We Hack Purple Podcast Episode 15

Teuta Hyseni

In this episode our host Tanya Janca (also known as SheHacksPurple) talks to our guest Teuta Hyseni to learn what it's like to be an Application Security Engineer! We talk about what each day is like, the types of skills you need, the fact that an automated scanner can never find all of your business logic issues, how many jobs there are in this field, and how much fun it is!

Sponsored by ThreadFix!

Welcome to the We Hack Purple podcast, where each week we meet a new guest from all sorts of different backgrounds within the information security industry, and this week we have Teuta Hyseni, and we are going to talk to her about what it is like to do her amazing and very interesting job. This week is sponsored by ThreadFix, and they are our longest term sponsor, and I just want to say that we at We Hack Purple are so ridiculously grateful. I want to say happy Thanksgiving to all the awesome people in America who are, you know, eating delicious turkeys or tofurkeys or whatever it is that you are doing. I also want to let you all know that tomorrow is Black Friday, and We Hack Purple is doing a special deal where if you buy our bundle of application security foundation courses you get a 30 minute free consult with me. Yes, you get to hang out with this giant nerd. I don't know, I told them, I'm like, I don't know if this will sell more or less. Anyway, without further ado, the person that you actually want to see, our guest Teuta Hyseni. Let's just bring her on, shall we? Okay, here she is. Yes, welcome!

Hi Tanya, you are so amazing. Um, yes, hi everyone. So my name is, um, and well, for most of Americans I'm Teuta Hyseni, and so yeah, I'm a security engineer at Microsoft and I'm super happy to be actually with Tanya Janca today. It's Thanksgiving, and you know, like, grab some turkey and listen to us.

Yes, we met when I worked at Microsoft, and if you meet awesome people I feel like you should just stay in contact with them, so that's what we did. And yeah, thank you so much for saying yes to being on the show. I'm like pretty excited to have you.

It's my privilege.

I have a surprise for you. Um, so you happen to know the people at ThreadFix, and as a surprise for you they donated 1,000 in your name to Girls Who Code. Is it, isn't that so amazing? We wanted to do something awesome for you, and they're like, we've been planning this for a while, and so I was like, this is super great.

Um, well, now just I get emotional
because the ThreadFix and Denim Group has been like a company that I worked like for longest, and I think I learned so much. It's, it's, yeah. Um, well, thank you. Uh, thank you Dan, thank you John, and whoever. Um, I, I know that, um, I will always be a friend, uh, even though I have not have been, uh, you know, kind of gone now for three years, but I know that I always have a friend there. Um, and this is such an honor and I don't know how to thank you. This is great. Um, and it's actually, it's a cause that I really care, because I am really vocal in terms of, you know, uh, educating women, especially like girls from young ages, to actually code and be part of technology. So this is just awesome.

I know, I thought it was like the best idea. I was like, you guys are great.

I, yeah, I don't know, this is so great. I cannot, I, I'm super super excited.

I know, we wanted to make it a big surprise, and I was like, I'm just going to spring it on her at the beginning.

Yeah, well, just a virtual hug to everyone in the Denim Group of ThreadFix. Um, it's just, this is great. I, I don't know how to express my gratitude more, and it's Thanksgiving, and just like, this is so amazing. I don't know. Um, well, you, y'all got me. This is, this is amazing. I don't know how to even be surprised.

It's so lovely. And I mean, the ThreadFix people are lovely to work with, and they happen to be hiring, so if you're looking for a job in application security you should check out their careers page, and I'm gonna have to like look it up at some point and like put it in the chat so people can check it out.

Yes, so yeah, um, for those, yeah, for those who are also interested to join, um, application security, that's how, where I actually everything started for me. So I got, you know, I got taught by best in the industry, I'm just gonna say that.

Yes, yes, they are great, and we love our sponsor, and not only because they're a sponsor.

Yeah, they're good, they're very very good.

Okay, so now I'll actually start the podcast. So, so please tell us about your job title and describe what
your job is like for us.

Yeah, I, um, this, uh, this whole start is actually amazing. I'm, um, I'm, you know, just, I'll, um, I cannot stop laughing. But so my job title is security engineer. I work for Microsoft, I work for Office 365, and what I do is, I'm more specialized in application security. Basically my day to day would be architectural reviews of new or existing features, also do a lot of, you know, investigations, um, and the incident response, and then also a lot of education, because we have this, you know, culture that if we want to educate our engineers, to empower them with the right tools, so then whenever they build features they, they already have the, you know, the base. Whenever they build something it's built on a good base and foundation. So a lot of education, I do security champions, and then of course I'm also involved in legal, privacy, that's always fun, but my main kind of focus is in application security side.

Cool. What is it like to be, kind of like a day in the life of doing that? Like what is, what is like your day-to-day? Are you in meetings all the time? Do you get to hang out with software developers? Are you coding? [Music]

So, um, all of that. I actually don't do a lot of coding, but my day-to-day, one thing that I love is that it's never the same. You know, you wake up and you get a lot of surprises. So it's one of those jobs that maybe you can plan forty percent of your, you know, quarter, but sixty percent, let's just say that it's gonna be always surprised. So every day is a surprise, um, and so, you know, you never work on the same thing. But just to, you know, kind of recap like from high level, um, I spend a lot of time with engineering, product team, because as I said one of the things that I do is threat modeling, and threat modeling from design phase, which means that all requirements, security, are put in place before the feature is actually executed. And then of course a lot of chit chatting, for example, oh, can we use this or can we use that, so a lot of console consulting, even though it's an
engineering job. But it's, you know, um, or our job is to consult engineers in the best practices, the best possible outcomes that a feature can be implemented, a lot. And it's interesting, my relationship with engineering and product is like a partnership, meaning that whenever we work it's like we work on towards the same goal. Um, their goal is to execute a feature, they want to make something easy and everything, and then we want that feature to be secure. So that's kind of like how I spend my day, is with engineering, a lot of meetings, a lot of, um, discussion, a lot of like architectural reviews. And then of course sometimes, um, there's like, uh, privacy and legal eye, and this is, don't necessarily am a privacy engineer or manager, but it's there. I am like that glue that glues everything, and then like a distributed whatever, whether a task or something, across like different teams. Um, and then as I said, education. I would, um, so I initiated this program called security champions. Um, I would organize like at least one per month, sometimes a, um, a topic, and I will talk about, I am not sure, like let's say cross-site scripting or something, and then that will help engineers to, you know, understand, um, from basic to more, you know, convoluted things. Um, and then, um, also it's really important to keep updating, to keep up with what is going on in our industry, and so another thing is I also try to keep everyone kind of up to date with what are the trends and what we have to look for.

Okay, okay, cool. I am, I am losing your picture for a second. A second, uh, Zoom app window, plus I'm doing something wrong on the screen here and I'm not sure what I've done, but it just got really confused about who it's supposed to be seeing. It's definitely supposed to be seeing you. Interesting. We are in the, we are in the corner and we're really small, and I want us to be the full size. It's like we're really really little and I'm just like dragging us around the screen. Whatever, I'm going to ask you another question and I'm going to
figure out what it is decided to do in the meantime. But so, your job has a lot of different parts. There's like a lot, like you have to be able to be social, you have to have like a technical mind, you have to be able to explain like really really complex abstract concepts to lots of different people who are all super smart but all have different backgrounds. What types of personality traits do you feel like someone needs in order to be good at your job?

Um, definitely. So as a security engineer, so I can at least compare with, with software engineer. Um, so I was software engineer before as, but the difference is, with security engineer you have to have, you have to be really resilient, um, and you have to be able to deliver not so good news. Uh, it's interesting, if, or you know, as a software engineer you're all like flashing and, you know, showing off your features, and as a security engineer it's a little bit different, but you have to be able to deliver those, those particular news in a way that is digestible by, by everyone. So communication, really resilient, you have to have strong personality, you have to be really happy person, because, you know, the, the interest, you, the reason why you're working on what you're working is, you know, it's not, it's so, it, it drains you. So you have to have a lot of power, a lot of energy, and then of course curiosity. Um, because, so if you think about a, you know, just from technical skills, and then, you know, you have to combine that with your personality, such as, uh, curiosity. You have to have that detective mind, you have to be able to think on a different perspective. Always when you look something you have to switch lenses and think, uh, from, we, we have heard this, you know, hacker perspective, but it's actually like you have to be able to think through all the steps that a malicious user will do. But then that is, you know, it's, it's draining, um, you know, because you have to go down to that level. But it's interesting because it's a, it also has to do with, you know, you have to
understand the philosophy of a different people, different backgrounds, different intents, um, interest on what. Like, and also another thing is you have to also be able to understand your product, um, your product, what are the weakest points in, how, what are the most valuable things. So a lot of analysis goes besides technical skills. Um, and definitely you have to have, you have to be really resilient and be able to perform in practice whenever, like, if it's a daring situation. So, um, definitely a lot. Yeah, it takes a lot to, um, a lot of energy, a lot of, you have to be a positive person to be able to, you know, power through, because sometimes it gets, you know, hard, and when, you know, things get hard you have to be able to motivate yourself. So those are things, um, I would say.

Oh my gosh, I feel like, okay, so I do AppSec so I'm very biased, so I think your job is the best of all the jobs in infosec. Um, so what types of, I, I don't know if this question's sort of the same as the previous question, and so if it is you can tell me. But like in the last question it was like personality traits, like do you need a lot of leadership, do you need to be empathetic, but what about like, you know, like aptitudes, like a person that has hyper focus or a person that has like great attention to detail? Um, I don't, I don't know if there's certain aptitudes that make someone better at AppSec than someone else.

Yeah, so, um, you know, attention to details is, you know, really important. I mean it's, it's what it is. You have to have, you have to be laser focused on, on things and analyze like small pieces, because those small pieces make a lot of difference. Be able to understand patterns, you know, um, not just patterns like in shapes, I'm talking about like action in pattern, like patterns in terms of action. Uh, you have to, you have to be able to follow those things, um, because those are like pieces that make, um, you a better, like I would say like engineer, security engineer, than others. Because you have to, as I, you know, always say, technical
skills is there, but you have to be able to have that ability to recognize your small changes. For example, um, when you analyze in an application, um, not necessary all the vulnerabilities, or like one vulnerability, will, you know, will be like flashing in your eye. Um, sometimes you have to piece things together. It's like, okay, so this and that and this one, this is gonna be combined together, it's gonna make this, you know, whole attack possible. So you have to think on that terms. Um, so, um, you know, imagination, and, you know, as I said, thinking on the lower level as a malicious user, those that have bad intent, you have to be able to understand their background, their philosophy, and then act on those levels, and then analyze your product. But definitely also piecing together, piecing pieces together, attention to detail, small details. Um, in my experience, um, I think, um, there is a story, like when I was, uh, before, as a consultant, there are like cases where applications been like assessed for ages and they were like, oh, we feel really confident, you know, that this is, you know, it's just a routine or something, but it took only one small issue that I, you know, had, you, was able to get to, you know, the god mode. So, you know, those little, oh my gosh, those are like that make the whole. I mean, as I said, vulnerabilities be something that you can scan, and, um, so there are technical vulnerabilities and there are logical vulnerabilities. Technical vulnerabilities are easier to catch because, you know, they all have tools, you can automate some of the things. Of course there's false positive, but still. Um, logical vulnerabilities are those more dangerous ones, because it's where the logic feels, felt short, and that's where, you know, you have to be really really in, like, able to understand your architecture and then know what are the gaps and fill those gaps, because those are make a huge difference.

Do you, do, so like, so I, I'm biased again for the 55th time, but do you feel, um, that business logic security vulnerabilities, so like
security flaws we could call them, are able to be found with automated tools super easily, or do you think we need security experts to find them?

So yeah, and business flaws or logic flaws or something that you cannot explain to a scanner what to find, right? You can, you, the scanner, whatever scanner you have, um, it's not going to be able to understand your business. Um, and so that's where you have to have security engineer, security, someone who has expertise on this field, because that's, uh, for example, when you think about product, you cannot like automate a product engineer, like a product program manager, you cannot automate his knowledge or her knowledge. Uh, it's same, like you cannot automate security expertise when it comes to business logic, because those are like where [Music] I, I don't want to say like less or more, but that's where like the expertise are mostly needed.

Yeah, I, I mean I set you up to say the thing that I think, so I don't like my words.

I right away understand like where are you trying to go.

No, but it's true, it's so true. So like a thing that people ask me about a lot with becoming an AppSec person, they're like, so sometimes people will ask me, do I need any technical skills to be an AppSec engineer, and I'm like, yeah, and they're like, which ones, and I'm like, oh. What types of technical skills do you feel that a person needs? Because you need a lot of like communication skills and social skills, but like, you know so much, so what kinds of things?

Yeah, so I, you know, I don't want to sound, but this is just my opinion again, but for me, so what helped me to be a good security engineer is my background as a software engineer. And the reason why I'm saying, I'm not talking about other engineering fields, but application security, um, [Music] you have to, you know, as I said, I spend most of time trying to consult, to give advice, to do like, okay, so here is a remediation plan and this is how you can solve it. You have to know, you, I don't spend time coding but I have to be able to, you know,
explain, okay, so here is this function, this is where we are, like we, we have the issue, and this is how we can fix it. So technical skills, not, I don't say, again it depends from company, and then there are some, some roles, so you can actually, you spend time building tools, but at least for my perspective, currently I don't code a lot, but you have to be able to at least know one, uh, programming language. Um, not saying on, you know, trying to code features, and that is not necessarily required, but how would you, how would you give advice to an engineer when you don't have the background of engineering at all? So I, I mean it's not, it's not that it's not doable, and there are so many, you know, nuances of different roles. You know, you, you, you have security, when we talk about security it's not like just application security and infrastructure security, there are like different flavors that your skill set and, you know, you can find yourself. But for application security is best when you actually have at least one programming language, you can read the code. How would you, how would you recommend something else, you know, how would you find the issue?

So I agree 100. If you, if you could see the little picture of me beside you, I'm just like, it's like nodding vigorously the whole time. I want to suggest that everyone follow you on Twitter. So yeah, her Twitter handle is slightly different and I'm going to spell it out for people who are, because you would think it would just be her first name and her last name, but it's slightly different. So it's t e o o t a h y s e n i, so just like at, or you know, just twitter.com, and I have it on the screen right under, underneath. Oh, we have a question in the chat. Someone is saying, is there a specific language that you would recommend learning?

Uh, okay, so I, it, and you, you, you know, to answer this question correctly we need to go back and see like what are the trending languages, but in enterprise level mostly you have Java, C#, Ruby, these are like kind of the common text
tech that are used in, um, bigger companies, but then you have Python. Um, I would, so whenever I said you have to know at least one language is, you have to understand how programming language works, and then once you are, once you're good with one language, even if it's slightly, like if you switch to Python or from Java to C# or every, or whatever, you will be able to read the code. That's, I think, like that's what I think a minimum, minimum bar would be. But I, you know, I, I would have to defer, the answer would be, um, based on the trends. Uh, but majority of companies use either JavaScript, Ruby, so those are other languages, yeah, and then of course you can get more fancy, Golang and Scala and everything else, but, um, those are like, at least it will take time to replace these languages. Um, so, you know, I will give a decade if not more to be able to replace all these applications with, you know, these languages.

It is so true, it's so true. People are always asking me which language to learn, I'm like, just learn one that is not thousand years old. So then, oh, so someone, someone else is saying, so once you are proficient in a code, like two to, two to five years, you could focus on AppSec in that code. I would say that no, you could focus on AppSec in any language. Like you don't, you don't like learn just one and then work in just one, I would say.

Yeah, no. So yeah, like when I said one language is, the reason why I said one language is just so you get, you get the structure of programming, how it works, like data structures and how programming language works, and then once you have at least one language that you are proficient, then it's easy for you to switch back and forth on different languages. So that's in the context, but you don't have to work only one language that you know. Never limit yourself if you can. You know, I am a really big on learning, and, and you know, if I would say I'm, you know, I'm just going to limit myself, that is, you, yeah, you should not do, you should not limit yourself. Always aspire to learn
more.

I am agreeing with her 500, and we are at the part of the podcast where I am going to thank our sponsor. So I want to thank ThreadFix, powered by Denim Group, because they are the most stupendous vulnerability management system this side of the galaxy. I told them I would say whatever they wanted, and I was like, oh my god, this is the best sentence I ever get to say, ever. And then I also want to briefly tell people about a book. So I wrote a book, it is called Alice and Bob Learn Application Security, and, um, so I'm showing like a little picture of what the book looks like, and you can buy it from basically, uh, anywhere on the internet, because Wiley is awesome, like Indigo, Chapters, Amazon, all those places. And so if you want to learn lots of cool stuff about how to secure software specifically, or how to build an AppSec program, all of those things, that is the type of nerd I am, the type of nerd I guess we both are. And so, um, yeah, so I have now officially done my marketing. I am amazing.

Listen Bob. So, um, yeah, and then for people, I actually followed Tanya and all her presentations. I would go and listen to her, and then, so that's how I learned as well. So yeah, I would follow her on all the conferences.

I follow her too. Just to be clear, we follow each other. She's also awesome and everyone needs to follow her, and then I'm gonna put her Twitter handle on the screen again. Um, so I have, I have, I have so many questions. Um, so let's say someone's like, okay, that sounds awesome, I want to work in AppSec. What types of training or work experience could they get or do or pursue so they could try to become an AppSec professional? Like what types of things could, could they do, like whether it be like getting specific work experience, getting specific training? You totally can recommend things that do not come from my company, just to be clear. This is not a trick question where I'm like, you can only say me.

Well, so one thing is of course, because as I said I followed you like even before you opened your company, so
I know your level of knowledge and level of expertise. Um, for, so I myself, how I got to secure, application security, is I did a lot of hands-on projects. Uh, OWASP is my favorite. I still go towards to read things, because I think that I always need, will need to have, like, because there's always new things. You can try, you know, um, your knowledge, you know, download Kali Linux and, you know, uh, work on, and all the tools. But in terms of experience, I am again a little bit, like I don't want to, you know, be siding, but I would say, uh, work, if you want to, uh, start, so if you wanna, the best way to learn for me, and this is how I learn, is by, uh, doing it. And so I would, I would say if you want you can start very beginning with some software engineering work, uh, just so you get used to programming and everything, but that is not necessary requirement. And then for me, I just learned everywhere, like whatever I, I could, like all the sources that you have in, um, us, I think your, your great start, that's it. And then, you know, you can read books, you can take classes, there are online classes for free now. I, you know, I am amazed the amount of knowledge we have compared to like a decade ago. So definitely for me I would recommend, you know, and this is based on my experience and based on my, how I got to learn, um, is by just going off of, um, different YouTube, uh, videos, you may know, like even that, that helps. So, and definitely, you know, Tanya's classes.

Yes, I agree, my classes are awesome. We Hack Purple courses, you should definitely check them out. If you want to be an AppSec engineer that is obviously the first place to start. But I actually agree with all of your advice, especially OWASP, and especially like trying things out for yourself, building things, learning to secure them, like trying to kind of hack on them and break them and then seeing how you can make them stronger. It's like such a good way to learn. I want to add to your list the OWASP DevSlop project, like specifically, like it's a really, so I'm biased because it's
I'm part of this open source project, but basically like we just wanted to learn about DevSecOps, so I'm like, let's smash [ __ ], let's make a pipeline, let's add things, and like let's invite cool people who know stuff and make things with them, and it just like, try. I couldn't agree more with you, all the things you said, so good. We have a question in the chat. So the question is, are people skills or soft skills underestimated or underrated or underrepresented in AppSec or cyber security in general, do you think? I realize that I added a lot of words there.

Yeah, I would say no, actually. So, um, as I said, uh, at least, you know, as application security engineer, even as a AppSec consultant before, number one thing that you do is communicate with people, and you have to be able to, you know, elaborate things. Um, and then also it, in part of partnership is, you know, you have to have the empathy, you know, towards engineering, towards product team, because everyone, um, are, you know, kind of trying to do their best, right? So people skills actually is really important as a security engineer, because you don't want to be that security team or engineer that people will hide from you, or like, right, or hide, or not just physically hide but hide their stuff, you know, hide their, not trust you, not trust things with your knowledge.

Exactly.

So then they can find a way to bypass you as, as much as possible, because that's where like then you, you know, it's, it's not good. Um, and, and so like you have to be able to have a, you know, you have to cultivate your people skills, you know, I would say, not like, but it's, it's, it's, it's, you know, it's one of the aspects that sets you for success.

Yeah, I, I think that the way you said it was so perfect, like don't be the security person that the devs hide from. This is so true, it's so true. Um, so someone, or someone is saying basically that they agree with you, you have to have empathy, you have to have understanding, everyone is trying their best, you don't want to be that security engineer that
people hide from. So I, I think they're 100 percent agreeing with you in the chat. I, so the next question is like ever so slightly, um, sensitive. So I, does working in AppSec and your type of job and your field, does it pay well? [Music]

Um, well, I would say like, pay me billion dollars, never enough. No, I would say that it actually, it is a well-paying job. Um, and, um, it is because what, in, for example, let's just say, you know, I'm going back a little bit in history and how security has become number one problem for non-CEOs but CEOs. So it is something that is, especially like given the pandemic and everything, like more things becoming online or remote or whatever you want to call it, um, it's, it is a, well, it pays well because of the level of stress you have, um, of course, and the level of expectations from security are, when, when security is good everything is quiet, you know, when, when there is no problem. It's in, when, you know, I would say like if you want to know that you're doing good, isn't when nothing happens, you know, it's like everything's still. Um, so you know, that's, that, that the, the level stress and, you know, the, all those kind of different flavors of skill set that I've mentioned, um, are that needed to actually have a well-formed engineer, are, you know, generously paid with from different companies.

So a way that we have, so inadvertently on the first episode I talked about when I was a dev and the first time I felt like, I've made it, I am an adult, I am making good money. I had gone to the grocery store and there's like two different types of cheese, and I was like, both these types of cheese look super delicious, and then I realized I made enough money I could get both cheese. I'm like, I could get anything I want in the grocery store. So someone in the chat who watches every week is like, I demand to know the cheese pay. So can she buy all the cheese she wants?

I actually am a fan of cheese. Once I realized he said, I can't buy mozzarella cheese with that.

As much mozzarella as she wants. Does
someone wants to say hi to you in the chat. Efren Sures says hi, good to see you.

Ah, Efrain, right?

Yep, yay.

Um, okay, so I know him. Hi everyone.

Awesome. So my next question is, are there a lot of opportunities in this field? Do you think there's jobs?

Yeah, yeah, definitely. Actually if, if you're interested let me know. I get reached out by a lot of recruiters, so based on that I would say there are a lot of opportunities, and this demand is not going to decrease anytime soon. Given the ratio of application, well it's not application, but given the ratio of, um, day-to-day things that we're making or we are empowering or powering with applications, it's just exponentially growing. I don't think that it's going to be sorted, I mean short, is in opportunities. Actually it's just going to be short, maybe short is in demand, I mean in, um, supply, which would be like engineering. Yeah, definitely it's good. I mean it is, it is interesting. If, you know, I have a philosophy, it's kind of, you know, when you think about it it's kind of sad, right, because you have, you know, the number of, you know, what your purpose is to defend. So, you know, that's kind of the, but anyway.

Yeah, like I, I tell people that if you want to be a good AppSec engineer you're trying your, your damnedest to put yourself out of a job. You want to make everything self-service, you want to teach the devs every single thing they need to know, you want to have every single thing set up so that all the magical things work in, like nothing bad happens, and you're like, I can relax. Which you never can, but like that's the goal, right? [Music] [Laughter] Wait, was that a movie? You're like, that's not real, Tanya, good luck.

Yeah, no, um, I wish that was the case, but, um, that's actually like what we constantly strive for. We want, so we want to automate things that can be automated, so then, or focus actually, it's more and more things that matter and there are, that requires mental power and, you know, analysis, that a, you know, still, uh, computers say, do whatever what we say, you know,
what we teach them or what we, how we feed them. So, um, definitely that is like constant, uh, kind of, we constantly work on trying to automate things that can be automated, and then, you know, so then we can, we free ourselves to do things cool, cooler than everything.

That's so true, it's so true. It's like we automate so then we can do the super cool tasks. I tell that to people and like they're like, really? Yeah, there are cooler tasks than run, like the first time, I don't know about you, but the first time I ran a scan I was like, I am amazing, but then the tenth time I ran a scan I'm like, okay, so while that's running what can I do that's way better?

Exactly. Um, yeah, definitely, the, you know, things that can be automated we always try to do that so we do cool stuff. I mean no one wants to run schedules every day, right?

Yeah. So okay, so the next question is, so there's like a, it's a two-parter. So the first question or part of the question is, what do you like best about your job and your work, and the second question, which you already probably could see coming, is what do you like the least about your job and your work?

Yeah, um, so should I be the person with the good news first? Uh, I will say the first the good part, you know, and then, you know. Um, so the good part, from what I love about my job, um, is the mission. Um, I don't know how to explain how, so whenever I moved to security I did not understand really like the implication, the, the altitude and, and you know, how, how, how impactful is, you know, security, until I moved to it. Um, so we as tech, you know, as a tech industry, we build up so many tools, which is great, we want humans to have more time, but, you know, we also responsible, really responsible, to make sure that those tools are not hurting. Um, and when I say hurting, um, because when people say it's a virtual world, no, actually everything that now is tied to an application actually is impacting my life, and that's not virtual at all, it's actually real time. Right now if someone does something to my account
it's not a virtual world, actually it's my bank account and my money and my sweat and my tears. So, you know, so those are things. So given the fact that we are trying to digital, digital, uh, digit, uh, digital, digitalize everything, because I got so emotional, uh, given the fact that we are doing, you know, we're putting everything on powered by application, we are responsible to actually protect, um, those who can protect. So the thing that I love about my job is that I know that I'm doing something good. Um, so, you know, I'm, I'm trying and I'm, you know, I'm protecting those who can't, because not everyone, you know, is technical savvy. Um, and so my mission, it's like a life mission, it's like I'm protecting those who can't, and that's like what makes my life in my job really easy. I, I know that it gets hard and, you know, rusty and everything and, you know, dry, and, you know, sometimes it's like, "Ah, should I do some more security or should I switch to something else?" But no, uh, that what makes it really easy, it's mission, and so that's what I love about my job. Um, sadly, the bad side, and I'll go back to flipping side, it, what makes it hard is it's draining. It, it drains your, your energy and your ha, it sucks your happiness sometimes, you know, because knowing that, you know, there are that much of malicious people, um, that, you know, that's easy to me, like something that I, I, you know, it drains mom, you know, which I don't really like. Um, and yeah, but other than that it's, it's something that I really enjoy it and I do it every morning, it's like, okay, but I, I just go behind my mission and that's it.

Awesome, I love it. I, I agree so much. I feel like I'm just like nodding a lot, so if anyone is listening and they're like, "Why is Tanya so quiet?" she's just nodding vigorously. And, and also I wanted to mention, so if someone is watching this episode and they're enjoying it, they should click the thumbs up, they should subscribe, they should follow We Hack Purple and our amazing guest on YouTube, so, or on Twitter, so I'm gonna
put like her Twitter handle up again and try to convince people again to follow you, because I've been flashing it all day. And then I feel like people should subscribe, if it's an audio version that you're listening to you should subscribe to that, but also write us a review. Did you know that we subscribe to bribery? Yes, that's right. If you review our podcast and you send us a screenshot on Twitter, we will mail you stickers. Yes, that's right, we are buying our reviews with stickers. It doesn't matter what your review says, we will send, I hope it's a nice review.

Yeah, I actually, you know, I, I still have a handful of stickers from Tanya. The, what was it, raccoon, was it? Yeah, yeah, raccoon doing all the cool stuff, teaching the dev security, security's everybody's job, flashing the OWASP symbol. Oh yeah, that raccoon is cute.

We have new stickers now, which obviously I should have one handy but I do not. I, there's a question from the chat that I wanted to ask you before we wrap up, because I know we're sort of running out of time, but that's okay. But someone was asking, do you have any tips for teaching devs and like reaching devs? So if you're trying to like reach out to developers and teach them about security, like how do you reach them?

Yes, so it is challenging, but, um, so how I go about it, and you cannot teach someone who doesn't want to be taught, right? So first thing that I've done is asked for volunteers, that those engineers who, so for example the security champions is across all the teams, um, at least one engineer per team. You can, you know, I, the first thing that I have done is ask people around who are interested to learn about security, because, I mean, um, there are engineers who are not interested, it's fine, but there are engineers who actually care about, you know, their features and they want to know, they want to stay up, they want to stay updated on, you know, all the security matters. And so the first thing that I will suggest is see who is interested already a little bit in, not switching your
job, you know, saying, but there are engineers who are interested in security, because that's, you know, when a person wants to learn, that's easy, you know, half of your, half of their job is done, because they already have their willingness and they are paying attention. Whenever you say something or when you're presenting something, it's, it's already the attention, because it's naturally there, you're not pushing. Of course there are like all other methodologies, um, because engineering is kind of tricky. Um, sometimes, um, I also gamify things, you know, make, make them, make, make it interesting. Um, appreciation goes a long way. Um, when I say, for example, when an engineer does something, you know, that is, you know, it's not out of the way, but it's, you know, it's a good, good practice, and they already, you know, without someone pointing, they have done something from, you know, from security perspective, appreciation is, you know, goes a long way. You know, they want, you know, everyone wants to be appreciated, so, uh, you know, I try to do that as well. So there are, those are similar techniques, um, that I've used, and, um, there are really interesting, uh, that works. I'm, I'm not saying like a hundred percent, it's not bulletproof, but, you know, those are some of the tips. I would say, you know, start there, and then, you know, there are all the teaching techniques, but those are successful as well.

Cool. So let's say someone is, is listening and they think, "Oh my gosh, this is the coolest thing ever, I want to work in appsec." Do you have some actionable advice of things they could do to move towards this as a goal? Like if they want to work in appsec, besides saying hi to recruiters, but like before that, like let's say I'm a software engineer or I work in help desk, like what are things I could do so I could aim there?

Yes, um, so, hey, just switch, like I did. I just switched. That's hard. It's just like, I was like, okay, no, that's not bad. Um, so if you are already working, um, I think you, you know, if you want to switch to a security engineering, you
have to, you know, first of all reach out to the engineering team on your company and just, you know, see what, what they're doing and if that, you know, is something on your interest. Um, secondly, um, don't switch your job right away, because, you know, that, you know, like, it's, I mean, I don't know, but I, I, I loved it so much I just was like, "This is it," but, uh, try to, um, kind of test drive, you know, work on, you know, like if you can partner with some security engineer, um, and then, you know, shadow them, so then you can see from kind of first hand how things work and what are the things that, that the security engineer is doing. And then in terms of, uh, from switching completely, you know, the kind of the gear from help desk to application security, it's not that you can, it's, it's, as I said, um, I think, I, I mean, education, you know, degree, um, or it doesn't set you for what you want to do is, you know, it's a professional, um, like computer science degree will not, um, kind of dictate you whether you're going to be a good engineer or not. There are so many, uh, free learning, um, as I said, hands-on. For me, I mean, I don't know, like you have to understand your learning patterns, what are you, how do, how you learn, because, you know, I'm, you know, again, just from my, from my perspective, um, start hands-on projects. First start read about application security and then start like hands-on projects, see how you, how you work, like what is synergy with that, you know, the type of work. Um, and then slowly, like, um, now it's pandemic, but there are so many conferences, right? Um, even now on, you know, or like so many conferences that you can attend, that exposes you, one, networking, you know, you know more people in that field, two, you can, you know, of course knowledge, and then there is like on those conferences there are also recruiters. So that is like some of the things you can do to, you know, uh, plan kind of your switch and your, you know, your next move.

This is awesome advice. So we have come to the end, and I have to ask you the super
difficult, tough question, which is, okay, so let's say people probably think you're awesome now, how can they follow you? How can, like if they want to learn more about you, where can they find stuff about you? I heard you might have been in one of the Tribe of Hackers books. I don't know, do you have a website?

Um, so yeah, definitely LinkedIn, Twitter, uh, those are two things that I actually use. Um, um, I do, I do mentor others, um, so like I already, yeah, I, I don't, I haven't, I have it somewhere else, but yes, um, and my chapter is the 30th. Um, so yeah, Twitter, LinkedIn, and don't, you, feel free to message me. Um, if I don't respond, it's not that I don't want to respond, but maybe I just opened the message on and a time that I should not, you know, and then I forgot to answer your question, but feel free to thank me. Um, I, I, you know, I make myself almost available for questions and I'm more than happy to help in any way.

I am going to spell out her Twitter handle so that people can know it. So it's t e o o t a h y s e n i, but if you're gonna follow her on LinkedIn it's t e u t a, right, and then space, and then same last name, h-s-h-h-y-s-e-n-i. So Twitter handle's slightly different than LinkedIn, but she's the only one with this spectacular name. And someone has also mentioned in the chat, "If your appsec career doesn't pan out, Tanya, you could become her salesperson," because I like the book her Twitter handle like I'm, like I'm Vanna White. Okay, thank you so much for coming on this show. It has been such a pleasure to have you, and like it's nice to see you again after working with you, which was a total and complete pleasure. And with that I am going to thank you. I am really, yeah, I am excited. So we are going to share all of this on our website and this episode's going to go out shortly, but for now I have to, I bid you farewell and then do the outro fancy pantsness that I always do. So thank you so much for coming on the show.

Thank you for having me, this was great.

You have been watching the We Hack Purple Podcast,
where each week we introduce a different member of the podcast community, sorry, of the information security community, so that we can learn about what it's like to do all their different jobs. We Hack Purple is a community, an online community, a podcast and an academy where we teach people all about appsec, and I know we talked about appsec today, gosh, there are a lot of jobs in that area, but all of it. And the goal of this podcast is to help you figure out where you fit into our industry, because we need you. We need more people to join our industry. I'm not just saying that because I run a school. All areas of information security need you. I want to thank very much our guest, oh my gosh, she was so awesome, and, um, I'm just, I'm so excited to have like a fellow appsec person on. Uh, I want to thank ThreadFix, our amazing sponsor, powered by Denim Group. And I totally forgot to introduce myself, I am ridiculous. My name is Tanya Janca, I am also known as SheHacksPurple on the internet, and I am the best-selling author of Alice and Bob Learn Application Security.

But before I let you go, I want to tell you about our coming guests. So every Thursday, except for during the Christmas break, we are having super awesome humans on our show. So Thursday, December 3rd, we're having Gabrielle Botbol, so she is a leader for WoSEC, she is a penetration tester, she's a cyber security blogger, she's a podcaster, and also she's totally awesome. The following week we're having Shelly Giesbrecht, which I know I'm saying wrong. She's also known as nerdiosity on the internet, and I've been following her for years, and I'm so excited to like kind of get to one-on-one with her instead of just awing at her from the internet, and she's gonna talk about doing incident response, and that is an intense job. After that we're having Mahidina Afrin, and we are going to talk to her about what it's like to be a bug bounty hunter, and then we are taking a Christmas break until next year. In January we're having Nashua Lindsay, and she's going to
talk about what it's like to be a forensic investigator, because we want you to know what every single type of job is like so that we can have more people join our field. So again, I'm Tanya Janca, our amazing guest today was Teuta Hyseni, and thank you so much for listening. I hope you subscribe and write a review.