Host Tanya Janca learns what it's like to be a penetration tester, with Gabrielle Botbol! Gabrielle is a pentester, cybersecurity blogger and podcaster!
https://twitter.com/Gabrielle_BGB
https://gabrielleb.fr/blog/
This episode is sponsored by ThreadFix!
Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter here:
https://newsletter.wehackpurple.com/
For corporate virtual training contact info@wehackpurple.com
welcome to the we hack purple podcast
where each week
we meet with a different guest from
the information security industry we
want to learn what it's like to do their
job
what is a day like in the life of a pen
tester or an incident responder or an
application security professional we
want to know what kind of training they
need to do to get there because we want
you
to be able to find the job of your
dreams
hopefully in infosec i am tanya janca
your host from
we hack purple we are an academy
podcast and online community
that wants to help everyone create more
secure software
this episode is sponsored by threadfix
powered by denim group they're our
wonderful sponsor of many weeks now and
we really appreciate their support and
our guest this week
is gabrielle and i know what you're
thinking tanya stop talking we want to
see gabrielle i know i know
it's okay here she is and
oops of course i press the button twice
because i'm
impatient so here is gabrielle welcome
thank you thank you tanya for this great
introduction
thank you so much for being on the show
it is
uh i am honored to have another member
of wosec
women of security uh on the show
i'm wondering if you could introduce
yourself briefly
and then maybe uh i'm gonna ask you to
tell everyone what wosec is
sure so well my name is gabrielle botbol
as you said
and i am at gabrielle_bgb on
i am a pentester in canada and so as
you mentioned
women of security is a community for
women and the people who are
underrepresented
in the security field and we
are doing uh events and we
join we are trying to make people
who are underrepresented more visible so
that
they can work in cyber security and be
and we can be more and more women there
and and so
i am uh i started a chapter in paris
and i moved to canada so now i'm i just
joined forces with the montreal chapter
and so you are responsible for the
chapter in victoria now so
yes um so that's how we met
and i was really excited that she said
yes to being on the show
um because there are not that well for a
hundred reasons but
there are not that many women pen
testers and also i wanted
because you've been in france and now
you've been in canada
so i feel like you have a whole bunch of
different experiences that you can share
and for the people who are hearing a
small accent
yes she speaks french parisian french
and i know i speak french and some of
you are probably thinking why is this
episode not in french
and it is because it's sponsored in
english
and and the whole show's always in
english and if we have an episode in
french
it will be very confusing for our
listeners
but maybe one day we'll have another
thing in french
so what
could you describe what it's like like
what your
what your job's like like what do you do
so i'm a pen tester and pen testing is
like
the process of attempting to break into
a system to check
how safe it is so it aims to find
vulnerabilities
so that they can be patched and so
there are different phases in the pen
test you know we
always see pen tester as always
attacking and everything but
we do not go straight to the attack
phase we need to plan it with the
customer
so we define the scope because there are
a lot of legal matters for this
and then we so this is the planning
phase and then we
need to gather information about the
target like how does it works
understand a little the technologies and
everything so this
is called the discovery phase and
after we attack and we make notes in the
process and we gather proof
and so this is the attack phase and
finally
we are going to produce a report with
explanations
on how to reproduce the flaw and how to
correct it
and we will give resources and
everything so that
uh people who read the report can be
able to
uh like the the ideal thing would be
that they would be able to reproduce it
on their
on their own so that they can see for
themselves and
and have a better idea on how to work it
and how to correct it and everything
so this is what pen testing is cool
i feel like um i feel like we should
we should expand pen testing to explain
it's penetration
testing um just in case someone doesn't
know that term
yeah exactly would you say that
that pen testing is
possibly the most well-known of the
information security types of activities
or jobs
yes you you're probably right because
uh well people uh people
i i feel like people in the industry uh
are very you know there are there is the
red
team part and the blue team part and
they're always excited about the red
team part but we
tend to forget that we have blue team
also which is very important because
they are the one
responsible for um
protecting us and protecting uh industry
citizen and everything and we tend to
forget this but
i really think that blue teamers and red
teamers
should work together because uh this is
this is how um the
this is how it should work i mean we we
are all people we are all different but
together we can make a difference and we
can maybe bring cyber peace one day
let's hope for this
i've never heard it called that before
cyberpeace
i love it
so um yeah i agree with you completely
that sometimes red team seems to get
kind of like more uh
attention and and without
blue team i mean we would all have very
bad days
every day on the internet
um can you tell me what a day
in the life is like of a pentester
yeah sure so i do what
maybe everybody do i open my
mailbox and i'm sending
an email to the customer because i i
need to
announce when i will test their
infrastructure
it's important because in case it's
visible for them
they need to know it's you but it
rarely happens that
people notice you but because we are
very stealthy people
we try to be but uh yeah so
we um also tell them when it's done at
the end of the day but
we we have to be careful with emails
because we get a lot of those obviously
so
we don't spend a lot of time on this we
have
we take we take time to read those at
specific hours
sometimes we have calls with customers
to prepare
new projects and
in my company once every two week we
have meeting
with the team to talk about our projects
how we can be more efficient
in our work and everything and so most
of the time
uh the the core of the of the job is to
uh work and attack and write reports and
everything
so you you learn something every day
because you see different technologies i
mean i'm always amazed at the
quantity of technologies and different
different
systems you you you see in the in the
field it's
it's pretty impressive and so this is
the cool part because you get to learn
a lot of things uh every day i mean i
there's not a day when i don't learn the
things so
this is very nice
okay so that's awesome that
okay so now i have to ask the
contentious question
so how how often do you get noticed
when you're doing your job
uh what will happen sometimes is that we
are going to launch
uh automatic scanners because it help us
to
uh have an overview of the
thing we might find we do a lot of
manual testings but
the first part will be to make automatic
scanners and sometimes
there are some features in the
system we are testing that will send an
email and so
it happens sometimes that the customer
will tell us i received
like 2,000 emails could you please
do something like because
it's like uh very invasive so and so we
we stopped the scanner thing right away
and we continue everything manually
but yeah it's very rare and it's it's
so and we we can also um
make our automatic scan to be careful
with these kind of things so we can set
them up so that they don't
uh get too intrusive as well so
cool cool oh my gosh i've had that email
situation before and they're like oh no
um do you ever have to go into
a data center and how cold is it
uh well when we do sometimes we do
um uh physical pen tests so
like you know physical intrusion so this
is going definitely going to be one of
our target
to see if we can get into the data
center so
that's very cool and it's yeah it's cool
and cold at the same time
because when we get there yeah we get
cold
but it's it's a yeah it's an exciting
part of the
of the job do you ever have to
um like when when i was a pen tester
i would actually have to go physically
into the data center and work
from the data center sometimes do you
have to do that
uh i never have the opportunity to do
this uh
when i go to yes
it's so cold after eight hours you're
like i hate myself
yeah so you bring like your scarf and
your
hoodie and everything and you're like
this i wear a hat
and then i have mitts where it cuts off
the fingertips
and then i type like that because i get
so
cold
because some customers they're like oh
we don't want to let you through our
firewalls you have to go
in and i would plug into the server
directly it's really weird
and old okay so i never done that before
but i
i'm really curious about this
it was it was not ideal and
also i was surprised how easy it was to
get let in after the first day they
just kept letting me in
they're like oh yeah the the pen tester
lady's here
i if another woman had walked in like if
you walked in they'd probably be like
brown hair she can go in
like it was like the first day was
really strict and then after that
they're like
okay your job sounds cool so far
um what types of personality do you
think
someone like
could have or should have to be a good
pentester
like if they're shy or they're
extroverted or they're
you know all those things
um i'd say that you have to be very
curious
because you need you really need to
question everything like if you see
something
like even if you have just a feeling you
need to
to go see what it is and so you really
have this
curiosity thing that is i think it's one
of the most important
thing to have uh you need to be creative
because sometimes you are going to try
things that will not work so you have to
find
a creative way to make it work and
you need to love learning and sharing
and uh because you learn something new
every day but you
you will always have new people in your
team and everything who are new to the
industry so you will have also to share
and everything
so share your knowledge with people ask
them
what they are good at because you also
like gain a lot from
asking questions and everything so yeah
that those would be
the things you i would say for the
personality okay
i like it um a lot of the pentesters
that
i ended up meeting i would say
like no i wouldn't say like all of them
by any means but
a noticeable amount um that i
unfortunately met i would say like maybe
10 or 20 percent
were very arrogant have you
have you met cause like you're not
arrogant i know you
and so uh but have you ended up meeting
other ones where you have noticed that
uh i i would say i don't know if it's a
pentester traits i would say you
always have arrogant people everywhere
unfortunately
but uh yeah it can happen and so
it's not always easy to handle
to handle it but yeah i try not to
to take it personally and i try to
like you know just do my work and
so yeah it can happen but and
sometimes you will have people who think
they know better than you
and i don't know yeah as a woman
sometimes it's even
uh i think it's it amplifies this
because
yeah uh you're just a woman so why are
you talking you know so
just let me explain to you things you
know so
but yeah i mean we are here today and we
are
getting stronger and stronger so
hopefully
we are going to be all over the place
very soon
yes i agree i look forward to the day
where
women make up around
half of the security industry because
then we can finally fill
all those jobs that are they keep
talking about how there's all these jobs
unfulfilled i'm like well we just need
the women to show up we'll be all set
it'll be great yeah i make it sound very
simple don't i
so now i have to talk about my book
because that is a thing that i'm
supposed
to do so i am going to put up on the
screen
a thing about my book so i wrote a book
called alice and bob
learn application security i'm just
going to hide myself from the screen
there
um and basically it is a book all about
appsec it is not
a book about pen testing if you want to
be a pen tester
like some of the stuff covered would be
helpful but you should buy
a different book if that's what you
really want like the one by georgia
weidman
called penetration testing um i own it
it's a good book but if you want to
learn how to create secure software
alice and bob learn appsec is the book
for you
okay advertising over all right
i have way more questions for you
gabrielle
um so what types so this is probably the
the question that is
hard to answer but what types of
technical skills
does someone need to be a pen tester
because it feels like there probably
is a lot yeah so
it can be hard to tackle at first but
i would say knowledge in programming is
not mandatory
but it helps a lot because you need to
be able to
understand code injection and to
develop your own exploit if you if you
want to go really far in the practice
i mean it's you you will have to
to get into programming let's face it
it's very important
it's not mandatory to start but i think
it's
good to get it along the way uh
knowledge of networks because you get to
test networks and everything
uh you have to be comfortable when you
use virtualbox and vmware
you have to be able to know how to
install a virtual machine
uh this is something i i mean i cannot
uh work without a virtual machine no
it's
it's like it's very
important for me
you have you need to have a good
understanding of linux because
uh i think the the best tools are in
linux
for pen testing and
if you have a good comprehension of
operating system it's definitely a plus
like when you are going to
uh do some what we call internal pen
test where you have to take over
a network like if you have a network on
windows you have to understand
everything about windows like so
yeah so those i would say those are the
main technical skills but
you i mean you don't have to be an
expert on all of them for the
for the beginning you just you can get
to know things along the way
i don't mean to make you jealous with
all the nice food i'm eating
i prepared a snack of fresh vegetables
and berries
and cheese yes when we work from home we
can
make the best snack ever
yeah that's a really good that's a
really good list though gabrielle
and i you said it in a really concise
way i really i like the way you
explained it because sometimes people
will say
you need to be an expert at everything
and i'm like no one's an expert at
everything
it just doesn't work out that way and
i agree with you too that like if you
know some coding
it really helps but i see lots of people
get by without it
kind of yeah okay
i'm just like nodding and agreeing so if
people they're listening tanya's like
nodding a lot while gabrielle talks just
so you know
so let's say someone is like
pen testing sounds very interesting to
me
is there training that someone could
take to become a pen tester
or like a book you feel they should read
or
like what kinds of ways could they try
to um
to train themselves or or
if there's a course or whatever
so um i think it's important if people
are not comfortable with
writing skills to to learn about
uh how to make good report and
everything because it's
a big part of the job you need to
be able to make
technical concept very easy to
understand for people who are not
technical and for technical people as
well because
in fact a pen testing report is cut in
two parts you have an executive part so
you where you will have non-technicals
who will read them
and you have the technical parts just
after with
a very detailed things and technical
things so
writing skills is very important
and also a training a specific training
i i would recommend platforms like
try hack me which is very good for
beginners
and because they explain like they even
explain how to use
their platform so it's like they're even
a box to
they will explain to you how to set up
your vpn how to connect to the box and
everything so
it's very nice and when you get used to
try hack me
they have also more advanced box and
everything
so they have all levels but it's i
really like it because it's very good
for beginners and
then you can go to hack the box which is
for more advanced user because you have
to like hack the invite code to be able
to get in
and to register there which is very cool
and also you can practice with bug
bounties
and you mentioned earlier the book of
georgia
weidman which is awesome and
uh even though it was written a little
while ago it's still up to date and it's
still definitely
a good one to read so those are the
the things i would and also there are a
lot of platforms
uh like um elearnsecurity
like also
you have a lot of on udemy
the the classes are not that expensive
so if you don't have
a lot of money for the moment and you
just want to
to learn and everything it's it's a good
it's a good step
and if you want more information on
resources and everything
i happen to have a blog with our in
which i put
a list of resources and also
there's an article on how to get started
with pen testing that could be
of interest so feel free to
to go there yes and gabrielle could you
say your blog address out loud for the
people
who are listening and can't see me
flashing it on the screen underneath you
so my blog is gabrielle b dot
fr slash blog and
so from there you will you will have
many different tabs and you will have
one
with a podcast where you will have tanya
janca on a podcast
yes the tables have turned so rece well
previously
i was on gabrielle's um podcast
and so she was the host and i was the
guest and so
it's very fun to switch positions or
spots or whatever you want to call it
so for our listeners um her
her website address is spelled
in a french way so gabrielle is g a
b r i e l l e
b dot f r slash blog so
there's the l e on the end of gabrielle
because it's french and that's feminine
and when you hear it as an anglophone
they might not realize
that there's it's e-l-l-e at the end
because
because she she is she is female
and then that is how we spell it i just
want to make sure everyone can get to
your blog
because i've been to her blog there's so
many good things on there
and so i'm gonna flash it again later
don't worry
but um i have more questions as you
might have guessed so
let's say someone is a student in
university or college
or they're switching into i.t from
another
area of tech and they're thinking oh i
saw the hackers movie with angelina
jolie and she's so cool
and i saw swordfish and clearly it's
effortless to be a hacker
and which obviously is not true
and they're like i want to become an
ethical hacker i think this is
an awesome job for me so what types of
work experience
would you suggest they get or can they
just go can they go right out of school
or right from another field to be a pen
tester or should they try to get other
jobs first what do you think
okay so i love this question because
i always say that there is no linear
or unique path to success in pen testing
personally after high school i studied
dramatic arts to become an actress and
to finance this training i was also a
receptionist in the
luxury hotel industry in paris
so this is completely different but
in my spare time i programmed websites
about theater
and art in general so this was the
technical touch of this part of my life
and after traveling meeting people
getting to know myself better i just
like
i i decided to reorient myself and
at 26 years old
i decided to train in application
development and i
i got a bachelor degree in computer
science
and immediately after this i worked for
a large international company as a
developer
but you know then again i went there and
i was like
uh what is what is the security of the
things i
deliver like you know i wish they were
all thinking that
oh continue and we we did not have we
hack purple at the time so we could not
study about this so
like and and i've always had like
justice at heart so
the and the field of cyber security
actually addresses this value because
it's
it's about protecting business it's
about protecting
data of individuals and society and
everything so
so yeah so in a way you know a
non-technical experience can lead to
cyber security
due to the meaning you want to give to
your life so
oh i like that a lot
i like yeah i like that a lot
so now is the part of the broadcast
where i
ask people that are listening to click
the thumbs up button if they're watching
the video
and if you're listening consider giving
us a podcast review
because if you give us a podcast review
and they show us
a screenshot of it you send it to our
twitter account which is at
we hack purple we will
send you stickers in the mail yes that's
right bribery from wehack purple
also if you do a review of my book alice
and bob learn
application security there's also
sticker bribery
there for you if you want it um but more
importantly i want to thank our sponsor
threadfix fix is the most
stupendous vulnerability management
system
this side of the galaxy
and a wonderful supporter of we hack
purple and i really appreciate dan and
sheridan and all the people there
and all the things they have done to
support me and my career
and our company so yes
um i still have more questions for you
though like
you're i hope you weren't thinking like
oh we're done now no
no okay so let's say
someone so we have um more people
watching us than normal
which is awesome so thank you to
everyone that is watching us live
and i think it's because they might want
to become pen testers
and that's awesome what what type of
learning
path do you think someone could set up
for themselves so let's say
they're like in the next like year i'm
hoping to move into this
like what types of like if we could
create some sort of like little mini
plan for them
like what would you suggest like do the
try hack me
and then the hack in the box or read
books or
what what do you think so
um there are no specific paths because
it's a
cyber security is a young field so
there's not
a diploma or certification to get into
pen testing
so i would say that you need two
essential skills
which are adapting to the environment
all the time because
technologies are constantly changing and
you need to know how to transfer skills
that you previously acquired
into cyber security skills so those are
two important things
and also
try hack me is good you you can make
your
own uh like
you should you can try to define your
learning profile like
how do you learn best do you learn by
watching videos do you learn by reading
do you learn by talking with people
and if it's all of that just mix it up
and and you can
adapt your learning to your your style
of the way you learn and everything so
that's what i did and i was so
so to i i had like more of um
i'm someone who who needs to practice so
this is why i always try
talk about try hack me and everything
but also
i like to read things i like to listen
to
watch videos and everything so uh there
are
a lot of amazing youtube channels out
there that
you can learn from um definitely
and also you have a lot of nice moocs
and everything and
just don't stay on the technical side of
things
you can it's always good to have
a holistic view of cyber security you
know this is not only
uh knowing how to get into a system it's
also knowing that
uh you have uh a lot of things like
legal matters like geopolitic
and everything so i went to conferences
about
geopolitic and cyber security so
you have a lot of uh it really depends
on
how you learn like do you like to
practice and everything and
make something according to your
learning style
i love that you mentioned the types of
learning would you say that it's really
important
specifically as a pen tester to make
sure you know the laws
in the country that you are working
revolving around cyber crime
so you don't accidentally commit one
yeah i think it's it's good to be aware
of those things
like uh because well
most of the time the company you work
for will help you with this so
this is something really uh like
important and so we have like most of
the times you will have to sign
a non-disclosure agreement and things
like this
but it's always good to to know for
yourself
and to to do some research
on the country you're in uh how is the
law
and how does it work and everything
because yeah you definitely need to know
those things i would say
um i want to caution our listeners
so gabrielle is a professional
and she works at a company and she knows
what she's doing
and so do not ever
attack a real website that you don't
have written permission
to do so she's a professional she knows
what she's doing and she has contracts
and she signs all the things and dots
all her i's
and crosses all of her t's and that's
why she's a professional
do you want to tell people that are
learning about things they should not do
yeah like exactly this don't like use
uh you can use they are on vulnhub they
are
a virtual machine that you can hack
it's made for this you have lots of uh
different things and places to learn
online like uh so
don't don't hack don't if you see a
website that is
that you feel like it's uh not
that safe don't don't hack it just uh
it you have to have the permission
before so
you can do bug bounties where you you
have
uh this is real context if you want
something like more
than hack the box which is not a real
pen testing in a way
this is just uh boxes so which are very
good to practice
but if you want more real context you
have bug bounties so if you want to
practice in real context just go to bug
bounties but don't
decide that you are going to hack i
don't know like the pentagon or the fbi
or anything
just don't do this and and
you you really need to have something
written to
to say that you have the right and you
are authorized to do so
because this is a job you you were
monday twice yes and it has to be your
name not your boss's name
my first professional mentor had me do
things
uh and totally told me it was okay
because he had the contract but now
that i know a lot more i'm like gosh he
was he taught me a lot of very bad
lessons of how to do things like giving
me credentials to things that i should
not have had etc this is why i never
named my first professional mentor
in cyber security because i was like oh
my gosh
that is so not cool um
and i think it's really important that
people know like if you have a
professional mentor
and they're like be make sure that what
they're showing
you what to do is legal make sure that
your
name is on any contract or any agreement
in order to attack things because i want
everyone to have a good experience okay
so
up next the super tough question does
your job and your type of job does it
pay well
in your opinion
so um when you start you will get
a decent average salary but
when you get more experience the salary
becomes very attractive so
in my opinion yes but don't expect
something big
right at the beginning you have to learn
it's normal so you will get something
but it's pretty decent it's average but
decent so
yeah oh yeah yeah so some of the jobs
when we've been interviewing people
and we asked that question they're like
no the pay is awful
i have to have another job like it
depends on
and i think it's really important that
people understand if something pays well
or not because if they're like looking
really hard to go do a thing like for
instance
um we've had some bug bounty hunters on
the show
and they have explained that there are a
few people that are
that are famous bug bounty hunters and
they'll make like
half a million dollars in a year but
almost all bug bounty hunters
it's because it's fun and it's a passion
they don't get paid well it's not even a
part-time job
for a lot of them like it's a hobby and
so
pen testing pays
this is good this is good i know
the audience is probably expecting me to
talk about cheese
because in one of the episodes we talked
about like i was trying to ask them
if it pays well or not and
i knew that i had made it as a software
developer when i was able to buy
multiple types of cheese at the grocery
store i was like looking at two
and trying to decide i'm like i can
totally afford both yeah
and when i became a pen tester i was
like i can have three types of cheese
i can have all anything i want in the
grocery store
yeah it's good it's good it's good pay
you're not gonna
you're not you're not going to roll
around in piles of hundred dollar bills
on your bed or anything
like unless you're a weirdo like
it's not gonna be like in the movies um
and
also this assumes you don't break the
law and you don't end up
yeah yeah it's um okay i'm gonna stop
are there many opportunities to get a
job that's similar to yours
yes uh there are plenty of opportunities
but i have to say unfortunately
companies ask
a lot of experience even for beginners
so
it's very useful like
apply to a lot of job offers whatever
the level of experience is required
just apply you you need i mean you are
going to be able to see
from the inside the expectations of the
employers so this is
always a good experience and like for
instance this is what i did
and i was able to show my skills by
doing a ctf during my trip interview so
don't be discouraged thanks
and if the interview is not conclusive
because you know
it's okay i mean each interview will
allow you to
be better prepared for the next one so
think of it as an exercise not as a
failure
and also something that was really
helpful for me
when i was looking for an opportunity is
my blog
like this is a real portfolio of who i
am
and what i do and know so
employers like to to see this this and a
blog is perfect for this
you it's not mandatory of course you you
have like you can write articles on
linkedin about things you do
like share ctf write-ups explain a
concept that you're passionate about
like it can take many different forms
but try to
find a way to show what you do what you
know what you love
it's it's always helpful and
also meet people go in the wild meet
people
from the community get involved in the
community go to conferences
talk to speakers talk to attendees and
create an association with your friends
like it doesn't have to be tanya but you
can create
like join a uh some sort of wosec or
something and
and do do it that is such good advice
all of that is totally awesome advice i
would like to just
note that i agree 1000% with everything
she said those are all
and then i put underneath you fantastic
advice
because i was like i don't know what to
say other than just like nod my head
really hard
so if if someone um
it what is your what is your favorite
thing
like what do you like the best about
your job
uh learning like learning from my peers
discovering new technologies trying new
things
this is yes this is like i never get
tired of this
so this is my favorite thing that's
awesome
because you definitely have to continue
to learn if you want to be totally
awesome at pen testing
that's good so then what do you like the
least
about your job um
i think i really love everything about
my job but
however what i like least in the field
more globally is the lack of women and
minorities in cyber security
like i mean in order to pacify and make
technology accessible and adapt it to
the
greatest number of people like it is
really urgent that women be present
at all levels in all technical fields
because
yes this way the the future will be
written by
all the ends in this in that society
is society is not only men it's woman
it's lgbtq plus
it's all the people who are
underrepresented so
and and it's exactly also like i said
about before about blue team and red
team
they need to work more together because
they will
make people and organizations stronger
so that would be the things i would
change
you know i could i agree
so much it hurts i really
really really strongly agree i would
like to personally encourage every
single person from
every underrepresented group in tech to
apply to join us to join groups that
support
you so for instance we made wosec a
whole bunch of us
because we wanted to make lots of other
friends that were like
us and we use the the most wide
definition of women
we want every type of woman tall or
short
gay bisexual straight trans cis all of
the types of women
all of them and non-binary folk as well
like yeah if they're if you are in some
other
underrepresented group like joining a
group
just so that you can vent about crap
that happens at work that's not
cool like just being able to go have
brunch with a whole bunch of women and
be like
this happened do you think this might be
sexism and having them all say
yes and like agree with you because if
you ask
a bunch of men that you work with they
will 100% of the time
well not 100%. 94% of the time they'll be
like no
i don't i don't see and it's like but
it's just like it's you want i don't
know to have people that have had the
same experiences
as you and can relate to you and
it's so valuable
it's important it's important to be able
also to like
see what other people are doing to deal
with problems they're having
and also wosec has resulted in a lot of
people
finding jobs it's like oh you're not
happy where you are we're hiring
because it's hard to hire a skilled
security professional
and i am not above stealing them from
other organizations
and like yeah oh
i feel like you definitely um pressed a
hot topic for me
um what makes you feel the most
pride or the most proud in the work that
you do
so my work is to protect
digital data of all forms and
uh of entities from from companies to
local authorities so
apart from the technical aspect i would
say that
the title of pentesters for me is to
pacify the cyberspace
like to allow the greatest number of
people to surf the net in a
safe and secure way so it is this value
of freedom trust and security that
motivates the meaning of my life and
so you know
like the task is long it's complex
because
of the power struggle of the great
authorities as we see
every day like every minute i would say
in this like geological battle and the
emergence of
cyber criminal groups that are becoming
more and more numerous
every day it's crazy and it's obvious
that
individual liberties democracy
economic stability sovereignty are in
danger
so these challenges they really require
that the population
the population to be informed you know
about the issues of cyber security in
our societies so
yeah what makes me proud in my work is
to
participate in leading society towards
cyber peace this is
i love it i love it i i often tell
people that working in cyber security
that it's a noble
profession because it's literally our
job to protect others but you're the
first person that i've talked to that i
feel has said it
even better i really like it thanks
yeah that's good and i love the idea of
cyber peace
like i'll say i want my mom to be able
to use the internet safely
like a super smart person but who's not
an
expert at cyber security i don't want
you to have to be an expert to be able
to go on the internet and buy some shoes
you should just be able to do that
safely
yeah thank you what advice
would you give to someone who wants to
try to get into a similar role
as you maybe something actionable
if you can
so it can be scary when you arrive at
first in the industry
but i would say that splitting a big
goal
in small steps and setting up deadlines
would make it easier so
and most of the people in the field they
are willing to share
your knowledge so ask questions whenever
you feel lost
uh what helped me a lot was going to
conferences
going to summer school participating in
workshops
and talking to as many people as i could
and also
social media is a great resource like
follow
influencers in the field dm people to
ask questions or advice
or just make contact so yeah it's not
simple
to break the barrier at first but
getting involved in the cyber community
is really helpful so 100%
yes i agree
a lot as usual i agree with gabrielle
just feed that cow
um so uh so we're nearing the end
so i have a more personal question and
you can totally deflect it if you don't
want to answer but are there
other things you do outside of
information security that you want to
share
sure so so the so uh we talked about the
fact that i
uh on wosec uh i'm also
a vp communication at north sec
conference
it's a conference about cyber security
and they host
an amazing ctf every year uh
and i give talk and workshops about pen
testing
and i love to work on ctf platform and
do peer-to-peer learning with my friends
like we
often meet and and practice together
it's
really motivating that's awesome i would
like to know
i love north sec oh my gosh i love
montreal and the north sec organizers
are so awesome oh my gosh i had
so much fun at that conference and like
yeah montreal is just the culture is so
wonderful
and yeah i love that conference
uh one of the organizers reached out to
me and she's like i heard that you were
saying really good stuff about us
thanks and i was like oh yeah i
had so i loved it and the and the
speaker's gift
was amazing it was whiskey maple syrup
so it was like maple syrup but like or
bourbon
sorry and it was like so delicious and
so french canadian
i am i love french canadians i was
living in quebec before i moved to
british columbia so
um yeah i love north sec i'm so happy to
hear you're part of the organizing
committee
they're awesome um okay i'm gonna stop
fangirling okay so last question
um but first of all everyone please
subscribe to the we hack purple podcast
if you are not already subscribed either
on youtube
or on your favorite podcast app or both
both is good too i'll take both okay
but back to you if someone wants to know
more
about gabrielle botbol where should
they find more about you
do you have a website are there events
or links i can share
so there's my blog as we mentioned it
before which is
gabrielleb.fr/blog
and there's there you will find a
podcast
which is called the walter podcast in
which you you can only participate
it and i am on twitter at @Gabrielle_BGB
and on linkedin
it's easy you just type gabrielle and you
will
very certainly find me because i think
i'm the only female gabrielle named
botbol so
that's pretty easy and i
regularly post events i participate in
so on on those platforms and
you can find also videos of my previous
talk on my blog
on the category talks and also
follow north sec conference on twitter
because we are going
to organize a lot of online activities
before the conference
and they will be fun to participate in
so just follow them
and participate to those events you will
love
you will love it awesome awesome
thank you so much for being on the
podcast this has been so great and i
feel like you shared
such good advice like really really good
actionable helpful realistic advice
this has been wonderful thank you so
much gabrielle
thank you tanya for having me and thank
you to we hack purple academy and the
sponsor and
please buy uh tanya's book because it's
amazing and she is amazing so
thank you thanks a lot thank you bye
bye and with that
i am going to close up this episode of
the we hack purple podcast i want to
thank
everyone who has been doing um
giving us reviews i want to thank our
guests i want to thank
especially our sponsor
threadfix powered by denim group
gabrielle botbol she was amazing
i want to tell you just about some of
the people that are going to be
up next month because we have well
as you might imagine a whole bunch more
guests planned
so next week we have
an amazing surprise for you well it's
not a surprise we have
shelly gesbridge also known
so you've probably heard of her as
nerdocity and so i've been following her
on
a line for a long time and she actually
said yes to be on the show and i'm super
excited and she's going to talk about
incident response and
she is a fellow canadian yeah that's
right
after that we're going to have mahidina
afrin and she's going to talk about
being a bug bounty hunter
and then next year because we're taking
a two-week break over the christmas
holidays
so we're going to come back on january
7th with
najla lindsay and she's going to talk
about being a forensic
investigator which is something i
actually don't know as much about so i'm
really excited
and after that we're going to have brian
anderson
sasha rosenbaum we're going to have
talash
super sam i'm sorry telash for not
saying your name
correctly then we're gonna have ally
melon and
stephanie black and so many others and i
want to thank you personally so again
i'm your host tanya janca
also known as she hacks purple thank you
so much for tuning in
we really really appreciate you as our
listeners i love it when people talk to
us i love it when people give us
feedback
and we really appreciate you
participating in the we hack purple
movement have a great week and i'll see
you next week