We Hack Purple Podcast

We Hack Purple Podcast 16 with Gabrielle Botbol

December 07, 2020 We Hack Purple! Season 1 Episode 16

Host Tanya Janca learns what it's like to be a Penetration Tester with Gabrielle Botbol! Gabrielle is a pentester, cybersecurity blogger and podcaster!
https://twitter.com/Gabrielle_BGB
https://gabrielleb.fr/blog/

This episode is sponsored by ThreadFix!

Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A safe place to learn and share your knowledge with other professionals in the field.

Subscribe to our newsletter here: 
https://newsletter.wehackpurple.com/

For corporate virtual training contact [email protected]


 welcome to the we hack purple podcast 

 where each week 

 we meet with a different guest from 

 the information security industry we 

 want to learn what it's like to do their 

 job 

 what is a day like in the life of a pen 

 tester or an incident responder or an 

 application security professional we 

 want to know what kind of training they 

 need to do to get there because we want 

 you 

 to be able to find the job of your 

 dreams 

 hopefully in infosec i am tanya janca 

 your host from 

 we hack purple we are an academy 

 podcast and online community 

 that wants to help everyone create more 

 secure software 

 this episode is sponsored by threadfix 

 powered by denim group they're our 

 wonderful sponsor of many weeks now and 

 we really appreciate their support and 

 our guest this week is grabber 

 is gabrielle and i know what you're 

 thinking tanya stop talking we want to 

 see gabrielle i know i know 

 it's okay here she is and 

 oops of course i press the button twice 

 because i'm 

 impatient so here is gabrielle welcome 

 thank you thank you tanya for this great 

 introduction 

 thank you so much for being on the show 

 it is 

 uh i am honored to have another member 

 of wosec 

 women of security uh on the show 

 i'm wondering if you could introduce 

 yourself briefly 

 and then maybe uh i'm gonna ask you to 

 tell everyone what wosack is 

 sure so well my name is gabriel botbol 

 as you said 

 and i am at gabriel_bgb on 

 twitter 

 i am a pentester in canada and so as 

 you mentioned 

 women of security is a community for 

 women and the people who are 

 underrepresented 

 in the security field and we 

 are doing uh events and we 

 join we are trying to make people 

 who are underrepresented more visible so 

 that 

 they can work in cyber security and be 

 and we can be more and more women there 

 and and so 

 i am uh i started a chapter in paris 

 and i moved to canada so now i'm i just 

 joined forces with the montreal chapter 

 and so you are responsible for the 

 chapter in victoria now so 

 yes um so that's how we met 

 and i was really excited that she said 

 yes to being on the show 

 um because there are not that well for a 

 hundred reasons but 

 there are not that many women pen 

 testers and also i wanted 

 because you've been in france and now 

 you've been in canada 

 so i feel like you have a whole bunch of 

 different experiences that you can share 

 and for the people who are hearing a 

 small accent 

 yes she speaks french parisian french 

 and i know i speak french and some of 

 you are probably thinking why is this 

 episode not in french 

 and it is because it's sponsored in 

 english 

 and and the whole show's always in 

 english and if we have an episode in 

 french 

 it will be very confusing for our 

 listeners 

 but maybe one day we'll have another 

 thing in french 

 so what 

 could you describe what it's like like 

 what your 

 what your job's like like what do you do 

 so i'm a pen tester and pen testing is 

 like 

 the process of attempting to break into 

 a system to check 

 how safe it is so it aims to find 

 vulnerabilities 

 so that they can be patched and so 

 there are different phases in the pen 

 test you know we 

 always sleep and tester as always 

 attacking and everything but 

 we do not go straight to the attack 

 phase we need to plan it with the 

 customer 

 so we define the scope because there are 

 a lot of legal matters for this 

 and then we so this is the planning 

 phase and then we 

 need to gather information about the 

 target like how does it works 

 understand a little the technologies and 

 everything so this 

 is called the discovery phase and 

 after we attack and we make nuts in the 

 process and we gather proof 

 and so this is the attack base and 

 finally 

 we are going to produce a report with 

 explanations 

 on how to reproduce the flow and how to 

 correct it 

 and we will give resources and 

 everything so that 

 uh people who read the report can be 

 able to 

 uh like the the ideal thing would be 

 that they would be able to reproduce it 

 on their 

 on their own so that they can see for 

 themselves and 

 and have a better idea on how to work it 

 and how to correct it and everything 

 so this is what pen testing is cool 

 i feel like um i feel like we should 

 we should expand pen testing to explain 

 its penetration 

 testing um just in case someone doesn't 

 know that term 

 yeah exactly would you say that 

 [Music] 

 that pen testing is 

 possibly the most well-known of the 

 information security types of activities 

 or jobs 

 yes you you're probably right because 

 uh well people uh people 

 i i feel like people in the industry uh 

 are very you know there are there is the 

 red 

 team part and the blue team part and 

 they're always excited about the red 

 team part but we 

 tend to forget that we have blue team 

 also which is very important because 

 they are the one 

 responsible for um 

 protecting us and protecting uh industry 

 citizen and everything and we tend to 

 forget this but 

 i really think that blue teamers and red 

 teamers 

 should work together because uh this is 

 this is how um the 

 this is how it should work i mean we we 

 are all people we are all different but 

 together we can make a difference and we 

 can maybe bring cyber peace one day 

 let's hope for this 

 i've never heard it called that before 

 cyberpeace 

 i love it 

 so um yeah i agree with you completely 

 that sometimes red team seems to get 

 kind of like more uh 

 attention and and without 

 blue team i mean we would all have very 

 bad days 

 every day on the internet 

 um can you tell me what a day 

 in the life is like of a pentester 

 yeah sure so i do what 

 maybe everybody do i open my 

 mailbox and i'm sending 

 an email to the customer because i i 

 need to 

 announce when i will test their 

 infrastructure 

 it's important because in case it's 

 visible for them 

 they need to know it's you but it it 

 really happens that 

 people notice you but because we are 

 very stealthy people 

 we try to be but uh yeah so 

 we um also tell them when it's done at 

 the end of the day but 

 we we have to be careful with emails 

 because we get a lot of those obviously 

 so 

 we don't spend a lot of time on this we 

 have 

 we take we take time to read those at 

 specific hours 

 sometimes we have calls with customers 

 to prepare 

 new projects and 

 in my company once every two week we 

 have meeting 

 with the team to talk about our projects 

 how we can be more efficient 

 in our work and everything and so most 

 of the time 

 uh the the core of the of the job is to 

 uh work and attack and write reports and 

 everything 

 so you you learn something every day 

 because you see different technologies i 

 mean i'm always amazed at the 

 quantity of technologies and different 

 different 

 systems you you you see in the in the 

 field it's 

 it's pretty impressive and so this is 

 the cool part because you get to learn 

 a lot of things uh every day i mean i 

 there's not a day when i don't learn the 

 things so 

 this is very nice 

 okay so that's awesome that 

 okay so now i have to ask the 

 contentious question 

 so how how often do you get noticed 

 when you're doing your job 

 uh what will happen sometimes is that we 

 are going to launch 

 uh automatic scanners because it help us 

 to 

 uh have an overview of the 

 thing we might find we do a lot of 

 manual testings but 

 the first part will be to make automatic 

 scanners and sometimes 

 there are some features in the 

 system we are testing that with send an 

 email and so 

 it happens sometimes that the customer 

 will tell us i received 

 like 2 000 emails could you please 

 do something like because 

 it's like uh very invasive so and so we 

 we stopped the scanner thing right away 

 and we continue everything manually 

 but yeah it's very rare and it's it's 

 so and we we can also um 

 make our automatic scan to be careful 

 with these kind of things so we can set 

 them up so that they don't 

 uh get too intrusive as well so 

 cool cool oh my gosh i've had that email 

 situation before and they're like oh no 

 um do you ever have to go into 

 a data center and how cold is it 

 [Music] 

 uh well when we do sometimes we do 

 um uh physical pen tests so 

 like you know physical intrusion so this 

 is going definitely going to be one of 

 our target 

 to see if we can get into the data 

 center so 

 that's very cool and it's yeah it's cool 

 and cold at the same time 

 because when we get there yeah we get 

 cold 

 but it's it's a yeah it's an exciting 

 part of the 

 of the job do you ever have to 

 um like when when i was a pen tester 

 i would actually have to go physically 

 into the data center and work 

 from the data center sometimes do you 

 have to do that 

 uh i never have the opportunity to do 

 this uh 

 when i go to yes 

 it's so cold after eight hours you're 

 like i hate myself 

 yeah so you bring like your scarf and 

 your 

 hoodie and everything and you're like 

 this i wear a hat 

 and then i have mitts where it cuts off 

 the fingertips 

 and then i type like that because i get 

 so 

 cold 

 because some customers they're like oh 

 we don't want to let you through our 

 firewalls you have to go 

 in and i would plug into the server 

 directly it's really weird 

 and old okay so i never done that before 

 but i 

 i'm really curious about this 

 it was it was not ideal and 

 also i was surprised how easy it was to 

 get let in after the first date they 

 just kept letting me in 

 they're like oh yeah the the pen tester 

 ladies here 

 i if another woman had walked in like if 

 you walked in they'd probably be like 

 brown hair she can go in 

 like it was like the first day was 

 really strict and then after that 

 they're like 

 [Music] 

 okay your job sounds cool so far 

 um what types of personality do you 

 think 

 someone like 

 could have or should have to be a good 

 pentester 

 like if they're shy or they're 

 extroverted or they're 

 you know all those things 

 um i'd say that you have to be very 

 curious 

 because you need you really need to 

 question everything like if you see 

 something 

 like even if you have just a feeling you 

 need to 

 to go see what it is and so you really 

 have this 

 curiosity thing that is i think it's one 

 of the most important 

 thing to have uh you need to be creative 

 because sometimes you are going to try 

 things that will not work so you have to 

 find 

 a creative way to make it work and 

 you need to love learning and sharing 

 and uh because you learn something new 

 every day but you 

 you will always have new people in your 

 team and everything who are new to the 

 industry so you will have also to share 

 and everything 

 so share your knowledge with people ask 

 them 

 what they are good at because you also 

 like gain a lot from 

 asking questions and everything so yeah 

 that those would be 

 the things you i would say for the 

 personality okay 

 i like it um a lot of the pentesters 

 that 

 i ended up meeting i would say 

 like no i wouldn't say like all of them 

 by any means but 

 a noticeable amount um that i 

 unfortunately met i would say like maybe 

 10 or 20 percent 

 were very arrogant have you 

 have you met cause like you're not 

 arrogant i know you 

 and so uh but have you ended up meeting 

 other ones where you have noticed that 

 uh i i would say i don't know if it's a 

 pentester traits i would say you 

 always have arrogant people everywhere 

 unfortunately 

 but uh yeah it can happen and so 

 it's not always easy to handle 

 to handle it but yeah i try not to 

 to take it personally and i try to 

 like you know just do my work and 

 so yeah it can happen but and 

 sometimes you will have people who think 

 they know better than you 

 and i don't know yeah as a woman 

 sometimes it's even 

 uh i think it's it amplifies this 

 because 

 yeah uh you're just a woman so why are 

 you talking you know so 

 just let me explain to you things you 

 know so 

 but yeah i mean we are here today and we 

 are 

 getting stronger and stronger so 

 hopefully 

 we are going to be all over the place 

 very soon 

 yes i agree i look forward to the day 

 where 

 women make up around 

 half of the security industry because 

 then we can finally fill 

 all those jobs that are they keep 

 talking about how there's all these jobs 

 unfulfilled i'm like well we just need 

 the women to show up we'll be all set 

 it'll be great yeah i make it sound very 

 simple don't i 

 so now i have to talk about my book 

 because that is a thing that i'm 

 supposed 

 to do so i am going to put up on the 

 screen 

 a thing about my book so i wrote a book 

 called alice and bob 

 learn application security i'm just 

 going to hide myself from the screen 

 there 

 um and basically it is a book all about 

 apsec it is not 

 a book about pen testing if you want to 

 be a pen tester 

 like some of the stuff covered would be 

 helpful but you should buy 

 a different book if that's what you 

 really want like the one by georgia 

 weidman 

 called penetration testing um i own it 

 it's a good book but if you want to 

 learn how to create secure software 

 alice and bob learn absec is the book 

 for you 

 okay advertising over all right 

 i have way more questions for you 

 gabrielle 

 um so what types so this is probably the 

 the question that is 

 hard to answer but what types of 

 technical skills 

 does someone need to be a pen tester 

 because it feels like there probably 

 is a lot yeah so 

 it can be hard to tackle at first but 

 i would say knowledge in programming is 

 not mandatory 

 but it helps a lot because you need to 

 be able to 

 understand god injection and to 

 develop your own exploit if you if you 

 want to go really far in the practice 

 i mean it's you you will have to 

 to get into programming let's face it 

 it's very important 

 it's not mandatory to start but i think 

 it's 

 good to get it along the way uh 

 knowledge law because you get to 

 test networks and everything 

 uh you have to be comfortable when you 

 use virtualbox and vmware 

 you have to be able to know how to 

 install a virtual machine 

 uh this is something i i mean i cannot 

 uh work without a virtual machine no 

 it's 

 it's like it's very 

 important for me 

 you have you need to have a good 

 understanding of linux because 

 uh i think the the best tools are in 

 linux 

 for pen testing and 

 if you have a good comprehension of 

 operating system it's definitely a plus 

 like when you are going to 

 uh do some what we call internal pen 

 test where you have to take over 

 a network like if you have a network on 

 windows you have to understand 

 everything about windows like so 

 yeah so those i would say those are the 

 main technical skills but 

 you i mean you don't have to be an 

 expert on all of them for the 

 for the beginning you just you can get 

 to know things along the way 

 i don't mean to make you jealous with 

 all the nice food i'm eating 

 i prepared a snack of fresh vegetables 

 and berries 

 and cheese yes when we work from home we 

 can 

 make the best snack ever 

 yeah that's a really good that's a 

 really good list though gabrielle 

 and i you said it in a really concise 

 way i really i like the way you 

 explained it because sometimes people 

 will say 

 you need to be an expert at everything 

 and i'm like no one's an expert at 

 everything 

 it just doesn't work out that way and 

 i agree with you too that like if you 

 know some coding 

 it really helps but i see lots of people 

 get by without it 

 kind of yeah okay 

 i'm just like nodding and agreeing so if 

 people they're listening tanya's like 

 nodding a lot well gabrielle talks just 

 so you know 

 so let's say someone is like 

 pen testing sounds very interesting to 

 me 

 is there training that someone could 

 take to become a pen tester 

 or like a book you feel they should read 

 or 

 like what kinds of ways could they try 

 to um 

 to train themselves or or 

 if there's a course or whatever 

 so um i think it's important if people 

 are not comfortable with 

 writing skills to to learn about 

 uh how to make good report and 

 everything because it's 

 a big part of the job you need to 

 be able to make 

 technical concept very easy to 

 understand for people who are not 

 technical and for technical people as 

 well because 

 in fact a pen testing report is cut in 

 two parts you have an executive part so 

 you where you will have non-technicals 

 who will read them 

 and you have the technical parts just 

 after with 

 a very detailed things and technical 

 things so 

 writing skills is very important 

 and also a training a specific training 

 i i would recommend platforms like 

 try hack me which is very good for 

 beginners 

 and because they explain like they even 

 explain how to use 

 their platform so it's like they're even 

 a box to 

 they will explain to you how to set up 

 your vpn how to connect to the box and 

 everything so 

 it's very nice and when you get used to 

 try hack me 

 they have also more advanced box and 

 everything 

 so they have all levels but it's i 

 really like it because it's very good 

 for beginners and 

 then you can go to hack the box which is 

 for more advanced user because you have 

 to like hack the invite code to be able 

 to get in 

 and to register there which is very cool 

 and also you can practice with bug 

 bounties 

 and you mentioned earlier the book of 

 georgia 

 weidman which is awesome and 

 uh even though it was written a little 

 while ago it's still up to date and it's 

 still definitely 

 a good one to read so those are the 

 the things i would and also there are a 

 lot of platforms 

 uh like um you learn security 

 like also 

 you have a lot of on udemy 

 the the classes are not that expensive 

 so if you don't have 

 a lot of money for the moment and you 

 just want to 

 to learn and everything it's it's a good 

 it's a good step 

 and if you want more information on 

 resources and everything 

 i happen to have a blog with our in 

 which i put 

 a list of resources and also 

 there's an article on how to get started 

 with spend testing that could be 

 of interest so feel free to 

 to go there yes and gabrielle could you 

 say your blog address out loud for the 

 people 

 who are listening and can't see me 

 flashing it on the screen underneath you 

 so my blog is gabrielle b dot 

 fr slash blog and 

 so from there you will you will have 

 many different tabs and you will have 

 one 

 with a podcast where you will have dania 

 drankia on a podcast 

 yes the tables have turned so rece well 

 previously 

 i was on gabrielle's um podcast 

 and so she was the host and i was the 

 guest and so 

 it's very fun to switch positions or 

 spots or whatever you want to call it 

 so for our listeners um her 

 her website address is spelled 

 in a french way so gabrielle is g a 

 b r i e l l e 

 b dot f r slash blog so 

 there's the l e on the end of gabrielle 

 because it's french and that's feminine 

 and when you hear it as an anglophone 

 they might not realize 

 that there's it's e-l-l-e at the end 

 because 

 [Music] 

 because she she is she is female 

 and then that is how we spell it i just 

 want to make sure everyone can get to 

 your blog 

 because i've been to her blog there's so 

 many good things on there 

 and so i'm gonna flash it again later 

 don't worry 

 but um i have more questions as you 

 might have guessed so 

 let's say someone is a student in 

 university or college 

 or they're switching into i.t from 

 another 

 area of tech and they're thinking oh i 

 saw the hackers movie with angelina 

 jolie and she's so cool 

 and i saw swordfish and clearly it's 

 effortless to be a hacker 

 and which obviously is not true 

 and they're like i want to become an 

 ethical hacker i think this is 

 an awesome job for me so what types of 

 work experience 

 would you suggest they get or can they 

 just go can they go right out of school 

 or rate from another field to be a pen 

 tester or should they try to get other 

 jobs first what do you think 

 okay so i love this question because 

 i always say that there is no linear 

 or unique path to success in pen testing 

 personally after high school i studied 

 dramatic hearts to become an actress and 

 to finance this training i was also a 

 receptionist in the 

 luxury hotel industry in paris 

 so this is completely different but 

 in my spare time i programmed websites 

 about theater 

 and art in general so this was the 

 technical touch of this part of my life 

 and after traveling meeting people 

 getting to know myself better i just 

 like 

 i i decided to reorient myself and 

 i 26 years old 

 i decided to train in application 

 development and i 

 i got a bachelor degree in computer 

 science 

 and immediately after this i worked for 

 a large international company as a 

 developer 

 but you know then again i went there and 

 i was like 

 uh what is what is the security of the 

 things i 

 deliver like you know i wish they were 

 all thinking that 

 oh continue and we we did not have we 

 hack purple at the time so we could not 

 study about this so 

 [Music] 

 like and and i've always had like 

 justice at heart so 

 the and the field of cyber security 

 actually addresses this value because 

 it's 

 it's about protecting business it's 

 about protecting 

 data of individuals and society and 

 everything so 

 so yeah so in a way you know a 

 non-technical experience can lead to 

 cyber security 

 due to the meaning you want to give to 

 your life so 

 oh i like that a lot 

 i like yeah i like that a lot 

 so now is the part of the broadcast 

 where i 

 ask people that are listening to click 

 the thumbs up button if they're watching 

 the video 

 and if you're listening consider giving 

 us a podcast review 

 because if you give us a podcast review 

 and they show us 

 a screenshot of it you send it to our 

 twitter account which is at 

 we hack purple we will 

 send you stickers in the mail yes that's 

 right bribery from wehack purple 

 also if you do a review of my book alice 

 and bob learn 

 application security there's also 

 sticker bribery 

 there for you if you want it um but more 

 importantly i want to thank our sponsor 

 threadfix fix is the most 

 stupendous vulnerability management 

 system 

 this side of the galaxy 

 and a wonderful supporter of we hack 

 purple and i really appreciate dan and 

 sheridan and all the people there 

 and all the things they have done to 

 support me and my career 

 and our company so yes 

 um i still have more questions for you 

 though like 

 you're i hope you weren't thinking like 

 oh we're done now no 

 no okay so let's say 

 someone so we have um more people 

 watching us than normal 

 which is awesome so thank you to 

 everyone that is watching us live 

 and i think it's because they might want 

 to become pen testers 

 and that's awesome what what type of 

 learning 

 path do you think someone could set up 

 for themselves so let's say 

 they're like in the next like year i'm 

 hoping to move into this 

 like what types of like if we could 

 create some sort of like little mini 

 plan for them 

 like what would you suggest like do the 

 try hack me 

 and then the hack in the box or read 

 books or 

 what what do you think so 

 um there are no specific paths because 

 it's a 

 cyber security is a young field so 

 there's not 

 a diploma or certification to get into 

 pen testing 

 so i would say that you need two 

 essential skills 

 which are adapting to the environment 

 all the time because 

 technologies are constantly changing and 

 you need to know how to transfer skills 

 that you previously acquired 

 into cyber security skills so those are 

 two important things 

 and also 

 try hack me is good you you can make 

 your 

 own uh like 

 you should you can try to define your 

 learning profile like 

 how do you learn best do you learn by 

 watching videos do you learn by reading 

 do you learn by talking with people 

 and if it's all of that just mix it up 

 and and you can 

 adapt your learning to your your style 

 of the way you learn and everything so 

 that's what i did and i was so 

 so to i i had like more of um 

 i'm someone who who needs to practice so 

 this is why i always try 

 talk about try hack me and everything 

 but also 

 i like to read things i like to listen 

 to 

 watch videos and everything so uh there 

 are 

 a lot of amazing youtube channels out 

 there that 

 you can learn from um definitely 

 and also you have a lot of nice moocs 

 and everything and 

 just don't stay on the technical side of 

 things 

 you can it's always good to have 

 a holistic view of cyber security you 

 know this is not only 

 uh knowing how to get into a system it's 

 also knowing that 

 uh you have uh a lot of things like 

 legal matters like geopolitic 

 and everything so i went to conferences 

 about 

 geopolitic and cyber security so 

 you have a lot of uh it really depends 

 on 

 how you learn like do you like to 

 practice and everything and 

 make something according to your 

 learning style 

 i love that you mentioned the types of 

 learning would you say that it's really 

 important 

 specifically as a pen tester to make 

 sure you know the laws 

 in the country that you are working 

 revolving around cyber crime 

 so you don't accidentally commit one 

 yeah i think it's it's good to be aware 

 of those things 

 like uh because well 

 most of the time the company you work 

 for will help you with this so 

 this is something really uh like 

 important and so we have like most of 

 the times you will have to sign 

 a non-disclosure agreement and things 

 like this 

 but it's always good to to know for 

 yourself 

 and to to do some research 

 on the country you're in uh how is the 

 law 

 and how does it work and everything 

 because yeah you definitely need to know 

 those things i would say 

 um i want to caution our listeners 

 so gabrielle is a professional 

 and she works at a company and she knows 

 what she's doing 

 and so do not ever 

 attack a real website that you don't 

 have written permission 

 to do so she's a professional she knows 

 what she's doing and she has contracts 

 and she signs all the things and dots 

 all her eyes 

 and crosses all of her t's and that's 

 why she's a professional 

 do you want to tell people that are 

 learning about things they should not do 

 yeah like exactly this don't like use 

 uh you can use they are on van hub they 

 are 

 a virtual machine that you can hack 

 it's made for this you have lots of uh 

 different things and places to learn 

 online like uh so 

 don't don't hack don't if you see a 

 website that is 

 that you feel like it's uh not 

 that safe don't don't hack it just uh 

 it you have to have the permission 

 before so 

 you can do bug bounties where you you 

 have 

 uh this is real context if you want 

 something like more 

 than hack the box which is not a real 

 pen testing in a way 

 this is just uh boxes so which are very 

 good to practice 

 but if you want more real context you 

 have bug bounties so if you want to 

 practice in real context just go to back 

 bounties but don't 

 decide that you are going to hack i 

 don't know like the pentagon or the fbi 

 or anything 

 just don't do this and and 

 you you really need to have something 

 written to 

 to say that you have the right and you 

 are authorized to do so 

 because this is a job you you were 

 monday twice yes and it has to be your 

 name not your boss's name 

 my first professional mentor had me do 

 things 

 uh and totally told me it was okay 

 because he had the contract but now 

 that i know a lot more i'm like gosh he 

 was he taught me a lot of very bad 

 lessons of how to do things like giving 

 me credentials to things that i should 

 not have had etc this is why i never 

 named my first professional mentor 

 in cyber security because i was like oh 

 my gosh 

 that is so not cool um 

 and i think it's really important that 

 people know like if you have a 

 professional mentor 

 and they're like be make sure that what 

 they're showing 

 you what to do is legal make sure that 

 your 

 name is on any contract or any agreement 

 in order to attack things because i want 

 everyone to have a good experience okay 

 so 

 up next the super tough question does 

 your job and your type of job does it 

 pay well 

 in your opinion 

 so um when you start you will get 

 a decent average salary but 

 when you get more experience the salary 

 becomes very attractive so 

 in my opinion yes but don't expect 

 something big 

 right at the beginning you have to learn 

 it's normal so you will get something 

 but it's pretty decent it's average but 

 decent so 

Yeah. Oh yeah, yeah. So some of the jobs, when we've been interviewing people and we asked that question, they're like, no, the pay is awful, I have to have another job. Like, it depends. And I think it's really important that people understand if something pays well or not, because if they're looking really hard to go do a thing, like for instance, we've had some bug bounty hunters on the show, and they have explained that there are a few people that are famous bug bounty hunters and they'll make like half a million dollars in a year, but almost all bug bounty hunters, it's because it's fun and it's a passion. They don't get paid well. It's not even a part-time job for a lot of them, like it's a hobby. And so pen testing pays. This is good, this is good. I know the audience is probably expecting me to talk about cheese, because in one of the episodes we talked about, like, I was trying to ask them if it pays well or not, and I knew that I had made it as a software developer when I was able to buy multiple types of cheese at the grocery store. I was looking at two and trying to decide, and I'm like, I can totally afford both. Yeah. And when I became a pen tester I was like, I can have three types of cheese, I can have anything I want in the grocery store. Yeah, it's good, it's good, it's good pay. You're not going to roll around in piles of hundred dollar bills on your bed or anything, like, unless you're a weirdo. It's not going to be like in the movies. And also this assumes you don't break the law and you don't end up... yeah, yeah. Okay, I'm going to stop. Are there many opportunities to get a job that's similar to yours?

Yes, there are plenty of opportunities, but I have to say, unfortunately, companies ask a lot of experience even for beginners. So it's very useful, like, apply to a lot of job offers, whatever the level of experience that is required. Just apply. I mean, you are going to be able to see from the inside the expectations of the employers, so this is always a good experience. And like, for instance, this is what I did, and I was able to show my skills by doing a CTF during my job interview. So don't be discouraged. And if the interview is not conclusive, because, you know, it's okay, I mean, each interview will allow you to be better prepared for the next one. So think of it as an exercise, not as a failure. And also, something that was really helpful for me when I was looking for an opportunity is my blog. Like, this is a real portfolio of who I am and what I do. Employers like to see this, and a blog is perfect for this. It's not mandatory, of course. You can write articles on LinkedIn about things you do, like share CTF write-ups, explain a concept that you're passionate about. It can take many different forms, but try to find a way to show what you do, what you know, what you love. It's always helpful. And also meet people, go in the wild, meet people from the community, get involved in the community, go to conferences, talk to speakers, talk to attendees, and create an association with your friends. Like, it doesn't have to be Tanya, but you can create, like, join some sort of WoSEC or something, and do it.

That is such good advice. All of that is totally awesome advice. I would like to just note that I agree 1000% with everything she said. Those are all... and then I put underneath, you, fantastic advice, because I was like, I don't know what to say other than just, like, nod my head really hard. So, what is your favorite thing, like what do you like the best about your job?

Learning, like learning from my peers, discovering new technologies, trying new things. Yes, this is like, I never get tired of this. So this is my favorite thing.

That's awesome, because you definitely have to continue to learn if you want to be totally awesome at pen testing. That's good. So then what do you like the least about your job?

I think I really love everything about my job. However, what I like least in the field, more globally, is the lack of women and minorities in cyber security. I mean, in order to pacify and make technology accessible and adapt it to the greatest number of people, it is really urgent that women be present at all levels in all technical fields, because this way the future will be written by all, and in that society... society is not only men, it's women, it's LGBTQ+, it's all the people who are underrepresented. And it's exactly also like I said before about blue team and red team: they need to work more together because they will make people and organizations stronger. So that would be the things I would change.

You know, I agree so much it hurts. I really, really, really strongly agree. I would like to personally encourage every single person from every underrepresented group in tech to apply to join us, to join groups that support you. So for instance, we made WoSEC, a whole bunch of us, because we wanted to make lots of other friends that were like us, and we use the most wide definition of women. We want every type of woman, tall or short, gay, bisexual, straight, trans, cis, all of the types of women, all of them, and non-binary folk as well. Like, yeah, if you are in some other underrepresented group, like, joining a group just so that you can vent about crap that happens at work that's not cool, like just being able to go have brunch with a whole bunch of women and be like, this happened, do you think this might be sexism, and having them all say yes and agree with you. Because if you ask a bunch of men that you work with, they will 100% of the time, well not 100%, 94% of the time, they'll be like, no, I don't see it. And it's like, but... you want, I don't know, to have people that have had the same experiences as you and can relate to you, and it's so valuable. It's important to be able also to see what other people are doing to deal with problems they're having. And also WoSEC has resulted in a lot of people finding jobs. It's like, oh, you're not happy where you are? We're hiring. Because it's hard to hire a skilled security professional, and I am not above stealing them from other organizations. And like, yeah. Oh, I feel like you definitely pressed a hot topic for me. What makes you feel the most pride, or the most proud, in the work that you do?

So my work is to protect digital data of all forms, and of entities from companies to local authorities. So apart from the technical aspect, I would say that the title of pentesters for me is to pacify the cyberspace, like to allow the greatest number of people to surf the net in a safe and secure way. So it is this value of freedom, trust and security that motivates the meaning of my life. And so, you know, the task is long, it's complex, because of the power struggle of the great authorities, as we see every day, like every minute I would say, in this geopolitical battle, and the emergence of cyber criminal groups that are becoming more and more numerous every day. It's crazy, and it's obvious that individual liberties, democracy, economic stability, sovereignty are in danger. So these challenges, they really require the population to be informed, you know, about the issues of cyber security in our societies. So yeah, what makes me proud in my work is to participate in leading society towards cyber peace.

I love it, I love it. I often tell people that working in cyber security is a noble profession, because it's literally our job to protect others, but you're the first person that I've talked to that I feel has said it even better. I really like it.

Thanks.

Yeah, that's good. And I love the idea of cyber peace. Like, I'll say I want my mom to be able to use the internet safely, like a super smart person but who's not an expert at cyber security. I don't want you to have to be an expert to be able to go on the internet and buy some shoes. You should just be able to do that safely.

Yeah, thank you.

What advice would you give to someone who wants to try to get into a similar role as you, maybe something actionable, if you can?

So it can be scary when you arrive at first in the industry, but I would say that splitting a big goal in small steps and setting up deadlines would make it easier. And most of the people in the field, they are willing to share their knowledge, so ask questions whenever you feel lost. What helped me a lot was going to conferences, going to summer school, participating in workshops, and talking to as many people as I could. And also social media is a great resource, like follow influencers in the field, DM people to ask questions or advice, or just make contact. So yeah, it's not simple to break the barrier at first, but getting involved in the cyber community is really helpful.

100%, yes, I agree a lot. As usual I agree with Gabrielle. Just feed that cow.

So we're nearing the end, so I have a more personal question, and you can totally deflect it if you don't want to answer, but are there other things you do outside of information security that you want to share?

Sure. So we talked about the fact that I'm on WoSEC. I'm also VP Communication at NorthSec conference. It's a conference about cyber security and they host an amazing CTF every year, and I give talks and workshops about pen testing, and I love to work on CTF platforms and do peer-to-peer learning with my friends. Like, we often meet and practice together. It's

really motivating.

That's awesome. I would like to know... I love NorthSec. Oh my gosh, I love Montreal, and the NorthSec organizers are so awesome. Oh my gosh, I had so much fun at that conference, and like, yeah, Montreal, the culture is so wonderful, and yeah, I love that conference. One of the organizers reached out to me and she's like, I heard that you were saying really good stuff about us, thanks, and I was like, oh yeah, I loved it. And the speaker's gift was amazing. It was whiskey maple syrup, so it was like maple syrup but with, or bourbon, sorry, and it was so delicious and so French Canadian. I love French Canadians. I was living in Quebec before I moved to British Columbia. So, yeah, I love NorthSec. I'm so happy to hear you're part of the organizing committee. They're awesome. Okay, I'm going to stop fangirling. Okay, so last question, but first of all, everyone please subscribe to the We Hack Purple podcast if you are not already subscribed, either on YouTube or on your favorite podcast app, or both. Both is good too, I'll take both. Okay, but back to you: if someone wants to know more about Gabrielle Botbol, where should they find more about you? Do you have a website? Are there events or links I can share?

So there's my blog, as we mentioned it before, which is gabrielleb.fr/blog, and there you will find a podcast which is called the Walter podcast, in which you can only participate, and I am on Twitter at @Gabrielle_BGB, and on LinkedIn it's easy, you just type Gabrielle and you will very certainly find me, because I think I'm the only female Gabrielle named Botbol. So that's pretty easy, and I regularly post events I participate in on those platforms, and you can find also videos of my previous talks on my blog in the category Talks. And also follow NorthSec conference on Twitter, because we are going to organize a lot of online activities before the conference, and they will be fun to participate in, so just follow them and participate in those events. You will love

it. You will love it.

Awesome, awesome. Thank you so much for being on the podcast. This has been so great, and I feel like you shared such good advice, like really, really good, actionable, helpful, realistic advice. This has been wonderful. Thank you so much, Gabrielle.

Thank you, Tanya, for having me, and thank you to We Hack Purple Academy and the sponsor, and please buy Tanya's book because it's amazing and she is amazing. So thank you. Thanks a lot. Thank you, bye.

Bye. And with that, I am going to close up this episode of the We Hack Purple podcast. I want to thank everyone who has been giving us reviews. I want to thank our guests. I want to thank especially our sponsor, ThreadFix, powered by Denim Group. Gabrielle Botbol, she was amazing. I want to tell you just about some of the people that are going to be up next month, because we have, as you might imagine, a whole bunch more guests planned. So next week we have an amazing surprise for you. Well, it's not a surprise: we have Shelly Giesbrecht, also known as, so you've probably heard of her as, Nerdiosity, and I've been following her online for a long time, and she actually said yes to be on the show, and I'm super excited. And she's going to talk about incident response, and she is a fellow Canadian. Yeah, that's right. After that we're going to have Mahidina Afrin, and she's going to talk about being a bug bounty hunter. And then next year, because we're taking a two-week break over the Christmas holidays, we're going to come back on January 7th with Najla Lindsay, and she's going to talk about being a forensic investigator, which is something I actually don't know as much about, so I'm really excited. And after that we're going to have Brian Anderson, Sasha Rosenbaum, we're going to have Talash, Super Sam, I'm sorry, Telash, for not saying your name correctly, then we're going to have Ally Melon and Stephanie Black and so many others. And I want to thank you personally. So again, I'm your host, Tanya Janca, also known as SheHacksPurple. Thank you so much for tuning in. We really, really appreciate you as our listeners. I love it when people talk to us. I love it when people give us feedback, and we really appreciate you participating in the We Hack Purple movement. Have a great week, and I'll see you next week.