Episode 6 with Guest Marie Moe


In this episode, our host Tanya Janca (also known as SheHacksPurple) talks to our guest Marie Moe to learn what it’s like to be a Cyborg, Scientist, Infosec Consultant, and Associate Professor II at NTNU! Gosh, that is a lot of amazing stuff she does! Marie is well-known for her TED talk, “Can hackers break my heart?”, where she details how she hacked her own pacemaker while it was inside her.

Welcome to the We Hack Purple podcast, where each week we introduce you to a different and new guest who’s a member of the information security industry. So, I’m the host, I’m Tanya Janca, and when I joined information security I found it really hard to figure out which job I wanted, what the options were, how to get training, what training did I need, what job experience did I need, what job was right for me. I ended up becoming a pen tester because that’s what my professional mentor was and that’s what I thought I wanted, and then it actually took me over a year or two to figure out, you know what, this isn’t what I want, I actually really want to work in application security. And then it turns out I love it. And so we at We Hack Purple started this podcast to try to help people figure out where they fit, and so we are inviting all sorts of different amazing people, including today we have Ashish Rajan. And I want to tell you, just before I reveal him to you, because it’s really exciting when I reveal the guest: this episode is sponsored by ThreadFix, which is also partnered with Denim Group, and I want to thank them for being our podcast sponsor. They’re our sponsor mostly for the rest of the year, and I really, really appreciate it. But now, what you have been waiting for for 20 minutes because we started late: Ashish Rajan. So let’s say hello to him. All right, wait, wait... and wait, wait, I’m trying... there, there we are. All right, we are both set up. Yes, he’s here! This is the best.

I’m here, finally. So glad to be here.

And the crowd goes wild! Yes! Oh, I’m so pleased. Thank you, thank you, thank you for everyone who waited, we really appreciate that, and we’re sorry we’re a bit late. Sometimes the internet is just dumb.

So, Raj, I’ve shared the updated link on YouTube for your folks on Twitter and LinkedIn as well. They’re just new links, so they’ll get there eventually.

Yes, thank you. So the tables have turned: I have been on your podcast so many times and now you
will be on mine.

I know, like, I feel like I should do the Simpsons, where I just slowly go back and, like, cartwheel myself out of the picture.

I know, that’s exactly right. Like, maybe I should be nervous, but she’s a friend as well, so she’ll be nice.

She will, but she has to tease you a little bit. Do you remember that? Yeah, you, me and Teri showing our muscles. So I’m now showing that to the audience. This is from AppSec Day in Australia last October, so almost exactly a year ago, when I met Ashish in person for the first time, and you can see that obviously Teri and I have really, really, really big muscles, but it’s nothing versus Ashish’s muscles. Okay, and they’ll stop teasing you and stop showing that photo. And the crowd goes wild again!

It’s like, don’t take the other picture.

That’s such a good photo, I have it on my wall. I actually, like, I really love that photo. It’s so funny.

Oh, thank you, thank you, appreciate that. It came out really well.

Thank you, it did. So I have some interview questions for you. Are you ready?

Yes, I am.

None of them will involve math equations, I promise.

Uh, I’m gonna disappoint all my brown folks if I don’t have any math, sure. There’s no math? It’ll be really embarrassing. It’s like, there’s no math, how can I be the Indian guy with the last questions? Basically, all the brown people on your podcast have just dropped off, they’re like, that’s it, no math, I’m not interested in this.

No, please, don’t. Don’t worry, guys. I scored out, I’m really good with geometry, I think I’m really good at math. I loved calculus, really.

Oh, there you go. Wow, Tanya, you are multi-skilled and clearly super smart.

Okay, so I have a bunch of questions and they’re all pretty much easy, since they’re about you, so you will know the answers, hopefully. But it’s like a conversation, so feel free, if something makes sense, to just add it in.

Okay, yeah, yeah, for sure.

Okay, so the first question is: what is your name, and if you have a handle online, what is it?

Sure, my name is Ashish Rajan. It’s
the same as hashish without the H, and my online handle, that’s why, is hashishrajan with the A. [Laughter]

I was surprised when I was looking you up, I’m like, why are there so many people named Ashish that aren’t the one that’s my friend? I’m just like, too many Twitter handles, all of you go away, you are not the one I’m looking for.

That’s... this was the only way I found out I could stand out, because no one else could link that hashish joke, but it’s so obvious, why don’t all of you get this? So that’s why I started taking over all the hashish names out there. But then I have to be careful, because that also meant that when people do hashtag hashish, the kind of images that are coming our way are different. That’s why I had to go on my live streams these days, I’m going “live with hashish” instead of hashtag hashish, because someone thought it’d be a creative idea to go hashtag hashish on Instagram and LinkedIn, right? But yeah, I had to change that on LinkedIn, so now it’s hashtag “live with hashish” on LinkedIn. That’s to be easy and not provocative.

Hashtags are really important. When I started the Mentoring Monday, I felt like that was too many letters, so I just did the hashtag MMM, and, well, let’s just say, no, that was a very different topic, that was not for office, I guess. Apparently it is pictures of very nice derrieres. Um, so yeah.

Yeah, yeah, have had our... it is... perfect.

Yeah, I know exactly what I found, and I was like, why are so many people destroying this? That is not Mentoring Monday. I’m so sorry, I didn’t... anyway. Okay, so the point of this story is: always check what the hashtag is before you use it.

Yeah, because you might think you’re being super creative, but suddenly you find out there are all these other people who were equally creative.

Yes, and so we’ve already learned one important lesson today from Ashish. That’s right, check your hashtag on the internet, that’s the number one thing.

Okay, okay, so the next question is: what is your job title, and describe your
job? And I feel like you have two jobs, you have, like, your day job and then you have your podcast job, so do you want to tell us about one and then the other?

Yeah, sure. So my nine-to-five is, I am Head of Security and Compliance for a company called PageUp. We are a recruitment software company, a SaaS company, it’s a global tech company. So my nine-to-five is usually, I guess, that’s what I’d spend doing. Outside my nine-to-five I run a podcast called Cloud Security Podcast, and it’s kind of like the same format as what you have, it’s a live stream every Sunday 8 a.m. Australian Eastern Standard Time, based out of Australia, so Australian Eastern Standard Time. And, yeah, you guys can catch it every week. We talk about cloud security, because that’s something I’m passionate about and that’s something that I’ve kind of found that I’ve been able to share that knowledge with the wider community. Because I’ve always felt that cyber security has a very gated approach, and I always felt like, why is it? Because I never met any people like... you know, when I met you as well, you and I were so open about what we know and what we don’t know, but for some reason on Twitter and everywhere else people feel that that’s not really true. So that’s why I started my podcast, absolutely free for anyone who wants to consume it, and every bit of cloud security knowledge out there I can provide to people. That’s kind of like the goal, to create a whole cloud security community and bring the value. That’s my outside, I guess that’s what I’m doing in the midnight, I guess.

I love it, I love it, that’s awesome. And Head of Security sounds really good. Head of Security and Compliance.

And I was like, I just, I just... I’ve got the crown picture right here just for that. Like, that’s my... if one day when I get my house, this is going to be the picture on the wall art. My wife’s already agreed to it, but, uh, just waiting for that day if I can have that space.

Do you feel like you should add the COVID beard
to the picture?

I think I should, yeah. Hopefully COVID goes away by then, I can get rid of this and I can actually go to a barber shop, considering we’re in curfew mode, because barber shops are not open as well, and in Melbourne we have a curfew where we can’t go outside the house between 9:00 p.m. and 5 a.m. and no barbers are open. So yeah, that makes things challenging, I guess. But I’m hoping by the time I get my house that picture would actually be me as well, or I would have to make another one, I guess, or maybe have one more on the side as well.

I have the same problem, I mean, my bangs, they’re just like, they’re out of hand.

Oh, that’s why I started sweeping it to the side, because I’m like, I can’t see anymore. Uh, well, don’t let me pull my hair down as well, although my wife has been really nice and, let’s say, our marriage depended on the haircut she gave me.

I think your hair looks great. I was actually joking with my friend, I’m like, I have to let you go, I have to do my hair, because my guest has really great hair.

Oh, thank you, that’s all kudos to my wife, though. She definitely did a great job of giving me a decent haircut. If you would have seen me two weeks ago, yeah, I’d definitely look like a bushman.

I like her better. There are a lot of people that look like that and it’s not just you, don’t feel bad.

Oh, thank you, though, thank you. But I have a reputation to maintain. When the crowd goes wild, they don’t go wild for a bushman.

Oh my god, it’s like screaming and running away. It’s different, it’s not the same.

Oh yeah, it’s a different kind of wild.

Yeah, true, it’s the other kind of wild that people are going for, not the kind you want.

Okay, so I have a question. What is a day in the life like, to be the Head of Security and Compliance? Like, do you walk around slapping people’s hands with sticks? Please say no.

Uh, well, I wish that was a joke, but thanks to COVID that’s been avoided. But I’m just kidding. Uh, as the Head of Security, I feel like
most of my days are usually planned for the week. And I think, I know we will probably talk about some of the skills that are required as well, but I’ve planned for the week, usually, because it’s kind of like a varied thing, where it can be a mix of talking to a product team, or it could be talking about incident response, or it could be talking about something that is a low or a high risk. So I feel like I kind of work better if I plan for it on a Monday, or actually usually it turns out to be Sunday night after the podcast is over. But if someone decided to send me a request saying, I think I found a bug, like, so responding to those, or you talk about risk. Um, anyway, that’s kind of like the mix, but I think it’s a great role where I get to do so many things based on the experience that I’ve gathered over the years.

Do you feel that when you’re explaining the risk to people that they understand, or do you have to use a bunch of different ways to explain it, or do you have, like, sock puppets that you... just kidding.

Oh, I wish I had those. Uh, you see, I found one of my skills has been the fact that I’ve been able to kind of explain security in a very layman way. Like, for example, when I talk about security and why people should care about security, I talk about the level of maturity that the internet has. Like, I think I did a presentation yesterday, internally, about online safety for everyone, which is different to us, we have a security awareness training as well, but it was different to that. But the goal behind that was the fact that when you go on the roads, there’s a sign board for this is your speed limit, you should slow down, it’s a school zone, slow down. There’s nothing like that on the internet. Nothing goes on the internet and tells you, Tanya, by the way, the website you’re going on, there’s a virus on it, so you should not go there. Like, Google tries to do a great job at it by having that small “the site has been hacked”, but it doesn’t really, like, it’s not proactively looking
out for you. Whereas I feel like we haven’t matured in that context, so when I talk about risk I tend to use that as an example, where I can relate it to something that they see every day. Like, I consider security guardrails as airbags for my car. Like, I know I’ll never use them, but if they’re there then I know I’ll be safe.

I love that, I love that, especially because everyone understands car airbags. It’s like five seconds, it’s totally not sexy, but when an emergency happens they can actually protect you against a whole bunch of things, or reduce the harm of so many different types of attacks. It’s like one line of code usually, unless it’s CSP, which is, like, very hard and complex, but still worth it.

Yeah, or, yeah, I think so as well. And I think one of our jobs as security folks is probably that you should be able to explain something to anyone. Like, otherwise, if we would just talk, for lack of a better word, talk nerdy all day, we would not be making many friends apart from more nerdy friends, and probably it’d be a really small cult group that we’ll have. But we want this to be a wider thing, because it’s everyone’s safety online, not just ours.

That is... I love that. It’s everyone’s safety on the line, not just ours. I feel like t-shirts.

T-shirts should be... yeah, we should totally have the t-shirts out someday. Actually, maybe we should probably copyright it before someone else makes a t-shirt.

Yeah, well, actually the We Hack Purple company is, like, making a swag store, and so we’re actually planning to make t-shirts and mugs and stuff, so we’ve been, like, thinking about all the different slogans we could have.

Oh, nice.

Like, “we’ll hack for coffee” on a coffee mug.

Oh, that’s a good one. Well, you just got another contribution for your swag store as well.

It’s perfect. Speaking of awesome swag, this is not a great segue, I’m trying. Um, I wrote a book, did you know that?

Oh, I wonder what’s the book called?

It’s called Alice and Bob Learn
Application Security. And oh, it could be Alice and Bob, or, is it the other way around, Alice and Bob?

I was going to say Alison Morbid, like Alison Bob. I feel like I should be Alison, you should be Bob. However, Bob’s a white guy and Alice is a nice-looking brown lady, so I feel like we’ve got all the bases covered between the two of us.

Oh yeah, we definitely have that covered for sure. Yes, we may have just switched the gender for this context, but we definitely have the bases covered.

Yes, well, basically both of us know lots of AppSec, and so that is the main base that the book covers. And yep, and my publisher told me, they’re like, listen, you’ve sold like 74 books, and your book comes out at the end of October, and the record that we have set for pre-sales for a technical book is 300 books. And so I am extremely competitive.

I have no doubt about it.

So anyone listening to this, you just look up Alice and Bob Learn Application Security and check it out, and I’m very biased, but if you want to learn how to make secure software, I believe it is fantastic.

I may be a bit biased as well, but she’s a really good friend and she talks security, so you would definitely learn quite a bit. Just saying it out loud right now: go buy it. I’m actually on Amazon right now. I think I might have bought it, sorry. [Laughter] So it’s a hint that it’s on Amazon as well, if you guys want to go with it.

Yes, someone just added, buy one for yourself and for your friends. Yes, I agree absolutely with Ahmed, he is the best, listen to him. But now back to, like, actual questions about you. Um, so being the Head of Security, there’s a lot of different types of personality traits and aptitudes that someone might need, and I’m wondering what types of aptitudes and/or personality traits someone might need to be good, to be the Head of Security and Compliance.

Sure, um, I’ll probably start with something that’s probably not taught in uni much, and I kind of had to pick it up as I went along, as more soft skills, right? Really, to be honest,
I always felt, when I started my career, I always felt like I needed to be the best programmer, the best pen tester, the best sysadmin, but I kind of realized slowly that all that kind of withers away after a while, because there’s always the next thing. Like, you would be a PHP expert, but right now only Facebook wants you, I guess, no one else wants you, um, that is if they still use it, like, no, things like that. Um, and I still know for sure that empathy is probably one of the skills that I would definitely recommend people look into. And I don’t mean empathy in the fluffy sense, more in the context that you should be able to work with people in other parts of the company. You should be able to understand what the goal of your company is, so you have some business context, but at the same time empathize with that: oh, this is probably not the right time for me to bring in this conversation about the super important security project that I think is important when the company doesn’t. I think that, for me, is probably the more important skill, and then you can add a few layers of compliance knowledge as well as some technical knowledge about the cloud and other things in there as well. But I definitely feel empathy is probably the biggest one, because you can work effectively with other team members as well.

So that’s the best answer. Um, I feel like almost everyone, every week, says that, but not in a way where I’m like, oh, that’s a bad answer. It’s because it’s just so true.

Um, yeah, yeah, you’re not even taught this as well, right? You kind of have to, like, pick this up as you go, on the job.

And someone... and I don’t know why people don’t, like, write it down somewhere: number one skill for any job in security, because you have to work with other people. Even if you’re a pen tester, because you have to explain to someone why something is important in layman’s terms, you need to be able to empathize as to when they come back at you and say, no, no, this is not a problem
you... I should worry about, it’s a low risk, it’s not a high risk. As you mentioned, you need to be like, no, no, this is high risk. You can’t, like, stand your ground there, you kind of need to take a moment, go, okay, explain to me why it’s low risk, let’s just talk about it, and empathize from that, put yourself in their shoes.

Well, and sometimes, for instance, you have to, like... if you chain a whole bunch of low vulnerabilities together they become a critical vulnerability, or if you’re revealing a whole bunch of different information, suddenly it becomes sensitive information because it’s a combination of things. And do you feel, since you’re the Head of Security, do you feel that leadership skills are required?

I definitely feel leadership skills are required, but I’ve always looked at leadership as more, I’m serving the team. So I look at leadership very differently. I feel, and I know there’s a lot of definition in the industry about what leadership is and what management is, but for me I think it’s all about... it’s about working together as a team. So most of my conversations... leadership, yes, 100 percent, but probably the definition of leadership for me is more being their friend and understanding where they’re coming from, rather than, uh, I’m going to be the leading example of, um, I don’t know, insert really awesome task over here, I guess. That’s good, I couldn’t think of an example, but I think 100 percent: so empathy, leadership, but leadership in the context of insert awesome job here.

No, I think I really loved how you said, um, like, that you kind of serve your team, because I kind of feel that way too. Like, I’m always like, I don’t want to be a bottleneck. Like, I’m here to enable you to get your job done, and if I’m not responding when you need me, then I’m sucking at my job.

Yeah, yep, and sorry, I was just going to perfectly add, because you may ask them to do a job, but if they’re not comfortable to do the job, then it kind of goes back to the empathy as well. You need to be able to say that, oh,
I enjoy pen testing, but you want me to do what again? You want me to do compliance? Like, maybe not, because you want to retain your team as well, right? And not just go, this is what I want you to do, because this is what the company’s direction is, and not understanding. I feel like that’s kind of where... um, yeah, you’re 100 percent on the money there. Leadership is a lot more complex. They’re just serving the people. It’s not about being in charge, it’s all about serving. So yeah, the higher you go, the more people you have to serve, I feel.

Oh wait, I muted. Yes, no, no, I really, really agree with you quite a bit, actually. I love it when my guests say the thing I’m hoping that they’ll say. Um, so we actually have a question in the chat. Do you mind doing a lot of questions? Is that cool?

No, no, no problem, yeah.

Okay, so, um, oh, okay, so first of all there’s a quote from Gandhi which I really like: there go my people, I am their leader, so I must follow them. I think that’s really beautiful.

Yes, and it has to be a brown guy as well, thank you. Yeah, um, okay, sorry, I can say... I can, I can say that, sorry. I probably should have clarified, I can feel like I’m being a brown guy, as I mentioned, Mahatma Gandhi is a brown guy as well.

Okay, so we have a question from David O’Brien: so how does the Head of Security make development and operations teams care about security?

That’s a great question, that is, and he’s a good friend as well, David. Hi David, by the way. Uh, yeah, I think the way... at least it’s different for all different organizations. The way, at least, this works for me currently has been getting involved in conversations, where initially it was because I feel it’s a bit about knowing the person who’s leading the team and getting their buy-in on how much do they know about security, or do they care about security. And it’s been a really interesting conversation, where all developers want to write good code. No one wants to be known as the person who wrote really shitty code. I don’t know if I can say [ __ ], but yeah, people can, you
can, I guess. I’ve already said it.

Yes, um, but yeah, it’s too late already. It’s already... as they say in Texas, the horses are out of the barn already, I guess. I don’t know where I got that from, but someone from Texas told me that.

Um, and, um, but the one thing that I feel is in there: all developers want to write good code, because they know when it’s displayed in front of another senior developer they don’t want it to be like, oh my god, you missed this, you missed that, you missed this. Um, so if I get an understanding from a senior developer, or I guess their team leader, that they have that mindset as well and their experience, I tend to find it as an easy conversation for me to introduce concepts like the whole security championship. Like, I’m running a security championship program in my company at the moment, we’re trying to introduce some kind of software composition analysis tool in there, and it’s really interesting, yes, I know, it’s really interesting how it kind of had to be trickled through, because not everyone may see the value instantly. But you kind of have to find some folks, you... so you talk to your, I guess, whoever the team leader is, to find out who these people are who are really passionate about security, because they all stand out. Every time they see a bad piece of code, they’re the ones who are saying, nah, this is wrong, I cannot make this work this way. And I think, Tanya, you mentioned this in my podcast as well, but you were working with a few people and you kind of almost walked away from the job as well when they didn’t, like, listen to what you were trying to say. So I know there are a lot of people like that in every company, and it’s all about finding them and basically working with them to drive security initiatives, because the reality is there is no company that I know of which has a big enough security team to serve the entire company.

Oh my gosh, that’s so true.

So you have to work with them. Empathy again.

I want to make a t-shirt that
says, I am the security team. And everywhere I’ve worked, it’s like, hi, I’m the security team, it’s just me. [Laughter]

Yes, that’s the sad reality of our field, but hey, it’s a great field if you love laughing and want some fun. Uh, you get paid to find bugs within the company, so it’s perfect.

Yeah, I love our field. Okay, I need to ask the audience a very quick favor. If you are watching this, please click the thumbs up button if you are enjoying it, and if you are not already subscribed, please consider subscribing, because we have lots of other guests coming on in the future, which I will tell you about later. But for now, if you could just click the thumbs up button, that would be awesome. And now for the next question. It’s a very tough question. What types of technical skills do you feel someone needs to do your job, and also, like, what types of training do you think could help get those? And I don’t mean, like, name, like, this specific course, like, obviously you’re like, oh, Tanya, you should get her to teach you. But what I mean is, like, what types of things do you need to learn to get your type of job?

Sure, and, um, I’ll definitely start so... something that I’ve been passionate about recently, and that’s why the whole Cloud Security Podcast and Cloud Security Academy, whatever. But I think, for me, I feel cloud skill has definitely become quite important for this kind of a role, because a lot of people are moving into cloud or they’ve already moved into the cloud. Like, my current company is fully in cloud, we are in multiple clouds. That’s becoming a new reality for a lot of people. So having an understanding of the security controls that can be available for you from the cloud provider, which are cloud native, or if they’re not available, or to be able... I think to be able to ask the right questions from the cloud provider when you’re trying to secure your own cloud environment, that’s probably the number one technical skill. Unfortunately, there’s no official training per se, that’s why I’m trying to
create one, or at least I have a beta program going on for one, because I couldn’t find one which is officially saying that if you do this you’ll be secure, or this is why you would be. Actually, I do know someone, a common friend, Teri, she has a cloud security training that she runs. Another one that I can think of is Scott Piper. I had another guest on my show, Alexander, he’d... so, but I can count them on my fingers, basically. That’s the number of people who have courses which are really out there talking about cloud security in a way that it should be done. Um, so I would definitely say, as a skill, know about cloud. Um, you don’t have to be, like, a super expert, just know about cloud, you know. Know about application security, because everyone’s developing a product, and if you check out Alice and Bob Learn Application Security, probably it’s a great starting point, just a sweet plug in there. And I think, if you... I’ve kind of done Tanya’s Application Security 101 version, which was the previous version, I’ve kind of gone through that course a bit, so it’s very good to have that basic understanding. Because you may not be the best developer, but when you do talk to a developer, to get their respect you kind of have to have some understanding of why someone should fix something, or at least have enough of a technical understanding that you can explain it to someone. Now, granted, if you’re a big team, you would have people who would do it, but I prefer knowing it myself as well. That’s just, I guess, the kind of nerd I am, I guess. But definitely two kinds of skills I’ve seen, I feel: product security, cloud, and SOC, which is incident response. Oh my god, if you have those three covered, risk and compliance is usually something which is already there, and you kind of have to call someone external for that anyway. So I always feel that you can always call someone from an external company to come and guide you on it, so you don’t have to be an expert, unless you’re trying to
be an auditor. Um, someone as a Head of Security, you just need to have a basic understanding of what do you need to comply with and what do you need to notify your executives on if you are breached. That’s how I see that.

There is a question from the chat, from Darpan: so how do you find a good balance of tech skills, you know, cloud, containers, Kubernetes, and certifications, and management and soft skills, in order to be the head, like, in the role of Head of Security?

Right, but I know Darpan as well, thanks Darpan for that question, hi there. But, uh, he’s been my guest, actually both David and Darpan have been guests on my show previously. And, uh, great question as well. I think the way I find... so, uh, maybe it might help if I just kind of start with where I started. I started in the identity and access management field, um, because initially I thought pen testing would be super cool, I got into it, then I have to read a manual, I’m like, this is not for me now. I just cannot read a manual for the life of me for two hours, so I backed out of that really quickly and I started off with an internship in identity and access management, which is really fun, because identity is the new king of clouds, so it works out in my favor. I can ask identity questions as well as cloud questions. But, um, I kind of felt that I kind of had to go through different... the way I kind of planned for it, because I always wanted to get into this role. I’ve been on this trajectory for the last six years. I feel everything that I did was almost strategic, to the point that I ticked off identity and access management, and the previous company before this I ticked off SOC, I knew about incident response, I knew why it was important, I spoke about risk with executives just to understand what that’s like. I feel like you don’t have to be an expert in one, but as you do something more, you kind of... and this is just me personally, I feel like in certain things I love being super detailed, or
but in some things I love just being superficial, just knowing enough that I can have a conversation, but I don’t have to be an expert in it. That’s how I’ve approached this, and it seems to have worked for me so far, where I’ve been able to go, um... or I started off with identity and access management, went into a consulting firm, which is probably... I normally recommend people go into a consulting space just because it gives you insight into so many different industries as part of your job. You get to see, oh, this is how the media industry works, this is how the telecom industry works, this is how, I don’t know, something with an operational technology kind of technology works, a bank. Like, you get introduced so quickly to so many different things, and you get to talk to people and find out, oh, this is why SOC is important, oh, this is why risk is important. And because a lot of these things, unfortunately, are not taught in uni, which unfortunately they just tell you that, uh, this is how you do identity and access management, this is how you do pen testing, good luck. And next thing you know, you figure out yourself, wait, do I like pen testing, or is it just the idea that I can hack something that I like?

I could not agree more with you. Also, they don’t teach pen testing over where I’m from, yeah, in school.

Oh, I mean, we don’t have one. I only had one subject. I did a master’s degree in information security, because that’s what it was called back then, but it was one subject in a semester for pen testing.

Okay, I don’t know how you do that. You just, you can’t learn everything in pen testing in one subject.

So let’s just say I thought it would be great. The more I spoke to the tutor, who used to work for a bank back then, and he was saying, yeah, I mean, this is just not even scratching the surface, you basically ticked off one box in, like, a list of 30 items. Like, oh great, so do I have to read the manual for all 30 of them? He’s like, yeah. I’m like, okay, then I guess what I
don't want. Thank you so much. [Laughter]

That's an awesome answer, though. That's a plus, and also I agree with, like, everything. So I would like to take this moment to thank our sponsor ThreadFix. They are the most stupendous application security management platform in this part of the galaxy, or the whole galaxy if you, you know, have done more exploring. You'll see that all the other galaxy vulnerability management platforms are not that great compared to ThreadFix, just so you know.

Elon Musk is just like, wait, there's another galaxy?

No, there's totally tons of galaxies. Come on, science nerds, let's do that. Yes, okay. So let's say someone wants to get a job just like yours, they would like to one day be the head of security. So I want to ask what type of learning path they could take to get there, and maybe what types of work experience you would suggest they try to get so that they could one day aim for where you are.

Sure. I would definitely... depending on the person, whether they are already an auditor or they want to start, there are quite a few. And I love how someone once told me this: security is an inch deep and a mile wide.

Isn't that Hollywood, the suspicion? An inch deep and a mile wide.

Oh, I thought it was like... but somewhere it came from. But I kind of like that, because I feel like we have risk management, where we talk about risk and governance, so that's GRC, then we have SOC, then we have identity and access management, and then we have the whole network security. You can just keep adding layers, and I would say it's definitely not possible in one lifetime to go through everything. I'm pretty sure there are people out there, but I don't think I would have had the patience for it. So the way I chose the path was, once I got into identity and access management, I knew if I wanted a leadership position I would have to have some exposure to risk management, so I started looking for opportunities in the risk management space. What that allows you to do is be
more... I guess, have a conversation with an executive, because no matter where you go, unless you're working at a cyber security company, no one else would want to know about cyber security, unfortunately. You would have to be that person to change their point of view: I am the security guy, the t-shirt. You kind of would have to walk around with that t-shirt, so like, oh, what is that? Just to generate some interest from people. They're like, there's this guy who walks around with a security t-shirt, I don't know what he does. I think it's kind of like those ones. So you would find yourself... unless you want to be that guy who's in a basement somewhere (I mean, totally fine if you want to), but if you want to be out there, like, you know, Tanya has got We Hack Purple, I've got just like this beard going with a thing in the background. If you want to be out there talking about what you're really passionate about, you don't have to color your hair purple or make a portrait of yourself, but you at least need to be able to go and explain to someone who probably has the money to support your initiatives why this risk is important, or what the risk is. So that's how I chose my path; that was my second kind of entry. Okay, so I need to tick that box somewhere, and as I was going through that process I kind of started getting involved with pen test activities, and I realized the importance of, when talking about different vulnerabilities in the company, they don't understand cross-site scripting or cross-site request forgery. Like, what is that? Is that like a technology, should I buy it? Like, no, you don't have to buy that, it just comes free with vulnerabilities in your software, I guess. So from that perspective it's always easier to have a conversation about risk. So I did identity and access management and I started doing risk, which introduced me
to the concept of cloud, pen testing and SOC. I dug deeper into the cloud space because I realized, the moment I saw it, oh, this is where people are going; the data center is going to be left behind. And so I doubled down on it, basically, for the next five years after that. I was primarily working in the risk and the cloud space. Any project that I could find which was in cloud, or about security in cloud, or risk management, I'll just be all over that [ __ ].

Again with that [ __ ]! It's like a stranger... oh my gosh, now it's like your fourth time, because then you apologize for saying [ __ ].

Yes, I know. It's like, I probably should have a counter going the entire time.

If you were, I would make, like, a short video where you just have a counter going for the number of times I said [ __ ]. I guess it would be a fun video. The editors can have a lot of fun.

It's true, that's right. Yes, just so they can be like, why does this guy keep saying [ __ ]? They're going to war. So I have a question, and then there's a question from the audience from Ahmed.

Yep.

So first my question, because I'm the host and I can do that. A thing that a lot of people want to know but don't know how to ask is: does your job pay well, in your opinion? So, like, when I first realized that I'd made it, in my opinion, was when I went to the grocery store and I was like, I'm gonna buy cheese, and then there were two types of really fancy cheese that I really wanted, and then I realized, I'm so rich, I can buy both. And so then I was like, I am upper middle class now, look at me with my two types of cheese. So does your job pay well?

Haven't you seen my background? Like, really, I've got plenty of money hanging around everywhere. It's like, I've got my own portrait, I've got everything going on for me. So, to answer your question, yes. And it's funny, one of the panels that I was part of for students, we were talking about why someone should go into
cyber security. Like, it pays well. I said, bloody hell, you should go into this. Why would you want to go for a job that doesn't pay you well? Especially if you're working, you might as well. But obviously the range varies based on the organization you work for, but you definitely get to buy as many varieties of cheese as you want. You can actually go to the point of saying, actually, do I like the smelly cheese, whatever that cheese is called, or do I like the blue cheese, or do I like the French bread? I'm not a cheese person, I guess. I kind of am a cheese person, I don't mind goat cheese; that's probably my extent of exquisite cheese, I guess. My wife is definitely into her cheese; I guess blue cheese is her favorite.

Oh, I love cheese. So there are a whole bunch of people in the chat that are saying, every time you swear you have to buy a book, and they've been counting, and so they said you have to buy eight books. [Music]

I have to be really careful now. It's gonna be an expensive podcast episode for me.

Okay, so the question from the chat is: what is a technical issue that you are currently struggling with in your job that is both frustrating and exciting? And I know that most security people sign non-disclosure agreements, so try to think of one that you're allowed to share, and then give'r.

Yeah. Oh, sorry, what's the name of the person who asked the question?

So it's Ahmed that asked it. And just so you know, "give'r" is Canadian for "just go for it," because we say everything's right, and then I realized no one knows what I mean.

Yeah, yeah. And so I'm trying to think of one. So thanks for that question, Ahmed, it's a good question, and I'll probably say the problem that I'm dealing with right now, and probably exciting for me as well, is cloud security, because I love the CSPM space. I don't know if you guys know much about CSPM, but it's cloud security posture management, and I love the space
because it's equipped the security guys to come out and have some visibility on the cloud landscape that they have in the environment. And the challenge that I'm facing right now, and the challenge that I feel a lot of other security folks should be excited by as well, is kind of like taking a step back from CSPMs, which are just telling me that I'm compliant to CIS, I'm compliant to ISO, I'm compliant to blah blah, insert compliance regime here. They're not making me ask the right questions. They're not making me go, should this really be public, or should this be private? What's the architecture like? I mean, if I were to walk into an organization and I just buy a CSPM, probably a great move, because you just get instant satisfaction that yes, I've got coverage across all my cloud. But what it doesn't do really well is something like asset management, digital asset management, to be precise. A lot of people still have Excel spreadsheets as asset registers, and I feel this is... we live in the 20th century, or 21st century, whatever century we are in. It's surprising when Azure, Google Cloud and all these other people have... they haven't thought about the fact that we should probably... and by the way, there are great solutions out there for this already, so I'm not trying to create something new over here. I find it really interesting how we don't go into that conversation. So for me cloud security was kind of like, okay, let's talk about assets first and what we have, so that we can at least talk about CSPM. And I think it's not the fault of the CSPM as well; it's actually the right way to go forward, because you want to know instantly what's wrong. You don't wanna be like, I'm just gonna do this fluffy asset management because of my compliance requirement or whatever. I think that's been a really interesting challenge, and I feel it's something the market is probably not ready for at this point in time, because there's not enough maturity for cloud security yet, but I
definitely see it coming. So that's a challenge that I'm excited by, but I also do know that it's not right now that people are okay with it. People are going to be okay with it in the same three years or four years, when everyone would be asking for it, and then I'm sure there'll be an amazing product that will come out and solve that problem.

So the audience noticed that when you were talking about asset management being tracked in Microsoft Excel... so Ahmed was commenting, "you're nodding your head so hard, Tanya, during the Excel asset management." That's pretty awesome. But it's so true, it's so true, and it's very frustrating, and I feel like the cloud providers, lots of them, have provided these really amazing tools, some of which are free. Free like, if you're paying to subscribe, it's part of your subscription cost, right? And I'm just like, turn them all on. If it is no extra cost and it does security, turn it on, please.

Yeah.

I give workshops and training on Azure cloud security, so I'm just like, please turn it on. Okay, so I have another question, but first I'm supposed to tell everyone we just released a new course at wehackpurple.com, so please check that out. Marketing complete. So what do you like the best about your job, and what do you like the least about your job?

I think the best part about my job is being able to work across different areas every week, as I was saying earlier about the Monday flying day and the Sunday night nine days. I love that part, because I am... I guess this is probably the COVID thing as well, but I'm actually a lot grateful that I get to work in such different spaces within security, and I definitely feel grateful for that opportunity. So that's what I love the most: I am solving a different problem. Sometimes it's a human problem that I'm trying to solve, but sometimes it's a technology problem that I'm trying to solve. And the least favorite part, which is slowly
turning into a good part, is talking about budget to vendors. Initially I would not be comfortable talking about money, but the more I've kind of matured, I'm like, actually, I enjoy this now. I would bargain for a dollar now. So I probably didn't answer the question directly, but I think I started hating it initially, but now I've kind of gone, I kind of enjoy this, I should do more of this. Can I have more budget? I don't want anything more, but I just want to be able to talk to a vendor so I can, you know, just grill them for a bit. This is not a good price, give me a better price, you should do better.

You know what, I love haggling, because in Canada we don't do it, but when I travel, even if I know I can afford the price, I'm like, no, I want to haggle. And so now at my company we're always having people try to haggle with us, and I'm like, yeah, let's haggle, this is going to be awesome. And it's sort of, like, fun.

I think so as well. Some people I know would particularly hate it; they just want to pay the money and walk away. But I'm like, how often do you get to have this conversation? It's like, you're not haggling at McDonald's.

I think they're like, Tanya, get out of here, stop your haggling.

Yeah, it's like, wait, so you want to haggle for a two dollar burger? And you want... sorry, a two dollar Happy Meal? You don't really want me to be happy, do you? I think my favorite one has been so far where I went to a cafe and I asked for a discount, and she said, oh, do you work in this building? Like, yeah, yeah, yeah. I was like, oh, okay then. I did not know this, but apparently people who work in that building, if they order coffee from that place, they get it like a dollar cheaper. And from that day onwards, every morning when I walked to the office (this is when I was walking to the office), I would go past that, yes, and they remember me, my name, they think I work in the building. I wasn't really cheating, per se,
but I mean, it's kind of like... I felt like, what I did... I did tell them one day that, look, I don't work here, and she's like, that's not my money anyways, it's not the owner's. All right, okay, cool, if you don't mind, I don't mind, let's just continue keeping that secret, which is out in the public now. I can talk about it because we're in COVID times and I'm pretty sure I'm not going to the city anytime soon for that coffee. [Music]

I love it. Okay, so we just have a few questions left. So if someone wants a role like your role, and they're like, he seems awesome, I want to have a job like him, what advice would you give them to try to get there? Like maybe an actionable step or two.

Sure. I will definitely start with knowledge of cloud first, and I feel the reason I say knowledge of cloud as an actionable step is because the more you expose yourself to, I guess, going into a role where you're working for a tech or a product company, it would kind of become obvious that a lot of people are expecting security to be technical. Not technical in the context that you're writing code, but technical in the context that you would understand the network of a cloud environment, you would understand the nuances of your cloud environment. You don't have to be able to do a full DevOps pipeline. I mean, if you do that, it's awesome. Like, I can do it, but that doesn't mean that I would do it every day; it's just not my thing. If I were to tell someone, I would probably prefer the security aspects of it, so how to design it and maybe some nuances. I write really bad... I was gonna say [ __ ], but I didn't, but I'll say it again: I write really bad Python code, so I would not even put myself in that bucket. But I feel that knowing cloud is probably a great practical skill to have if you're trying to get into a product space as well, just because, for me, if I were to look for a replacement, for example, anyone who's
listening right now, if I were to look for a replacement for myself, my absolute must-have, definitely more than risk and compliance, would be some knowledge of cloud, because there's so much in there, and a lot of the conversation that I'm having with people is around the nuances of cloud, or a particular cloud provider. You can pick any; it doesn't have to be only AWS, and you don't have to know all three. I feel it's a bit unrealistic to know all three, although Darpan, who's listening to it, he's done all three, and he's done Oracle Cloud as well, so he's amazing like that. But I feel that's definitely a rare breed. It's not everyone who can go all cloud, because it's almost like knowing, I don't know, really good PHP and then really good Java and then being really good at Python. That's just not the case, at least I haven't met someone like that. I feel that's the same case with cloud as well: you do one really well and you're able to transfer most of the skills from that one to the other one that you learn. So that would be my actionable advice: get some knowledge in cloud, learn some empathy, give some hugs.

Security hugs, that's right, that's right. Oh my gosh, another mug: "Get your security hugs here, We Hack Purple." Oh yeah, that's right, yes. Basically I'm just like, I'm gonna go over this episode and steal everything you said and then make mugs out of it, and then I'm gonna make hundreds of dollars. [Laughter] Okay, I have two more questions before we say goodbye, and then at the end I'm gonna read some reviews of the podcast, because obviously everyone listening has subscribed to the podcast, but maybe they haven't reviewed it yet. Did you know that I believe in bribery, and if you review our podcast and then you send us a link to your review, we will mail you, physical mail, cute stickers? That's right, I'm so not above bribery. I'm below bribery, I don't know. I'm okay with it in regards to stickers
and podcast reviews. But before I read them to you... oh no, someone says you have to buy me some cheese. [Laughter]

That would be too expensive, we can't afford the cheese.

Okay, so I have two questions. The first one is, do you do things outside of infosec, outside of your nine-to-five job, and I guess probably your podcast? But first of all, do you want to just give a pitch for your podcast, and then tell us another thing that you do outside of your nine to five?

Yeah, sure. So Cloud Security Podcast started in Jan 2020. It's a weekly podcast, live streams every week on LinkedIn, YouTube, Twitch and Periscope, and each week we basically talk to a cloud practitioner about different topics. So the topics may range from application security, DevSecOps, cloud security, infrastructure security and chaos engineering (who would have thought I'd talk about chaos engineering as a thing), and threat intelligence is another one that we've covered. So yeah, if you are someone who is interested in that field, you don't have to be an expert. You might be someone who just wants to get into the field and is curious about what that field is. We have a lot of episodes where we talk about some of the basics, where you can start, what kind of questions you should be asking, and some episodes where we go quite deep as well, to get a bit more of a deeper understanding of, if you want to secure something in cloud, what you should be doing. You can follow all of that on http://www.cloudsecuritypodcast.tv. And yeah, that's kind of where most of my... sorry, most of my post nine to five is. Outside of that, I'm massively into men's fashion, and that's why, thank you for the comment about the hair. I blow dry my beard, to the point that... I did not realize the investment that I'm taking on with my COVID beard that I have. I have to blow dry not just my top hair but also my beard, so that's
something that I do outside my nine to five, which is google how to maintain a good looking beard. That's pretty much what I did.

I love your beard, you look great. I mean, you look great without a beard as well, but your beard's looking awesome. Trust me, I have seen some pretty scary looking rugged COVID beards, and not rugged like they're outside doing things, rugged like "I don't take care of myself."

I'm gonna pass this to my wife as well, someone else who appreciates the fact that I'm maintaining it, because she's like, why do you spend 15 minutes on your beard? I'm like, it takes time, honey, all the hair strands. Yes, so that's something else that I do outside my nine to five. I was thinking of putting on a nicer t-shirt. I was like, work can't have a t-shirt, but I should change because she's just going to be there. But, well, I mean, I wore my Cloud Security Podcast t-shirt, so, yes.

Oh, that's such a good shirt, oh, I love it.

Yeah, thank you. It just had to be bright, so you can thank the wife for the design. She's the creative one.

Oh really? It's good, I like it. I also shared a link to it, because we want people... oh, thank you. Well, but of course. Okay, so the last question, and then we say our goodbye, and then I will read podcast reviews, and hopefully they'll say nice things. Oh, someone says, tell her that you are representing her, so you have to maintain the beard and look good, and also you are the best dressed cloud security consultant all around.

Oh, in the galaxy.

In this galaxy, in this part of the galaxy, so like, we haven't checked the other parts yet, so you better hold your breath. Yeah, that's right, I'm like, I was going to say in every galaxy, but then I realized, oh, there are other galaxies as well, so maybe in this galaxy, let's go with that. There's another Ashish in another galaxy, he's probably blow-drying his beard right now and he's like, I'll get that Ashish. [Laughter] Okay, so the last question, because people probably
were like, okay, this guy's awesome, I need to follow him. So where can they find you? Do you have a website or an event coming up, or any links or anything that you want to promote?

Sure. So I usually hang out mostly on LinkedIn, just because that's where the livestream happens; it's just Ashish Rajan over there. The second place that I hang out at is on Twitter. But if you're looking for episodes from me, you can probably go to my YouTube channel. Everything can be seen on http://www.ashishan.com, including my artwork, if you want to buy that. I've made it a point... so apparently on my Patreon program someone wanted a picture of this on a mug. I'm like, sure, I'll give you this one on a mug. So if you want a mug with that picture, I can totally make it happen on my Patreon program. But sure, that's kind of where you guys can find me, just go to ashisha.com.

Oh, I'm giggling and I'm muting at the same time, so that doesn't work. Okay, so I'm just sharing it on the screen so that everyone can see it, and everyone in the chat can see it, and it will be permanently there. I just found your website and it is wonderful. Okay, so thank you so much for being on the show. I really appreciate it. I feel like the time passed so fast. Like, the time was very slow while we were technical troubleshooting and we were trying to connect; I felt that was about four weeks. And then the time once we started, it was super sped up, and then it was like only a few minutes.

Thank you. Yeah, I know, we got the image either way. I think we should tell the audience we were just going to act cool if it worked in the first five minutes. We're like, totally, we were just doing a celebrity entry, we were just coming late, that's pretty much it.

Yeah, we're just like, fashion cool, showing up late, because we don't respect our audience. No, that's not true. Like, that was
us five minutes into it, ten minutes into it, like, oh [ __ ], this is gonna take a while. But that just went down very quickly.

You have now reached double digits of books you have to buy.

That's right. So you're going to have to be like, cannot pretend to be fashionistas anymore, I have to make this work. Put the nerd hat on.

Oh my gosh. Okay, well, thank you so much for being on the show, my friend. I am going to now do the wrap up, so goodbye, and I will see you next time, probably on your podcast.

Okay, a hundred percent. You should listen to me, and if you're listening to me you should probably listen to her as well, so just go to Alice and Bob Learn Application Security. That's it. Thanks so much for having me.

My pleasure. And everyone, subscribe to his podcast too. Thank you. All right, bye.

Okay, so now I'm going to read to you... first of all, tell you who's coming up next. So up next we are going to have on this podcast Marie Moe. That is the woman who hacked her own heart, and she is going to be on at a very special time. If you want to catch the live show, it's going to be Tuesday, September 29th at 10 a.m. Pacific time. The reason for this is she lives in another country and her time zone was really weird, and obviously I wanted to have the woman that hacked her own heart. And then next Thursday at this exact time we are going to have Juliet Okafor, and she is the CEO of a cyber security company, and she's also ridiculously funny and charming. I saw her be the host last year for the Women's Cyberjutsu Awards and I was just like, you're amazing, and can I please be your friend? And then she wasn't weirded out and didn't run away, so then I asked her if she would be on the show and she said yes. The following week we will have Tracy Martin. She is the founder of DefendCon, a super awesome conference, and that is October 8th, and she's a principal security engineer for IoT, and so that's pretty cool. And then the week after that, October 15th, we're having Katie
Paxton-Fear, and she's going to talk about, first of all, what it's like to be a PhD student, because that is wicked hard, and then also how to be a bug hunter. And the week after that we have Dominique West, and she's gonna talk about what it's like to be a cloud security consultant. You might know her from Security in Color; it's a podcast, also there's a website and there's a Twitter feed and there's all sorts of cool stuff around her. And we have a whole bunch more guests coming up, and you can find out about all of them at wehackpurple.com/podcast.html. Yeah, that's right, old school .html.

Now I'm going to read for you just a couple of the podcast reviews, in hopes that you think that maybe you want to review a podcast too. So the first one is from Nav S15 from India: "Is that a podcast I wanted? The name She Hacks Purple in the infosec community is well known, and probably we are all waiting for insights from Tanya and some other great folks, and I was happy to hear from Melissa, the queen of code. Knowledge from the people who make appsec interesting is great. Looking forward to more amazing content." Thank you so much. Another one just says "We Hack Purple," and it's from Colin Brd from the Netherlands, thank you. Another one from Ray Ken from the United States: "Awesome career advice. Tanya is well known in the industry and really good at what she does. The director of strategy is a tough role (that was Mario Platt) and it's a tough role to get into. There were great insights into the role and expectations. Highly recommend this and future podcasts." Another one from Abhivan from India: "One of the best infosec podcasts. Tanya certainly knows how to make learning fun. This podcast is an amazing place to get going, and if you're a beginner you should definitely give it a try." Thank you, thank you. We have another person, SF Hummingbird. It says: "Amazing. If anyone's looking to get into the field or wants to move upwards, this podcast is for you. Tanya Janca is such a great influencer
when it comes to sharing knowledge and connecting folks to mentors. Thankful this podcast exists for the security community." And the last one, Xander from India: "Great podcast for those who want to get into infosec. I definitely recommend this to all of the infosec-ers out there." Thank you so much. We really, really appreciate it when you give us reviews. Thank you, and like I said, if you send us a screenshot and a mailing address, we will actually send you a real live sticker to say thank you. So much, I really appreciate you tuning in. Thank you again to our amazing sponsor ThreadFix, who has sponsored most of the rest of the entire year. I can't tell you how appreciative we are. I appreciate the guests, and again, I'm Tanya Janca. Thank you so much for joining the We Hack Purple podcast.