Failing a Pentest is not the End, It’s a Beginning — My Beginning

Carrie Roberts
5 min read · Jul 11, 2023


They say “You never know the value of a moment until it becomes a memory” and this is the case for me and my start in information security.

I love this story because it starts in failure but has so many great results in the end.

In 2006 I completed a degree in Computer Science and started happily down a career path of programming, ultimately settling in as a web application developer. Everything was great until one day in 2010 when my manager walked by and dropped a report on my desk, pointed at it, and said “I need you to fix this stuff”. I picked up the packet of papers to find that it was a security audit or “pentest” of my web application that was scheduled to go live soon. It had a lot of red text on it, and it explained that my web application had multiple critical security vulnerabilities which included SQL injection and Cross-Site Scripting. I had never heard of either of these before and I couldn’t even believe what I was reading. Someone could type “or 1=1” into one of my text fields, followed by any database command they wanted to execute, and it would be executed?! This means they could see, change, or delete anything in the database! I was flabbergasted. I went to my development machine and tried the sample code that was provided, and to my horror, it worked.
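The finding described above, as an added illustration that is not code from the original post: the string-concatenated query the report would have flagged, beside the parameterized fix, run against a constructed in-memory SQLite table so the difference can be checked directly.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.com"),
            (2, "bob", "bob@example.com"),
            (3, "carol", "carol@example.com"),
        ],
    )
    return conn


def find_user_vulnerable(conn, name):
    # The pattern the pentest report describes: the text-field value is pasted
    # straight into the SQL text, so it is parsed as part of the query, not as data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_fixed(conn, name):
    # The fix: a parameterized query. The driver binds the value separately,
    # so whatever the user typed is compared literally against the column.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    # Returns what each version hands back for the same input, for side-by-side review.
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, name),
        "fixed": find_user_fixed(conn, name),
    }


if __name__ == "__main__":
    print(compare("alice"))           # both return ['alice']
    print(compare("x' or 1=1 --"))    # vulnerable returns every row; fixed returns []
```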

I went home that night with my shoulders hung low and explained to my husband that my application was completely hackable and how I had completely failed. I realized that I couldn’t be a great developer if I didn’t know anything about security, so in my mind, I had two choices. Either quit being a developer or embrace this information security thing and learn as much as I could about it. After leaning toward the quitting option for a few hours, my husband talked some sense into me. I returned to work the next day and asked for recommendations for where I could learn information security and was recommended to look at the SANS training. I quickly signed up for a 5-day “Defending Web Applications Security Essentials” course. It was phenomenal. I had never been in any training that compared with the expertise and value that it provided. After taking another course, I learned that SANS had a Master’s Degree program in Information Security Engineering. This seemed like an amazing way to overcome my day of failure and to set up a great future for my career. I proposed to my organization that they sponsor me through this program so that I could bring this much-needed expertise to our organization, and they agreed!

While studying, I learned more about being a pentester — a legal, well-paid, hacker for hire. It seemed like breaking everyone else’s applications would be more fun than making mine work, so I set my heart on being a pentester. I did everything I could to build my resume to qualify. I sought out assignments at work that were related, and even invented some. I played the NetWars competitions as much as I could, and I talked to everyone I could for advice about how to make it happen.

In 2014, I was so privileged to be able to join the Black Hills Information Security team for my first pentesting role and it was amazing. Shortly thereafter I graduated with my Master’s Degree from SANS. I have since expanded to both red teaming and blue teaming roles and all have been very rewarding.

In my time at SANS, I was greatly impressed and influenced by great people like Ed Skoudis, John Strand, Eric Cole, Josh Wright, George Bakos, Jeff McJunkin and Judy Novak. Besides helping me learn so much about information security, they also inspired me to want to try to do for others what they, and so many others, had done for me. This is the reason I started teaching for Antisyphon Training (an affordable alternative to SANS), speaking at conferences, and posting free content online. Mentoring others has been the most rewarding part of my career. I love to have a part in another person’s success story.

This whole experience has not only been amazing for me, but also for my family and friends. In 2016 my husband was a high school math teacher. He saw how much I was enjoying my work in cyber security and decided to join in on the fun. At age 42, he went back to the university to pursue a degree in Computer Information Technology and earned 3 industry certifications. In mid-2017 he also became a pentester and has loved it every day since.

Our love for this field of work has influenced our kids as well. Our 3 oldest children (2 daughters and a son) are Software Engineers; two of them work in the cyber security department, but ALL of them know what SQL injection and Cross-Site Scripting are, and I am proud of that! Our third daughter just started her Cybersecurity degree from WGU, an amazing online university where the program includes 15 top industry certifications from CompTIA, Linux Professional Institute and more. The cost is only $4265 for 6 months of access and there is no limit to the number of classes you can complete during that time. In other words, if you work fast, you can save a ton of money. There are no homework assignments, only an exam or two which are graded pass/fail. On top of that, if you work part-time for Kentucky Fried Chicken (KFC) you can get 100% of your WGU tuition paid for.

The list goes on. My son’s best friend was looking for career direction and I encouraged him to work for the local Walmart and take advantage of their “Live Better U” program. This is an amazing program covering the cost of tuition, books and fees for a large list of degrees. Just this month he graduated from the program with a bachelor’s degree in cyber security from Bellevue University. I’m so grateful for companies like Walmart and KFC for supporting their employees.

I hope that my story encourages you to believe in yourself and work towards your dreams and gives you some ideas for moving forward.


Carrie Roberts

Developer turned Red Team . . . then Blue. SANS STI Grad. GSE Certification Holder. Dynamic Defense Engineer at Walmart.