OWASP Top 10: What cybersecurity professionals need to know | Guest John Wagnon

On today's episode, our old pal John Wagnon, Infosec Skills author and keeper of the secrets of OWASP, joins me to talk about the big changes in the OWASP Top 10 that happened at the end of 2021, his own class teaching the Top 10, and some job tips, study hints and career pivots for people interested in these vulnerabilities. Find out why access managers are going to rule the world someday!

0:00 - Free cybersecurity training resources
0:56 - Overview of today's episode
1:43 - Who is John Wagnon?
2:50 - Working in cybersecurity and teaching OWASP
4:18 - What is the OWASP Top 10?
7:51 - How did the OWASP Top 10 change in 2021?
15:48 - Why do these security issues never go away?
19:06 - Cybersecurity roles using the OWASP Top 10
23:43 - What's covered in John's OWASP Top 10 courses?
26:42 - How to get hands-on cybersecurity experience
30:24 - Vulnerability-related cybersecurity career paths
34:16 - What is John working on with Infosec and Fortinet?
35:37 - Using your career as a learning opportunity
37:16 - Learn more about John Wagnon and OWASP
38:30 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

      [00:00:00] CS: Every week on Cyber Work, listeners ask us the same question. What cybersecurity skills should I learn? Well, try this. Go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It’s got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more.

      We took notes from employees and a team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is, or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free, or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it. Infosecinstitute.com/free. Now, on with the show.

      [INTRODUCTION]

      [00:00:56] CS: Today on Cyber Work, our old pal, John Wagnon, InfoSec Skills author and keeper of the secrets of OWASP, joins me today to talk about the big changes to the OWASP Top 10 that happened at the end of 2021, as well as his own class teaching the Top 10, some job tips, study hints and career pivots for those interested in these vulnerabilities. Also, find out why access managers are going to rule the world someday. That’s all today on Cyber Work.

      [INTERVIEW]

      [00:01:27] CS: Welcome to this week’s episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. John Wagnon has been a guest on Cyber Work before. He was talking about InfoSec Skills and some of the best practices for skills-based learning. He recently recorded, and when I say recently, I mean about two minutes ago, he recorded a video for our career profile series on the role of secure coder.

      For those of you who work in vulnerabilities, appsec, DevSecOps and other related fields, you’re probably already aware of the fact that the Open Web Application Security Project, or OWASP, has done something that they don’t do all the time, or every year. They revised and significantly updated their Top 10 list of the most common security vulnerabilities to reflect the current state of affairs. John teaches an OWASP Top 10 class as part of InfoSec Skills, and it’s a boot camp, I believe, right?

      [00:02:27] JW: Yes. It’s a skills learning path. That’s exactly right.

      [00:02:30] CS: Okay. He keeps very close tabs on all these updates. Whether you’re knee-deep in the vuln research, or just curious about this top 10 list, this is the episode to listen to. John, thanks for joining me today. Welcome to Cyber Work.

      [00:02:42] JW: Chris, it’s always a pleasure, man. It’s great to be here. Thanks for having me.

      [00:02:45] CS: Oh, great. It’s been a while since your last episode. I’ll ask you again, to help our listeners get a sense of your personal history, how did you first get involved in cybersecurity? How did you come to create and teach courses for InfoSec?

      [00:02:58] JW: Yeah. No, that’s a great question. I mean, really, right out of college, or in college, my undergrad was computer engineering. I started off in that field. Then I was in the Air Force for about nine years. I did computers, communication stuff there. Then beyond the Air Force, I’ve done cyber threat analysis, consulting for the Air Force and DOD. Then I’ve worked for a couple of different companies after that. I’ve been in this for, goodness, 20-something years now. It’s been cool to see the world change since way back when I started.

      I mean, it really did start in college for me. That’s not the story for everybody. There’s a lot of people that jump in after the fact, or it’s like, “Hey, I used to do – I was a plumber or something. Now, I do computer security stuff.” I mean, there’s all kinds of ways to get into this thing. Then as far as teaching, I’ve always loved to teach. I’ve just enjoyed that. I got connected to InfoSec a few years ago, and you guys were like, “Hey, we got these learning paths and all that stuff.” I was like, “Hey, man. That’d be awesome.” There’s a need for OWASP. You guys had the need for the OWASP course. I enjoy that stuff. I was like, “Hey, let’s get together, man. Let’s do this thing.” It’s a lot of fun.

      [00:04:17] CS: Fantastic. On an early episode of Cyber Work, if you all want to go back, it’s the November 18th, 2018 episode, I interviewed Jeff Williams, who was a major early contributor to the OWASP Top 10. If you haven’t heard it, I’d recommend seeking it out for a deep dive into OWASP history and the roots of it. For expediency’s sake, John, can you summarize the use of the OWASP Top 10 list, what it tracks and why a massive shifting and updating like the one we saw in 2022 is so important?

      [00:04:46] JW: Yeah, absolutely. OWASP is an organization. It’s an open community. Really, they’re dedicated to keeping the world secure. They’re dedicated to keeping applications secure in the world today. It consists of volunteers all over the world. I mean, if someone’s watching today, and they’re like, “Hey, I want to get involved.” You totally can.

      It’s an open-source community, or just an open community. Like you said, they do a lot of different things. One of the things that they do, one of the popular things that they’re known for, is this Top 10 list. It’s like, hey, what’s the OWASP Top 10? Well, it is the top 10 security risks, web application security risks, in the world today. The way that they figure that out is they go out and put out, basically, a call for papers. I mean, it’s like, organizations that would be willing to give us data. They post it on their Facebook page and their Instagram, their Twitter and their whatever. They’re sending out emails. I mean, however they can get people to come back and give them information.

      OWASP has earned a name and a reputation, obviously, along the way, so that now companies know to be looking for the call for information. They put out this call and they say, “Hey, organizations. Tell us what are the big problems you’re seeing in the world today.” Then, they get all of this data that they compile together. Again, one of the fascinating things to me is the OWASP organization itself; it’s a group of volunteers. It’s just people that want to make the world a safer place. They give up their time and they go through all this data, and they say, “Okay, how do we take this data and turn it into what ends up being a top 10 list?” There’s this whole methodology that they go through. They then figure out what that methodology is. It can take a ton of time. I really appreciate those guys.

      Anyway, but ultimately, what comes out of that is this top 10 list, and they say, okay, in the world of web applications today, these are the top 10 biggest risks that are out there. Then organizations can look at that and say, “Okay. I need to keep an eye on that stuff.” Then to your point, the list changes over time, but they don’t publish this every single year. They don’t even have a set, an exact schedule. They just published one at the end of 2021, which as of this recording is just a few months ago. Then the one before that was in 2017. It was four years.

      There have been some iterations where they waited three years; it’s been three years in between, and for some it’s been four years. It’s in the three to four-year range. That’s when maybe a new one comes out. That list, as you can imagine, as the world changes, as applications change, all that stuff, then that list is going to change. That’s why people are always interested in like, “Hey, what’s the current security posture of the world today?” Anyway, that’s what the Top 10 list is. It’s a really good document.

      [00:07:52] CS: What were some of the more surprising changes about the OWASP Top 10 from late 2021? Whether it’s vulnerabilities that climbed in the rankings, the ones that left the list, the ones that were just introduced? Also, is there a lot of weight to the numerical ranking of the vulnerabilities? Because I know things go up and down. What does the reordered list say about the ways that vulnerability issues have changed and evolved, or developed, over the last couple of years?

      [00:08:18] JW: Yeah. No, great questions. The methodology, or the approach, for this list was a little bit different than the 2017 one, or even years before that. That goes back to what I said: this group has to get together and figure out, like, hey, how do we even approach this data, this data that has come in from all these organizations? Which, by the way, there’s organizations all over the world that just dump – they’re willing to just dump their data into OWASP and say, “Hey, if this can be helpful, then please use it.” Which is awesome. We appreciate those companies, too, that are willing to share.

      [00:08:51] CS: For sure.

      [00:08:53] JW: Anyway, in a general sense, what OWASP has done in previous iterations of the Top 10 is they would go out to organizations and say, “Hey, we want your data, but keep it in the bounds of these certain areas.” That’s the most interesting thing to us as OWASP. They guided everybody. Well, this most current one, the 2021 list, they just – they took off the guardrails, basically. Hey, just give us anything you got. Just dump it on us. Which, frankly, turned into the largest dataset that they’ve ever had in the history of the OWASP Top 10, which is awesome. They have a lot to deal with. Lots of use.

      Also, based on that, based on opening the aperture there, if you will, and then the methodology that they use, they really were trying to go after, well, I’ll call it the root cause of an issue, rather than a symptom. For example, one of the risks that was on the 2017 list was XML external entities. XXE is how they abbreviate that. That was on the 2017 list. That was one of the top 10. On the 2021 list, that XXE has been integrated into, or made part of, the number five risk, which is security misconfiguration.

      Just to give you an idea, they’re like, hey, really, the root problem of an XXE vulnerability is that your security is misconfigured. There’s misconfiguration problems in your web application. Then these XXE things pop out as a result of this. We’re going to pull it down to the root. I say that to say, when you look at the 2021 list, it’s a bit more broad in nature, in terms of each item that’s listed on there. That’s not true of 100% of them, but they’ve really gone after the root cause, rather than the symptom. You mentioned, like, hey, there are some that have changed; has the list changed?

      A couple that I would point out: there’s a new one, cryptographic failures. In fact, that’s number two on the 2021 list. Again, that’s one of those root causes. In fact, just to give an example on that one, too, the number two on 2021 is cryptographic failures. There was another one on the 2017 list called sensitive data exposure. Sensitive data exposure has been pulled into, like, hey, the reason that our sensitive data is being exposed everywhere is because the underlying cryptography has problems. Sensitive data exposure from the 2017 list has been combined into, or loaded into, if you will, the cryptographic failures item on 2021. There’s a few that are still on the list. I’ll point out injection. If you’ve been around the OWASP Top 10 for any length of time, you know our good friend, the injection attack, right?

      [00:11:52] CS: Oh, yeah.

      [00:11:54] JW: That’s been on the list forever. It’s been number one for a while, frankly. It’s now number three on the 2021 list, which is interesting. Anyway, the number one item is broken access control. This is my thought around that, broken access control. In today’s world, you’ve got applications that are available to all kinds of different people all over the place. You’ve got people working from home, you got people working in the coffee shop, you got people working at 35,000 feet in an airplane while they’re flying. The underlying problem there is how do I keep access control around my application? Who gets to get in and who doesn’t get in?

      Back in the day, it was like, hey, we all sat in our little office at work. There was this internal trusted network, and anyone coming out of that network, we trust them, because they’re sitting in the office. Well, now that doesn’t exist anymore. Everybody’s everywhere. It’s created a lot of issues from a security standpoint. Anyway, that’s bumped broken access control all the way to the top. That’s the number one on the 2021 list.

      [00:13:10] CS: It is a weighted ranking, though. Number one means the big one.

      [00:13:13] JW: Yes. I’m sorry. Yeah. That’s a great point. Just a quick word on that. Yeah. Number one, in terms of the data that was shared and all that stuff. Number one is more critical. It is a bigger deal than number 10. They are weighted – it’s not like, hey, here’s just 10 of them in no particular order. They are in a criticality-ranked order.

      Frankly, that’s not to shamelessly plug my course, but if you watch the course, then you’ll learn a lot more about the methodology that they use and the mentality and the approach on how they figure out, hey, which one’s number one, which one’s number two, right? We go into that. Then also, I was going to point out quickly is the OWASP organization, because of all the input from all these other companies around the world, they have, of course, the top 10 list that they’ve put together. I always like to say this, the OWASP Top 10 list is not necessarily your organization’s top 10 list.

      You may have, for example, cryptographic failures; that’s number two on the list. That may be your number one, or injection may still be your number one. Don’t necessarily take the OWASP Top 10 and say, “Okay. Well, that directly matches our organization.” It’s an awareness document that gives you an idea of the state of application security today.

      [00:14:37] CS: It’s the state of the world. Okay, yeah.

      [00:14:38] JW: That’s it. That’s right. You’re right, though. To point out again, it is a weighted list. Number one is more critical. It’s more severe than number 10, or number two, whatever.

      [00:14:49] CS: Worldwide. Yeah. That also doesn’t necessarily – it’s not prescriptive in terms of the order that you address the issues within your own company. It’s not like Maslow’s hierarchy of needs, where it’s like, you need a home before you can start looking for love or whatever. You don’t have to repair broken access control necessarily before you get into number eight, or whatever.

      [00:15:14] JW: That’s right. Yeah. Hey, Chris. Some people find love before they have a home. That’s true.

      [00:15:19] CS: Yeah. Well, yeah. That’s true.

      [00:15:20] JW: Who knows? It’s not required. No, you’re exactly right. You’re exactly right. Again, for your organization, you need to look at your own applications. You need to look at your own security posture and all that stuff, all the threats and vulnerabilities and blah, blah, blah. Yeah, and then you need to rank order for yourself. You may have a really critical security risk that’s not even on the top 10 list. Maybe a really big deal for you. Just proceed with that in mind.

      [00:15:49] CS: I asked Jeff Williams this on the previous episode, and I’ll ask you as well, and it might be a naive question. Why do you think these same types of vulnerabilities never go away? I mean, obviously, just knowing about them isn’t enough. What are some safeguards that would cut down on the instances of these types of vulnerability in everyday work life?

      [00:16:05] JW: Yeah, that’s a great question. I would say, there’s a lot of old applications still out there. I mean, again, we’re in the world of app, of web applications. Application security. There’s still a ton of old applications out there that, hey, business, whatever, created this thing back in 2000. Which, for me, by the way, sounds weird to say 2000 was 22 years ago. That is. Let’s say you created one way back then, and all these new modern things, operating systems, were not around then. For a thousand different reasons, you just haven’t gotten around to updating that application. It’s such a critical application for your business.

      Maybe it’s your billing application, or it’s your whatever, inventory control and whatever. I don’t know. You cannot get rid of that thing. That’s still out there. That introduces a lot of problems, those types of things. We had a conversation earlier in a separate video about secure coding, just that whole career path. Anyway, so when people are writing applications, when they’re creating these applications, if they’re not using secure practices, and they’re just trying to, hey, the boss is on my back, I’ve got to get this thing written this afternoon. It’s just, okay, here it is. Just have it. Whatever. That happens all the time. Vulnerabilities happen that way. That’s a reason that these things are just constantly popping up.

      You’ve got users, end users, that don’t behave properly. It’s like, “Hey, I’m not supposed to open that thing, or click on that link, or whatever, but I do it anyway.” You mentioned safeguards. I think a few things really are, they go back to the basics of what I just said. I mean, as an end user, don’t click on the suspicious links. Don’t open the weird attachment in the email. I mean, that is a – that is still, like, phishing attacks.

      [00:18:04] CS: They’ll get you every time.

      [00:18:06] JW: I mean, it is a massive thing, that is still one of the number one, if not the number one attack vectors that attackers will use is just phishing, because it still works, right?

      [00:18:15] CS: Absolutely.

      [00:18:17] JW: Anyway, use a strong password, don’t leave your computer unattended and just walk off in the middle of the airport or whatever. It’s those kinds of things. Another thing: you could use multi-factor authentication. That’s where you have a username and password, but then you have to pull out your phone and punch in the little [inaudible 00:18:33]. That’s a good thing to employ.

      Those are some of the safeguards, I think, that we could put in place, just given the world that we’re in. If you’re on the development side, if you’re like, “Hey, I’m creating this stuff,” then you need to use secure coding practices. There’s different standards that you can use that can help guide you. You need to write secure code. That will be your little part to make the world a safer place. Those are a few things.

      [00:19:04] CS: That dovetails perfectly into my next question. For listeners not currently working in the area of cybersecurity, or not in the industry at all and just watching this out of curiosity, but who find this discussion of the OWASP Top 10 list and all the different types of vulnerabilities there are to be patched and secured interesting, what can you do with this info? What types of career paths or job roles are involved with this type of work? Because it’s not just secure coding, or patch management, but I assume that there’s DevSecOps elements, there’s access management and all these different things. Can you walk me through some of these different career paths?

      [00:19:38] JW: Totally, totally. This is not going to be an exhaustive list. Because this computer, this cybersecurity world that we live in is just a massive place. There’s so many different job opportunities out there, which is a good thing. Also, for someone that’s just starting out, you may look at this massive world and say, “Man, this is a daunting place. How do I even get in, or where do I start?”

      Some of the things you mentioned, patch management, or secure coding, or some of these DevSecOps roles, those kinds of things are absolutely possibilities out there, or open opportunities out there. I did a quick search of a really popular career website the other day, and I just typed in software developer. I don’t remember all the different – some of the keywords I used. I mean, there was a laundry list of these things. I mean, jobs open everywhere. I mean, it was everything. I think on the software developer side. I mean, I found a little – there was a farming equipment company that’s like, we need to write some applications. There’s banks, there’s insurance companies, there’s retail stores, there’s all kinds of stuff that’s open out there.

      Certainly, you could be in software development, but you could do a number of things. Like you said, patch. Patch management: how do you patch these systems? When do you do that? Especially if you have these really big, complex applications. Do you have to, for lack of a better term, you’re going to have to restart the computer to make them take the patch. Well, how do you restart the actual web server that’s serving up your data all the time? This is critical.

      Sometimes there’s maintenance windows, where it’s like, all right, we got to wait till next Thursday, or a week from next Friday, or whatever it is, right? Before we can turn off this system and patch it up. In the meantime, there’s a massive vulnerability that’s just sitting down there, completely open for anyone to take advantage of. There’s some of that risk management. There’s a lot of different places you can start.

      I think InfoSec does a great job of giving different career paths, or skill paths, to say, hey, if you’re interested, just take this path. That gets you into this world, and at least it can start to give you some ideas of where you might want to start.

      [00:22:04] CS: Yeah. You’re my, I think 189th guest or something on the show. I learn as much from folks, as any of our listeners do. I was constantly amazed that there’s entire jobs, careers, things with promotion potential for things like access management, making sure who has access to what types of documents, or what parts of the system. There’s just so much of living online now that there’s so many different places where you can pitch in and be really good at one specific thing that you like doing. Like you said, you can go anywhere you want with it.

      [00:22:41] JW: I totally agree. I mean, that’s a great example, the access management stuff. Then, in fact, like we said on the OWASP Top 10, broken access control has been the number one security risk out there. I mean, if you’re an access manager expert, or access management expert, my goodness, you can write your own ticket, almost. It’s like, everybody needs that stuff. It’s an interesting thing. Some people may look at that and say, well, I don’t want to pigeonhole myself into, like, hey, I have to be this access management expert. I wouldn’t look at it like that. I would say, “Hey, do that. Do a really good job at it, and then get to know that world and then be the expert.” Then, you can always laterally move, or maybe move up or whatever it is, and do a little something else in an organization.

      [00:23:27] CS: Also see what else is interesting to you while you’re there.

      [00:23:28] JW: Totally, totally. Don’t be afraid that, “Hey, I’m going to pigeonhole myself. I’m just going to do access management, or access control for the rest of my life.” That’s not how it works.

      [00:23:40] CS: No. You’re not chained to your desk. Yeah.

      [00:23:42] JW: That’s right. That’s right.

      [00:23:43] CS: Let’s talk again about you. Tell us what students who enroll in your OWASP Top 10 class will be learning about, what they’ll be actively working with, what the assignments will be like and what they’ll be able to translate to their jobs, or the jobs they want at the end of it?

      [00:23:57] JW: Yeah, of course, of course. Well, so if you take the class, you’ll obviously learn about OWASP. In fact, the very first – I hesitate to use the word lecture, because I feel like, we’re just having fun in there. We’re just exploring the space together. The first video set is all about the OWASP organization. Who are they? Where they come from? What motivates them? All that stuff. How do they do what they do? Then of course, we dive into the top 10. There’s one video per security risk on the top 10.

      In those, you learn about the risk. When you use broken access control, for example, what does that even mean in the world of modern applications today? How do APIs play a part in that, and different application access problems, whatever? We talk about that. It’s the fundamentals of each of the risks. Then, I’ll give you different examples, talk about how to protect yourself against some of these problems that arise out of these security risks. You’ll learn all of those things. Then, talking about how do you translate? How would you be able to translate that to your job?

      Well, I’ll go back to a software developer. If you’re a software developer, then you’ll understand hey, as I develop code, then these are 10 things I really need to keep an eye out for. I need to keep an eye on. Don’t make these mistakes if you possibly can avoid them. If you’re not a developer, if you’re just an end user, or whatever, it gives you a better idea of the state of the application security world today. Maybe you didn’t even realize that one of them is cryptographic failures, like I said before. Maybe you didn’t even realize how big of a deal that is, or that it was even a thing.

      I think, it’s a good awareness path. If it doesn’t directly translate to your job, it increases your knowledge in that area. It’d be good to take either way. I would encourage every person on the planet to take it.

      [00:26:08] CS: Yeah, sure. Yeah. Why not? To that point, we were saying before, if you’re in secure coding, or you’re in access management, to be looking around while you’re there, something like the OWASP, I think, is just – it’s this tower that gives you a vantage point to so many other – As you’re learning that, you’re also thinking, like, okay, now you could go in this direction, you could go in this direction. It really is the perfect fork in the road, or whatever, that branches off in all different directions. That’s great.

      [00:26:41] JW: That’s right.

      [00:26:43] CS: If you don’t have experience in this area, but you’ve done your reading, you’ve learned about OWASP and MITRE and have a strong theoretical knowledge about patching and securing these issues, how do you acquire hands-on experience to show potential employers that you can do the work?

      [00:26:57] JW: Yeah, that’s a great question. That’s the age-old problem. I need 10 years of experience, but how do I get that? Whatever. I’ve seen some job postings. It’s like, hey, you need five years of experience with this certain technology. The funny thing is that technology was developed three years ago. Some people need to update their resume, or not the resume, but the job posting stuff. Anyway.

      [00:27:23] CS: Right. Or in a time machine.

      [00:27:25] JW: That’s right. You need to invent the flux capacitor. That’s number one. Then, anyway.

      [00:27:30] CS: I’m just going to write your own ticket for that.

      [00:27:32] JW: That’s it. That’s it. I would say, again, if you’re a developer, if you’re a web application developer, software developer, you can look at things like open-source projects. Mozilla’s got some really good ones. There’s a bunch of them out there. VS Code. There’s some different – a lot of different Python ones. Anyway, you just type in open-source project on Google, and you’ll totally find a ton of them. Or type it in on Mozilla, on Firefox, or whatever, right?

      Anyway, so yeah. You can use those. Basically, what these organizations have done, I’ll use Mozilla, is they’ve said, “Hey, we’re developing all kinds of different code and different projects we’re working on. These are different little tasks or different features that we want to build into our product.” Then, they just open that up to the community, to the whole world, and they say, “If anybody has experience, or can solve this little problem, then do it.” You would take one of those open-source projects, well, little tasks, and you would say, “Hey, I know how to write in Python, or Java, or C sharp, or Go, or whatever.” Then you would take that and you would write an application, or you would solve that problem, basically.

      Then you can take that and you hand it back to the company and say, “Hey, I’ve solved this problem for you.” Maybe they accept it. Maybe they say, “Hey, we need to tweak it a little bit, or whatever.” Then, there you are. You’ve contributed to the project. Then, that is absolutely gaining experience in this area. You could do other things. If you’re not a software developer, there’s a thing called the Common Vulnerability Scoring System. There’s different vulnerabilities that pop up in different applications, or different code, or whatever, software, then they’ll assign it a CVSS score. 10 is really bad and one is not so bad, kind of a thing.

      There’s a CVSS special interest group. It’s the CVSS SIG, because everything’s got to be an acronym. You can contribute to that. You can just type in CVSS SIG on the internet, or on Google or whatever, and you’ll find it. You can request to be a part of that group and you can either contribute to the group, or even if you’re like, “Hey, I don’t really have anything to contribute. I just want to sit on the back row and watch.” You can do that, too. You can just follow along. That gives you some good experience on, like, hey, what’s the state of vulnerabilities? Which software applications, or frameworks, are problematic today? Those kinds of things. That’s another area that you could look at, to try to gain some experience without even – That’s completely independent of whatever job you have today. You could do that, regardless of where you work. Couple things.

      [00:30:23] CS: Okay. I’m guessing that this type of vulnerability finding and remediation isn’t usually a top of the ladder job. This isn’t something CISOs do per se. If you do find yourself doing this type of work, what are the common career trajectories from here? What are the common next steps for vulnerability managers and secure coders and the like?

      [00:30:42] JW: Yeah, yeah. That’s right. I mean, just, I guess, to be fair, some people enter this world, and we’ll pick on a software developer, and they absolutely love it, and they’re like, “I just want to do this forever.” Okay, you just keep doing that forever, man. Be awesome at your job. But some people are like, “Hey, I’ll do that for a little bit. Now, I’ve got the itch to go, or whatever, to go do something else.” Let’s say you’re on a team of maybe software developers, or on a vulnerability patching team, or whatever team, then I would say, regardless of where you are, do a great job. Show up to work every day, ready to work and give it your best. Give 100%, kind of thing.

      As they say, the cream will rise to the top. You’ll get noticed by your employers. This whole cybersecurity world is just woefully understaffed. There’s not that many people that are doing it. If you are doing it, and then you do a good job, it’s like, man, you’ve just hit the gold mine kind of a thing. Do that. Back to the practical. If you start out in an entry level, then very likely, if you do a great job, you’ll work your way up to maybe a team leader position, or maybe some sort of manager. Hey, you’re going to manage this whole team, whatever. Maybe you’ll work your way into a director level, or whatever. I’m not trying to go through every single organization. You could start to get larger jobs, like maybe an architect, or those kinds of things. The architect, not necessarily like, hey, now I’m an architect designing buildings, but on a cybersecurity kind of thing.

      [00:32:28] CS: Designing the system of security.

      [00:32:30] JW: I’m designing the infrastructure. Hey, this is going to be a cloud-based application with remote users everywhere, and we got to figure out our access control problems, and we got to figure out our, whatever cryptography issues we have, or availability and efficiency, blah, blah. How did you put all those pieces together? There’s a 1,000 pieces you have to put in place. Someone has to take a step back and build that picture, build that whole thing. That’s a really cool place to end up.

      In order to end up in a place like that, you need to have done some access control. You need to be that access control person you’re talking about. Do the access control. Do some of the cryptography stuff if you can, or do the – learn a little bit about the cloud environments and how those things work, and just that thing. Then after a while, you’ll look back one day and you’ll be like, “Hey, man. I’ve actually learned quite a few different things.”

      [00:33:31] CS: I know a lot of things. Yeah, right.

      [00:33:33] JW: Then the boss is going to be tapping on your shoulder saying, “Hey, guess what? You’re our best person to architect out this whole new thing.” You’re going to be like, “What?” I would say, just from a personal perspective, this has been true in my life, is if you have an opportunity to step into a new role, even if you’re a little bit nervous about it, and you’re like, “Man, I don’t know the first thing about that.” I would say, I would encourage you just do it anyway and do a great job and learn. You will find that you learn a ton of new stuff. After a while, you are going to look back and you’re going to say, “Okay, I actually know a few things about all this stuff.” Be willing to take the risk. Take the leap. It’s a good thing to do.

      [00:34:16] CS: I love it. As we wrap up today, John, this has been so much fun. Thank you so much for talking to me today. As we wrap up today, please tell us more about, you have other classes that you teach through InfoSec skills, or your work with Fortinet, or anything else you’d like to promote.

      [00:34:31] JW: Yeah, yeah. No, I appreciate that. It’s self-promotion time. This is my favorite moment. No, I’m just kidding.

      [00:34:35] CS: Absolutely. It’s time for deploying.

      [00:34:38] JW: That’s right. I’ve done a couple of the different skills learning paths with InfoSec. They’re both the OWASP Top 10. It was the 2017 list and the 2021 list. Those are the two that I’ve done. Don’t quote me on this. It depends on who was watching and when and all that stuff. The 2017 list, I think InfoSec may say, hey, at some point, we need to just archive that away, because it’s getting older, and let’s just highlight the 2021. I can’t guarantee that they’re both out there at any one time.

      Anyway, but one of them will be out there, whatever. Get out there and check that out. It’s been a lot of fun. Then yeah, just the work I’ve done. Like I said, I mean, I’ve done a lot of stuff through the Air Force and some different consulting with the Department of Defense. Right now, I work for Fortinet. It’s a security company. They do awesome work. I worked at F5 Networks prior to that. Again, I can say, with both of those companies, I got into that. I’ll just tell my quick F5 story for a second. I got in at F5, a buddy of mine was like, “Hey, John. We’ll get this thing.” I did not know the first thing about F5.

      There was definitely a lot of like, “Hey, I don’t know what I’m doing here. What’s going on?” But I said, “You know what? I’m going to do this thing.” I jumped into it, and I just nose to the grindstone and studied a lot and learned a lot, asked a ton of questions. Then as I look back on my F5 time, it’s awesome. F5 is awesome. Then I’m like, “Man, I actually learned a lot of stuff there at F5.” Then now I’m at Fortinet, Fortinet is also awesome. Just amazing people. They’re super smart. Then just a similar thing.

      It’s like, “Hey, I don’t really know a lot about this stuff.” I have now learned about the overarching, hey, how does the Internet work? What is a computer? And just that stuff. To learn the specifics of that job, it’s going to take a lot of work. It’s going to take a lot of studying and all that stuff, but that’s okay, because now I’m learning even more stuff. I look at it as a good – just a good personal building experience. Again, that’s why I encourage people, just go and take the leap and do it. In terms of promotion and all that, I would just encourage people to take the OWASP Top 10 skills learning path here at InfoSec. Hopefully, you’ll enjoy it.

      [00:36:58] CS: Yeah, absolutely. You think about the times when you were most exhausted when you were trying something new, and you just push through and push through, and then you’re like, “I can’t do it anymore.” Then you get done and you’re like, “Wow. Suddenly, I’m a different person almost at the end of it.”

      [00:37:10] JW: I know. I did that. I know. It’s cool. You got to do it. You got to start in order to do it.

      [00:37:16] CS: Yeah. One last question. $10,000 question here. If our listeners want to learn more about John Wagnon and your OWASP courses, where should they go online?

      [00:37:23] JW: Well, like we said, go to InfoSec and sign up for the OWASP Top 10 skills learning path. You’ll see it there. Hopefully, you’ll have a great time. You’ll be like, “Hey, you know what? I want to watch that all over again.” Take the time.

      [00:37:36] CS: Just leave it running in the background.

      [00:37:37] JW: Just keep it running just on an infinite loop. No problem. No problem.

      [00:37:41] CS: [Inaudible 00:37:41] of John Wagnon.

      [00:37:43] JW: That’s right. Just go to bed and wake up. That’s right. Then, in terms of connecting, man, I’d love to connect with whoever wants to. Probably the best is LinkedIn. I’m out there on LinkedIn. I’m trying to remember the little URL. I think, it’s just /JohnWagnon, if I remember right. If you’re watching this video, you see what I –

      [00:38:06] CS: You know how to do that. Yeah.

      [00:38:07] JW: They’ll see it on LinkedIn. Right. If you need help on that whatever. LinkedIn is probably the best place to connect. Although, I would say, I’m on Twitter, although I don’t really do a lot on Twitter. I’m one of the lurkers like, “Hey, let me just watch.” I don’t really post a lot on Twitter, but I am on there, so if you wanted to connect or whatever. Good stuff, man. Appreciate it.

      [00:38:30] CS: All right. Well, John, thanks for your time and insight today. Really appreciate it.

      [00:38:33] JW: Yeah. Absolutely, man. It’s been a pleasure. It’s been awesome, Chris.

      [00:38:36] CS: Great. As always, I’d like to thank everyone at home who is listening and supporting the show. New episodes of the Cyber Work Podcast are available every Monday at 1 p.m. central, both on video at our YouTube page, and on audio wherever you get your podcasts.

      I wanted to make sure you all know that we have a lot more than weekly interviews on cybersecurity careers to offer you. In fact, for those of you who are interested in InfoSec Skills, you can actually learn a little bit of cybersecurity for free on our InfoSec Skills platform and our trial program here. If you go to infosecinstitute.com/free and create an account, you’ll start learning right now with a cross-section of some of our hundreds and hundreds of InfoSec Skills courses. You get 10 free cybersecurity foundation courses, six cybersecurity leadership courses, 11 courses on digital forensics, 11 on incident response, seven on security architecture, DevSecOps, Python, JavaScript, ICS, SCADA security fundamentals and more. Just go to infosecinstitute.com/free and get started today.

      Unfortunately, for John Wagnon’s, you’ve got to go in and get the premium tier there. But you’re going to want to after you see that.

      [00:39:43] JW: Worth every penny, right Chris?

      [00:39:44] CS: Worth every penny. Absolutely. Thanks once again to John Wagnon and thank you all for watching and listening today. We will talk to you next week.

      [END]
