We Hack Purple Podcast 16 with Gabrielle Botbol

Host Tanya Janca Learns what it's like to be a Penetration Tester, with Gabrielle Botbol! Gabrielle is a pentester, cybersecurity blogger and podcaster!
https://twitter.com/Gabrielle_BGB
https://gabrielleb.fr/blog/

This episode sponsored by Thread Fix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field.

Subscribe to our newsletter here:
https://newsletter.wehackpurple.com/

For corporate virtual training contact info@wehackpurple.com

welcome to the we hack purple podcast

where each week

we meet with a different guest from

the information security industry we

want to learn what it's like to do their

job

what is a day like in the life of a pen

tester or an incident responder or an

application security professional we

want to know what kind of training they

need to do to get there because we want

you

to be able to find the job of your

dreams

hopefully in infosec i am tanya janca

your host from

we hack purple we are an academy

podcast and online community

that wants to help everyone create more

secure software

this episode is sponsored by threadfix

wonderful sponsor of many weeks now and

we really appreciate their support and

our guest this week is grabber

is gabrielle and i know what you're

thinking tanya stop talking we want to

see gabrielle i know i know

it's okay here she is and

oops of course i press the button twice

because i'm

impatient so here is gabrielle welcome

thank you thank you tanya for this great

introduction

thank you so much for being on the show

it is

uh i am honored to have another member

of wosec

women of security uh on the show

i'm wondering if you could introduce

yourself briefly

and then maybe uh i'm gonna ask you to

tell everyone what wosack is

sure so well my name is gabriel botbol

as you said

and i am at gabriel_bgb on

twitter

i am a pentester in canada and so as

you mentioned

women of security is a community for

women and the people who are

underrepresented

in the security field and we

are doing uh events and we

join we are trying to make people

who are underrepresented more visible so

that

they can work in cyber security and be

and we can be more and more women there

and and so

i am uh i started a chapter in paris

and i moved to canada so now i'm i just

joined forces with the montreal chapter

and so you are responsible for the

chapter in victoria now so

yes um so that's how we met

and i was really excited that she said

yes to being on the show

um because there are not that well for a

hundred reasons but

there are not that many women pen

testers and also i wanted

because you've been in france and now

you've been in canada

so i feel like you have a whole bunch of

different experiences that you can share

and for the people who are hearing a

small accent

yes she speaks french parisian french

and i know i speak french and some of

you are probably thinking why is this

episode not in french

and it is because it's sponsored in

english

and and the whole show's always in

english and if we have an episode in

french

it will be very confusing for our

listeners

but maybe one day we'll have another

thing in french

so what

could you describe what it's like like

what your

what your job's like like what do you do

so i'm a pen tester and pen testing is

the process of attempting to break into

a system to check

how safe it is so it aims to find

vulnerabilities

so that they can be patched and so

there are different phases in the pen

test you know we

always sleep and tester as always

attacking and everything but

we do not go straight to the attack

phase we need to plan it with the

customer

so we define the scope because there are

a lot of legal matters for this

and then we so this is the planning

phase and then we

need to gather information about the

target like how does it works

understand a little the technologies and

everything so this

is called the discovery phase and

after we attack and we make nuts in the

process and we gather proof

and so this is the attack base and

finally

we are going to produce a report with

explanations

on how to reproduce the flow and how to

correct it

and we will give resources and

everything so that

uh people who read the report can be

able to

uh like the the ideal thing would be

that they would be able to reproduce it

on their

on their own so that they can see for

themselves and

and have a better idea on how to work it

and how to correct it and everything

so this is what pen testing is cool

i feel like um i feel like we should

we should expand pen testing to explain

its penetration

testing um just in case someone doesn't

know that term

yeah exactly would you say that

[Music]

that pen testing is

possibly the most well-known of the

information security types of activities

or jobs

yes you you're probably right because

uh well people uh people

i i feel like people in the industry uh

are very you know there are there is the

red

team part and the blue team part and

they're always excited about the red

team part but we

tend to forget that we have blue team

also which is very important because

they are the one

responsible for um

protecting us and protecting uh industry

citizen and everything and we tend to

forget this but

i really think that blue teamers and red

teamers

should work together because uh this is

this is how um the

this is how it should work i mean we we

are all people we are all different but

together we can make a difference and we

can maybe bring cyber peace one day

let's hope for this

i've never heard it called that before

cyberpeace

i love it

so um yeah i agree with you completely

that sometimes red team seems to get

kind of like more uh

attention and and without

blue team i mean we would all have very

bad days

every day on the internet

um can you tell me what a day

in the life is like of a pentester

yeah sure so i do what

maybe everybody do i open my

mailbox and i'm sending

an email to the customer because i i

need to

announce when i will test their

infrastructure

it's important because in case it's

visible for them

they need to know it's you but it it

really happens that

people notice you but because we are

very stealthy people

we try to be but uh yeah so

we um also tell them when it's done at

the end of the day but

we we have to be careful with emails

because we get a lot of those obviously

we don't spend a lot of time on this we

have

we take we take time to read those at

specific hours

sometimes we have calls with customers

to prepare

new projects and

in my company once every two week we

have meeting

with the team to talk about our projects

how we can be more efficient

in our work and everything and so most

of the time

uh the the core of the of the job is to

uh work and attack and write reports and

everything

so you you learn something every day

because you see different technologies i

mean i'm always amazed at the

quantity of technologies and different

different

systems you you you see in the in the

field it's

it's pretty impressive and so this is

the cool part because you get to learn

a lot of things uh every day i mean i

there's not a day when i don't learn the

things so

this is very nice

okay so that's awesome that

okay so now i have to ask the

contentious question

so how how often do you get noticed

when you're doing your job

uh what will happen sometimes is that we

are going to launch

uh automatic scanners because it help us

uh have an overview of the

thing we might find we do a lot of

manual testings but

the first part will be to make automatic

scanners and sometimes

there are some features in the

system we are testing that with send an

email and so

it happens sometimes that the customer

will tell us i received

like 2 000 emails could you please

do something like because

it's like uh very invasive so and so we

we stopped the scanner thing right away

and we continue everything manually

but yeah it's very rare and it's it's

so and we we can also um

make our automatic scan to be careful

with these kind of things so we can set

them up so that they don't

uh get too intrusive as well so

cool cool oh my gosh i've had that email

situation before and they're like oh no

um do you ever have to go into

a data center and how cold is it

[Music]

uh well when we do sometimes we do

um uh physical pen tests so

like you know physical intrusion so this

is going definitely going to be one of

our target

to see if we can get into the data

center so

that's very cool and it's yeah it's cool

and cold at the same time

because when we get there yeah we get

cold

but it's it's a yeah it's an exciting

part of the

of the job do you ever have to

um like when when i was a pen tester

i would actually have to go physically

into the data center and work

from the data center sometimes do you

have to do that

uh i never have the opportunity to do

this uh

when i go to yes

it's so cold after eight hours you're

like i hate myself

yeah so you bring like your scarf and

your

hoodie and everything and you're like

this i wear a hat

and then i have mitts where it cuts off

the fingertips

and then i type like that because i get

cold

because some customers they're like oh

we don't want to let you through our

firewalls you have to go

in and i would plug into the server

directly it's really weird

and old okay so i never done that before

but i

i'm really curious about this

it was it was not ideal and

also i was surprised how easy it was to

get let in after the first date they

just kept letting me in

they're like oh yeah the the pen tester

ladies here

i if another woman had walked in like if

you walked in they'd probably be like

brown hair she can go in

like it was like the first day was

really strict and then after that

they're like

[Music]

okay your job sounds cool so far

um what types of personality do you

think

someone like

could have or should have to be a good

pentester

like if they're shy or they're

extroverted or they're

you know all those things

um i'd say that you have to be very

curious

because you need you really need to

question everything like if you see

something

like even if you have just a feeling you

need to

to go see what it is and so you really

have this

curiosity thing that is i think it's one

of the most important

thing to have uh you need to be creative

because sometimes you are going to try

things that will not work so you have to

find

a creative way to make it work and

you need to love learning and sharing

and uh because you learn something new

every day but you

you will always have new people in your

team and everything who are new to the

industry so you will have also to share

and everything

so share your knowledge with people ask

them

what they are good at because you also

like gain a lot from

asking questions and everything so yeah

that those would be

the things you i would say for the

personality okay

i like it um a lot of the pentesters

that

i ended up meeting i would say

like no i wouldn't say like all of them

by any means but

a noticeable amount um that i

unfortunately met i would say like maybe

10 or 20 percent

were very arrogant have you

have you met cause like you're not

arrogant i know you

and so uh but have you ended up meeting

other ones where you have noticed that

uh i i would say i don't know if it's a

pentester traits i would say you

always have arrogant people everywhere

unfortunately

but uh yeah it can happen and so

it's not always easy to handle

to handle it but yeah i try not to

to take it personally and i try to

like you know just do my work and

so yeah it can happen but and

sometimes you will have people who think

they know better than you

and i don't know yeah as a woman

sometimes it's even

uh i think it's it amplifies this

because

yeah uh you're just a woman so why are

you talking you know so

just let me explain to you things you

know so

but yeah i mean we are here today and we

are

getting stronger and stronger so

hopefully

we are going to be all over the place

very soon

yes i agree i look forward to the day

where

women make up around

half of the security industry because

then we can finally fill

all those jobs that are they keep

talking about how there's all these jobs

unfulfilled i'm like well we just need

the women to show up we'll be all set

it'll be great yeah i make it sound very

simple don't i

so now i have to talk about my book

because that is a thing that i'm

supposed

to do so i am going to put up on the

screen

a thing about my book so i wrote a book

called alice and bob

learn application security i'm just

going to hide myself from the screen

there

um and basically it is a book all about

apsec it is not

a book about pen testing if you want to

be a pen tester

like some of the stuff covered would be

helpful but you should buy

a different book if that's what you

really want like the one by georgia

weidman

called penetration testing um i own it

it's a good book but if you want to

learn how to create secure software

alice and bob learn absec is the book

for you

okay advertising over all right

i have way more questions for you

gabrielle

um so what types so this is probably the

the question that is

hard to answer but what types of

technical skills

does someone need to be a pen tester

because it feels like there probably

is a lot yeah so

it can be hard to tackle at first but

i would say knowledge in programming is

not mandatory

but it helps a lot because you need to

be able to

understand god injection and to

develop your own exploit if you if you

want to go really far in the practice

i mean it's you you will have to

to get into programming let's face it

it's very important

it's not mandatory to start but i think

it's

good to get it along the way uh

knowledge law because you get to

test networks and everything

uh you have to be comfortable when you

use virtualbox and vmware

you have to be able to know how to

install a virtual machine

uh this is something i i mean i cannot

uh work without a virtual machine no

it's

it's like it's very

important for me

you have you need to have a good

understanding of linux because

uh i think the the best tools are in

linux

for pen testing and

if you have a good comprehension of

operating system it's definitely a plus

like when you are going to

uh do some what we call internal pen

test where you have to take over

a network like if you have a network on

windows you have to understand

everything about windows like so

yeah so those i would say those are the

main technical skills but

you i mean you don't have to be an

expert on all of them for the

for the beginning you just you can get

to know things along the way

i don't mean to make you jealous with

all the nice food i'm eating

i prepared a snack of fresh vegetables

and berries

and cheese yes when we work from home we

can

make the best snack ever

yeah that's a really good that's a

really good list though gabrielle

and i you said it in a really concise

way i really i like the way you

explained it because sometimes people

will say

you need to be an expert at everything

and i'm like no one's an expert at

everything

it just doesn't work out that way and

i agree with you too that like if you

know some coding

it really helps but i see lots of people

get by without it

kind of yeah okay

i'm just like nodding and agreeing so if

people they're listening tanya's like

nodding a lot well gabrielle talks just

so you know

so let's say someone is like

pen testing sounds very interesting to

is there training that someone could

take to become a pen tester

or like a book you feel they should read

like what kinds of ways could they try

to um

to train themselves or or

if there's a course or whatever

so um i think it's important if people

are not comfortable with

writing skills to to learn about

uh how to make good report and

everything because it's

a big part of the job you need to

be able to make

technical concept very easy to

understand for people who are not

technical and for technical people as

well because

in fact a pen testing report is cut in

two parts you have an executive part so

you where you will have non-technicals

who will read them

and you have the technical parts just

after with

a very detailed things and technical

things so

writing skills is very important

and also a training a specific training

i i would recommend platforms like

try hack me which is very good for

beginners

and because they explain like they even

explain how to use

their platform so it's like they're even

a box to

they will explain to you how to set up

your vpn how to connect to the box and

everything so

it's very nice and when you get used to

try hack me

they have also more advanced box and

everything

so they have all levels but it's i

really like it because it's very good

for beginners and

then you can go to hack the box which is

for more advanced user because you have

to like hack the invite code to be able

to get in

and to register there which is very cool

and also you can practice with bug

bounties

and you mentioned earlier the book of

georgia

weidman which is awesome and

uh even though it was written a little

while ago it's still up to date and it's

still definitely

a good one to read so those are the

the things i would and also there are a

lot of platforms

uh like um you learn security

like also

you have a lot of on udemy

the the classes are not that expensive

so if you don't have

a lot of money for the moment and you

just want to

to learn and everything it's it's a good

it's a good step

and if you want more information on

resources and everything

i happen to have a blog with our in

which i put

a list of resources and also

there's an article on how to get started

with spend testing that could be

of interest so feel free to

to go there yes and gabrielle could you

say your blog address out loud for the

people

who are listening and can't see me

flashing it on the screen underneath you

so my blog is gabrielle b dot

fr slash blog and

so from there you will you will have

many different tabs and you will have

one

with a podcast where you will have dania

drankia on a podcast

yes the tables have turned so rece well

previously

i was on gabrielle's um podcast

and so she was the host and i was the

guest and so

it's very fun to switch positions or

spots or whatever you want to call it

so for our listeners um her

her website address is spelled

in a french way so gabrielle is g a

b r i e l l e

b dot f r slash blog so

there's the l e on the end of gabrielle

because it's french and that's feminine

and when you hear it as an anglophone

they might not realize

that there's it's e-l-l-e at the end

because

[Music]

because she she is she is female

and then that is how we spell it i just

want to make sure everyone can get to

your blog

because i've been to her blog there's so

many good things on there

and so i'm gonna flash it again later

don't worry

but um i have more questions as you

might have guessed so

let's say someone is a student in

university or college

or they're switching into i.t from

another

area of tech and they're thinking oh i

saw the hackers movie with angelina

jolie and she's so cool

and i saw swordfish and clearly it's

effortless to be a hacker

and which obviously is not true

and they're like i want to become an

ethical hacker i think this is

an awesome job for me so what types of

work experience

would you suggest they get or can they

just go can they go right out of school

or rate from another field to be a pen

tester or should they try to get other

jobs first what do you think

okay so i love this question because

i always say that there is no linear

or unique path to success in pen testing

personally after high school i studied

dramatic hearts to become an actress and

to finance this training i was also a

receptionist in the

luxury hotel industry in paris

so this is completely different but

in my spare time i programmed websites

about theater

and art in general so this was the

technical touch of this part of my life

and after traveling meeting people

getting to know myself better i just

i i decided to reorient myself and

i 26 years old

i decided to train in application

development and i

i got a bachelor degree in computer

science

and immediately after this i worked for

a large international company as a

developer

but you know then again i went there and

i was like

uh what is what is the security of the

things i

deliver like you know i wish they were

all thinking that

oh continue and we we did not have we

hack purple at the time so we could not

study about this so

[Music]

like and and i've always had like

justice at heart so

the and the field of cyber security

actually addresses this value because

it's

it's about protecting business it's

about protecting

data of individuals and society and

everything so

so yeah so in a way you know a

non-technical experience can lead to

cyber security

due to the meaning you want to give to

your life so

oh i like that a lot

i like yeah i like that a lot

so now is the part of the broadcast

where i

ask people that are listening to click

the thumbs up button if they're watching

the video

and if you're listening consider giving

us a podcast review

because if you give us a podcast review

and they show us

a screenshot of it you send it to our

twitter account which is at

we hack purple we will

send you stickers in the mail yes that's

right bribery from wehack purple

also if you do a review of my book alice

and bob learn

application security there's also

sticker bribery

there for you if you want it um but more

importantly i want to thank our sponsor

threadfix fix is the most

stupendous vulnerability management

system

this side of the galaxy

and a wonderful supporter of we hack

purple and i really appreciate dan and

sheridan and all the people there

and all the things they have done to

support me and my career

and our company so yes

um i still have more questions for you

though like

you're i hope you weren't thinking like

oh we're done now no

no okay so let's say

someone so we have um more people

watching us than normal

which is awesome so thank you to

everyone that is watching us live

and i think it's because they might want

to become pen testers

and that's awesome what what type of

learning

path do you think someone could set up

for themselves so let's say

they're like in the next like year i'm

hoping to move into this

like what types of like if we could

create some sort of like little mini

plan for them

like what would you suggest like do the

try hack me

and then the hack in the box or read

books or

what what do you think so

um there are no specific paths because

it's a

cyber security is a young field so

there's not

a diploma or certification to get into

pen testing

so i would say that you need two

essential skills

which are adapting to the environment

all the time because

technologies are constantly changing and

you need to know how to transfer skills

that you previously acquired

into cyber security skills so those are

two important things

and also

try hack me is good you you can make

your

own uh like

you should you can try to define your

learning profile like

how do you learn best do you learn by

watching videos do you learn by reading

do you learn by talking with people

and if it's all of that just mix it up

and and you can

adapt your learning to your your style

of the way you learn and everything so

that's what i did and i was so

so to i i had like more of um

i'm someone who who needs to practice so

this is why i always try

talk about try hack me and everything

but also

i like to read things i like to listen

watch videos and everything so uh there

are

a lot of amazing youtube channels out

there that

you can learn from um definitely

and also you have a lot of nice moocs

and everything and

just don't stay on the technical side of

things

you can it's always good to have

a holistic view of cyber security you

know this is not only

uh knowing how to get into a system it's

also knowing that

uh you have uh a lot of things like

legal matters like geopolitic

and everything so i went to conferences

about

geopolitic and cyber security so

you have a lot of uh it really depends

how you learn like do you like to

practice and everything and

make something according to your

learning style

i love that you mentioned the types of

learning would you say that it's really

important

specifically as a pen tester to make

sure you know the laws

in the country that you are working

revolving around cyber crime

so you don't accidentally commit one

yeah i think it's it's good to be aware

of those things

like uh because well

most of the time the company you work

for will help you with this so

this is something really uh like

important and so we have like most of

the times you will have to sign

a non-disclosure agreement and things

like this

but it's always good to to know for

yourself

and to to do some research

on the country you're in uh how is the

law

and how does it work and everything

because yeah you definitely need to know

those things i would say

um i want to caution our listeners

so gabrielle is a professional

and she works at a company and she knows

what she's doing

and so do not ever

attack a real website that you don't

have written permission

to do so she's a professional she knows

what she's doing and she has contracts

and she signs all the things and dots

all her eyes

and crosses all of her t's and that's

why she's a professional

do you want to tell people that are

learning about things they should not do

yeah like exactly this don't like use

uh you can use they are on van hub they

are

a virtual machine that you can hack

it's made for this you have lots of uh

different things and places to learn

online like uh so

don't don't hack don't if you see a

website that is

that you feel like it's uh not

that safe don't don't hack it just uh

it you have to have the permission

before so

you can do bug bounties where you you

have

uh this is real context if you want

something like more

than hack the box which is not a real

pen testing in a way

this is just uh boxes so which are very

good to practice

but if you want more real context you

have bug bounties so if you want to

practice in real context just go to back

bounties but don't

decide that you are going to hack i

don't know like the pentagon or the fbi

or anything

just don't do this and and

you you really need to have something

written to

to say that you have the right and you

are authorized to do so

because this is a job you you were

monday twice yes and it has to be your

name not your boss's name

my first professional mentor had me do

things

uh and totally told me it was okay

because he had the contract but now

that i know a lot more i'm like gosh he

was he taught me a lot of very bad

lessons of how to do things like giving

me credentials to things that i should

not have had etc this is why i never

named my first professional mentor

in cyber security because i was like oh

my gosh

that is so not cool um

and i think it's really important that

people know like if you have a

professional mentor

and they're like be make sure that what

they're showing

you what to do is legal make sure that

your

name is on any contract or any agreement

in order to attack things because i want

everyone to have a good experience okay

up next the super tough question does

your job and your type of job does it

pay well

in your opinion

so um when you start you will get

a decent average salary but

when you get more experience the salary

becomes very attractive so

in my opinion yes but don't expect

something big

right at the beginning you have to learn

it's normal so you will get something

but it's pretty decent it's average but

decent so

yeah oh yeah yeah so some of the jobs

when we've been interviewing people

and we asked that question they're like

no the pay is awful

i have to have another job like it

depends on

and i think it's really important that

people understand if something pays well

or not because if they're like looking

really hard to go do a thing like for

instance

um we've had some bug bounty hunters on

the show

and they have explained that there are a

few people that are

that are famous bug bounty hunters and

they'll make like

half a million dollars in a year but

almost all bug bounty hunters

it's because it's fun and it's a passion

they don't get paid well it's not even a

part-time job

for a lot of them like it's a hobby and

pen testing pays

this is good this is good i know

the audience is probably expecting me to

talk about cheese

because in one of the episodes we talked

about like i was trying to ask them

if it pays well or not and

i knew that i had made it as a software

developer when i was able to buy

multiple types of cheese at the grocery

store i was like looking at two

and trying to decide i'm like i can

totally afford both yeah

and when i became a pen tester i was

like i can have three types of cheese

i can have all anything i want in the

grocery store

yeah it's good it's good it's good pay

you're not gonna

you're not you're not going to roll

around in piles of hundred dollar bills

on your bed or anything

like unless you're a weirdo like

it's not gonna be like in the movies um

and

also this assumes you don't break the

law and you don't end up

yeah yeah it's um okay i'm gonna stop

are there many opportunities to get a

job that's similar to yours

yes uh there are plenty of opportunities

but i have to say unfortunately

companies ask

a lot of experience even for beginners

it's very useful like

apply to a lot of job offers whatever

the level of experience is required

just apply you you need i mean you are

going to be able to see

from the inside the expectations of the

employers so this is

always a good experience and like for

instance this is what i did

and i was able to show my skills by

doing a ctf during my trip interview so

don't be discouraged thanks

and if the interview is not conclusive

because you know

it's okay i mean each interview will

allow you to

be better prepared for the next one so

think of it as an exercise not as a

failure

and also something that was really

helpful for me

when i was looking for an opportunity is

my blog

like this is a real portfolio of who i

and what i do and now so

employers like to to see this this and a

blog is perfect for this

you it's not mandatory of course you you

have like you can write articles on

linkedin about things you do

like share ctf write-ups explain a

concept that you're passionate about

like it can take many different forms

but try to

find a way to show what you do what you

know what you love

it's it's always helpful and

also meet people go in the wild meet

people

from the community get involved in the

community go to conferences

talk to speakers talk to attendees and

create an association with your friends

like it doesn't have to be tanya but you

can create

like join a uh some sort of warsek or

something and

and do do it that is such good advice

all of that is totally awesome advice i

would like to just

note that i agree 1000 with everything

she said those are all

and then i put underneath you fantastic

advice

because i was like i don't know what to

say other than just like nod my head

really hard

so if if someone um

[Music]

it what is your what is your favorite

thing

like what do you like the best about

your job

uh learning like learning from my peers

discovering new technologies trying new

things

this is yes this is like i never get

tired of this

so this is my favorite thing that's

awesome

because you definitely have to continue

to learn if you want to be totally

awesome at pen testing

that's good so then what do you like the

least

about your job um

i think i really love everything about

my job but

however what i like least in the field

more globally is the lack of women and

minorities in cyber security

like i mean in order to pacify and make

technology accessible and adapt it to

the

greatest number of people like it is

really urgent that women be present

at all levels in all technical fields

because

yes this way the the future will be

written by

all the ends in this in that society

is society is not only men it's woman

it's lgbtq plus

it's all the people who are

underrepresented so

and and it's exactly also like i said

about before about blue team and red

team

they need to work more together because

they will

make people and organizations stronger

so that would be the things i would

change

you know i could i agree

so much it hurts i really

really really strongly agree i would

like to personally encourage every

single person from

every underrepresented group in tech to

apply to join us to join groups that

support

you so for instance we made wosek a

whole bunch of us

because we wanted to make lots of other

friends that were like

us and we use the the most wide

definition of women

we want every type of woman tall or

short

gay bisexual straight trans cis all of

the types of women

all of them and non-binary folk as well

like yeah if they're if you are in some

other

underrepresented group like joining a

group

just so that you can vent about crap

that happens at work that's not

cool like just being able to go have

brunch with a whole bunch of women and

be like

this happened do you think this might be

sexism and having them all say

yes and like agree with you because if

you ask

a bunch of men that you work with they

will 100 of the time

well not 100. 94 of the time they'll be

like no

i don't i don't see and it's like but

it's just like it's you want i don't

know to have people that have had the

same experiences

as you and can relate to you and

it's so valuable

[Music]

it's important it's important to be able

also to like

see what other people are doing to deal

with problems they're having

and also wosec has resulted in a lot of

people

finding jobs it's like oh you're not

happy where you are we're hiring

because it's hard to hire a skilled

security professional

and i am not above stealing them from

other organizations

and like yeah oh

i feel like you definitely um pressed a

hot topic for me

um what makes you feel the most

pride or the most proud in the work that

you do

so my work is to protect

digital data of all forms and

uh of entities from from companies to

local authorities so

apart from the technical aspect i would

say that

the title of pentesters for me is to

pacify the cyberspace

like to allow the greatest number of

people to surf the net in a

safe and secure way so it is this value

of freedom trust and security that

motivates the meaning of my life and

so you know

like the task is long it's complex

because

of the power struggle of the great

authorities as we see

every day like every minute i would say

in this like geological battle and the

emergence of

cyber criminal groups that are becoming

more and more numerous

every day it's crazy and it's obvious

that

individual liberties democracy

economic stability sovereignty are in

danger

so these challenges they really require

that the population

the population to be informed you know

about the issues of cyber security in

our societies so

yeah what makes me proud in my work is

participate in leading society towards

cyber peace this is

i love it i love it i i often tell

people that working in cyber security

that it's a noble

profession because it's literally our

job to protect others but you're the

first person that i've talked to that i

feel has said it

even better i really like it thanks

yeah that's good and i love the idea of

cyber peace

like i'll say i want my mom to be able

to use the internet safely

like a super smart person but who's not

expert at cyber security i don't want

you to have to be an expert to be able

to go on the internet and buy some shoes

you should just be able to do that

safely

[Music]

yeah thank you what advice

would you give to someone who wants to

try to get into a similar role

as you maybe something actionable

if you can

so it can be scary when you arrive at

first in the industry

but i would say that splitting a big

goal

in small steps and setting up deadlines

would make it easier so

and most of the people in the field they

are willing to share

your knowledge so ask questions whenever

you feel lost

uh what helped me a lot was going to

conferences

going to summer school participating in

workshops

and talking to as many people as i could

and also

social media is a great resource like

influencers in the field dm people to

ask questions or advice

or just make contact so yeah it's not

simple

to break the barrier at first but

getting involved in the cyber community

is really helpful so 100

yes i agree

a lot as usual i agree with gabrielle

just feed that cow

um so uh so we're nearing the end

so i have a more personal question and

you can totally deflect it if you don't

want to answer but are there

other things you do outside of

information security that you want to

sure so so the so uh we talked about the

fact that i

uh on mosaic uh i'm also

a vp communication at northside

conference

it's a conference about cyber security

and they host

an amazing ctf every year uh

and i give talk and workshops about pen

testing

and i love to work on ctf platform and

do peer-to-peer learning with my friends

like we

often meet and and practice together

it's

really motivating that's awesome i would

like to know

i love north sec oh my gosh i love

montreal and the north sac organizers

are so awesome oh my gosh i had

so much fun at that conference and like

yeah montreal is just the culture is so

wonderful

and yeah i love that conference

uh one of the organizers reached out to

me and she's like i heard that you were

saying really good stuff about us

thanks and i was like oh yeah i

had so i loved it and the and the

speaker's gift

was amazing it was whiskey maple syrup

so it was like maple syrup but like or

bourbon

sorry and it was like so delicious and

so french canadian

i am i love french canadians i was

living in quebec before i moved to

british columbia so

um yeah i love northside i'm so happy to

hear you're part of the organizing

committee

they're awesome um okay i'm gonna stop

fangirling okay so last question

um but first of all everyone please

subscribe to the wehack purple podcast

if you are not already subscribed either

on youtube

or on your favorite podcast app or both

both is good too i'll take both okay

but back to you if someone wants to know

about gabrielle but bull where should

they find more about you

do you have a website are there events

or links i can share

so there's my blog as we mentioned it

before which is

gabrielle b dot fr slash blog

and there's there you will find a

podcast

which is called the walter podcast in

which you you can only participate

it and i am on twitter at gabrielle

underscore bgb and on linkedin

it's easy you just type gabriel and you

will

very certainly find me because i think

i'm the only female gabrielle named butt

bomb so

that's pretty easy and i

regularly post events i participate in

so on on those platforms and

you can find also videos of my previous

talk on my blog

on the category talks and also

follow nurse tech conference on twitter

because we are going

to organize a lot of online activities

before the conference

and they will be fun to participate in

so just follow them

and participate to those events you will

love

We Hack Purple Podcast

We Hack Purple Podcast 16 with Gabrielle Botbol

Listen to this podcast on