How to learn web application security

[00:00:01] Chris Sienko: Today on Cyber Work, our returning guest is Infosec Skills author and application security guru, Ted Harrington. Author of Hackable: How to Do Application Security Right. Ted's skill’s course is also called doing application security right. So of course we talk about AppSec's role in jobs ranging from coder, to pen tester, to CEO. We also talk about the one thing that will get your foot in the door faster than anything else even if you don't have a degree or a cert. And because I couldn't resist, I asked Ted to tell me the story again about being on the first team to hack the very first iPhone. It's true. That's all coming up today on Cyber Work.

[00:00:43] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals, and offer tips for breaking in or moving up the ladder in the cyber security industry. So today's guest is Ted Harrington. And if that name sounds familiar to you, it's because he is a past guest on the podcast. When I last talked to Ted, he was a guest just about a year ago.

So among many other things, he's the author of a recent Infosec Skills learning path called How to Do Application Security Right, which is also the subtitle of his recent book, Hackable: How to Do Application Security Right, which is available now from Lioncrest Publishing. Because of this, and because of our free monthly skills challenges that we're ramping up, I’m inviting some of our skills authors on to the podcast to talk about their areas of expertise, where their passion comes from for these subjects, and what they've learned about the specific benefits of online skills-based learning. So here we are. Here's Ted. Let's talk AppSec.

Ted, welcome back to Cyber Work.

[00:01:46] Ted Harrington: Yeah, let's do it. While you were talking through that, has it already been a year? I mean, time flies.

[00:01:51] CS: I think it was. Yeah, I think it was like November 2020. Yeah.

[00:01:55] TH: Wow! I’m excited to be back.

[00:01:56] CS: Oh good, glad to have you. So my usual icebreaker of choice for new guests is to ask them how they first got interested in computers and tech and how far back their interest goes. But obviously you've already answered that in your previous episode. And everyone here should go back and listen to it. So I want to have you tell another story. For those who haven't heard your first appearance, you talked about being part of the first group to successfully hack the very first iPhone. Can you walk me through the events of the day? What your strategy was? Because I remember you said that it was kind of a race against the clock with other hackers. And how the projects you worked on at that time informed the AppSec and other security work that you do now?

[00:02:35] TH: Yeah, definitely. So I have a security consulting company called ISE, Independent Security Evaluators, and we're sort of in what we call like our second version of the company. We sort of took it through a reboot in 2012. In the first version of the company that started back in 2005, that first ‘05 to 2012 period, we were defined by the same principles as we are today, which is how can we use research in order to drive improvements in security for technology that we individually might use or we see are widely deployed?

When the iPhone first came out, that was a pretty groundbreaking moment when you think about just how transformational that was.

[00:03:19] CS: And how ubiquitous how ubiquitous it is now. It's hard to think of a time before it was an option.

[00:03:25] TH: Right. And it's crazy to think of what the phone experience was before, like T9 texting. You had to push a button three times to get a let – It's like there's no mobile browsing. There was no maps.

[00:03:37] CS: I flip my phone up and it turned into a little teeny keyboard. Amazing.

[00:03:40] TH: Yeah, yeah, exactly. And the iPhone you know really had the opportunity to change the world. And like anybody, researchers in our group were really interested in wanting to get our hands on one because it's a cool tech. But everyone's a little hacker-minded and so I wanted to say, “Well, can we break it and can we be first?”

And what was interesting about that as purely as not just a research project, but as an almost as a competition, is that Apple was not providing early access to anything to security researchers. And so it was really sort of, like you described it pretty well, it's really a race against the clock to see who would be first, because any researcher looking at it wanted to be first.

And so what we did was our research team – I wasn't on that specific team, but the research team, what they were looking at was, “Well, can we take an existing issue that we know exists in the desktop operating system and can we build some attack scenarios that might hypothetically be carried over to the mobile operating system and see if that can give us a shortcut?”

And sure enough, that's exactly what happened. It turns out there was a buffer overflow vulnerability that had somewhat been ported over and these different attack scenarios were very viable. And so that was just a matter of actually making it work and the mobile operating system. And so the outcome of it was that the research team was able to gain full administrative control of the device remotely.

So the way we proved concept was we were working with a reporter for The New York Times. And so from our lab in Baltimore, his phone was on his desk in Manhattan, and we were able to initiate phone calls, add and delete contacts, operate the camera and the mic. Basically anything you could do if you were holding it. And so that was – I think what's really interesting about the story aside from the fact like it was a cool moment in the evolution of tech, was that there are a few really important takeaways. So number one, Apple has some of the smartest people in the world, some of the most resources in the world. And they still introduce security vulnerabilities. And that's something that I think everybody can take away from a story like that is don't be embarrassed by it. A lot of companies are embarrassed to think like, “Oh, I might have a vulnerability,” and somehow that's – Vulnerabilities exist. The question is do you find them and fix them? Or does the bad guy find them and exploit them? And that's the whole premise of my book, the whole premise of our security research, the whole premise of the course I produced with you guys, is to try to address that core harsh reality.

[00:06:11] CS: Yeah. Yeah, I don't think people really realize like just the sort of depth of complexity of even something like the first iPhone and all the places where something could go wrong. Like you said, like even with all those resources, like you just can't even imagine the sort of cartography of the tech in there, I imagine.

[00:06:32] TH: Right. There's an interesting lesson for it too, which is this happens to any company building anything, right? Which is they come up on a deadline of some sort. This is our go-to-market date. This is our product release date, whatever it is. The business makes a decision and says, “This is the line we've just drawn in the sand.”

[00:06:49] CS: We're doing it. Yeah.

[00:06:51] TH: We're doing it. And hopefully it'll be secure. And that certainly is what had been Apple. They hadn't yet eradicated this particular issue that they knew existed. And it still got ported over. Now, we had to – It wasn't a straight one-for-one transformation. We still had to take that core issue and make it exploitable. But that is a business problem that every business has, which is the business is going to tell us when something is due. And we better make it operational and we better make it secure by then. And the question is how do you do that? And those are questions that I answer in the book and in the course.

[00:07:26] CS: Great. So before we get to that, another thing I missed in your biography from our first talk that interested me was an event you co-founded called IoT Village. You describe its purpose as spreading awareness around IoT security, newest tech methods, sharing research and making IoT security better. And it includes activities like interactive hacking labs, live bug hunting and latest IoT tech and competitive IoT hacking contests, which, again, seems like it lines up very well with your interests and so forth. Can you tell me about this organization and how people can join?

[00:07:57] TH: Yeah. So the origin story for this was it was kind of funny, in that there's this – I’m sure everybody listening to this is familiar with DEF CON. But if you're not, DEF CON is the largest research-oriented security conference. I’m differentiating that from the more commercial conferences like RSA. But focused purely on research, DEF CON’s the largest and I believe the oldest in the world. And DEF CON, we started talking about this idea. We were focusing at the time on routers. And we're like, “Can we put together an experience for attendees that will leverage some research we had just done that showed that routers, like the kind that's in your home office, in my home office, are exploitable?” And they and together we said, “Yeah, we'll do that.”

And so the very first year we did it, which I think was – I forget what year, but I’m going to say it was maybe 2014 or 2015. I feel like I should know that stat. But it was a few years ago. And it was you know when you go to a conference and there's the main area, and then you go down a hall and there's like a secondary area. And then you go down another hall and there's like – Not many people go to that part. Well, we were like down a hall down a hall down a hall down a hall down a hall. We're so far in the corner.

[00:09:03] CS: Right.

[00:09:04] TH: We're in a room. It's not even just our room. It’s actually someone else's room. We're in the back corner literally behind a trash can. I mean, people were throwing trash on our table. We're like, “Oh man! We're off to a real start here.”

[00:09:18] CS: Your first challenge is to find the booth. That's your first hacking challenge.

[00:09:22] TH: Exactly. I’ll tell you what. Giving away T-shirts – We just gave away T-shirts and it drew people there. It's amazing. Bu those are the humble beginnings that this hacking experience started with. Literally, behind a trash can. Literally, people throwing trash at us, I mean, by accident, not on purpose. And then you fast forward to today what it is, and it is a very immersive, very large experience. You walk in and there's a capture the flag contest. As you mentioned, there’re labs. We converted it into a virtual format when everything, of course, when live events shut down during the pandemic. And so now we serve audiences really all over the world. And the idea is how do we get people to have an experience that helps us all as a community drive for better security in Internet of Things? Which is really anything, like any device that's some sort of way to communicate with that device, that's IoT, and that's almost everything today. And so it's a real passion for us, not only just the security part, but the community part. We're super big on to how do we build a community that does things together?

And I think one of the pinnacle achievements of this is not only has the community published a lot of research, but the capture the flag contest, three years in a row, the winner of it actually was awarded the Black Badge by DEF CON, which for those familiar with DEF CON might know, that's like this extremely elusive. There's no real definition for how to earn it, but basically it's if you do something badass, you get it. But there's no parameter how to get it. And then it's like a lifetime designation. Three times in a row, this community was able to become the recipient of it. And that's something we're really proud of.

[00:11:03] CS: I love that. Yeah, I’ve had previous guests on especially talking about infrastructure security and municipal security. And so much of that seems to come down to IoT security, because so much of water management and electrical grid and so forth has so much IoT component and so much running on older mainframes and so forth. Do you get into a lot of IoT talk in terms of how to sort of repair patch, hack, whatever things that are so many versions ago or whatever that it's impossible to bring them up to speed?

[00:11:42] TH: Yeah, totally. So the IoT world I see is very, very broad, and it encompasses industrial control systems, etc. But that is definitely a focus area that is a little different from, say, where some people focus. A lot of people think of IoT as just consumer grade products, right? Like your Nest thermostat. And that’s inside of IoT. Yeah, your coffeemaker. But that's not entirely. It's like I said before, anything that provides the ability to communicate with a device or system is IoT.

And so the what the problem you're addressing or bringing up is a really significant one, which is when you have systems that are widely deployed and very expensive to maintain or maybe impossible to update or maintain, a great example would be like door locks in hotels. When a hotelier buys door locks, their expectation is those are going to be installed for at least a minimum of 15 years before they're replaced.

Well, the attack landscape is going to change probably every like 90 days when you think about that. And that's a real challenge. And so yeah, everyone's grappling with that.

[00:12:49] CS: Wow! Hotels, now, I can add that one to my list of hacking things that I can worry about along with medical devices and the water supply. So yeah, I believe when we last spoke, your book was still coming soon or had just come out. But it's here now. And everyone should get very excited about it. So tell us about Hackable: How to Do Application Security Right. I’m looking at your description on your LinkedIn page, and it looks like it's for a larger range of readers than just people working directly with AppSec. So it looks like maybe C-suite people who are implementing the strategy can get something out of this as well as the sort of nuts and bolts of it. Is that right?

[00:13:27] TH: Yeah. Maybe the best way to answer that is to help color out the problem that I was looking to solve. I mean, if you're going to spend the amount of time and effort it takes to write a book, you better be solving a problem for somebody. And the problem that I identified was I noticed two things were happening. The first thing that I noticed was that everybody that I was speaking to in the course of our consulting business, so whether that's current customers, or prospective customers, or people I met after keynotes or whatever. Just everyone I was speaking to. They all seemed to have the same problems.

Now they didn't necessarily all refer to them as the same, but I could organize them like, “Oh, they're talking about this problem.” So that's the first thing I noticed. That's interesting irrespective of geographic location, industry specialty, size or maturity of the company. It didn't really matter. Everyone has these same problems. From the startup with two founders and that's it for their entire employee base, to the fortune 10 enterprise. They have the same problems. So I thought that was really fascinating.

And then I started thinking about, “Okay. Well, since I keep having the same conversations every day because everyone has the same problems, what are the conventional solutions to those problems?” And when I started asking that question, that's what made me write the book, because I realized the way that most people talk about solving those problems that everybody has are pretty universally wrong. And I couldn't stand to see that anymore. People using the wrong terms, using the wrong approaches, investing in the wrong ways, not even understanding how they're investing. Not understanding how to work with outside or inside resources. And so I sat down to write this book that basically answers those questions. Like here's what your mindset should be. Here's how you should work with outside entities. Here's how you should work with inside entities. Here's how you should set your budget. Here's how you should find vulnerabilities. Here's how you should fix them. Here's how you should then take all of it and translate it into a business benefit. Like use it in your sales and marketing. And so that's the whole thrust of the book, is it just takes you through that whole process. And because it's written in that way, the audience for it, I guess you could say there're three primary audiences, but they all overlap. But it's either the people who are the business people who are responsible ultimately for the security. So your CTO or equivalent.

The people who are responsible for the security who are in in the security itself, so security professionals from CSOs down to whatever blank of security. And then the third is the developers. So that people who actually build systems. And all three of those share the same common problem set obviously from three different viewpoints. But that's who I wrote the book for. And actually that's what I created the course for. I said, “Hey, let's take these ideas and turn it into a course too.”

[00:16:09] CS: Nice. Now have you gotten any feedback from readers of the book who have used your book as a road map to get themselves up to speed?

[00:16:20] TH: Yeah. Oh my God! I mean, that's one of the most rewarding parts of the whole thing. The book has performed well in every sort of traditional way you might measure it. It hit number one best seller in a bunch of categories. And like it's done really, really well. But the part to me that really hit me in the heart bone was when – I gave you even a couple examples, when there's someone from a tech company every single one of us know. And this individual calls me up and says, “Hey, I just finished –” Or hit me on LinkedIn and says, “Hey, I just finished your book. It turns out that of the 10 principles you talk about, we already were applying six of them. Four of them we did right. Two of them we didn't. And then the other four, we're now starting to apply.” And so I want you to know that like the method you describe in this book is now our guiding North Star. And would you come talk to our people?” And so I was like, “Of course, yeah.” So we arranged it. So I came and did a whole like book club with them.

And to just hear these people talking about these ideas and knowing that they're going to make that organization secure, and I, as a user of what they do, that makes – Like on a personal selfish level, I’m happy about that.

[00:17:33] CS: Yeah, yeah. That's awesome. I love that. All right. Well, thank you for letting us know about that. That's super exciting. So I want to talk about skills as an idea, and then infosec skills as a platform, and then your skills class as something people can learn about. So in your experience, what are the cybersecurity skills right now that are most in demand and are most likely to accelerate your career? And do you have some sense of what skills people are overlooking in their studies and preparations?

[00:18:03] TH: Can I say all of the? It is all of the above. Yeah. No. That's actually not a very helpful answer. So I’m going to oversimplify it. And sometimes that's the easiest way to understand ideas. But if we oversimplify it, I really think where the shortages are fall into two areas. And one of the reasons I love working with you guys is I think you are built to address those two – Your filter by those two areas. But one is there are some technical deficiency – Sorry. That sounded almost negative. It's not there's deficiencies. There's a shortage of technical talent. So people who know how to break a system. And those types of jobs are in such extreme demand. So you're ethical hackers or even if people aren't the full way to breaking systems, but maybe they work adjacent to it. Maybe they work in some sort of like adjacent fields that really have to understand the tech. But ethical hacking would be one area that I see a significant shortage. I know this because we're trying to hire these people all day long, every day, and I know how hard it is. So that's the first area.

And the second area, and this is the area that is really overlooked that's a shortage, is that security is like every other industry, in that every security company needs all the different business people to make that company succeed. And a lot of people think about security as, “Well, if you're not a hacker. There's probably not a place for you.” But that's not true no. We need project managers. We need marketing professionals. We need sales professionals who don't trade in the nonsense of fear, uncertainty and doubt. And so people who are outside of security, maybe you're in tech, but you're like scared of security. Whatever your job is, maybe you're a PR person. Know that there is a need, and especially there's a need for people who can speak credibly and authentically about security. And like when I wrote my book and the way I’ve talked about the course, that's one of the things that's always been in the back of my mind, is how do I help people stop this nonsense of saying claims that are untrue or unverifiable? And instead speak more credibly and authentically? Because if we can do that, every business needs that. And if we can do that, we can have much more effective communication between the buyers and suppliers of services and products. And security will be better as a result. So really long way of saying that there's technical shortages at the sort of tip of the spear, like ethical hackers. And then I see a lot of shortages on the business side of people who know how to actually talk about security. Those would be the two that I see.

[00:20:41] CS: Yeah. And to expand that a little bit too. We learned so much about on the podcast about different types of not even adjacent, but cyber security direct careers that still don't require technical experience. Like you said, project managers are a great example, or threat modelers, or risk assessors, or whatever. Like a lot of that stuff is just paper and pencil and is still equally um beneficial to the industry as a whole. So for folks who feel like they'll never learn how to break a system, you can still find your way in very easily.

[00:21:17] TH: Mm-hmm.

[00:21:17] CS: Yeah. So let's get down to skills here. For listeners who currently subscribe or hopefully decide to subscribe to Infosec Skills based on today's episode, what will they learn from your doing application security right class? And also, what minimum knowledge or skills should students have before taking your course path, if any?

[00:21:38] TH: I would say that you don't necessarily need a minimum baseline of experience. And the reason is even though the topic area is itself complex, and scientific, and technical in its own way, the way that I – My mission has been to demystify those things. And so I speak in very easy to understand terms. Wherever there's something that might be jargon to an outsider, I try to define that. Let's put it in this context. When I wrote the book, which is where I simplified the ideas so then I could turn it into a course for you guys, I wrote it as if I was speaking to my, at the time, 12 year old nephew. And that was really my challenge. Can a 12-year-old kid who's smart and curious, doesn't know anything about corporate America, doesn't know anything about tech, can I explain it to this person? And so I was able to do that.

So I think from a technical prerequisite standpoint, if you don't have any background, you'll still be able to follow along. If you have tons of experience, it won't be beneath you, because the ideas will be directly applicable to what you've been doing and it will make you think differently. And so the things that people will learn how to do, I rattled some of them off earlier in our session today, but they're going to understand how should I work with outside parties. How should I even approach security? How much should I spend and what should I spend it on? How should I think about penetration testing? And is it in fact the right thing for me? How should I build security into the development process? And then ultimately, how do I convert all of this into a business benefit? And the case that I make is that security done right is a very powerful benefit in terms of marketing. And I explain how to do those things. So those are the things that someone will walk away from. So that sort of full spectrum, how do you secure a system? And even though this was created around softwares, around AppSec, the principles are directly applicable to really trying to secure anything.

[00:23:35] CS: Okay. And I just want to sort of tie this to last week's guest, Chris Larson, who talked about secure coding fundamentals. And I think in both cases, while the names of those particular types of skills or whatever are correct, they also are maybe a little misleading. In both cases, with secure coding, she was saying you don't necessarily start with the knowledge of coding. If you start with the concept of secure coding, you can unders – Both of them sound like they're more around ideas than specific line by line coding and so forth. And I think if you just hear application security, like a lot of people I think seize up a little bit because they figure they're going to be like right in the command line immediately. And it's no fault of the title, but I think it's worth demystifying. And I think you did that well here.

[00:24:29] TH: Yeah. I’m not familiar with Chris's course. But it sounds like we're aligned in that. And I shouldn't speak for this other instructor. But for me, my thinking was how do I create something that's usable a year from now, three years from now, five years from now when the tech itself is going to change? So if I give a line by line, like here's how you do blank blank in blank blank system. Well, blank blank system is going to be different in six months. And all of a sudden all that work and effort is now – It's out of date as soon as I produce it.

So instead my thinking was, “Well, how can I help people think about how to approach the problem?” Because if you can – It's like when you go to undergrad, right? Unless your very few undergrad degrees are directly applicable to what you do the rest of your life, maybe with the exception of like if you're pre-med and you're going to go become a physician. Besides that, everything else is – What you learn in college is teaches you how to think. And then once you've learned how to think, now you can go learn the real world skills in the real world. And I’m generalizing, of course, there are some undergrad degrees that are directly applicable. But that's I think what something like a course like this is about. It teaches you how to think. How to break a problem into its discrete parts so that as the tech changes you can still deal with it.

[00:25:44] CS: To that point, beyond direct employment in application security, what other parallel track cybersecurity jobs or careers would benefit from a solid knowledge of AppSec? You've talked about this a little bit, but I want to sort of like really break it down into this is useful for C-suite, this is useful for so-and-so. Like where do you see this sort of pasting on the job letter?

[00:26:07] TH: I think this goes from literally the CEO all the way down to the entry level, just hired out of college computer scientist. And the reason that I say that is, depending on whether you're more on a technical track or more on a business track, whether you're entry level or you're very, very senior, your needs are slightly different, of course. There's no doubt about that. But fundamentally, each of those ranks on the ladder and those different paths, whether it's of a technical nature or more of a business nature, need to understand how to secure software systems, because software runs the world. Every business in every region, all around the world, every industry, is leveraging software, whether they're building it themselves or they're buying it from somebody else. We have to understand what it means to secure software.

And so if you're the CEO, you're not getting hands-on with anything in the tech. And you're you have people who do all that. But you need to understand, when they come into a board meeting and they're saying, “Here's what's going on with whatever, you need to be knowledgeable in that.” If you're the entry-level person just come out of a great computer science degree program and you need to understand how do you take those skills you just learned and apply them to make this business better, you need the ideas in a course like this.

[00:27:22] CS: Okay. So speaking in practical terms in the sort of business use of application security, what are some of the big roadblocks from a business practice standpoint that prevent efficient applications here? You're saying the test case of the big tech company that we all know that they had been using some of your concepts and some sort of used and then some not at all. Like what are some of the big things that you see like everybody is missing in terms of implementation of these things?

[00:27:57] TH: There's a book full of them. But I think the big one that immediately jumps to my mind is the way that people think about what's called penetration testing. Now, I’d imagine that many people listening to this are probably familiar with that term. But if you're not, penetration testing is a type of security testing that many organizations pursue, but they usually approach it incorrectly, or what they get isn't applying directly to the goal. So this is one of the – I talk about this extensively, this problem. And basically what someone is looking for when they are trying to get penetration testing done is they're trying to say, “Look, help me find my vulnerabilities. Help me fix them. And then help me be able to ultimately prove it to my customer, or to a regulator, or to some other organization that, “Hey, I did it.”

And so this term, penetration testing, has really come to be synonymous with that outcome. But that's actually not what penetration testing does. That's what vulnerability assessments do. Penetration testing does something different. And so this problem is – I mean, we could have an entire episode talking about the complexity of this problem. But what I’d like listeners to walk away from as they think about this is to think about what is the goal? What are we trying to achieve? And is the service that we're getting actually delivering that goal irrespective of what it's being called? Because the terms are being grossly misused. So that's one of the things that I definitely teach about in the course is, “Okay, how to identify what's what? What are some indicators to say –” Because if, let's say, you're a buyer of that service, you don't know. Like you're not in the business of delivering that. So I give people a way to think about, “Well, here's the types of questions you might ask. Here's what the deliverable might look like.” And that's definitely one of the big business challenges. People don't actually really know what is being sold, what's being bought and so on.

[00:29:49] CS: Yeah. I feel like you just booked your third appearance on the show here.

[00:29:55] TH: Have me back many times you want.

[00:29:56] CS: Well, yeah, all right. We’ll have you back. That sounds a great topic. And we'll put a pin in it and we'll come back to it. So going back to skills, once students have taken and passed your skills path, what are some next steps that you'd recommend in terms of education? Are there different types of foundations that AppSec you can take? Like where would you say, “After you finish my class, then go here, or go here, or go here.”

[00:30:23] TH: I love that question. So it would depend of course what the career path is. So as I mentioned, there's sort of these sort of three groups that all intersect, right? So maybe I’ll answer them individually. So if you are that more business leader, where you're not the hands-on tech person, but ultimately the responsibility is yours. I would recommend that you invest some time attending conferences like RSA, Black Hat, those things that are a little more focused on the business of security and start to think about how did what you learn, how is that being discussed in the broader marketplace? And where do you identify maybe the shortcomings? Because trust me, even speakers at these conferences are probably doing some of this stuff wrong. I don't mean that in a general way that all of them are, but there will be some who are like, “Ted talked about that.” So that's one. So if you're the business leader, think about what business-oriented security education can you consume? RSA is an example of some place I’d recommend.

If you are the security leader, what I would recommend that you do is go try to attend more security-focused, security research focused conferences. So DEF CON is a great example of that. There's a series is called B-Sides. B-Sides exist in most cities across the United States and many places around the world too. And it's really inexpensive to attend. A lot of them are online. And those are where you'll learn about what's the next thing that's happening in security research.

And if you're that software developer type, what I would recommend that you do is probably also attend maybe some of the more research-oriented ones. All three of those groups, you're going to get a lot out of something like IoT Village, which we talked about before, because we have these hands-on labs and things like that. The IoT Village, we never charge for. So it's either usually runs with another conference. You typically have to pay for whatever conference. But then you get all the learning that's going to happen from that conference too. So these things are – there's endless resources. And now that things have moved virtually, you don't have to leave your house if you don't want to.

[00:32:32] CS: Yeah. Now, speaking of some of the different ways of learning and places to do it, can you talk about some benefits to the skills-based education type as you're doing with application security right and training above other methods, like more formal long-term education paths, formal academic study and stuff that people might not be aware of?

[00:32:54] TH: Yeah, that's a good question. I mean – So first of all, universally speaking, anything that anyone does to make themselves better is good, is worth doing.

[00:33:03] CS: Positive. Yes, absolutely.

[00:33:04] TH: It's a positive. I mean, that's security in a nutshell. It's about getting better. So then really the question is what is the best method for you, Mr. or Mrs. Listener, that is going to deliver what you need in the timeframe you need it that's going to deliver credibility that you need to people who might maybe want to hire you, or promote you, or invest in your company, or whatever?

And one thing I was really drawn to about your platform and why I wanted to create a course with you guys was the subscription model. I thought that was really, really cool. I think that's very differentiating in that unlike many other platforms where you subscribe to a single course. It's been awesome for me to be able to say to people, “Hey, I created this course. Aand when you subscribe, you don't just get my course. You get like 7,000 other courses. You get all these stuff.”

[00:33:52] CS: Yeah. Pick and choose as you please.

[00:33:55] TH: Yeah. So courses, self-directed education like what you guys do. What that does is lets you pick out the skills you want to develop. So that would be the benefit there. You can say I need this particular thing. I go get that thing. And now I understand that thing and I can apply it.

Another approach might be getting a certification. Certifications, they're a double-edged sword, because they're really, really helpful and that they give you a framework for how to learn something and they indicate to an employer that, “Hey, this person has learned something we all agree is worth something.” But it doesn't necessarily mean that you're the best in your field. It just means that you've met a baseline. And so that's an important thing for people to realize, is that certs are awesome. Go get a cert. But never let the cert be the reason you don't go for something. As an employer, don't be the lack of a cert. Be the reason you don't hire an amazing candidate. Because certs, they serve a purpose, but they are not the end all be all.

And long-form formal education, like getting a degree, these are very powerful and amazing things. And I’m a big proponent. We love hiring people out of computer science undergrad or graduate degrees. A lot of our people, especially in the early days of our company, we're all PhDs. But you don't need those things. I mean, some of our more talented people didn't even have a college degree. So the guidance there would be that what a formal degree does for you is some of the same things as a cert but on like mega scale, right? Here's this super credible thing. This person has absolutely learned a set of skills. But if you are yourself trying to get into a career or level up, it's going to be very, very, very effective and very helpful. But the lack of that shouldn't be a reason to pursue something.

The final category is one that no one talks about, but I advocate for all the time, is do research. Like, literally, publish security research. If you can go into a job interview and say – you could even say I don't have a college degree. I don't have a single cert. But let me tell you about how I hacked Toyota. You are hired on the spot.

[00:36:11] CS: Wow! That is the cheat code of the year right there, I believe. So yeah, speaking about certs and all the things we talked about. That was a great answer. But can you talk about that with regards to the so-called skills gap and the way that hiring is done and the way that hiring a screen. Like you said, you hire people who don't have a college degree, don't have a cert, but can demonstrate skills. Do you have a sense of like how we can get the industry to sort of move towards this this model? Because it seems like a lot of the problem is that a lot of people are still chasing people with a whole alphabet soup full of search behind their name and so forth.

[00:36:55] TH: I’m going to not pull punches on this one and say that the hiring practices in security today are at times ludicrous. I mean, you see it all over LinkedIn all the time, these job postings that say things like entry level job required 10 years’ experience. And you're like, “That's actually not entry level.” But fortunately that's changing. Companies are starting to move away from that because there is such a clamor being raised by security professionals to say, “Hey, stop that.”

There's another issue too that is that some people, when they look at a job description, let's say there's ten bullet points on it, some people will look at that and they'll say, “I only have three of those. I’m going to go for it anyway.” Some people will look at those and say, “I only have nine of the ten. So I’m not qualified. So I’m not going to apply.”

And one thing that I would encourage all employers to do, this is something that we've started doing at our company, is literally in the job description we'll say, “Hey, if you don't have all of these but you have some of them, please apply anyway.” We don't want people self-limiting because they say, “Oh, I don't have that 10th thing.” Because, really, what makes someone successful in security actually isn't the specifics of what you'll do in the role, with some exceptions. Like to be an ethical hacker, ultimately, you're going to need to learn how to break a system. But what matters most are things like are they problem solvers? Do they think differently? Are they able to look at something and say, “Hey, it's supposed to do X. But can it do Y?” And so that's my counsel to employers, is to think about let's find aptitude and then we can train skill. Rather than saying, “Give me the person who's got the 10 years’ experience. And by the way, I want to pay them an entry level salary.” Like that's just predatory, and we should move away from that.

[00:38:49] CS: Yeah, for sure. And also, I think maybe there needs to be a little more training budget in some of these places where there's that assumption that, well, just as long as we get the expert that already has all the stuff we can just get them running on day one. But I think there's also a little more buy-in to a new company when you immediately get there and they say, “We're going to tell you how to do all the things that we want you to do.” And then you get their method, and you get their training. I feel like that there's a connection there that wouldn't be there if they just sort of throw you in the deep end.

[00:39:23] TH: Totally. My favorite way to hire is to hire somebody without the clear job in mind. Like when I find somebody who's smart and meets a lot of the principles that align with our culture, I love to hire that person and then figure out. Like let's just get them trained on how we do things. And then they can try a bunch of stuff. And then eventually they'll slid, yeah, slip into the thing that they love. And that's not going to work for all companies. I get it. But the point that I’m trying to make is that you don't necessarily always need the skill itself developed. Certain jobs you do. But in most cases you don't. And even the jobs where you do need the skill developed, as long as they have the baseline. Like a lot of ethical hackers, you can hire an ethical hacker who hasn't done ethical hacking before if they understand the foundations of computer science and they know how to sort of have that mindset. You can go from there.

[00:40:15] CS: So speaking of skills and your studies, without a professor assigning weekly tasks in an academic situation, some people might find it hard to stay on track to meet learning objectives. Do you have any tips to help lifelong learners stay focused on training and accomplish their goals and not just let their subscription drift and drift and say, “Oh, I should start working on that someday.”

[00:40:38] TH: Well, I’ll give you some tough love, which is that I saw there's this really famous professional speaker, Mel Robbins, and she has this – There's this clip going on right now that I think is so perfect. She says there's no one coming. There's no one coming to tell you to do your homework. There's no one coming to tell you to level up your skills. It's up to you.

Fortunately, the kind of person who's listening to this podcast, the kind of person who actively goes and subscribes to something like one of these courses, you're already taking the first step. So give yourself the kindness, the grace that you have already taken the first step. But ultimately, you have to be accountable to yourself.

Now if you find that you're the kind of person who maybe I don't want to say isn't accountable, but let's other things outrank this priority, or maybe your boss is just a jerk and is like, “You're never going to have time for this.” That's a real practical reality. What I’d recommend you do is find yourself an accountability buddy.

When I was writing my book, I was in the very fortunate position to become friends with a handful of other authors all writing their first books at the same time. And because of this community that I had with them, I knew that I was – It wasn't like any of them would be mad at me if I didn't write my book. But knowing that I had people constantly thinking about me and my book and asking questions, we built a similar system at our company. We have this program where, as everyone sets goals, they have a partner. And that partner's job – Usually that partner is from a different department. And that partner's job is to just say, “Hey, how are you doing on blank?” Just having to answer that question routinely makes it so that you can now say, “I choose not to prioritize that.” Or you can say, “Here's what I’m doing.” And it's okay to say you choose not to prioritize something. But you should actively do that rather than letting it slip.

[00:42:34] CS: Then waking up one day and going, “Oh God, it's been six months.” Yeah.

[00:42:38] TH: Exactly. Yeah.

[00:42:39] CS: So do you have any other skills learning paths on the horizon that you're working on? Or any other areas of learning that you'd want to teach someday?

[00:42:48] TH: I don't have a course that I’m working on right now. But I have a ton of things that I want to teach. One of the things I’m really, really interested in right now is about third-party risk management, vendor risk management, vendor security. This is a burning problem across all companies. How do you trust the collection of software and other types of suppliers that you work with? That's a real, real problem. And at our company we're thinking about pretty actively how do you help people solve that? So if I was going to do another course, that would probably be the next one. Maybe there's a future book around that idea. And then I’ve got like 17 other book ideas too. So there's more coming.

[00:43:30] CS: No loss of ideas. Okay. So as we wrap up today, we talked about this a little bit. Like you said, so many things are going virtually right now and so much can be done from home. Where do you see cybersecurity education going in the next five, ten years?

[00:43:44] TH: Oh, I think that, yeah, the virtual component is here to stay. Now, I don't think that what we experience during pandemic is the future, the forever future. I don't think the idea of an in-person academic experience goes away. No way. But what I think we'll see much more of is this hybrid model where there's in-person learning and then there's also virtual learning. There will be some people who do entirely virtual learning. For example, let's say someone in a third-world country who maybe their cost of living or their level of income means that they can't go travel to an academic institution. That should not be a barrier to them being a significant contributor to the workforce. So I do think the future will be this this hybrid model. And, yeah, virtual is such an important part of what's going to happen.

[00:44:34] CS: All right. So as we wrap up today, I just want to know, what's next for you, Ted? And if you want to talk about what ISE is up to? And also let our listeners know where they can find out more about Ted Harrington.

[00:44:47] TH: Yeah. So the easiest place to connect with me, learn more about the book, or the course, or, really, you want to reach out to me, you want to learn more about security testing, however I can help you. Just go to tedharington.com, just my name, super easy. And what's next for us? I actually alluded to it a moment ago. We're seeing this third-party risk management problem explode. And you're seeing the largest companies in the world deal with this through literally emailing stuff around and then manually entering into spreadsheets. And it's like, no. There has to be a better way to protect the largest companies in the world. And so we're focusing a lot of energy on that. We've just launched the software product that helps solve it. It's called Start. The thing is awesome. It's super simple. So that's where I’m super, super excited about solving that problem in addition to, because it's obviously a close correlation to ethical hacking. It's like how do you manage the process of finding vulnerabilities?

[00:45:44] CS: All right. Well, Ted, thank you for the return visit. And based on what we talked about today, probably not the last.

[00:45:50] TH: I love it. Thanks for having me, man.

[00:45:51] TH: All right. And thanks, as always, to everyone who is currently listening to our podcast at home, listening at work, or listening at work from home. New episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. So I’m excited to announce that our Infosec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month you'll build new skills ranging from secure coding, to penetration testing, to advance persistent threats and everything in between. Plus, we're giving away more than one thousand dollars’ worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now. Thank you once again to Ted Harrington, and thank you all for listening and watching. We will speak to you next week.