We Hack Purple Podcast

We Hack Purple Podcast 22 with Guest Talesh Seeparsan

January 29, 2021 We Hack Purple! Season 1 Episode 22

In episode 22 of the We Hack Purple podcast, host Tanya Janca learns what it's like to work in eCommerce security with Talesh Seeparsan!

Follow Talesh on Twitter! His website is here.

Thank you to our sponsor ThreadFix! They make an amazing vulnerability management system, and you should check it OUT!

*Please note that due to technical issues during the podcast, this has been edited to fix the mistakes and ensure continuity. All of what Talesh said is still in the podcast.

Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security 

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A safe place to learn and share your knowledge with other professionals in the field.

Subscribe to our newsletter for free content and other goodness!

For live virtual corporate training contact info@wehackpurple.com 

During the recording of this episode I had some audio problems and I cut in and out for a bit. In order to make this flow a lot better, we've re-recorded a couple of the questions that I asked Talesh. We didn't want to remove any of what Talesh said, because he had lots of great stuff to say. We hope you enjoy this episode.

Welcome to the We Hack Purple podcast, where each week we meet a new member of the information security industry and find out about their super interesting jobs. As you know, I am Tanya Janca, your host, also known as She Hacks Purple, and I am from We Hack Purple, a learning academy, community, podcast and way, way more. Um, this week we're going to talk to Talesh Seeparsan and we're going to talk about the security of e-commerce, and I don't know about you, but I really like buying stuff on the internet, so I'm pretty excited to talk to Talesh. But instead of me telling you about him... actually, first, we are sponsored by ThreadFix, and I want to say a big shout out and thank you to them, because they just announced they want to sponsor us all the way until we've run out of guests. So thank you very, very much. But with that, let's talk to Talesh and let's learn about how we can secure our e-commerce. So Talesh, welcome.

Thank you, Tanya. Thanks for having me.

Oh, thank you for coming on the show. I follow you on Twitter, so I was excited when you said, um...

It's my honor to be here.

Awesome. So what is... could you briefly tell us basically, like, what e-commerce is, and then kind of why we need to secure it? [Laughter]

I mean, e-commerce, now how could I explain this? How do I explain the concept of shopping online? Um, as you can imagine, in the last, you know, 12 months e-commerce has probably taken off dramatically around the world.

Oh yeah.

Um, and, you know, shopping online has become a fixture of our day-to-day lives, and, uh, my personal history with it is that I've started working with e-commerce, wow, we're looking at approximately 15 years ago, and, you know, like yourself, I've started this, this journey
as a, you know, working in development and building stores, building e-commerce stores, and as a budding PHP developer back then, um, it was, it was a great space to be in. And I know I'm saying the word PHP just from the get-go and this is a security podcast, but, uh, before anyone, before anyone starts tuning away, um, PHP has grown up a lot. PHP has grown up a significant amount since, you know, you've, you've heard about the crazy PHP hacks. So there is, there is a lot that's been done in the last decade or so for PHP and securing PHP stores. And I, I started 15 years ago as a PHP developer, but I'd say around, uh, you know, six, seven years ago the attackers, uh, started paying a little bit closer attention to our e-commerce frameworks and the ability to get credit cards from e-commerce sites, as opposed to skimming cards from, say, a gas station or an ATM. And the explosion in attacks against e-commerce sites has kind of made me realize that, you know, we need to start spending more time and effort building more secure e-commerce, and that's basically what I've been focused on for the last six, seven years: helping developers build e-commerce stores a little bit, taking, taking security and building defensively from an early, early on in the process.

And unlike most of the infosec industry, there is one thing that attackers want when it comes to e-commerce, is credit cards. Slight, slight anecdote: once we had attackers try to run, once, ransomware on our merchant's servers, but they, that lasted just a few weeks, because they learned very quickly that merchants have excellent backups. Merchants do not want their sites to go down in any way, shape or form. So that was, that was the only time I've, I've dealt with attackers on e-commerce systems not hunting credit cards. And credit cards is this, this is the gold that everyone's after when they, when we talk about securing e-commerce sites. So it's, it's a little bit different from, you know, protecting networks or protecting big enterprise systems where attackers may be
searching for information or, you know, trying to steal identities and this sort of stuff. Um, the goal is the credit cards. So that's, that kind of gives you, like, a big picture of how e-commerce security goes. It's, it's, it's very focused.

So how did you get from being a PHP developer working... so first of all, I guess, okay, I want to know first how you got into e-commerce, and then I would love to know how you got from being an e-commerce dev into being an e-commerce security person. It's a two-part question.

Okay. Um, because, you know, and it kind of, we might end up talking a little bit about security businesses later, but when it comes to business, I found that the clients for my, you know, contracting, my, you know, solo development contracting business was, uh, uh, was more happy to pay when the e-commerce clients and they wanted something built. So I've realized that this field worked well for me.

I like money too. I really like it when I do work and then they pay me. Turns out not everyone wants to do that.

So, so, so, I mean, like, I wish I had something better just like it, but, you know, it was just financially driven. You know, I had reliable clients that paid on time and, um, so, so that, that got me from PHP into e-commerce. And luckily for me, at the time when I started there was actually, my plate's still here, um, there was a PHP e-commerce framework called Magento, and they, they were just taking off when I made that transition. Um, I used to be a Flash developer also, if you, if you want all, all the bad things.

Oh my gosh, have you also robbed banks and kicked puppies?

I've worked for an online casino also. [Laughter] No, you're getting all my secrets. Oh, so, so yeah, I mean, uh, you know, I, I, I went from, you know, the Flash PHP thing in the early 2000s to just PHP e-commerce, and luckily for me I got in very early into the Magento world, which is a PHP framework that just focuses on e-commerce. Luckily they were popular enough that, you know, they were at one point in time owned by Adobe, eventually owned by private
equity firms, and now they're part of Adobe. Sorry, they were owned by eBay, then private equity, and now they're part of Adobe. So technically I work with Adobe e-commerce software.

Okay.

And that's, that's how I went from being a PHP developer to getting into a community of open source developers building great stuff. And, um, after a few years I've realized that the interest I've had in security as a teenager (we're not going to talk about my indiscretions as a teenager when it comes to security) could be translated to securing e-commerce stores. There is, there is a... and I saw a need for it. I saw a problem that needed fixing, and because I was part of a, an online community, an open source community, um, a very welcoming community, I decided to, to, to make this jump and start sharing what I know, because when it comes to open source there's a sense of giving back to your community. And the biggest drive of me was, I've learned so much from this community. Um, when I, I couldn't figure something out in PHP, they'd help me, and I've, I've progressed significantly in my own career because of the help from others. And I, I kind of, I saw this gap there, that we, we have attackers breaking into stores and we have not enough education around how to build defensively. So I took it upon myself to share what I know and spend more time researching. And, you know, people ask me how, how did I learn all this stuff? From the internet. I just spend as much time on the internet reading, learning, you know, following, you know, people in the infosec community like yourself, and then distilling all those little parts of it into what applies to e-commerce. And I think that's, that's how I made that move from just being an e-commerce developer to someone who, you know, now does, um, more audits and, you know, that, the security side of e-commerce. Um, and, you know, it's, it was very driven by giving back to my community, because they, they had a need and I had the skills to provide it.

So cool. Um, so I, I have to do a certain amount of marketing,
and so have you seen my book yet, Alice and Bob Learn Application Security?

I have seen it. I have to get a copy of this.

You should get a copy of it. I'm very biased, but I think it's great. Also, my mom said it was good.

All right, that's important.

She just read... yep, sorry, go ahead.

Your mom might like it. I think my mom might be looking at this live stream.

So hi, Talesh's mom! Isn't that the best though, like, when your family supports your career? It's awesome.

I know, and they have been fairly disconnected from everything I do, because I usually speak at conferences and I do, you know, I do work on site and nobody really knows what I do. I think this is one of the few times I'm just, like, you know, talking about it on YouTube.

I, I have a feeling that they think that you probably, like, wear a ninja suit and do backflips and stuff and maybe have, like, swords. Obviously there's, like, a hoodie at some point where you're this, you're like, it's like, why does Talesh turn the lights off when he works and it's insist on wearing only black hoodies? It's like, no reason, no reason.

No, yeah, we need to get a little bit more color in here, right? You know, maybe, maybe the, the Alice and Bob book would fit right in with my color scheme in my bookshelf. Well, I'm gonna have to get a copy.

That's so good. We also, okay, so I know I'm wearing swag, so I'm wearing black, but it's because we didn't have this color or, like, this size, because I'm a little... because I'm a woman and not a man, so I'm smaller size, so then I could not get to... basically it's only extra large unisex, which means men's sizes, they came in purple. So I, we now, they'll have bright pink, bright green and bright purple, but in ladies' sizes. And so now the men are like, hey, I'm not an extra large size man, I'm like a medium-sized man, why don't I get a... so I have to do something with our swag shop, and so I apologize to everyone who's upset about the... that's why Talesh is wearing gray, because he's, like, protesting the fact that he can't get purple.

I'm, I'm wearing gray too. So
what you're saying is now you have, uh, men and women's swag?

Yeah, we do. Yeah, so we had women's t-shirts and cute, like, girl... we have little girl shirts and little boy shirts, but now we have a lady-shaped hoodie, so it kind of goes in a bit, kind of goes out a bit, and it has way more bright colors and stereotypically femme colors. But I totally know dudes that wear pink and they don't care.

I, I almost wear pink shirts to this. But thank you so much for having men and women's swag, because here's the thing: everyone talks about, you know, you should have women swag. When you get women's swag, the men's cut also fits better to men.

Oh, like, unisex doesn't fit anyone.

So no, unisex is like, let's take the worst of both and then just mash it together so that no one is satisfied.

That's equality.

Yeah, no, props, props to you for having, um, you know, quality swag.

Thank you. I am wearing a Canadian e-commerce company shirt. Do you recognize this? It's the Shopify shirt, "get [ __ ] done". This is the Shopify shirt, because I'm from Ottawa, where Shopify started.

It's, it's so funny, because, uh, when Shopify was beginning, beginning its meteoric rise, um, there was a lot of people in, in my community who saw it as a challenge, and, you know, there was a little bit of, like, you know, the other, when it comes to talking about Shopify. Um, and it was, it was, it was a little bit funny, because I was one of the few people in the community based out of... back then I lived in Toronto, and I was one of the few Canadians, and there was this expectation that I'd be more involved in Shopify.

But, I mean, because you're Canadian you would just know them, because there's only 10 of us that live here.

I mean, mind you, I now, I have lots of good friends who work for Shopify.

But yeah, me too.

The thing is, like, you know, Shopify has, Shopify has this, this, this amazing advantage when it comes to securing e-commerce that I'm on record of being incredibly jealous of. Uh, you know, five, six years ago, before, before, you know, HTTPS was a thing, when everybody had, you
know, um, a public key certificate, I, I was trying my best to push all stores to just put the entire site under HTTPS, and, uh, it, it was, it was a little bit of an uphill battle. And in the midst of me trying to educate everyone of the advantage of this, Shopify just switched on HTTPS for their entire ecosystem, and I was so jealous. I was like, it was so easy, because they're software as a service, they could just switch on security for everybody.

Yeah.

And here am I just trying to convince individual stores to just switch on.

And they set a standard for the industry then too, right? Because if Shopify is offering that as a default and then other stores aren't, it's like, well, maybe I'm not going to shop here.

Yeah, yeah. So if you're getting a certificate for free, and this is something that used to cost un-, you know, untold amounts of money...

Well, okay, not done at all, but, like, I'm paying 90 a month for our cert through our... even though they're free certs from Let's Encrypt, I'm just like, the level of effort for me to go and do it and set up myself, I'm just like, I'll just pay.

Yeah.

I don't want, I don't want to rotate keys.

But when you think about it, and when it boils down to everything, you're basically paying for someone to do math. You're just paying for some numbers.

Yeah.

And yeah, you know, and this is why I call it untold money, because, you know, if you're a suit you're just printing money, because you're just making numbers up on a server and just, like, getting paid for it, which is ridiculous. It's a ridiculous ecosystem.

You mean a certificate authority, like a company that issues cert...

Oh yeah, yeah, oh yeah. They just, they just, like, do a little bit of calculations and get paid for it. So, and it's not like a significant amount of calculations that it's going to chew into your electricity bill.

So they are supposed to be assuring that they're not handing out certs to super shady places, but a bunch of them have been doing that anyway, and so now the security industry is fighting back. And so with
security headers, um, there's a new one called Expect-CT, and so lots of places are going to start using it. And what that means is they're going to check up on certificate authorities and they're going to say, sorry, you've issued too many crappy ones, you're not a real authority anymore and we're not gonna allow certs from you. And so, um, yeah, I think that the time is gonna catch that some certificate authorities are gonna have to keep working as hard as the ones like Shopify and other more reputable ones are.

Yeah, yeah. I mean, we don't want to get into the stories of, like, DigiNotar and those guys who just got, you know, caught printing certificates for companies they shouldn't have. Um, yeah, but speaking, speaking of, like, certificates and, you know, getting, getting that, like, set up, and the new, the new advancements in, um, public key infrastructure, to, to, to put a label around it. Um, one thing I've found is, working in e-commerce, the difficult, the difficulty is, and I assume this is something that's, that's across most infosec fields, the difficulty is getting the clients on board. Um, they just refuse to spend money on anything that doesn't increase their bottom line, and having a more secure certificate or changing the way you handle certificates is just not something you could, you can achieve easily. Um, and, and this is one of those things that I've, I've struggled with, and it's something I, I've... the more time I spend in the infosec community, I've realized that everyone has this own, their own version of this in each industry, you know. Um, and a couple of, a couple of your podcasts I've looked at, I'm like, those are some really good tips I could use to get buy-in, yeah, on getting more secure.

Getting more security... part of our program at We Hack Purple, we actually have, like, several lessons on getting buy-in. Um, and then we have a lesson on advocacy, like a whole module about, like, how to try to change your culture for the better, and then we have another entire module about how to give really good
presentations so you don't bore everyone to tears, so people actually listen to you, because I was like, I'm really good at this stuff, so let's just put everything in there, and they could, they could skip this one if they're like, I'm already a perfect presenter, it's fine.

But, but don't, don't you think, don't you think that there is a lot of security, there's a lot to security and just communicating that, and just, and being that person, as opposed, as opposed to the numbers and the tech? Like, all the numbers in tech are very important, yes, don't get me wrong, but there's a lot to being successful in the infosec community, or not in industry, and just being that person who would be able to say, look, I, I'm gonna take a stand on this because, you know, it's not PCI compliant (let's just pull something from my industry), it's not PCI compliant, and being able to communicate that well enough that they, the, the danger and the risk is actually grasped by, you know, executives who think, you know, we're spending money that doesn't affect our bottom line, right?

Yes.

Um, do you have a course on risk and evaluating risk?

Um, so we have a module about how to create an in-house risk score, um, for your applications, and, like, what to base it on and which types of metrics you want to gather so that you know what types of first you're looking at. But it's not like when I've worked with risk analysts and how they fill out a lot of paperwork and stuff like that. It's more like, you know, I have 20 different tools and their one's high and low, and one's CVE score this, and the other one's, you know, apples and oranges and this and that, so, like, how can you see them all, like, compare them, um, equally? But also then, what if your business has special needs? And quite frankly, most of them do. Like, for instance, my business, we sell courses and train people and have a community. None of our stuff's top secret. Like, as long as people aren't getting the personal details of our customers or anyone's credit cards, like, we're good. And so I just don't
entrust myself to those, and I make it their party. So, like, I use Stripe and I Shopify, and they do the heavy lifting for me, and it's awesome.

Right, right, and, and it's amazing for that. And a lot of times I get small businesses who want to get onto e-commerce and they want something secure. I just direct them to Stripe, you know, Shopify. There are other big, there are players in the similar space, like BigCommerce, but they're getting into bigger e-commerce, enterprise e-commerce, where you're looking for strategies to increase, you know, increase sales by percent, small percentage points, and, you know, when you, you don't have big wins, um, when it comes to strategy. Then my, my, my problem, and where my work in the e-commerce industry comes in, is then merchants start introducing added functionality: a little bit of email marketing, a little bit of, you know, advanced shipping stuff, and, you know, all these bits and pieces they start putting it into the e-commerce framework adds complexity. So whereas Adobe slash Magento will do an excellent job of building a secure framework, once you start plugging bits and pieces into that framework you're introducing, you know, vectors of attack.

Yeah.

And especially if you need something custom done. So, you know, fields like, you know, um, veterinary medicine, where, you know, you're selling restricted, um, uh, chemicals or drugs, you need to build custom functionality, right? There's no third party saying, hey, you know what, here's something that's specifically geared towards selling veterinary drugs, all right?

Yeah.

So now you have developers building custom functionality and you have third-party, you know, modules you're plugging into e-commerce. You're just dramatically increasing your surface for attack, and that's where the crux of the work I do is. When I go to conferences and I speak to developers, it's just getting them into a pattern of, you know, planning this better. It's like, how do you, how do you approach adding functionality to e-commerce so it doesn't increase your risk, it
does increase your liability. Um, and it's, it's, it's been, it's been something I absolutely enjoyed, because one, I'm a little bit of an extrovert and I love speaking with people, so, you know, thank you for this opportunity. Um, uh, but also I, um, I have, you know, I've spent so much time learning that I had to, you know, have, I have this internal need to just share what I've known, because I don't want to see my community fail at doing things that I know they could do better. And the hard part is, a lot of times, is I need to tell people: you need to be that person in your organization. You need to be the one who's advocating security. You know, the actual tech, the VPNs that you need and the encryption and all that stuff, that could be figured out. You know, you could, you could work on the hard problems later, but first you need to be the one security advocate within your company.

Yeah.

Before any change can happen.

Yes. So you're speaking my language. Um, for people that are listening, I was just furiously nodding along to him.

So, so yeah, I mean, that's, that's why, you know, when you say that, you know, you're an advocate for also, like, move... I, I, you have such a great way of putting it, shifting security left.

Yeah, earlier in the system development life cycle. Yeah, we want to be there at the beginning, me and Talesh, helping you secure your ass.

Yeah, and, and the companies that I have seen do it, they have done it well, and they've, they, they're personal, they're not that personal, but their company's risk on the internet, because they've belonged to industries that may be a little bit more targeted by attackers for credit cards, um, drove them to prioritize security when it comes to adding functionality, and it's paid off well for them. They've, they've gone from being the victims to being leaders in the space, where sometimes now I turn to them asking, um, you know, have you guys seen recently, you know, X or Y happening? Um, speaking of which, like, what I also do, apart from, like, the education and advocacy of doing things more
securely, I also do security audits on e-commerce stores.

Oh yeah.

So I've got a little bit of a two-sided approach to security and e-commerce. So a lot of the audit, the stores that I work audits on and, you know, I help them, you know, I helped build, uh, a better secure prac-, secure development practice within the organizations, I try to maintain relationships with them, because, uh, one important, one important part of e-commerce security is threat detection and emerging threats coming up. Because most of the times we go from, you know, widespread attacks trying to attack as many stores as possible, to some stores in some industries where, I don't know how to put this, where regulation may be a little bit lighter, attackers seem to favor breaking into those stores, and they see significantly higher, you know, levels of attacks, significantly more complicated attacks. And, uh, it's important to, to have this sort of connection with other merchants so we could compare notes. Um, maybe something, if, if you're in the infosec industry and you're, you're deep in on, unlike me, um, I've heard of something called an ISAC, information sharing. So there, there's, there's an infosec organization, and I know there's a retailer's one and there's a hospitality one, where within an industry they share threat information.

Oh, that's wise, yeah.

And I know, um, it was something that was, um, advocated by the Obama administration back, you know, that would be, you know, at least, like, six, seven years ago, and I'm trying to find more information of how these work and if it's possible for me to start advocating within e-commerce we have something set up, so the hosts, the merchants, the big agencies who are building these stores, we have some sort of framework for sharing information, so when threats arise, um, we, we as a community could respond faster. Because right now we have, you know, a new threat arise, like, this morning I tweeted out something, there was a new, um, Magecart attack. So Magecart is kind of what I deal with a lot. Um, so
there was a new Magecart attack detected by somebody at Kaspersky. If I was not, like, you know, paying attention to Twitter instead of doing my work...

Yeah, you could have missed it.

I could have missed it, right? I know this is something I want to reach out to my other contacts within hosting and other merchants that I work with to say, hey, have you seen anything like this in your logs? But I, I personally believe that's, that's an unfeasible, untenable way to approach it, and I'm looking, and maybe this is how I could get a little bit of help from your podcast, I'm looking for help in forming some sort of organization and setting rules for not sharing, you know, um, probably damaging information, but sharing enough information so members could all benefit from a shared detection level across the industry. Because it's, I think it's the next step. We've done, we've done a fairly good job in e-commerce of, you know, blocking attackers, um, and, you know, responding to threats quickly, but we're not, we're not taking that next step in going off the, you know, industry-wide sharing.

When you speak at conferences and share information and content with the community, what do you talk about?

Uh, specifically I spend most of the... because I'm a, a small business owner and I'm my own boss and, you know, consultant, specifically I'll speak about the security audit side of my business. Um, the important part is you delivering value to the merchants. So mostly I work with merchants who may have had a hack or may be concerned, um, or maybe, you know, part of a larger conglomerate and one part of their business has had a hack and they have some sort of concern. So getting into this, you need to understand that if you're working with merchants, you're working with stores, um, the important thing is that you deliver them value, as opposed to a lot of technical mumbo-jumbo. And I'm sorry if I'm, you know, I'm sorry if I'm, you know, losing your viewers because I'm calling technical stuff technical mumbo-jumbo, but the thing is, at
the end of the day, and it's my belief that if, if your, if your merchants don't have, say, something that's actionable, then as, as much advice as you give them, it's never going to happen. It's never going to, it's never going to make a, any sort of positive impact on your business. So say, I mean, like, it's, it's, it sounds simple, but, you know, I've done audits where I say, look, you know what, and this is when I first started, I'm like, look, you know what, you need to stop writing, stop handwriting SQL code. You know, there is, there is ways to get data and put data into a database which is, you know, highly secure compared to just writing "select stuff from blah blah blah". And, and this is where my background as a developer comes in handily, because I could get right into the code that, if they've probably introduced a vulnerability, and, and, and coach them into better ways of doing so.

So, um, and, and this is, you know, probably given me, giving away part of my business secret, but what I do is, if I have a client that needs an audit, I don't toss a PDF over the wall with all the vulnerabilities in the system and all the things that needs change. I specifically request Jira access. I'm like, I need you to make me account in your Jira, um, system and make me... yeah, that's what I do. I'm like, I want a QA role in your Jira, and then I log in, and I'm like, you know, make an epic, and just, the, the last clients I had, they made an epic and they call it "Talesh security fixes". Like, okay, that works. And I, I just, I created all the stories and, you know, all the tasks that required to be done, and I think that's the most important part of what I do, is giving the developers a path to getting things done. I don't always, I don't only, like, you know, like, say this needs to be fixed. I'm like, here's a problem, this is why it's a problem, and this is how you could do it better. And I think that's the most important thing if you want to get into the security audit space, because word of mouth still makes a huge difference in this industry. People
will talk about the fact that, you know, hey, look, you know what, I had an audit done and it introduced two weeks' worth of work, but we're way more confident in where we are now compared to, you know, not knowing beforehand. Um, as opposed to, you know, just doing the bare minimum and just tossing a PDF across the wall: nothing gets done. And unfortunately I've seen this, and, and this is not, you know, me trying to berate any of your viewers, it's just, I find that a lot of people in the security industry don't go that extra mile towards being part of the development team if you're going to be doing an audit, right? Um, and I'm specifically speaking about code audits and, you know, the, the actual infrastructure and applications. I'm not talking about network audits and this sort of stuff. As far as it's concerned with e-commerce, that's the responsibility of your host. I'm not talking about PCI compliance audits, because that's a, that's highly regulated, and, you know, if we're talking about compliance, that's a completely different story. I'm not, um, I'm not qualified to be doing compliance audits at all. Uh, I have my thoughts about PCI compliance, but, um, it's, it's not something you need, you need a security auditor to take you through. Like, that should be a baseline. PCI compliance should be your baseline, right?

How do you explain vulnerabilities and other security issues to the client?

It's hard sometimes to just explain the risk involved with: there is money on the table here, and not because our frameworks or our processes have done such a good job for you up to now means that something is not going to show up tomorrow and seriously affect your ability to make income. Uh, so, so yeah, if, if somebody has, like, you know, the smallest thing in a PCI compliance report that needs to be fixed, I would recommend fixing it, because as far as I'm concerned PCI compliance is a baseline. PCI compliance does not guarantee you many things that you should be doing. You should be doing, going above and beyond PCI.
Could you please explain for the audience what PCI compliance is, so they can understand better, and what payment card means?

So in case anyone doesn't know, PCI compliance is the, the regulatory compliance by the credit card, payment card, so basically Visa, Mastercard, American Express, you know, Diners Club. Um, you know, they have a bunch of, they have a compliance framework for, if you're going to be taking payments online, you need to be compliant at various levels. It depends on how much money you're making online per year. So, um, it's, it's a, it's a big industry, and there's a lot of this, there's a lot of rabbit holes to go down in it. Hence I, I don't do PCI compliance. I'm, I'm not very much of a box checker when it comes to security. I'm much more hands-on, which you could probably tell. I'm like, I want Jira access and I want your devs, I want to see your devs be marking things as, you know, in progress. I literally reached out to my client a week ago and said, look, you know what, I see everything still, start, hasn't started. Like, what's happening? Are we writing this code? Are we fixing the stuff or not?

So, so yeah, part of it, part of it is being that person. Part of it is, you know, being that advocate, and, um, when you are that person and you're unafraid to advocate for security, there's a greater chance that, you know, things will get done. Um, it's, it's, it's probably a flaw in human thinking: if somebody seems really, you know, passionate about something, you'll be like, well, maybe they're on to something. They may not, may not be onto something, but you believe it because they're passionate about it. When I was convincing e-commerce companies to, to not focus on, you know, the, the absolute nitty-gritty tech, but first focus on their processes for securing stores, um, I was on stage and my, my slide said, "If it's not documented, your process doesn't exist." And that's one of, one of the big things I have. It's like, if it's not in Confluence, you don't have a process. You know, like, if, if somebody's supposed to look at, you
know, your logs every Monday morning to make sure nothing suspicious has been happening over the weekend with your e-commerce store, and it's not documented and it's not a recurring task for that lead dev, it doesn't exist. You don't have it, because it's going to be forgotten. But there are tools that make it simpler, um, make it a little bit easier, but the thing is, what you're really looking for is, like, am I seeing anything strange, or am I seeing, you know, referrers, or am I seeing, you know, big dumps going out, or, you know, people reaching out.

One problem we've had, and this is a very old problem back in the earlier days of my framework, is the attackers would inject some remote code into the e-commerce store, and that code would read credit cards and write it to a JPEG file. It'll just be, you know, b34 the jpeg, but it'll just be text, which is, you know, JSON dumps of credit cards and all the information customers have filled in to, uh, to the checkout form. And the thing is, the quickest way to find that would just be to open up the logs and search for b34, which is something I used to do on my audits. But something like that, you know, having those patterns and knowing those patterns of where the attacks have come from, one, is why you probably need somebody who knows what they're doing when it comes to audits, but two, it's why I want to form this sort of organization within e-commerce merchants that, you know, um, have, you know, a framework for sharing information, uh, because it'll help us all.

Um, and quick anecdote, if you didn't think this entire e-commerce security thing was not serious: a couple years ago, uh, people actually were put in jail for this, for stealing credit cards online. Um, there was, yeah, they were caught and they were put in jail for this. I think it was, I'm not going to throw any country under the bus, but it was not in North America, let's just say that. Yeah, yeah, but the thing is, like, you know, it's, yeah, but it's
it's not anonymous people doing this, you know. We've evolved the tools to be able to track them out and catch them.

Where did you learn to secure e-commerce? I mean, it's not like you can go to school for that. Where did you learn it?

Well, for me, because I've worked mostly in the open source side of things, it's very much, I learned from communal knowledge, becoming a part of the community, and at least for me, and hold on, I'm forming my answers for you, I want this to be correct, because a lot of what I believe in is newcomers to an industry should have a good path to get in. And I think, okay, so there is big enterprise e-commerce and there is open-source e-commerce, which is also big enterprise, but with open source you have an easier way to get in because you have access to a community. Open source brings a community there. Okay, and then there's SaaS e-commerce, which unfortunately there isn't too much to do there. You know, Shopify does a great job and, you know, they take care of it. You're just gonna, like, move to Canada, find a job with Shopify, you know. Yeah, you're breaking, um, shoot me a message. [Laughter] Yep. Well, technically my accent's not Canadian. I don't really have an accent; I was born in the Caribbean and I've lived, you know, I've been all around the world. So yeah, but in any case, like, definitely, yeah. So yeah, I mean, like, you know, if you want to get into the SaaS side of things, um, get a job at Shopify. Shopify's on fire, you know, and they're always hiring. They've got great people doing security in their teams. I know a bunch of people there that do stuff, and they've got the best team, and there's a lot to learn from being part of a team, and a team that does that at the very forefront of e-commerce. Um, big enterprise, Salesforce and whatnot, I don't know too much about that industry, but one thing I could advise anyone starting off, if you're just a junior developer, you just come out of school, you
want to get your feet wet, I would steer you to what's called open source communities, because the very nature of open source means that you're going to have people who are willing to help you learn, but more importantly what you're going to have is an opportunity to contribute. And building something small, something tiny, anything you can to contribute to that, um, community will open doors for you, and it will get you, um, maybe access to more tools, maybe access to people who would be able to coach you.

Um, for me, I mean, I didn't even write anything fantastic. One of the biggest things I did for this community was, um, you mentioned incident response: I realized that a lot of companies, a lot of merchants, had no idea what to do if they were hacked, you know, and they're just running around, you know, like chickens with their heads cut off, you know, phoning me saying, we need to get this fixed. I'm like, I can't, I have like 200 clients, I can't fix your store right now, you know. Um, so what I did was, I spent a couple weeks, weekends on, I absorbed all the information I could about incident response that was available online and I just put out a plan. I'm like, here's a GitHub page, um, with all the steps in. Yeah, so if you go to github.com/talesh/response, it's really easy. Um, it's just a plan, so you just follow it, you fill in the boxes, you practice it, and in a worst-case scenario something happens, you have a breach, you know, credit cards have started being siphoned off your site, you have some sort of framework to work within. And this is not something that's very difficult, but it was something that I created for my community, and it's been used by, you know, large corporations, small companies, startup e-commerce companies. Um, so if you want to get started, and this is not only e-commerce security, you know, find the community and be part of the community, give back where you can, and I believe open source
communities will return in kind.

Oh yeah, oh yeah, they do. So I've put that up, um, that URL beneath you on the screen, but I want to say it again just for people that are listening: so github.com slash Talesh, so that's T-A-L-E-S-H, slash response, as in incident response. Awesome, oh, that's great. We're giving away a mini course, and my student said to me today, "Tanya, we want to add some extra links that aren't just things you made. What should we add?" The universe has talked to me of what I'm going to include, so thank you so very much, that's brilliant.

I mean, mind you, this is very focused on e-commerce, but the thing is, um, in my opinion, doing something like this, being part of community, contributing where you can, um, will open the doors, will get you the experience, will put you in touch with other people who are smarter than you, who have more experience than you, because that's what happened when I created this and a couple of my other, um, you know, stuff that I put onto GitHub. I had people who had way more experience than me, um, you know, doing much more intense work than me, come back to my repositories to contribute, because they saw a community endeavor taking place, and I was able to connect to them and learn from them. Oh, that's awesome. And so that's my pitch: like, you find an open source community that you're involved in, you know, and just get involved in it. Like, if you're into networks, you know, um, there's pfSense, which I think is open source, and, you know, there's various open source routers that, you know, you could be part of that community that's building stuff. Cool. Um, it'll be amazing.

This is great advice. Listen to Talesh, this is excellent. I mean, it's worked for me. So I have one question left, because that's all we have time for, then I'm gonna wrap up, and so it's a very difficult question: what is your favorite part about working in security for e-commerce? Um, oh boy, this is, I
told you that it was a hard question, very difficult.

Uh, how about this, um, I'll try to answer succinctly as I can. It's my belief that everyone who works in infosec and in security does so from an empathetic point of view, where they want to use their skills to care for others. Yes, it might be a lucrative industry to get into, but you have to be driven to have that protective nature, and for me the best part of it is this e-commerce community, which I've grown up with, to be able to give back in that sense to them. Yes, my rate's a little bit high, but, um, getting that sense that, okay, there is another store which is not vulnerable to the things that we've seen running around the internet, um, gives me a sense of, you know, satisfaction in what I do.

That's awesome. I feel the same way, like, and the fact that there's always a cool new problem with AppSec, there's always a problem, always, like, a new problem. Like, you're never going to be like, you know what, I'm just totally bored because my industry never changes. That is not a thing that's going to happen to you. Definitely not. Tonight I'm going to have to go look at what that new header you mentioned, regarding, you know, security, um, Expect-CT. Expect, Expect-CT, yeah, I'm just going to put it on the screen, so it's Expect-CT. It's in my book, it's totally in the book if you read here. I also killed a security header with that book, so the X-XSS-Protection header, that's dead. Um, I put some stuff on Twitter about it, but basically all the security experts agree that it causes more harm than good, officially. Unfortunately it's really sad, yeah, it's a backwards compatibility thing. Um, but anyway, I will talk about security headers all day and I have to stop myself because I am not giving training right now. So okay, thank you, thank you.

I have a question for you. Oh, you have a question for me? Yeah, if this pandemic ever eases up and I take a ferry across to the island, will you sign a copy
of your book for me if I put this one? Oh my gosh, yes. So he's on the mainland and I'm on the island, for people that are wondering, so he's in Vancouver and I'm on Vancouver Island, and it's actually like a hundred kilometers apart. It's not like we're right next to each other. You can't take a kayak. I have had my family tell me not to try; I crossed the Ottawa River in my kayak and got, like, shipwrecked in Ontario this one time, and then they're just always worried about me. But yeah, absolutely, that would be awesome, and once COVID is over it would be so amazing to have you speak at the OWASP chapter, because we booted up an OWASP chapter here on the island, but then when we're about to have our first meeting was right when COVID happened, so then now we're sort of winding, we're just, like, chilling basically right now. We mostly all attend the awesome Vancouver OWASP chapter meetups because those guys are great. But yes, I would love to, and then we could do all the other Canadian things, that's what, so people will be like, oh, they're going to chase polar bears and they're going to eat poutines, going to build an igloo, and yeah, we're going to do that stuff. That would be amazing. Thank you, thank you so much for coming on the show, Talesh. Thank you, been my honor, thank you so much for having me. Thank you. Okay, let's do the wave and then we are going to disappear. Bye bye.

Thank you so much everyone for joining us for the We Hack Purple podcast today. This was Talesh Seeparsan, and we talked all about e-commerce. We talked all about basically that it's very important that you actually action the results of your PCI compliance audit. Our sponsor today was ThreadFix, and they are powered by Denim Group. They're absolutely excellent, you should check them out. We Hack Purple has an academy which we want you to check out, but we want you to have a preview for free, so please sign up for our newsletter so that you can take some of the free mini courses, and to sign up you go to newsletter.wehackpurple.com. I'm Tanya
Janca, your host, and I hope to see you next week. Also, please click the thumbs up and leave us a review. Bye.