saying go after our stuff. If you want to do that we have bug bounty programs, but what I am saying is, you might use that to orient you to the space if you’re not familiar with the types of things that are available to us hackers.

      Chris: Okay, and the website again is?

      Dave: Barracuda.com.

      Chris: Okay, and you are DFarrow@Barracuda.com if people want to get in touch?

      Dave: Barracuda.com, yep. You can add me on LinkedIn, unfortunately I am not a social media being, so you can search for Dave Farrow on LinkedIn and feel free to reach out. Please let me know that if you’re reaching out that you’re reaching out because–

      Chris: Contact in four to six weeks.

      Dave: I don’t generally take invitations from people I don’t know but if you tell me you heard about this from the podcast I’d be happy to respond to you.

      Chris: Okay, well Dave Farrow, thank you very much for your time today.

      Dave: Thank you for having me.

      Chris: And thank you all today, as always, for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec for our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice. And to receive a free month of our Infosec Skills subscription-based teaching platform, in honor of National Cybersecurity Awareness Month in October, go to infosecinstitute.com/podcast or click the link in the description and be sure to claim your free month before October 31st. Thanks once again to Dave Farrow, and thank you all again for watching and listening. We’ll speak to you next week.
