
I'm going to do your formal intro. Okay, everybody, we're actually ready to get started today. I just want to quickly introduce you to Casey Dunham. Casey is a penetration tester for an at-the-moment undisclosed company; ask him later. I say undisclosed, but I really don't know exactly what the name of the company is. VSR? Okay, thank you. So Casey and I have actually been working together since about October of last year; he's actually my mentor, and so it's my great pleasure to introduce you to Casey: penetration tester, application security person, and mentor. We'll hear more from him later.
Hello everyone, welcome to today's talk. Keith did a great job giving my intro. I'm a senior security consultant with VSR, which is also part of NCC Group. That's all the bio; I'm not really going to go through my bio. I'll discuss some stuff about my life a little bit further on that I normally wouldn't get into in a normal presentation. So what are we actually talking about when we use the term mentor? I want to discuss this term a bit, because I
might get into the relationship that Keith and I have, which is a more formalized relationship than somebody who is a friend. "Mentor" originally comes from the Odyssey; it was the actual name of the guy who was Telemachus' teacher, and Telemachus was the son of Odysseus. Odysseus went off to war and left him with Mentor, and over time the word mentor evolved to mean a trusted advisor, a friend, a teacher, a wise person. That's where it actually comes from. I thought that was kind of interesting. Sorry, the keys aren't working either.
No, my Internet keeps going out. That's not the clicker.
All right, the downloaded version. So my inspiration for this talk is that throughout my life, I'm essentially where I am today not because of education, not because of certain jobs or things like that, but because of the people I've met who have encouraged me to do things. Some of these people have been in my life for decades, if not longer; some have been fleeting, maybe for a year or two, and we don't keep in contact anymore, but I've gotten a lot from them, and I want to essentially share my knowledge and experience, and to solidify my own knowledge. I think that a very
valuable way of doing that is by helping other people learn and grow. Some of my highlights of being mentored: initially I never had any intention of going to college. In high school I was a musician playing in a bunch of rock bands; I was going to be a drummer, playing death metal. I had no intention of going to college, and I went to the Air Force and the Army recruiters, actually three times, and never joined any branch of the military. I was kind of doing this, and a mentor of mine, a friend of mine, really got me; he was like, okay, you should go to school.
I was already doing a lot of programming; I didn't have any desire to do that, but he really convinced me it was something I should do, and to this day I thank him for that. He also, throughout the years, got me my first professional programming gig, working not with him but in a similar area to his. I've had mentors who have helped me learn networking, the IT networking aspect; growing up I didn't have a lot of computers to play with, so the networking and operations standpoint that a lot of people take for granted I never really learned. I still kind of
have a bit of a lapse there, but I've been able to work with these mentors who helped teach me that stuff, which has been great. Also, getting into security itself: I've been going to cons for a long time, and I actually turned down job offers for years from different security firms because none of them really fit what I wanted to do. The people I've met and networked with, like Dave, who just got here, really kind of got me into it, and that's how I got into security. People ask, how do you get into security, how do you break into it? Well, networking is a great thing, but also understanding
that meeting people is great, getting yourself out there and networking, but also trying to figure out where you are even looking to go. That can be a big question, and don't wait to really figure that out. It's about meeting people doing the same job, getting out there and finding somebody who can help guide that career path, and also having somebody to push me, like, you're kind of flatlining, you need to push yourself a little more, just like a gym assistant or a personal trainer. So over the years these people have become
some of my best friends. I'm sorry about the slides. So one way I decided to mentor is that I've done it throughout my jobs, whether it's teaching somebody some programming language, or helping guide them through developing some application, or getting them up to speed on some security stuff. But then I met Keith, and we had a brief meeting, and he said, hey, I'm looking for somebody to teach me some application security stuff, and I'm like, hey, I can do that. It just started from there, and we've been meeting weekly, if not more than that sometimes, for almost nine months now, and have covered a lot of things, from the basics
all the way through some more involved projects and working through stuff. I think there is a lot of value in this methodology of apprenticeship, and you see it in a lot of other career paths: doctors have their residency program; there are professional engineers, and in order to get your PE certification you have to work under the auspices of a professional engineer for four years before you can take the test and get signed off on. That's a lot of on-the-job training and distilling the knowledge and experience from the professional engineer into the one coming up in that field. There's a lot of that now; even with all of our
information security programs, there's a big aspect of it that's just not taught, right? Unless you're picking it up on the side because you're interested in it and you go do that, there's just a lot that you're not going to learn in school. So for years, whether it's a SANS degree or any college in the world that has an information security program, you still need that Jedi and Padawan relationship. So what is mentoring? Wikipedia had a pretty good definition that aligns with how I view mentorship: it's a relationship where a more experienced or knowledgeable person helps to guide the less experienced or
knowledgeable person. That's essentially it. But this also doesn't have to be technology-based. My mentorship with Keith is very technology focused, but I've also helped other people with things like guiding their career, where do you want to go, you don't want to do this, so kind of helping with that, or even salary advice, or how do you get through a technical interview, something like that. I also view mentoring as leadership in action. The best managers I've ever worked for have been ones where I'm not just a person there to do a job and be managed, but somebody they want to help grow and be
successful, and they provide the resources and tools for that to happen. If you allow somebody to do that and give them that air to breathe, you can get some pretty successful people out of that. Part of that is, if you're managing somebody or working with somebody, you want them to go beyond you; you want them to grow and move on, or take over something like that. It's like raising kids. I don't know how many people have kids here, but my wife and I, ever since our son was born, have always been under the
idea that we're not raising a child, we're raising a future adult, so we've always treated him like that, and we want him to be successful and grow. I also view the relationship between the mentor and mentee, or whatever you want to call it, as a professional relationship. Keith and I, even though we haven't quite gone that far, have this thing where every week we're going to do this meeting, and we're professional about it. There are also a lot of people I'm friends with that I ask questions of, and that's great, that's a thing, but
ours is kind of a more formalized thing, and we'll talk more about that in a few slides here.
Keith had a great quote the other day: mentorship is like two swords that sharpen one another. It is like that; he's helped me learn a tremendous amount, and I've helped him learn a lot, and we're still doing it. It's a great relationship from that perspective, where even if you're an expert, you're still going to learn stuff. So one thing is, if you're interested in mentoring somebody, understand your motivations for doing so. Why do you want to do it? Figure out what areas you're
knowledgeable in. It doesn't have to be, oh, I just want to mentor you in security or something; you can pick a specific area. Also look at your time; don't overcommit yourself, because it's not fair to you or to the person you're mentoring. But it doesn't have to be long either; Keith and I meet an hour a week. So to be a good mentor: know your motivations, know your limits, patience, communication, and be vulnerable. We critique each other all the time; Keith has helped me go over all
the slides for the workshop we did yesterday, like, this is not clear, you need to add more here, and you need to be able to take those criticisms and be open to all of that. Patience: just like anything else you're teaching, it can be really frustrating sometimes. I taught college for a semester, and I've done a lot of workshops and presentations, and it can be very difficult to teach somebody, so you've got to have patience and back off. Know your limits too: if you're overburdened or you don't have the time, don't do it, and if you're getting into stuff that you don't know a lot about,
just say so. Finding a mentee: they also say that when the student is ready, the teacher appears, that type of thing. But also get out there and network. There are a lot of people around here; I know a lot of companies are hiring, and there are a lot of people looking to get into the industry, and this is something where the veterans, the people who have been in it, can help get these people started. We do need more people in our industry, and we also need to find the right places for them to go, and that's something that walking around and talking to people at the tables isn't really going to
help you with, because everyone's trying to hire you or something. Keith also has the InfoSec Mentors project; you can sign up and say I'm looking to be mentored in these subject areas, or I'm looking to teach in these subject areas, and it will match you with people who want the same things and email you, like a matchmaking thing. It's pretty cool; we'll talk about that. So, practically: we do all of our meetings over Hangouts, and we used Semaphor for quite a bit because it was something I wanted to try out from SpiderOak; it's kind of a private Slack-channel type thing. So, to set yourself up for success:
for meetings, we try to have measurable goals. We say, okay, what is it we want to accomplish here, and we make sure that we time box the meetings: okay, it's an hour, see you next week, let's go. We try to have an agenda for every meeting; that might be just something we're going to discuss in that one meeting, or it might be something we're discussing over the course of a month or two. And try, I fail at this, but try to take meeting notes. It's helpful to refer back to; if something comes up, don't derail everything, put it in the notes and come back to it later. Every week or every two weeks, schedule the next meeting; ours is a fairly recurring thing, but
we've also had to adjust things like the pattern. We use Hangouts and Semaphor mostly, like I said, but there are a lot of ways to conduct these things. So the first meeting: when Keith and I first sat down, the first meeting was just to discuss what was going on and get to know each other a little bit better, and figure out what he wants to get out of it and what I wanted to get out of it, and we used those as our takeaways and what we're going to
do. We've done some more formal lesson-plan type stuff, where I build some applications and we do some walkthroughs and some different exploits, introduce some tools, that type of thing. But we also discussed what our schedule was going to look like, can we do a recurring one, and got all those details out of the way. Then the desired outcomes: what is it that we're trying to get here? This could be an example where you have somebody who is trying to take the OSCP exam and pass it. If you have done that, you say, all right, our goal is to
get you knowledgeable enough to pass the OSCP, and maybe you focus on that for a period of time, and then that's it, that's the end of your little mentor relationship, or something like that. It's just understanding where you're going, so that every meeting is not just a rant and you're actually getting something out of it. Subsequent meetings: like I said, take and review notes, because you can go back and review them: we talked about this, did you want to revisit that or move on to something else? We review all the previous work, discuss the next steps, look at your
progress on goals. If you do have a goal in mind, like passing the exam, or the CISSP for somebody getting into the industry, or something else, where are you progressing on that, and what do we need to do to make sure that you're going to be successful in that? The other thing is that Keith and I try to be very respectful of each other's time. I think everyone should be; I'm a big proponent of that. We try to keep things time boxed and not drag things out or bother each other at all hours of the night, like I was doing with him last week. But yeah, so we have
fairly frequent communication, but respect other people's time and don't overextend, on both parties' part, right? Don't try to take too much of the other person's time, and don't expect somebody else to spend all week on something unless it's something they're really interested in. So, when it's time to end: things change, and hopefully it ends well, you're friends and you move on. I've definitely had a lot of that, but it doesn't always end that way. Maybe you reevaluate: okay, this has been great for this period of time,
but now we need to back off, we're getting too busy, things change, not a big deal. Don't look at it as, oh, I'm going to get irritated if my mentee disappears or something like that; it is what it is. But also, like I said, I really try not to burn bridges, because this is a small world, especially in InfoSec, and you want to leave a good impression, and that's on both parties, right? I would hope that I wouldn't need to say that, but there are a lot of people out there, and feelings get hurt
sometimes. So: collateral damage, or developments from the stuff that we've been working on, from both of us. Keith wants to come up here, and we can talk about some of that stuff. So this is a little loud, sorry. One of the things I did before this meeting, as I told Casey, when he was panicking a little bit building his Being MEAN class and then preparing the slides, I said, well, we're both going to be at this thing; if you need someone to pitch in to help you fill some time, I'm happy to maybe do a bit of a Q&A and talk a little bit about some of the projects that we worked on.
So Casey, would you rather start by talking about the projects, or maybe ask the questions first and come back and wrap up with thoughts on the projects? I think that's a good place to do that. Come on, stop messing with us. So one of the things that I just wanted to mention is part of the reason, one of the reasons, that we even started this mentorship: last year I started working on the InfoSec Mentors project, or the relaunch of the InfoSec Mentors project, and for me it was a situation where I knew that there are a lot of people starting out in the industry who needed mentorship, and there were people who
were interested in providing mentorship, and I wanted to look for a way to bring those people together. I was learning Flask, I was learning web application security, and that was a big driver behind it. So I reached out on Twitter because I needed help; admittedly, I couldn't build this thing all by myself. I reached out and Casey said, yeah, you need a mentor, sure, why not. As you'll see in the code commits on InfoSec Mentors, Casey did a really good job helping to set up a testbed environment with Vagrant, and gave me a lot of feedback on a regular basis as to how to get that up and running, and
as a result of that, as of just a few days ago we have over 300 people registered on the site, and we have something like a 33 percent mentor-to-mentee match ratio. So when you sign up, you list three skills that you could potentially teach someone and three skills that you'd like to learn, and once you're signed up it'll suggest matches with someone who has the skills that you want to learn. Then you can connect with them, and if they agree to connect, you've got a mentorship set up right there. So it's really exceeded expectations, and Casey did a really good job helping me get that launched. That was a collaborative effort that came out as
a result of my mentorship, or Casey's mentorship of me. I'm sure that I probably bothered you way too much with that, but feel free to jump in and add some thoughts. No, I mean, it was pretty cool. Actually, he extended a project that had been picked up by some other people in the industry and kind of languished, and he resurrected it. I didn't really touch any code on it; I don't think I did at all. No, it's fully developed by him, every function of it. I just kind of guided: this works great, this is cool, maybe change this or that, just based on my development background
and experience. But I'd definitely recommend checking it out. The other thing that came out of this, something that I got out of it, was back in December or November, maybe. We were going through some abstract vulnerability stuff, looking at some exercises, SQL injection type things, and he brought up the stack, like, writing this off the MEAN stack, and I'm like, what is the MEAN stack? It was the Node.js stack, a lot of stuff that I'd been interested in learning about and getting into for a while and just hadn't really made a priority. So he brought it up because we were
discussing bug bounty programs, and a lot of the applications that are on these bug bounty programs, like HackerOne or Bugcrowd, are more and more making use of either various components of the stack or the entire stack itself, and we're like, hey, you should get into this. So we both bought a book on developing with MEAN, Getting MEAN, and it was funny, because one day we were talking about it; I'd started reading the book, I'd bought it on Amazon, and he said, I'm reading this too, because I felt like it was worth learning to
attack that framework. So we were talking, and I said, wouldn't it be great, Casey, if we actually did something like Being MEAN, like being that mean person and attacking that web stack. So a little bit later, Casey actually started working on this project as an idea, a concept, put a CFP forward, and got accepted here at BSides Boston, and I was like, oh hey, wait, I know the guy who wrote that, and then we actually worked on it together. So we really spent the last couple of months learning the MEAN stack; we built some applications together, worked on various parts of it, and
I applied my vulnerability knowledge and my security knowledge to what we were doing, how to exploit it. I've done some AngularJS exploitation in the past, but as far as this other stack and the Node.js thing went, this is where it started to come together, and we both ran this workshop yesterday. It went pretty well; we had about 40 people there, or 30, something like that. What was awesome about it too is that, as part of this, my interest in the student side of really learning something has driven Casey's development of knowledge in attacking that web stack. So in a way he goes
out and he's learning it, and I'm also learning the attack portions from Casey, while learning the building portions on my side as well. As a result of that, yesterday one of the students came up with the idea of how to do some of the more automated cross-site scripting, and I knew exactly how that would work from the templating engine side because I had learned a lot of that. That's been an awesome effort in terms of building that out. I think we're looking at building it into a longer class; I've convinced Casey, or I think I've convinced Casey, to turn it into a Pluralsight course, just because it's a stack
that you don't see a lot of security knowledge in. Yeah, I might do like a free webinar, WebEx or whatever; a lot of people are hitting me up about it. The information is out there for the most part, but there's a lot more research to do. There's some stuff, especially on the MongoDB injection, the NoSQL injection side, where not a lot of information on actual exploitation is out there, and some of those can be really difficult or weird to exploit, but that's something we're probably going to work on too. We said, since we had this idea for this talk, we
might as well just talk on it. We've also got this other project coming up, kind of his brainchild, that I'm going to help him with, so if you want to talk about that. Yeah, so one of the things that came about as a result of actually building the Being MEAN workshop is that I realized, as I'm learning a lot of different languages, that I'm not practicing my web application security skills while I'm learning to develop in Java, and so as you start to focus in one area, the other area gets rusty, and then if I go back and forth, the problem is I'm getting rusty the other way. So why not
just integrate it all into one workflow: learn how to build vulnerable applications, learn how to use the toolsets, techniques, and practices to actually attack the vulnerable application, then go back and take those developer half-measures of fixing things, so you eventually learn what bad code looks like, how to attack it and test it, and eventually what good code should look like at the end of it. Casey, being a little bit more knowledgeable on the attack side, is helping me out in focusing; I'm building the attacks and I'm focusing on how to learn to develop at the same time, so it's a collaborative effort of quickly
cycling through the learning process, learning all of the tools that are involved from development through the attack chain and back. The other thing, on the attacker side of that project, is something I'm asked all the time as an AppSec consultant, especially when I do developer trainings: you always have to be able to say what tools or resources are out there, and honestly there aren't really many. Also, doing static analysis on JavaScript is extremely difficult; there are only one or two tools that really support it or do anywhere near a decent job at all. So it's kind of
developing a resource: if we're developing on a stack, what tools are out there that are usable from a DevOps standpoint, or really fit that development pattern, like an IDE plugin or something like that, and evaluating how good is this, how does it work, and actually building a resource out there that you can direct people to. We have a lot more stuff that we've been tossing around, and I don't think we're trying to say, look at us; we're just trying to say, this is the
stuff we've done that's been a direct result of a relationship like this. There's a lot of stuff out there that can be done, and if you're interested, maybe we could get together, combine forces, and go off and do projects. It's been very successful from that standpoint. I've actually got a series of questions that I set up as well. So I never actually shared these questions with Casey, and I thought it would be a good opportunity, being that we're both here at this conference, to get a little bit of
the mentorship view and make this also a dialogue. For those of you who are seeking mentorship, maybe having Casey ask some questions of me, from the mentee perspective: what should you do to prepare yourself to be a collaborative part of this? You can see that a lot of the work that's come out of this mentorship has been very fruitful for both of us; Casey and I are talking today, he was training yesterday, and we both learned a great deal as a result of this mentorship. It's not just a one-way street. So the first question I had, and I think this is important for those people who are newer to the
industry: if a person is very new to the industry, do you think it's appropriate for them to get a mentor right away, or should that person try to learn the skills themselves before they actually seek out a mentorship? I think that to be really successful at that, the person should see where they enjoy spending their time, try things and figure that out, because otherwise, my take is you'd want to find somebody specific. We focus more on AppSec; if you were like, hey, I want to learn network security, I mean, that's not really my gig. You
know, we could learn it, but I think it should be something that you go out and seek, and that's kind of creepy too, like, will you be my mentor? I think it naturally will come about, and just getting in and going to conferences, your OWASP meetups or chapter meetings, or the OWASP conferences or the regional ones where you can meet people in your area, I think is a great way of doing that. So I think it'll happen naturally, but I don't think that you should be out there looking to find somebody to mentor you. I
think you might even want to apply that to the people you talk to about career choices. But that's... Yeah, so more or less, just to summarize that, your idea is a person should know what they want to learn before they engage a mentor; is that fair? Yeah, I think so. So another question, a follow-up to that, is for those people who want to figure out what they want to learn: are there any resources that you recommend to those who are newer to the industry to explore or feel out those areas? I mean, everyone's essentially going to want to start with OWASP, but my suggestion is don't stop there. I mean, OWASP is
a great starting point, but there's a lot of stuff it doesn't cover; there are a lot of other things that you should also be looking at, and just doing your own research, digging in, taking something and focusing on it for a while, digging in and seeing what you can learn about it. Awesome. On my side, when I was figuring out what I liked to learn, I used Cybrary to go through a lot of the free education courses. I've never used any of those, so I don't know. Yeah, for me it was that I didn't know where to start, so that's kind of
where I started to figure that out, and then I met Casey, and I definitely wanted to do AppSec, so it fit perfectly. Yeah, and a lot of the regional conferences like BSides Boston, or wherever you are, always do workshops or something, and they're usually pretty cheap; I think mine was like 35 bucks. Right, right, they're like the first... So there's a lot of good information there and people learn a lot, but you also get an opportunity, for essentially almost no cost or free, to just try something out and see
if you're into it or like it or not. So my next question is, as a mentor, how important is it that your apprentice comes prepared for meetings? Pretty important. You're taking somebody's time, and I try to be as prepared as I can be and be on time, because I'm one of those people who will show up ten minutes early to a meeting, and I don't like being kept waiting, especially if it's somebody else's meeting. To me that's just a sign of respect. And having knowledge: that's why I think, hey, when we're ending a meeting, what are we going to discuss next week, or what do we
want to work on? Because if we want to go over, okay, can you work through some blind SQL injection with me, as if I'm mentoring him, then I need to make sure I have something ready to go, because it's kind of hard to teach if you're just talking about it; you have to actually do it. So I need to do my part to make sure I have an app or something that we can demo and use together. And also, it's very hard to teach blind SQL injection if somebody just shows up and doesn't know what SQL injection is. So it's being prepared and understanding what's going on, and I
think we've done a pretty good job of that. I don't think there have really been any times, unless there were a few times when we were both busy and traveling around, but I think it's gone pretty well from that perspective. And I know as well there have been times where it's been last minute, and we've had to cancel on each other for different reasons, and I think being respectful of each other's time is making sure you don't just not show up; you never skip a meeting without letting the other person know what's going on. That's never happened to us, which is good. I mean, not that I can remember; I think there
was maybe one time where it was like, hey Casey, are you coming on? And you're like, oh crap, yeah, I'll be there in a few minutes. But that's happened to me at the same time, so... Out of curiosity, and this is maybe more for my own knowledge, can you tell when your apprentice hasn't prepared? Yeah, it depends what we're working on. I mean, a big chunk of our time has just been this workshop, and I think we've been working on that, although I don't know about you, I mean working on that workshop and the various stuff coming out of the workshop, has been ongoing for months now. We kind of redesigned it; for some reason I
was told I was only being given a five-hour workshop, and then it was, guys, it's an entire day, so I was like, oh crap, I need to redo this, and I took a step back and redid what I was thinking about. So, but maybe even researching and digging into a lot of stuff for a while. So our meetings would normally be just discussing what we've done, what we're going to be doing next on it, and getting his feedback on what I've done: do you think this is enough, do you think this is good enough, what can we do differently, and working to add to this to make it
different. So having that feedback loop with somebody, ongoing like that, has been really tremendous and helped in building that, and it was successful because of that. And I think as well, part of it is, if you start to think about, okay, what can I offer to my mentor as feedback? I think what's worked really well for us is I've been able to tell you, even on slide decks, for this talk or the MEAN talk, as a new person, this is what I need from this slide deck. And that's, I think, pretty beneficial from the other side. You might not think you have something to
offer, but you do, which is that perspective of being new to the industry. You have an opportunity to provide that feedback, so that a person who's working on a talk or a training can get that perspective, and that's hopefully pretty useful. Yeah. So out of curiosity, how much time do you spend preparing for meetings with your apprentice? I've variously spent a lot of time, actually. So I've done a lot of developer training and I've taught people very specific things, and I built a lot of kind of toy applications, but there's like one week, I think it was the SQL injection one or the
later one, where I spent a lot of time building out a little test bed, like the strategies and some of the ones that are out there. I don't like using off-the-shelf apps for any trainings I do, because I feel it's a little like cheating. They're out there, you can go do whatever you want with them, but when I do workshops or trainings, I build something specific to the workshop, and that way also I know it in and out, so I can be very aware of what's going on with it. So I've actually spent a lot of time building up these things, doing them
with a larger purpose too, which is that it's helped me control my training, so it all feeds back into everything else I do. And so, yeah, none of it is wasted, but sometimes it's a few hours, sometimes one hour. Admittedly, I think he actually finished reading the book that I didn't get a chance to finish for the MEAN training, so I can tell just how much effort Casey was putting in, and I learned on the fly, thankfully, but I definitely picked up things along the way, because when we started working it was like three different MEAN apps, really small things to try stuff out, and he was like, I'm on
chapter 4. I was a little bit slower, admittedly, but thankfully I work well on the fly. And I think the code commits... yeah, that was with a broken finger and having the flu for like three weeks straight. So sometimes, being a mentee, part of your role is to make sure that your mentor is doing okay, checking on their health and supporting them any way you can. I think at one point I was like, if you need someone to type up your stuff for this class, I will do it, which was pretty awesome. In the end it came out really well. So we talked a little bit about what you do to prepare for meetings, but out of curiosity, how effective have you
found it, working on projects together? To me it's been one of the highlights of this entire thing, because something has come out of it, the workshop, and it's been great. And honestly, I probably never would have done that if we hadn't discussed it, like, hey, you should do this. And also he's still pushing me, like, you should turn this into a Pluralsight course, because I've taken all the Troy Hunt stuff, I've gone through all of that and other things, and that is really basic, and there's not much out there for some really specific AppSec stuff. And so we discussed, can I do more
trainings, like figure it out more, so if we can do that, somebody who is an application security consultant now could take them to expand their skills, but also somebody coming into application security from a network or networking background or something else would have resources to take. That would be something I'd want to sit down for. So to me, I love having these little goals where, hey, we're going to do this and work on this project together, and this is the outcome for that project, and that's been great. Thank you. So out of curiosity, what's been your favorite project so far, and then second, or as a follow-up to that, what are
you most looking forward to from some of the work that we're going forward on? I think that the MEAN one was my favorite so far, because that's something that's really benefited me a lot. I am more familiar with MongoDB now; I know how to test for various injections, I know how to exploit those, and especially on the templating engine side, or server-side JavaScript injection. I had never written a reverse shell in JavaScript before; there I learned how to do that, and that was a lot of fun. What I'm really looking forward to is the attack-driven development stuff; there's a potential book we'll be writing
as well, so he's going to be my chief editor on that, I think. I don't know if that's ever going to happen, but I think right now working on the attack-driven development stuff is going to be kind of fun. And again, another benefit of being a mentee is you can harass them about what they say they're going to do and then kind of hold them accountable. And at the same time as well, you can, as Casey pointed out, be vulnerable to one another. So I've had Casey be a critic of some of my work, which has been good, because he's offered really good feedback for some of
the projects. What was the quote you had for that workshop? Oh, you're an opinionated framework. Yeah. So out of curiosity as well, what skills have you developed as a result of being a mentor, or what have you found that maybe you were surprised about in terms of the skills you've developed? I don't know about skills developed, but it's been kind of, in some ways, a reaffirmation. Even though I do this stuff professionally and I find stuff for clients all the time, or hopefully I do, there's also a, you know what, I
actually do have stuff to share, and it's not just technical details, it's knowledge and experience. And having that reaffirmed, okay, this is directly benefiting you, I think is awesome. And that also helps me, because I am just like everyone else in this industry; I don't know anyone that doesn't suffer from impostor syndrome, right, where you don't think you're good enough, like, what am I doing, I'm not going to give a talk, I'm just not good enough. And it's like, yeah, you are. So getting over that is reassurance, like, hey, this is valuable,
you have valuable knowledge and experience to share, and I enjoy sharing it. And what's been really good as well is I've never given a talk before at a conference, and so it's been nice working with Casey to put together CFPs for other talks that I proposed and having his critical feedback and thoughts on that. So I think it's kind of a two-way street on that side as well, because you submitted to DerbyCon for the MEAN one and to BSides Vegas for attack-driven development, so hopefully, fingers crossed, I'll get a chance to do those, and that would be pretty awesome. So also, I'm just curious, after all the time
that we've worked together, what motivates you to keep going? A fear of failure. Okay. I mean, like Gary Vaynerchuk says, you might die tomorrow, right, so just keep going, you've got to do something. And I want to progress my own skills and career, and this has been a way that I can help keep myself on that path. But, you know, just keep going. Nice. So lastly, in your eyes, what separates a good mentorship from a great one? When you look back on it, like a year later, and you have specific things, like, I couldn't have done this without this relationship, or I probably wouldn't have... Because the whole
point of this is to grow your own knowledge and experience, and if you're not looking back on that... If you picked up a few things, great, but some have led me to entire career changes, right, and I think those are some of the greatest ones. And I mean, we've done this stuff in, what, eight months? Not even eight months, yeah, it's like four really. And we've still got next year almost planned out with more things that we're doing. So to me this has been a great one: we've got actionable items, we've got stuff coming out of it. And it would've been great too, I would
have enjoyed just teaching him SQL injection or cross-site scripting, but you could learn that from almost anyone. So I think this has been a great aspect, from the stuff we've been able to do and the stuff that we want to do. So I know for sure that if I ever get my CFP accepted I'll be bugging the hell out of him to actually make sure my talk is presentable. But that's all the questions that I have at this point. Thank you very much, Casey, for answering them, and I'll let you finish your time. Yeah. Does anyone else have any questions?
We're about to wrap up, so if anyone has any feedback, questions, thoughts, or anything... Yeah? At a bar, actually, yeah. I have no idea. So where were we, what bar was that? There was a Redhook Brewery up in Portsmouth; there was a get-together. It wasn't Papa Rudess, it was Bill Pelletier and a few other people getting together in the area, and they just wanted to kind of meet up and grab beers. So I decided to go because I knew a few people; I saw it on Twitter and kind of invited myself. Casey was invited, a few other folks that we know here were invited, and I was at the time... I'm at
Rapid7 currently, but I wasn't there at the time. And so we got talking; we discussed that I was working on this mentorship project at the time, it was still kind of a pie-in-the-sky idea, and Casey had mentioned that he was really interested in helping out and pitching in. And it was probably a few weeks to a month later that I finally put out on Twitter that I'm looking for a mentor, because I kind of hit a wall, I needed some help. Casey reached out and said, cool, how can I help? And we just took it off from there. And that's a great point, because I know a lot of people in the industry, and it hasn't
mattered what you do. And I think that overall this industry has been one where, if you have questions or you need help with something, people are more than willing to help you out. I've had some great conversations with people who would jump on a phone for an hour and discuss this and that; people that are making a lot of money, or are really busy and successful, taking an hour out of their day for some dude in Maine to have a conversation with them. So I think this industry overall has been awesome from that perspective. So don't be afraid to
ask people stuff. Go out there and ask for help, and it doesn't matter how famous they are. Even Dave Kennedy, who's on all these news channels and stuff like that, I've hit him up offline a few times for questions and he's always been right there helping. And I've seen the same thing. I mean, even building the InfoSec Mentors Project, Casey has been a main contributor, to my knowledge, that has helped build that, but I've reached out to folks like Apollo Clark, Jack Daniel, and I have almost always found that when someone has time to actually interact with you, they are more than willing to help. And so there's
usually that hesitancy, that kind of concern, which is part of why I brought InfoSec Mentors into being: here's people who understand that they are willing to provide some sort of guidance, and there are people that want to learn. And that actually led to him being on Security Weekly too. Yeah, that was around March, I think. We should have that written down; we've done so much we can't remember it all. Any other questions? Well, thank you. I
mean, I don't say no. I am also getting into a process where I'm mentoring a good friend of mine who I've known for years; she's in California, but she's trying to get out of a more InfoSec policy type role into something more technical, and I've been helping her. And until we started talking she had never exploited a SQL injection or something like that, so that's a pretty wide skill gap, right? And I get value out of that too, because all these things add up. Every time I explain SQL injection or cross-site scripting, even if it's a basic, OWASP 101 type
thing, it always adds to my ability to explain it further. And sometimes stepping back into that really basic thing is great, and I like doing that sometimes, because it does help me kind of baseline, like, all right, what am I even doing, because you can get really lost in those steps pretty quickly. And I've also found, too, with my apprentice or my protégé, she's actually coming from a role where she was policy-based, similar, and she wants to go toward penetration testing, and I think that one of the benefits of sharing that knowledge is it doesn't necessarily have to be that you're just sharing the knowledge
you have with them; sometimes it's like, these are the resources that I've used that have helped me, and then she'll come back and ask questions about different things. It's more about being a guide: these are the points on the map that you want to make sure you touch upon to actually be successful. And so that relationship is a bit different than Casey's and mine, because that's more via email; we'll actually just tweet at each other back and forth or write emails to each other to kind of give that guidance. If it was a more regularly paced type of role, I think that having that
closer parity, or at least having someone that is willing to do the work to learn those things, is good. But I don't think that necessarily having a vast gap in skills is a bad thing; sometimes it's great, because it will remind you of things that you may have forgotten. But also, I mean, it's like when I taught my programming class: some people were not really good at all, just people like, what is programming? It could be kind of difficult, but there was value in that too. And so, yeah, I think it depends what you want to get out of it, honestly, and if
you're trying to really build your own skills up, then find somebody that is closer, because he's already in security, just a different aspect of it, right, so he'll be different than trying to help out somebody in college, or even younger, getting into security as a whole. However, when I was younger, like when I was 12, I used to go to 2600 meetings in Minneapolis; my older friends would drive, we'd drive in, run away from home, and go to 2600 meetings. I learned a lot from people there, just like, where to go next, you know,
built my first blue box from them, and a lot of fun stuff. So you can definitely learn from both sides of that. [Inaudible question.] Yeah, I mean, resources. I guess I should ask: is it more like exploratory resources, like not really sure where I want to go or what I want to do, or is it more like, these are the books to pick up for this field versus this field versus another field? So I think one of my general pieces of feedback for just about anybody, and I know a few people that have really benefited from this, is that to do well in this industry in general, even if you're not
necessarily someone that does penetration testing, learning to code at some level, even if it's a very basic level, is incredibly valuable. I mean, one of our friends here, Audie, she didn't know Python; she was doing a project that would have required her to be up at all hours of the night due to the change control that she was tied to. She took two hours to learn Python and wrote a script, and was able to take a multi-day process down to a matter of hours, all automated. And honestly, from that knowledge you can gain so much more in this industry as a whole. I definitely concur that, as a
penetration tester focused more on application security, there have been times where my ability to code has led to me actually being able to exploit something that otherwise wouldn't have been, or even to find it. So it's very valuable, and I would expect anyone kind of coming in, if I was a hiring manager and I was looking for AppSec people, even on the network side, I'd expect them to at least be able to code a little bit, enough to make some HTTP requests and modify them, stuff like that. It doesn't have to be building entire web applications,
but that also has a lot to teach you about security as well; you can't really secure a network unless you know how to build networks. But as far as exploratory research, I don't know if there's anything out there, like if somebody's like, I don't know if I'm going to be a pen tester, it's just kind of looking in and meeting people that are doing that work and getting the lowdown from them. And there's Cybrary.it, C-Y-B-R-A-R-Y dot I-T; it's all free content, and they have multi-hour training courses covering anything from your A+ all the way
through your Network+, through... I think they have some stuff now on CEH, Certified Ethical Hacker. If a person is just like, I don't know where I want to go and what I want to do, but I'd like to get into the security space, going in and exploring those and finding what they think is interesting, grabbing books. I mean, there is an ungodly number of books; No Starch Press is another place. My bookshelf is almost all No Starch Press books in security; I've purchased quite a lot. And there's a lot: there's AppSec, there's penetration testing, which is maybe not fully AppSec, there's software security,
which is more like code auditing. Yeah, I mean, all the way through policy, all the way through even just doing vulnerability management. And there's a whole layer of security jobs that aren't necessarily technical, because we need those; your company needs people that can speak to people who are not technical, right? So security is a really broad area; it's like, okay, you want to be a doctor, awesome, what kind? And so I think coming to places like this and talking to people and meeting them, figuring out what is it you actually do... The consultant life isn't for everybody;
some people are really great at it. I'm not a policy person, there's no way I'd ever be; I'm not working internally somewhere, I'm just not cut out for that, but there are some people that really like that type of environment. And so I think that it's important for people to get out there and explore and see what they're interested in and comfortable with.
OverTheWire, yeah, OverTheWire; I think it's .org, I'm not sure. So that's definitely... there are, for example, CTFtime, it might be ctf-time, if they wanted to explore some of those; there are challenges all over. For somebody just learning, that might be a little much; there are some basic Pluralsight courses, like the OWASP Top 10. The OWASP stuff is great, I mean there are projects there, also different projects that are kind of already there, but they branch out a lot. All of them are going to require
some technical knowledge, and there are guides and tutorials on doing stuff; a lot of people have written a lot of blog articles too, so you can generally find stuff. But the trick is then to take that basic information and really extrapolate from that and understand what's going on, so then you can apply it somewhere else. Because honestly, most of those examples, like in SQL injection or whatever, you're not really going to find stuff that's exploitable like that anymore, but knowing how it's exploitable, why that's working, is important, because that even came to help with the MongoDB stuff I was working on;
it was a completely different platform, but the knowledge and the understanding of, this is how something is exploitable, and how I would explain how it works. So also a development background, knowing how to write code and develop that stuff, directly made that possible as well. So, yeah, start there and keep going. There are some books on it; there's the Web Application Hacker's Handbook, a few years old now, but still one of the only really good ones out there on application security specific stuff. But I guess we could talk more, maybe come up with some more resources. But Cybrary, or else... I'm not sure what... Oh, SANS?
Yeah, yeah.
Yeah, all the web apps stuff, yep. Yeah, so the SANS Institute is amazing as a resource to guide you to other resources. I've heard the exams and classes are pretty pricey, but if you have the ability to do them, I've heard really great things about a lot of them. So I think with that we're actually just about running out of time here. We probably have time for Casey to wrap up. Casey and I are both going to be around today; I'm one of the organizers, so I will be around, look for me, and Casey will be around. So please come up to us, ask more questions; we're happy to provide feedback as
well, in person or on Twitter; I know that we're both getting active there as well. All right, so in closing, to consider: I think mentorship is very valuable to our community, and it's the only way we're going to grow the people we need. As a consultant, hiring AppSec people, it's like, all right, we need people who are doing application security, or want to, or do network security, and a lot of the time you're not going to get somebody who's experienced coming in; they're going to be very new, or potentially it's the first thing they're really doing. So I think this is super valuable to our community; we need to do more of
it. It's the only way we're going to handle fixing that knowledge gap and unemployment gap. But it is also work; it takes time, it takes energy, and it's also fun. And so I highly encourage anyone who's interested to try and figure out what you can offer other people and see if you can do that. You never know what might come of it. And with that, I'll say thanks for coming, really appreciate it, and Casey and I will be around, so feel free to hit us up, ask questions; we'll be around all day today and at the networking event later, so I'd like to
see you all there. Thank you. That's Casey Dunham.