Teach yourself cybersecurity with skills-based education

Infosec Skills is kind of a big deal. The interactive learning platform boasts 500+ cybersecurity courses featuring cloud-hosted cyber-ranges, hands-on projects, customizable certification practice exams, skill assessments and other features. John Wagnon, Senior Solution Developer at F5 Networks, is a course creator for Infosec Skills and has created an informative and in-depth study of the OWASP Top 10 list. John and Cyber Work host Chris Sienko talk about skills-based education, in-demand job skills, learning programming on your own and, of course, the OWASP Top 10.

John is a Senior Solution Developer for F5 Network's DevCentral technical community. In this role, he helps analyze and solve complex problems for F5 users all over the world. He frequently writes articles and records videos that are featured on the DevCentral website. Prior to his work at F5, John was a Communications Officer in the U.S. Air Force where he specialized in ground and satellite networks. After leaving the Air Force, he worked for a technology consulting firm where he analyzed cyber-attacks against US Department of Defense computer systems and networks. John holds a Bachelor of Science in Computer Engineering and a Master of Science in Computer Networks.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Chris Sienko: Cyber Work with Infosec has recently celebrated its 100th episode. Thank you to all of you that watch and listen and subscribe to both the audio podcast and our YouTube channel. We're so grateful to hear from all of you and we look forward to speaking with your more about all aspects of the cybersecurity industry. To celebrate this milestone, we have a very special offer for listeners of the podcast. We're giving 30 days of free training through our Infosec Skills platform. Go to infosecinstitute.com/skills and sign up for an account or just click the link in the description below. While you're there enter the coupon code "cyberwork", one word, all lower case, C-Y-B-E-R-W-O-R-K, when signing up and you will get your free access. You'll get 30 days of unlimited projects to over 500 cybersecurity courses featuring cloud hosted cyber ranges, hands on projects, customizable certification practice exams, skills assessments, and more. Again, check out the link the description below and use the code cyberwork, C-Y-B-E-R-W-O-R-K to get your free month of cybersecurity training today. And thank you once again for listening and watching. Now, let's get to the episode. Our guest today, John Wagnon, is a course creator for Infosec Skills, including an informative and in depth study of the OWASP Top 10 list, one of the many topics that we'll be speaking about today. John Wagnon is a senior solutions developer for F5 Networks, DevCentral technical community. In this role he helps analyze and solve complex problems for F5 users around the world. He frequently write articles and records videos that are featured on the DevCentral website. Prior to his work at F5, John was the communications officer in the U.S. Air Force, where he specialized in ground and satellite networks. After leaving the Air Force he worked for a technology consulting firm, where he analyzed cyber attacks against the U.S. Department of Defense computer systems and networks. John holds a bachelor of science of in computer engineering and a masters of science in computer networks. John, welcome to the show today.

John Wagnon: Hey Chris, it's great to be here. Thanks for having me.

Chris: It's great to have you as well. So we always start show, we like to hear origin stories. So tell us where you first got interested in computers and tech and also where specifically did security enter the mix.

John: Yeah, so computers and tech started really back in college. That's was my bachelor's degree as you mentioned, bachelor of science in computer engineering. And even back then, I thought, hey these computer things are gonna be around for a while so let me kinda get into that. And so anyway, so that's really where it started back in college and then continued on with my life in the Air Force. As you mentioned in the little bio there, I was a communications officer in the Air Force, doing a lotta computer networking kinda stuff and then it has continued on with life after that, whether it's some consulting work for the Air Force, or DoD or now with F5 Networks. And security specifically, really I guess really after I got outta the Air Force, I really dug into the security side of things. I mean it's always kinda been in the mix. It's not like you study computers and networking and just don't care at all about security.

Chris: And never care about it.

John: Right, exactly.

Chris: Right.

John: So it's been in the mix, but really, really I would say the last probably 10 to 12 years has been really security focused.

Chris: What's the appeal specifically? Was there a certain ah ha moment where you realized this was the fun stuff or this was the important stuff?

John: Yeah, I mean it is fun and important. And so I mean that was part of it. But also, when I got outta the Air Force, I loved my time in the Air Force and wanted to stay connected there and so I did some consulting work, some contracting work, that kinda thing with the Air Force and DoD. And there was a huge need that they had and I knew that. And they said, hey can you really help us focus on this stuff. And then as you get into, then you kinda catch the fever as it were, and then it's like, man this is really cool stuff. And some of it can be scary. Some of it can be like, wow what is goin' on? But then really at the end, it's fascinating, it's fast moving, there's always something new to learn. And that's one of the things I love about it, is it's like, man, you never, ever stop learning this stuff. If you stop learning, then the world continues you on and leaves you behind about that fast, so you better keep learning.

Chris: Oh boy, we talk about that all the time, about the half-life of security knowledge It's about two years at this point.

John: Yeah I was gonna say it's about 30 seconds, but yeah--

Chris: Yeah, yeah.

John: Maybe two years.

Chris: It starts melting away. But yeah and there's also that, just that satisfaction of, you know like you solved a real problem that could have potentially enormous consequences.

John: That's right.

Chris: I'm sure that's exciting as well.

John: Yeah it is.

Chris: So as we mentioned at the top of the show and there's a little promo before you came on here, but we're talking today about Infosec Skills, which of course is our skills-based learning platform through, you know, Infosec. So first of all, what types of classes have you created for the site?

John: So the only one for Infosec skills is the OWASP Top 10, like you mentioned. So yeah they OWASP Top 10 is the one that I've done thus far. I will say this, it's not a class, but I've written a blog and may write another or two. Or who knows, by the time someone watches this, maybe I've written a bunch of 'em. But yeah, I may do more work in the future as well, so.

Chris: Okay yeah, so you've created other classwork or collateral in the past, so tell me about the blog a little bit.

John: Yeah so the blog was, frankly kind of an overview of the OWASP Top 10, why it's important. So it's sorta connected.

Chris: Is that how we found you?

John: Well actually I did that one, I did that one after I did the class. Just to kinda help people learn about, hey there's this class out there.

Chris: Great, all right.

John: I think, yeah, so it's out there, you can go check it out. And then go take the class.

Chris: Okay, well give me a little walkthrough of what students will see in the OWASP Top 10 class. I mean, you know, I guess first give a real quick elevator pitch on what the OWASP Top 10 is. But then also like what are the specific skills that you're imparting to sort of keep people savvy about it?

John: Yeah, so I guess the quick version of OWASP Top 10 is, OWASP is a non-profit organization that does a bunch of computer security work around the world. They've got a lot of leading experts that contribute and all that. So it's just a, frankly it's a big group of people that really wanna see the internet and all that stay safe, which is great. The Top 10 list specifically, is this group of people, they go out, they do surveys, they do a lotta data collecting from all kind of different companies and industry experts and all that all over the world and they compile a list of the top 10 security risks that they see in the world at that time for web applications specifically. So if you use a web application, which all of us do, all the time, whether you know it or not, then there are risks associated with that. And so the OWASP Top 10 are the top 10 most critical risks out there. And so for the course itself, for the skills learning path, I go through each one of those. Well first of all, I go through an overview of like what is OWASP and how do they create the top 10 list, what is the top 10 list all that. But then we go through every one of the top 10 security risks in depth. And I use demos, I use videos, I like to tell different stories, hack into people's webcams and spy on their backyards and all kinds a good stuff. So you'll see a lotta good stuff in there.

Chris: Nice. So one of the reason, you know, we changed our podcast name to Cyber Work a while back and the sort of point is, is not only do we wanna talk to people in cybersecurity industry, but we wanna impart tips on getting on the first step of the ladder or climbing the ladder of the cybersecurity industry. So I wanna talk a little bit about, you know for the benefit of people who are maybe just considering cybersecurity for the first time, or might feel sort of stuck in their current position and you know want some advice. So to start with, what recommendations do you have to get people into cybersecurity, who might have an interest but no previous experience? Are there are certain skills or certs or experiences that newcomers should work on first to get their foot in the door?

John: Yeah, well shameless plug, you need to watch my skills learning for OWASP Top 10, right? Obviously that's the number one thing. No I'm just kidding.

Chris: Use coupon cyberwork to get one month free.

John: That's right, that's right. So there are, there are certain certifications you could go after, security specific. Like Security Plus or CISSP, certified ethical hacker, you know those are three good ones to kinda take a look at. And then I would say a lot of what we're seeing today, just in general is this move to automation, move to the cloud. I've heard different, either business leaders, or industry leaders or whatever say hey, if I can't automate something today, then one of my primary goals is to figure out how I can automate it tomorrow, you know, type of an idea, which makes business sense. That it's like hey I want to do things faster, better, more secure, all that kinda stuff. So knowing that that's the way that the world is moving and frankly has been moving for awhile now, then as someone who wants to get their foot in the door, then start to learn some of what that automation is. Go check it, you know. Anyways, so like cloud based stuff, automation stuff. Get your foot in the door there. There's always code. Like app developers are in massive demand, so go learn a programming language. Learn Python, learn PHP, JavaScript, whatever. Frankly you could even go look at, one this is just kind one interesting thing that you could do. Go to a company that you might be interested in or you're just interested in the work that that company does and check out the careers page. What are the job openings that you see, right? Well I mean for me personally, I work for F5. I'm on the DevCentral community team like you mentioned. There are massive amounts of job openings for developers, you know. So go learn a programming language and get yourself a job and it will happen. And you know, you'll be in demand. So anyway.

Chris: Is that sorta thing that you can do kinda freelance, where you sort of self-teach yourself a programming language and then build a thing and sort of show it to someone and say hey I did it or--

John: You could.

Chris: Yeah?

John: Yeah, you totally could. One of the cool things about the internet today that wasn't around say 20 years ago or whatever is that you can go on there, you can go on the internet, there's a, I don't even know if this group is sponsored by anyone or whatever, but it's a great website called Code Academy. And they have all kinds of different learning opportunities where you can just go on there and start learning, I mean from the basic, hey let me try to program, you know hello world that pops up on your screen and start there, right? And learn how to do that in JavaScript and then learn how to do it in PHP, and then learn how to do it Python and then whatever, right? And what I would encourage people to do is maybe kinda play around with a couple a difference languages if you wanna get into the programming side.

Chris: Right.

John: Play around with a couple of 'em and say hey this one just really makes sense to me. And then this other one just makes absolutely no sense to me, the way that's built or just I don't know, whatever. And you know it's been interesting, I've run into different people along the way that will have these very emotional discussions, almost fights as it were saying hey this programming language is the best and it's like no this one is the best. There's no best one. So I say that to say hey get out there and just kind of check out the basics of a few of them. And then take that, to your point, take that and say hey I know how to do this thing. I know how to program in JavaScript or Python or whatever. And then you can take that to a job interview and say here's some things that I've done and I understand how to program in this language. And then employers are gonna be like, and I mean I can't guarantee this obviously, but employers are gonna be, that's what they're lookin' for. So I mean at the end of the day, not to get into too much of a business discussion here, but at the end of the day, a business or a company is going to compensate you for a skill that they have a need for, right? They are interested in a skill and if you can bring that skill to the table, then they will compensate you for that. So, not to get too far ahead of ourselves here but in terms of education and all that stuff, you may need to go to a four year degree in order to achieve that skill. You may need to go to a master's degree level stuff or you may not need to at all, you know. So anyway I would encourage you, at least to start off, do what you can without spending tons and tons of money. I mean I've got a bachelor's and a master's degree. I'm certainly not anti-education at all. But sometimes that may not be totally necessary to go all the way to certain levels before you can just go start making money, you know. And you may not ever need to go back and get a master's degree or maybe even a bachelor's degree. Anyway, so--

Chris: That translates perfect to my next question here. So you said it's more important to get the skill or it's as important or that's the crucial point. So in your opinion, what are the cybersecurity skills that are most in demand right now and which ones do you need to most quickly accelerate your career? Are there any skills that people are overlooking right now in their studies and preparations?

John: Yeah I mean I know I just talked about just code, like web development, developing, coding, that kinda thing, that's absolutely in demand. On a security perspective specifically, penetration testing and just other security testing is absolutely in demand as well. I mean you can imagine, companies have these web applications and they need to know if they bad guys are gonna be able to get in or not. Because guess what, the bad guys are trying to get in. So if you could come in as a pen tester and say, hey I can be the virtual bad guy and try to get in and tell you exactly where your holes are and that's in high demand for companies today. And then I would say too, to the extent that you can, depending on where you work and all that stuff, maybe get some real hands on experience with actual products, like just a network firewall or maybe a web application firewall. Again, to the extent that you can, you may not even have access to be able to do some of that. But if you can, walk down the Hhall and be like hey guys, at least let me look over your shoulder and help me learn what an access control list looks like or a security policy on a WAF or whatever. How do you build that? And teach me a little bit. And then you can take that and grow from that, right? And then take that to the employer and say hey make me your next security guy or whatever.

Chris: Yeah absolutely.

John: Yeah, so those are a few things.

Chris: So how long have you been an educator? And in that time has the cybersecurity training landscape changed since you began?

John: I, in terms of like formal educator, the nature of what I do in my job, I create a lot of content for DevCentral. I know I've talked about DevCentral, I mean that's my job, I'll plug it a little bit. So the nature of what I do is create a lotta content for that community, that's our online community, technical community for F5. And so I'll write articles or I'll do videos or that kinda thing. But also as a part of that, I'll have speaking engagements to customers or user groups or that kinda thing. Or even conferences, I'll go and be a speaker at conferences. So I've been doing that for several years now. But in terms of the actual, hey you're gonna go sit down in a John Wagnon class, that's gonna be the OWASP Top 10 skills learning path. So I haven't done as much of that, but I've been in the speaking, education roles for quite a while now.

Chris: Have you seen a sort of a change in the direction in the way people sort of learn or what they're being taught and so forth?

John: Yeah, I mean I would say this kinda goes back a little bit to what I said a minute ago with the four year degree versus boot camp versus a you know like skills learning path or whatever. You know back in the day you finished high school, then you go onto to get your bachelor's degree. That's just, you had to do that, right? Today, that is not the case. You, again I'm not anti-education. Like I said I mean I've a master's degree myself, but you do not have to get all of that anymore. I mean I work with bunch a guys and girls that don't have a bachelor's degree and they've gone and learned a skill for themselves, many of which we've just talked about and they bring that to the company and the company desires that skill. And if you can learn that skill and bring it to the employer the employer will, you know, they will like that. They will find that attractive. And I can say, really from my, I guess I can speak for myself, I don't remember being in an interview, not that I do a ton of job swapping or whatever, but I have not necessarily been in an interview lately at all, where the employer's like hey I, you must have a master's degree or else forget it. Or you must have a bachelor's degree. If you could bring that skill to the table, then that's what's critical, that's what matters. So in terms of the landscape changing over time, that's where we are today. And frankly as far as I'm concerned it makes a lotta sense. If you have piece of paper that says bachelor of science in whatever, okay that's great, but as an employer I care what you can bring to me to help me grow my business, to help me make money, that kinda thing, right? And regardless of whether you have a certificate that says something or not, are you helping me do what I need to do as a company? Right, to make money and grow our business, anyway.

Chris: So let's talk a little bit about specifically about skills based education of the sort that Infosec Skills is and so forth. What are some benefits to this method of training above other methods that people might not be aware of, as opposed to academic study or boot camp?

John: So I think skills, skills-based or skills-focused training is extremely important and at risk of repeating myself here, it's really at the end of the day, you as an individual, whoever you would be, the people watching this, you need to have a skill that is desirable to an employer, right? I mean if that's the goal of what you're trying to do, if you're trying to get a job or whatever. Or if it's just hey I just wanna grow more in my own education and I'm not necessarily looking for a job.

Chris: Or a boss told me on Friday I need to know how to do a thing by Monday.

John: Man, that actually happens.

Chris: Oh for sure.

John: That's not a hypothetical, as you know Chris, so anyway.

Chris: Oh yeah.

John: So yeah, regardless of your motivation, I guess, you're trying to gain a skill. So the question would be, why did you go to college and try to do that thing, get that degree? It's because you're trying to learn a skill to do something. So skills-based training gives you a very focused approach to say hey, I want to learn, I'll just pick Python programming as an example. I know I've talked about that a little bit. I wanna learn how to be an awesome Python programmer. What do I need to do that? And the answer is, you need to go learn, you need to go Python program. You need to either read stuff about it, read a book about it, you know go watch a video about it. But a skills-based training class, can give you the very focused information and education that you need to learn that thing right? Whereas if you took a four year degree, and again, I know I've said this a million times, I don't wanna make sound like I'm anti four year degree, 'cause I'm totally not. It certainly has its place. But if that's what you're trying to do, then go to a skills-based learning path and learn that thing. And that's the benefit in my mind, that you don't have to worry about the extraneous or the other stuff, that may be worthwhile as an individual or just as a human being or whatever, but you can learn this skill. I would say boot camps have their place as well. Boot camps are interesting because very typically boot camps are like hey, you're gonna go get this certification, I'll pick in CISSP, for example. You're gonna go get a CISSP. It's this mile wide and inch deep, this is the way I got my CISSP, is the way that it's described and all that stuff. And so you need to go focus for a week or whatever it is and just hit it hard and you're trying to get that CISSP and that's great. But it's not, so I guess it has its place, but again the skills-based learning, like a learning path or that type a thing, is gonna give you that specific skill that you're looking for and not bog you down with a lotta other stuff that you may not be that interested in anyway.

Chris: Yeah and also, you know, I think there's also a difference in what your company needs of you. Whether it's like you said, I need to know how to program by Python next or our entire department needs to be CISSP compliant in a month. You know obviously there's places where that happens all the time as well.

John: Yeah, yep.

Chris: As someone who has had, stacks of unread, you know subscribed magazines sitting on my table or a meditation app that's gone unused for weeks, without a professor assigning weekly tasks, it can be hard to be stay on track or meet up with your learning objectives. And so you know, skills-based, the thing about it, is that it's pretty open ended. You can do it on your own time. But the down side of that is that who's there to tell you when your own time is the right time. So do you have a tips to help life long learners stay focused on training and accomplish their goals with such an open ended opportunity?

John: That's a great question. First thing I would say is Chris, get those medication things goin' man, you gotta really bring it in. No I'm just kidding.

Chris: Yeah, yeah.

John: Exactly at risk of being super philosophical and all that right here, I would just say you have to stay focused. You have to, as an individual, you have to say, all right what am I'm doing here? And man I could go off. I won't get on my soap box here. I could go off on nutrition or exercise or you name it right? You need to have a disciplined lifestyle and you need to have a goal that you have set. I'll pick on PHP or Python or whatever, you know whatever... I wanna be a pen tester, right?

Chris: There you go, yes.

John: I wanna be pen test. I wanna be able to go to my next employer or my current employer and upgrade and up skill or whatever as a pen tester. All right, well what does that look like? Well I would say, of course shameless plug here for Infosec. I mean go and check it out, right? I mean you got a lotta great resources. So establish a path for what that needs to look like. And Infosec does a great job. I mean that's the whole goal of the skills learning path, right, to say hey if you want to land here and you're here, here's a good path to get you there. You know, reach out to friends and colleagues and stuff and ask them too. But at the end of the day, it's your life it's your experience and you are responsible for that. So you need to be disciplined. You need to stay focused. You need to have a goal and you need to work toward that goal. And so what that looks like practically is, you need to get out of bed in the morning, right? You need to go and get your blood flowing properly. You need to eat the right kinda foods. You need to engage your brain. You need to say hey I'm gonna learn something new today even if it's just a little bit along this path that I have established. You need to do that. And sometimes people find it good to have like an accountability kind of a person to say hey I'm gonna keep you in check here, or let's to do this together. That's a great thing to do as well.

Chris: Yeah, I set a certain hour of the day where I'm absolutely doing this.

John: That's right. And if and when you do that, that's a great practical tip as well. If and when you do that, then you need to do that. And just because Judge Judy is on TV, that doesn't mean that you need to skip your hour that you've set aside. You need to do that. So anyway and I get it. Hey man I got four kids and all that and I understand how busy life can be, but that's no excuse. You gotta do it man. So that's the answer. There's no like, hey let me just take this simple pill and boom I'm gonna know it all. No that's not the way life works. So get disciplined, stay focused, and man you're gonna love it at the end, but it's gonna take some work.

Chris: Yeah.

John: There you go.

Chris: So obviously there's a lot of skills-based education programs out there on the market, so tell me what you think distinguishes the best ones. Like you know for a consumer, what should you be shopping for when seeking out skills-based training?

John: Yeah so I would say find one, number one that has the content that you're looking for. So if I go back to the pen testing example or whatever, I mean find a place that has something related to pen testing, right? And then also, you know, kind of, I guess dig around in there a little bit. Find an instructor that resonates with you. Right, so I have, I won't name any names or nothing, but I have seen different instructors or presenters that just get up there and the read the slide, point one, point two, point three, and then flip to the next slide and that's it. For me personally, that's not the way to go, many. I do not understand that. So kind of dig around and find someone that resonates with you. And maybe that's not even someone, maybe that's a curriculum or a training style, that's like, hey man, we're gonna learn Python today. And so the first thing is this, and you're not even necessarily interacting with an actual instructor, or maybe you are. So one, I would say again, find a place that has the content that relevant to what you're trying to do and then find someone that resonates with you. Or you could say, hey man when that guy or that girl talks, it's like I can follow that. Like that makes some sense to me. And again, don't wanna go back to the whole education thing, it doesn't matter to me personally, I can speak for myself, it doesn't matter for me personally if that person has a PhD or a high school graduate, or whatever. Are they speaking truth and do they know what they're talking about? Does it make sense? Then bring it on man, so--Anyway so that's what I would say.

Chris: Okay so let's jump back to your area of expertise, specifically the OWASP Top 10 list. You know obviously this is a list that we talked before and should be monitored by cybersecurity professionals of all stripes and levels. So tell me a bit about the most recent updates to it. And also what do you think we should be watching for for OWASP Top 10 in years to come? I know it's not updated every year, but you know we like we watch, we sorta watch to see sort of like what was the last big change and the last big update and so forth?

John: So that's a great question. So I know I talked a little bit about OWASP Top 10 a second ago, but again the list of the 10 most critical security risks for web applications today. And by today, and you mentioned this too, they don't update it every single year. It's every few years, is what I'm gonna say. They seem to have been on about a three year schedule

Chris: 2018 the last time?

John: 2017 actually is the latest.

Chris: 2017, oh.

John: Is the latest one that they have released.

Chris: We're probably due then right? We're due at some point. I've kinda checked around, like hey has the Google told, you know the crystal ball of when they're comin' out next. But I have not seen when the next one's gonna be released. But I would say it's in the next year or so, probably, is gonna be released. So anyway, so yeah it's every few years they come out with that list and I talked a little bit earlier about how they determine that list. There are a few other things though, that I would say that we could watch for for OWASP specifically. And so while the Top 10 list a great thing and that tells you hey, these are the critical security risks that are out there in web applications, they also have another, they have, actually man, they have a ton of information. But one of the things I wanted to highlight is their Application Security Verification Standard. It's the ASVS.

John: What that does is it's a document or a framework that proves a basis for testing your web applications and looking at technical security controls and it also gives developers a list of requirements for how to develop secure code. That's a huge part of this, the security risks that are associated with web applications. A huge part of that is developers don't write secure code and they don't follow secure coding practices. So I would say that, you know... And granted if you're a developer and you're like hey I just got handed this web application and I gotta manage this thing or update or whatever, you can't necessarily go back and just scrap it all, and say all right, I'm gonna redo this thing. So I get that. But to the extent that you can, as a developer, if you're a developer, you need to follow secure coding practices and help yourself and help those that would come after you or that would use your code or whatever. It's a critically important thing. So and I guess in terms of what to look for from OWASP, certainly the Top 10, but also that ASVS, I wanna call that out. And then yeah, so, but we can look for probably a new list, you know, in the next year or so like we said.

Chris: Is it a ranked list, in the sense that it's sort of like weighted? Is like the number one the most important, number 10 least? 'Cause I feel like I've seen the numbers go up and down in the past. Do you see like any movement of things that are going up or going down or being handled?

John: Absolutely, so yes it is a rank ordered list. So the number one is the most critical whatever, whatever and then number 10 is not as critical as it were, but it's still on the list kind of a thing. And it is also true that these risks will bump up. You know the 2013 edition was different than the 2017 edition. So you know whatever on the 13 may have been number five and on the '17 it was number eight or something like that. So they shift around. And beyond that, you may have had one on the '13 edition that is not even on the '17 edition. Or what has also happened, you may have two of 'em that were on the '13 edition that are now combined into one on the '17 edition and it ranks at a different spot or whatever. So you'll see a lot of movement like that. There's some pretty cool graphics or images or infographic kinda thing that you can download and see how that movement happens. One other critical thing that I would mention, and I mentioned this in the skills learning path, is that just because the OWASP Top 10 list is the OWASP Top 10 list, doesn't mean that that's your specific company or organization's top 10 list.

Chris: It's not your manifesto yeah.

John: That's exactly right. So it's not an end all, be all for all organizations across the board. So for example, you know you've got insufficient logging and monitoring is the number 10 risk on the OWASP Top 10 for 2017. So they would say that that is not as critical as broken authentication, which is certainly higher up the list. For you as an organization though, maybe insufficient logging and monitoring could be the most critical thing you've got, right? So anyway, so you can do your own testing and run different reports. There's different organizations that'll come in and do testing, whether it's pen testing or like DAST or SAST type testing that'll come in and say hey for your specific web application and your organization, these are the things that are goin' on and this is how critical they are. And then it's also, it's a fairly personal, personal to the extent that it's your organization experience, because you have you have determine what kind of business impact that thing would have on your specific business. So it's very difficult to say, hey this is the number one or the number 10, whatever. It's good to know the OWASP Top 10 obviously.

Chris: Yes.

John: But I guess I wanna caution people to say hey don't just automatically assume that that is your specific top 10.

Chris: Yeah it's not a collect 'em all kind of thing. And it's also, you know, when we talk about, for instance like compliance requirements and stuff for different organizations. Like if you're HIPPA compliant, congratulations you have the baseline of security that you need. That doesn't mean you're completely safe from all bugaboos ever. So I feel like this is a similar thing. It's like start here and then do your own research and so forth. But at the same time you need to have the entire top 10 in your back pocket at all times I would imagine.

John: Absolutely, yeah, yep you said it, you said it very well Chris. A plus man, gold star.

Chris: All right, all right. I'll see ya for next week's lesson. Okay, so we talked a little bit about what students will learn from your OWASP Top 10 course, but like what are some of the, both practical and theoretical information that you class provides? What are some things they'll be able to do when they leave?

John: Yeah, well I mean first you'll know the top 10. You'll certainly, you'll certainly know what they are. So as I mentioned before, we do an overview of just the OWASP organization, where does it come from, what's it all about. How do they determine the Top 10? What's the methodolgy that they use to rank? Like how is number one, number one? And how did number two not just barely edge it out you know kind of a thing? So we talk about all that stuff.

Chris: Okay.

John: And then we go into each of the top 10. So as we dig into each risk, then I explain what it is. So I'll just use injection. That's number one. Injection's been number one for like ever, you know since my grandfather was a child. You know since before Al Gore invented the internet, injection was the number one risk.

Chris: Yeah back when Stu Hunk was just Steam.

John: That's exactly right. So anyway, but take injection for example, which by the way injection is not just SQL injection. There's a lotta different types of injection, LDAP and others. So anyway, but we'll look at injection for example, and like what does injection even mean, right?

Chris: Yeah.

John: What's the theory behind an injection attack at all? Okay, now that we've got that down, then let's look at how SQL injections work or are used or whatever, right? Or how about LDAP? You know LDAP injections are a thing, so we look a that. And then once we kind of establish, okay no I understand injection, now I understand how it can be used and utilized by an attacker. We talk about why an attacker would be so interested in, let's say in this case injection attacks. Because they can do a lotta crazy damage with these things. Then we look at, are you vulnerable. Like what are some telltale signs that you and your web application may be vulnerable to this specific security risk. And then I tend to finish it up by saying how could you protect yourself from this specific security risk. So we go through all 10 of 'em like that. So you're gonna learn kinda the basics behind what it is, just the foundational knowledge of what it is and then we'll get into some details on how it actually works. And that's where some demos and videos and all that kinda stuff start to come into play. And then I'll talk about, hey are you vulnerable to this one specifically and then how can you protect yourself. So once we get through all of that, then hopefully if you've paid good attention and if I've done a good job teaching it, then you would understand hey these are the top 10, you know.And then hopefully at that point, you would have a better, just sort of fundamental understanding of the landscape of the security world that we live in.

Chris: Like here you go.

John: Like hey attackers are trying to do bad things all the time. This is why and this is how they are doing it.

Chris: There's a million ways but these are the main ones, yeah.

John: These are the main ones, that's exactly right. There's a lotta ways to break into a house. These are the main ones that people use or whatever right? So let's look at those and understand that. So hopefully it will elevate your understanding or your awareness of the security world that we live in, whether you know it or not. I mean this stuff is happening regardless of whether you are aware or not, right?

Chris: Yeah, yeah, yeah. So as we wrap up today, where do you see cybersecurity education going in the years to come? Do you see any innovations that we can expect on the horizon? And what are some issues currently with us that you hope will be resolved in this terrain?

John: Yeah so cybersecurity education is growing and rightfully so. I mean it's a, you know, cybersecurity in generally is just, man it's exploding. Just because cyber, I mean everyone, everyone's using the internet. I was looking at some stat the other day about like internet of things and just connected devices and we've got the new 5G networks comin' out for mobile and all kinda good stuff.

Chris: Billions of new people joining the internet in the next five years or whatever.

John: Right, I mean everyone on the planet is gonna have like 50 internet connected devices or whatever, right? I mean your stoplight is gonna be internet connected or your whatever. So anyway, so I say that to say, this whole thing is growing. It is by no means slowing down or backing off or even plateauing, so it is growing. Therefore cybersecurity education continues to grow as well as this stuff changes and grows. And so anyway some things that I would say that you could do as a learner is go out to places like I mentioned on the internet and start to just learn some of these skills, whether it's coding and saying hey I can spin up my own, maybe I can spin up my own virtual machine and learn how this computer connects to this computer and learn more about this crazy thing called the HTTP protocol and how does it all work and whatever right?

Chris: Right.

John: And then we start to learn how to secure that thing. And then you know, whatever it is that you're trying to do, there's so many resources on the internet that you could you go to. And I know we talked about like hey what makes a good one or a bad one. But I would just encourage people to start that process, start the education. And I'm not saying that you have to become an expert in this but certainly if someone's watching this video, this interview right here, they're at least somewhat interested in this stuff, right? So anyway, so I would just, I would encourage them to say, hey take that first step. Go and do something really simple if that's where you need to start and check that one off your list and then go to the next thing. You don't have to do these big huge things, but over time you're gonna grow. And this goes back to that self-discipline thing where you have to take the responsibility yourself. Go and educate yourself and you know because again, this whole cybersecurity thing, or this whole cyber and connected devices, I mean it just continues to grow. So you can either learn about it and get to know more about what's happening in the world around you, or you an just stand still and watch it kinda move on past you, 'cause it is moving.

Chris: It is moving.

John: So anyway, yeah.

Chris: So in closing today, if our listeners wanna know more about John Wagnon and your other activities, where can they go online to see you?

John: Well I'm on LinkedIn, so connected with me on LinkedIn and message me there whatever, so I'm happy to do that. And then I know I've plugged a little bit of DevCentral for it's the F5 technical community and it's a great place to be. But I'm there. I mean that's my job, job, right? So anyway, so I post a lotta content out there. So if you wanna come check it out and there's a lotta great content creators out there as well. So come find me on devcentral.f5.com. So those are probably the two biggest place.

Chris: Great, John Wagnon thank you again for your time and insights today, really appreciate it.

John: Hey great to be here, man. I really appreciate the time Chris.

Chris: My pleasure and thank you all for listening and watching. If you enjoyed today's video you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec. Check our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice. And again as I mentioned, because we past 100 episodes of the podcast, we wanted to celebrate with you our listeners. So please click the link in the description to jump to the Infosec's Skills platform where you can enter the coupon code cyberwork, that's all one word, all small letters, C-Y-B-E-R-W-O-R-K to get a free month. Thanks once again to John Wagnon and thank you all again for watching and listening. We'll speak to you next week.

Join the cybersecurity workforce

Are you a cybersecurity beginner looking to transform your career? With our new Cybersecurity Foundations Immersive Boot Camp, you can be prepared for your first cybersecurity job in as little as 26 weeks.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.