We Hack Purple Podcast

We Hack Purple BONUS PODCAST - AppSec Job Advice

April 05, 2021 Tanya Janca Season 1

Host Tanya Janca  has had over 30 AppSec & #infosec professionals on the We Hack Purple podcast so far. In this episode, she tries to boil down all of the great advice that has been given by our brilliant and successful guests.

Thank you to our sponsor Thread Fix!

Buy Tanya's new book on #ApplicationSecurity: Alice and Bob learn Application Security.

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: [email protected]

#TanyaJanca #SheHacksPurple #DevOps #CyberTraining

Find us on Apple Podcast, Overcast + Pod 


Welcome to the We Hack Purple podcast, where each week we meet a new member of the information security industry and learn what it's like to do their very interesting job. So I sort of have bad news this week is a Odell had something ridiculously important come up and is unable to make the show, but we are going to record the show with her another day, just not live, unfortunately, because obviously it would be awesome to have her live, but we can't always get everything we want. So I am your host, Tanya Janca, and we thought about having another guest on, and then after the... the We Hack Purple team, actually, we talked about it internally, we thought it would just be a lot better to instead talk about what this podcast is about, which is about trying to get new people into the information security industry and all the different jobs. So I'm Tanya Janca. I am your host. This week, we are sponsored by Thread Fix, powered by Denim Group, and basically... So We Hack Purple, so I'm Tanya Janca, and I'm the founder of We Hack Purple, and I started this company specifically because I do love teaching things, and I do love just being a giant nerd and learning cool security things and helping people fix stuff, but really starting a company and trying to make it scale is so that lots and lots of new people could come into our industry and specifically work in the niche that is my favorite part, which is how to secure software. But there's all sorts of parts, not just my part. There's, like, analyzing risk and helping your entire org as a whole try to have less risk and manage and mitigate, mitigate what you can, manage the rest sort of thing. There's people that make sure all of the communications we have are secure. There's those people that do cryptography who make sure that things are encrypted or hashed or everything else, the way they should be.
Oh my gosh, we have met so many different people on this podcast, and this is just season one. Season two, I'm thinking we're gonna switch into something more application security related because that's my favorite topic. But the point is, is that there are a lot of different types of jobs in our field, and so I was thinking we could take this opportunity, instead of me calling around and finding other guests that could come on, I was like, what if we summarize a lot of things that we've learned so far and try to be a bit more concise about it, and then we can have a de come in in the next few days when she's ready and we can record it and release that, and it's kind of like a double win 'cause we get this nice summary here, for those of you who tuned in live and who are sort of disappointed she's not here. I know it would be twice as good if she was here, but anyway, I digress. So I wanted to talk about a few things. So first of all, some of the trends that I've noticed on the show: no matter what jobs we've looked at, it turns out there's a lot more jobs and a lot more full-time jobs on the blue team instead of the red team... Red team is bug hunting, penetration testing, offensive-style security, and by offensive-style security, I mean security that is attack focused, that tests your defenses, that pushes your limits to make sure that your defenses are actually working, and it's quite important. I briefly was a pen tester for maybe like, I don't know, two years before I discovered that instead I could be sort of on the other side or part of that equation where I got to do application security, so I would still do some security testing, but I would also do things like code review, or helping the devs find a better architectural solution to the thing they are doing, so that our security needs were met, but also their app is super cool and functional and efficient.
And so each team or a person we spoke to every week basically said there's way more jobs in blue team than red team, but yet when I go to conferences and I look at the talks or when I see... For instance, we've had two bug hunters on the show, and the show numbers were out of this world compared to other episodes, and so many people tuned in because everyone wants to learn red team. Red team is on TV shows, it's in movies, like, Oh, I'm making a lockers and I'm gonna hack them back or... I broke into the NSA with one line of code. Yeah, that's not true. But we glamorize this red team side, but it turns out that there's not that many full-time jobs in it compared to blue team, and so that... That was something interesting. So I've thought this for a very, very long time, but lots of other people that I talk to, they're like, I'm gonna be a penetration tester, and that's what I thought too. I was like, I'm gonna be a penetration tester, because that's what my first mentor did, and that's what he trained me to do as his apprentice, and I was like, Yeah, this looks cool, because I only knew about the risk MLS people, the people that seemed to operate our firewall and who said no to me a lot, and then the cool pen tester guy, they had a snake tattoo on her arm. I'm like, Yeah. And so I was like, Well, which one of those people do I wanna be? And I'm like, Oh, that seems like the one that would be the most fun for me, especially because I'm like a hands-on-keyboard sort of person, but there's tons and tons of jobs. So I'm gonna try hard to think of all the different types of jobs that saw... So we had a couple of different people on who talked about how to respond to security incidents. That's very cool. And when you do application security, you end up being dragged along on it sometimes, but not every time, which I think is nice because you kind of get to have a little bit of it once in a while, but it's not your full-time job.
So I think that's great because I find incident response really, really, really, really exciting, but really stressful, so it's like when I get to do it, I'm like, yes, there's an incident happening and I get to respond to it and help save the day with my team. But I couldn't handle doing it every day. Like, we had this really amazing person named Shelly Keren, and I know I said her name wrong, I'm so sorry Shelly. But her name's nerdy on Twitter and she has a website and all the stuff, but her explaining how to get to the bottom of things, how to be super cool when there's an emergency happening, and we had Veronica Schmid on... Was it last week? I think it was the week before, and she was talking about digital forensics and specifically how to investigate when a security incident happens, and she specializes in medical devices and... Gosh, darn. That is just super cool. She was talking about... We have someone in the seanad, the comments saying, incident response isn't stressful if you plan for it, and then they corrected it with, or it's easier if you plan for it, and I agree. If you have planned for it and you are executing your plan like a hot knife through warm butter, it is pleasurable, but it's still like, Oh, someone attacked my organization, like this is my team, this is the place I work, this is my livelihood, or if you work for the government, for instance, or some sort of non-profit organization, it's like, you're attacking our citizens. You're attacking our security. But yes, I agree that when you can respond really quickly and efficiently, it feels really good. We also had a gentleman named douche, and he was really interesting 'cause he talked a bit...
So he is big into digital forensics, but also how to build that type of program, like how to build an incident response program and a digital forensics program, and also how to get metrics on that, and if you know me at all, I really like data and metrics and that's why I was so excited to have a Down On because so she... And just super brilliant, but anyway, not mean girling, all of us that we had for... For really looking forward to her. I've been a fan for a while, but stopped talking about how much... I think she's awesome. Okay, so we've had those types of jobs on around incidents, investigating them, how to manage it, how to prepare for it, like create awesome plans. We have not had enough data or risk analysts on yet, in my opinion, so I have some coming up... We have had a lot of people that run small security consultancies on, which has been really cool. So we had thrown Wilson. That guy is amazing. If you were gonna listen to one episode, I don't know. This episode, it was just absolutely incredible. And he runs a security training company, just like We Hack Purple, except for he focuses on offensive network security, and he talked a lot about what it's like to hire, what it's like to make sure you're doing a good job for your students. What it's like now to have all these people working for you that are depending on you, and he's been running this business for quite a while, and that's really awesome. I feel like I wanna summarize every single episode, and I'm not sure if that's a great idea... Yeah, someone just shared his episode in the chat, Tirana, a really amazing guests. But I have a couple of other things I wanted to go through. So we had Ali Mellon, and then we also had Saharan BOM on and a whole bunch of other people that all also agreed that soft skills or social skills are actually really, really important if you ever wanna excel in tech. And... So I've been saying this for a long time, that they're basic life skills... And you're not going to get anywhere.
If you don't communicate well and you don't listen well, you don't pay attention and you don't treat people with respect, if you go into meetings and you stare at the floor and act like you're not listening, people aren't like, you know who I want on my team? That weird person that doesn't ever make eye contact, that doesn't respond when you talk directly to them, that's always rude, or that snaps at everyone... That's not the person that people are like, I want that person on my team. And so when I talked with Ali Mellon specifically, and then sashes, Bob, I think she was the week right after, and she just added so much more to it, where if you don't have... People call them soft skills. But basically, if you don't have social skills, you just can't go very far in your career. You could be this brilliant, amazing genius, but you're gonna have to have all these handlers that work around you so that you're usable, if that makes sense. Like if you're in a project and you never give updates to anyone, no one's gonna... It's just like you'll become really hard to work with and you won't go as far as you could. And there's this thing in our industry that I've seen for quite a while, and that I've had other people comment on to me, about technical skills, and I've had people make disparaging comments. She's not technical enough. It's often used specifically to talk about women, how women aren't very technical. I remember having a boss, there was a promotion, and so I was like their top tech for software development at the time. There were three tech leads and I was one of them for software development and the other two were dudes, and they had decided to create an even higher position for a technical role, and he's like, Oh, if I were you, I wouldn't bother applying. I don't want you to waste your time. And I was like, Excuse me? And he's like, Yeah, I don't really see you as technical, and I'm like, I run all your custom apps with the F, do you see me as...
And so I've seen so many times people say like, Oh, you're not technical enough, as though it's like the word is a weapon, but it turns out that you can go and learn more technical skills, but it's actually a lot harder to work on your social skills, and it turns out you can't reach that highest level usually without them, and I found that... I found that really interesting. Another trend that we saw. So I'm putting on my... I am very biased that... So I run a training school, and part of the reason why I run a training school is because universities are graduating people with absolutely no cyber security knowledge or very little. So right now, computer science people are being graduated and they might know something about identity and access management, which is good, I really want them to know it, but they won't know anything about secure coding. They won't know anything about how to be PCI compliant, so they're out there making applications that handle credit card data, and they don't know how to do it so that they don't get sued. They're having people make all these amazing applications and just not teaching them the bare minimum of secure coding so that these applications can be safe to use and put on the Internet and put actual important information into them, and know that information will stay safe. And so, if you've heard me in a podcast ever where I'm the person being interviewed, I often beat up on universities and colleges, 'cause I don't think it's acceptable if you're gonna charge someone 50, 10, 20, 30000 to go to school somewhere. If they teach you how to do something, they should teach you how to do it safely, and in my opinion, that means security. And so when it comes to the types of training that exist, like if you go to university or college, you can learn how to build really cool applications, but it's unlikely, unfortunately, you're gonna learn how to ensure those applications are secure and safe, and that's really frustrating.
So there are lots of companies, and I'm not gonna try to tell you that we're the best company on the whole planet. I mean, I'm biased, I know my mom thinks we are 'cause she loves me, but there are a lot of companies out there that give security training. There is this foundation, the OWASP Foundation, owasp.org, and OWASP is a community and an international non-profit called the OWASP Foundation, as well as all these super cool open source projects, and I'm a part of it. Probably, if you're listening, at least half of you are too. I love OWASP... I'm a huge fan. I've been involved for years and years, and they are part of how I learned a lot of things. If you're trying to get into our industry, a lot of people will say, start there, and that's how I started. They don't have a... Sometimes when you open up a new product you just bought, there'll be a thing and it'll say start here. I really wish I had that because it is so overwhelming. When we were warming up for this show, I was saying to the sound tech, if I started trying to consume every single bit of OWASP content starting now and just didn't stop, I bet I would die before I finished consuming all the content, 'cause they have so much amazing content and so it can be really overwhelming. So I would say if you're gonna start with OWASP... I would start with the cheat sheets project, so the next time you're trying to do something technical and you're like, I wanna know how to do this securely, look up OWASP cheat sheet, and then whatever the thing is you're doing. There's something like... I think 1002 cheat sheets, maybe it's the late 90s or over into the 100, I can't remember if they've reached triple digits yet, but they have an impressive number of things... Oh, thank you for putting it on the screen... Yeah, the cheat sheet series is absolutely incredible.
I would also suggest watching the OWASP DevSlop show. So I used to be a part of that project and all the people that are a part of it are all of my friends, and I think they're great, and basically DevSlop, like sloppy DevOps. It was a bunch of us trying to figure out how do we as security professionals operate in DevOps environments, and so look at a bunch of their... Either shows that are coming up or shows that they've already done, and see if any of the titles to come to you is like, Oh, that looks cool. That's a thing I wanna learn. They have a whole community built around this one project. It's very inclusive and very beginner friendly, and that's another place to start. Okay, so there's... Yes. A step, so you can follow them on Twitter and you can follow them on YouTube. And I bet there's a bunch of other ways that you can follow them, but if you just look up that term, you will find them... They're great. Oh, and they have a meetup, so then you can get invited to all their events, so... Awesome. More things. So someone was asking me what the best paying fields are within information security, and I'm going to tell you that being a bug hunter, like working on bug bounties, it has been revealed from our guests, you really generally don't make any money. So I know that all the big bug hunter places want you to think that you can... And there are a few people that are amazing, that are absolutely amazing, that just rule the industry and they make lots of money and they do well, but on average, most bug hunters make very, very little money, and it's more like a hobby. And if you wanna have a super cool hobby, it's very interesting to do security testing, getting into bug bounty hunting is cool, but if you feel that you want a full-time job, it's more likely you should become a penetration tester.
Either at first as an employee somewhere, and then eventually, perhaps independently as a consultant. You have the ability to make more money when you work for yourself, depending upon how much you want to manage your small business or not. Another thing we found out where you don't make very much money is journalism in cyber. There are a few exceptions of some journalists that are quite famous that do really well, or they own the place that distributes all the news, but on average, we found out from our guest, Kim Colley, and from other communications within the industry, that journalism in general has unfortunately been hit really hard by industry disruption of people like me writing blogs or people like me hosting this podcast. Like, this isn't legit news, this is Tanya's opinion based on conducting 34 interviews on her show, and then talking to lots of people in the industry. So I was very interested to find out that doesn't pay well. Another thing that doesn't pay well... so there's small business and then there's a startup. So if you run your own small business and it's a consultancy, so for instance, let's say you give training, so you go to places and you give them training in person, or virtually right now. So you have a one to one, so if you wanna get paid more, you have to work more, and so that's generally considered a small business, or a medium or big business if it gets bigger and bigger, while a startup is a company started with the specific purpose of having exponential growth. And so with We Hack Purple, us making online courses and the online community so that people can take courses while I'm sleeping, that is our effort towards having potentially exponential growth, which is pretty much super exciting or...
The previous startup I was a part of, we were making a product and it didn't work out, but the idea was, is that because it's an electronic or digital product, as many people as want to can buy it, and we were planning to run it as a SaaS or as an on-prem installation, and that means basically like the ability to have exponential growth just really goes, it goes... I'm talking to startup owners, yeah, you don't make a lot of money at first. So a small business owner will make some money and pay their bills at first, but it takes a while before they become quite profitable, but startup owners specifically tend to actually just be putting their own money in a lot at first, and then they have to do fundraising or bootstrapping depending... And you continue to continue to continue. And so I know a lot of people have told me, Yeah, startup founders, they just roll around with millions of dollars and stuff, and I'm like, Yeah, I'm not out there, but hopefully I will be one day. But right now it's like, Oh, should we buy the new career, should we wait another week or like... Do you know what I mean? Like we have a small budget and we operate within it, and then you grow and grow or you get investment. And so I think a lot of people were interested to find out that you don't make that much money in those jobs versus other jobs where, for instance, we had security architects on and they do well... Security architects can do very well. Pen testing can do pretty well. Doing AppSec, you can do very, very well. You don't walk into an AppSec role that's intermediate at less than six figures, and even introductory roles at six figures depending upon which city that you're in, and if you have some experience, like, or an apprenticeship under your belt, etcetera.
And so it was very interesting to see which things paid more and which things paid less, and I had suspected some of them, but I didn't actually know, and I remember one of our guests is married Galloway, she's like, You want off my job pace... Well, I've got a pool boy, and I was just like, Oh my gosh, you're so awesome. I wanna pull a lot. I don't even have a pool... And she was explaining, you have to work your butt off and all these different things so that she could be basically not only understanding architecture, but how to secure the architecture in a way where you still get the thing done. So I have seen people where they're like, I'm a security architect, and I'm like, No, you just hobbled that app so it doesn't work anymore. What she does is she figures out so the app can still be awesome, but also be way more secure. And that was really interesting to hear about. And there's also... We had two people on. So we had Marie Moe and then we had Barbara. What was Barbara's last name? It's a German name, and I know I'm gonna say it wrong here... I'm really sorry if I said that wrong, Barbara, but both of them... Not only... So Barbara is architecture as well, but both of them would do a lot of tabletop exercises, which is where you run through like fake security incidents and you plan out... So you run through these fake security incidents and then you learn if your processes work or not, and then you fix them and you prep your team more, and you prep your architecture more, and you prep... your defenses better. And you do all of these things based on, sort of like, tabletop exercises are sort of really super fun games. Sometimes called security exercises. And so Marie Moe, she also talked to us about IoT security infrastructure or... Sorry, IoT, the Internet of Things.
So smart things, interconnected devices that aren't a laptop or a phone, and she talked about medical devices just like for an Akash, and so both of them have pacemakers, and they talked about it on the show, and Marie Moe talked about how she actually proceed her own pacemaker while it was in her body and could interact with it and basically had her own heart, and she presented research papers on it, and it was just absolutely amazing to hear her talk about that. So a lot of people on the show have also shared, really cool, but it turns out that running security exercises, being a security architect, doing AppSec, doing blue team roles as a full-time job is, one, extremely secure. I think that if any one of those guests on the show said, Hey, I'm looking for work, and put a tweet or post on Twitter or LinkedIn, that the Internet would melt because so many people would want them to work for them, and so the job security of blue team was really, really interesting for me because at first, when I had very little experience, even though I've been a software developer forever, it took me a while to get security experience, and then once I got some... It's effortless to find a job, but getting that first job is really, really hard. So I wanna talk about that now. So the easiest way that I have seen most people get a job in security is specifically to become a SOC analyst. So SOC stands for security operations center, and a SOC analyst, in my opinion, is the most patient person on the entire planet. So they tend to work in the security operations center, and they spend a lot of time working with the SIEM... So the security information and event management system. And what a SIEM does is it takes all the alerts and all the logs and matches it all into a place and tells you, I think this might be a problem, I think that might be a problem, and then you go chase them down and figure out if everything's okay.
And that's a lot of patience. Because I didn't come from a networking background, that wasn't an option for me, so if you wanna do a job like that, you need to have some networking experience, you need to have patience, you need to like solving problems, and if you have some help desk experience, you could definitely roll yourself into that type of job, but coming from a software development background, I was always like, That's ops' problem, I'm a dev. That was not a role that was specifically open to me, but apparently they are always hiring for SOC analysts. And so this is definitely an easy place to get your foot in the door. Do that for a year or two, learn about threat hunting, so that means going beyond waiting for the alerts from the SIEM and actually looking for patterns yourself to try to find threats, and then you can move on to being a security network engineer, security architect for networks and systems. There's a lot of places where you can go up from there. You can also become a penetration tester. A lot of people who become penetration testers, I would say maybe 7%, 80%, used to be system administrators, so if you're a sysadmin going into... So you might call it a workaround... Well, a penetration tester will call it an exploit, so you probably have 70% of the skills you need as a sysadmin to walk into a network-focused penetration testing role, like running vulnerability assessment scans, instructing people how to patch things, how to harden things, how to lock them all down. It's different for web app penetration testers, so you may be the person who helps them lock everything down about their network and maybe even their cloud, and then you might just run basic scans on web apps and be like, Here's what my basic scanner said. Then there tends to be the opposite side where you're a dev... So this is the track that I took, so I was a dev for a really long time, and I was like... Being a dev rules, why would I do anything else?
And then I met a pen tester and he kept telling me it's so cool, you'd be so good at this, blah, blah, blah. So I tried it and it turns out smashing things is really fun, and because I look at things and in my head, I see the code that's behind them, I can think of the logic, I'm like, I had this... It's probably doing this 'cause of that, and so then I could also, when my tools would find things, I could figure out if it's a real thing or a false positive, and then I could go talk to the dev and say, Hey, I found this... Maybe you should check it out and fix it. That said, I think moving from a dev role into an application security role might be easier because you can start with code review, secure code review, and then learning SAST tools, and there's always someone that needs code reviewed. There is always a place for you if you are going to find all the vulnerabilities in code and then help them fix it. So I would say the easiest job or the most common paths that I see are those, so specifically someone that knows either help desk or networking, moving into a SOC analyst role, someone who's a sysadmin, especially helped us then cascade stepping into a network penetration testing role, and then a dev kind of becoming the super security-focused dev, and then joining the AppSec team where they work, and then moving their way up there, because you already know this huge percentage of what you need to know to do your job, you have this huge step forward. I would also say a lot of the ways that people get into these jobs is a lot of networking, a lot of telling the people where you work that that's the job you want, a lot of participating in community events, getting to know people and explaining... Yeah, I've been volunteering as part of this open source project and review an older code and I found 23 security bugs so far, and I've been doing this and I did this little self-training and I did that, and I'd really like a chance to come work somewhere as a junior...
And those are often the ways people get in. Unfortunately, so I can't help with this, but unfortunately a lot of the places that I have seen that post job descriptions post almost oxymorons as requirements. They'll say something like, It's an introductory role, it's an entry-level role, you need five years experience, but by definition, entry level does not mean that... Or they'll say, It's a junior role, and they want five years experience, or they'll ask you for a bunch of certifications that will cost you 25000 to get, and it's like, Well, if I had 25000, I didn't need... Then I would not be a junior. Juniors don't get paid enough that you have that much extra money, and so a lot of the people that I see get jobs via introductions, and those introductions often come from either... So within We Hack Purple, we have a community, and people introduce people, people talk to people, we introduce our grads to recruiters. You should talk to people you know, people within the industry, and ask for introductions, tell people that you're looking and what you're interested in. If you keep it a secret, it will remain a secret, and then you will not find a job very easily. And so the more people that you can talk to and explain what you're interested in and try to get involved in those things, the better that you will do. Okay, so I have this big list of all the things we could talk about, but I've been talking about... For 35 minutes, and I'm wondering if there are any questions. Because I have so many more things that I want to talk about. So while I wait to see if anyone has questions that they want to, someone in the chat says, You should apply anyways, even if the requirements are way above your level... And I 100% agree with that. I have applied to a lot of jobs before where I don't have the requirements, and I've gotten a lot of them. So right now, I wanna thank our sponsor, Thread Fix. So speaking of startups.
So ThreadFix makes the most stupendous vulnerability management system, this side of the galaxy, for starters. But also when I started my startup, Dan Cornell, one of the of ThreadFix reached out and was like, How can I help this dude and me so much helpful advice. When you work in the security industry and you get to meet amazing individuals like Dan, he'll just go so out of his way to help me say much... Share it in, and all the other people who work there. Just they're like, How can we help you more just like, Oh, and there are so many amazing people in the industry, they are like the people that traffic... And by the way, they're hiring. But there's lots of different groups, and when you join communities, not just the We Hack Purple community, the OWASP community, the DevSlop community There, like Katie Paxton-Fear, she was on our podcast and she was talking about bug hunting, and she... Congratulations to her, just joined a crowd this week, and that's amazing, and she has her own community called InsiderPhD, 'cause she did her PhD on insider threats, so I entered that cleverness. But she is really awesome, and she has this really super friendly online community where everyone talks about bug hunting and everyone's just really nice to each other and they kinda learn stuff and play with things and teach each other, and so if you really wanna get into bug hunting, you need to check her and her community out, if you wanna learn about AppSec, you should consider being a part of OWASP, being a part of We Hack Purple, watching the DevSlop show. So if you can find the area that you're interested in, so that seems to be a big problem. It's people in our industry trying to figure out which part of the industry that's best for them, that's why we started this podcast, so we could ask what it's like what is it like to be a security analyst? And Ali Malan told us all about it. Being able to figure out what...
We also had two people on that talked about doing technical sales and how that worked, so one of them does more like developer relations, Nassar bam, and then we had Stephanie Black on and she was talking about... She did do security work, like hands on keyboard sorts of stuff, and they said, You know, you have the personality where you would be so good at sales, and sales is selling things, but Stephanie explained to us, it's way more than selling things, it's about helping her customers solve the problem, even if it doesn't mean buy their product and building trust, and just helping them find solutions and actually reach to the next level, the next level, the next level for their security posture in their program. And I remember when I was younger, I thought sales was about pressuring people to buy your thing whether you wanted to or not, and she's like, Yeah, that's the person that is not gonna last a week. That's not what you need to do. You need to actually help them, and sometimes helping them means not selling them your thing and telling them about something else that your company doesn't even make, but that can help them with the thing that they need, and your honesty and you being willing to share it means that I might come back to you a year later and say, I know you do sell this thing and I think we need it, can we talk... And her explaining this in a new way to look at things, made me feel a lot different about sales... Yes. Someone shared the link to Stephanie Black's episode. That was really cool. So I feel like I kind of wanna start to wrap up, so I'm gonna tell you a few more things that might help you. So one, I wrote a book, Alice and Bob Learn Application Security, one sec. And I am doing book streams, so last month we did chapter or this... Yeah, it's April 1st.
So last month in March, we did Chapter One, we're gonna do chapters 2 through to 11, once every four weeks until right before Christmas, and basically, we are going to discuss what's in the book, me and a bunch of guests, and we're gonna talk about risk analysis, we're gonna talk about security requirements this month, and basically how we can basically take security in from the very first step of a project, which is really cool. But basically we're doing free university lectures because the universities... I tried to get them to pick up my book and a whole bunch of them said no, and so I was like, Well, I'm gonna teach it for free on the internet, so there... So that is a free resource. So if you go to Alice and Bob Learn dot com, you can sign up and we will basically invite you and remind you to come to each stream and all of it's free. You don't have to buy the book to understand, but obviously I would prefer if you did, because you know I wrote a book, but so that's one free resource for you. Another thing that is not free. So We Hack Purple, my company, we have a new course coming out called secure coding basics, and in it, we are going to cover, so the 17 commandments that are in my book, and code review and how to do them, like how to code them, but also how to review code, to see if they're missing, so that you can add them in, we're gonna talk about what a secure system development life cycle means to a dev and what you do your responsibilities. We're gonna talk about payment card industry, and if you're handling credit cards, the things you as a dev need to know, and then we're gonna cover a whole bunch of common vulnerabilities, including the OWASP Top 10, because I told if that was an... In my course, that that would be the end of the world because everyone always covers it. So I covered it. And so if you go to newsletter, we hack purple dot com, secure coding course with a dash in between.
So secure a coding course, you can sign up and we will give you some early bird discount pricing, but I'm really excited for that to come out mostly so that it exists, because when I look at a lot of the other secure coding courses, it doesn't cover the exact way that I would... And I'm hoping to offer a fresh new perspective and also just... I want it at the end of the course, when you look at code and there's no input validation that it's like in your head, you just start hearing it, you just can't not see the problems anymore. That is my goal. And so then lastly, I wanna thank all of you for coming along with me on this journey. So We Hack Purple wasn't even called We Hack Purple when we started, just over a year ago, we just had our one year anniversary, and at... We started with this little online community where I would just write blogs and I charge 700 a month, and a whole bunch of you over 100 signed up and joined me basically on this adventure, and then I created a minimal viable product of an online course, and then over a hundred of you bought it, and that was amazing, and then I studied how to make courses and then redid it and added a zillion things to it and made it way, way, way better, and then more people bought that, and then we hired... We have a certification and then I wrote my book, Alice and Bob Learn Application Security, and then a whole bunch of you bought that, and then we moved our community to a much, much better platform. And so now we have chat rooms and articles and people can message each other and become friends, and we have events and we have this knowledge base and we have drip content, and it's just so, so much better now and people are joining, and that's amazing. And having you follow me and now my team, 'cause there are six of us that work on this all together.
Having you go on this journey with us has meant a lot to me, this constant support from our industry and our community has been so ridiculously touching. Our sponsor ThreadFix, continuing to sponsor us and just supporting us, and even just telling us, find more sponsors, we don't wanna hog all of your sponsor space, they're just so supportive and wonderful. We have so many partners, we have so many things planned in store for you, and I know a Odell cancelled tonight, but I have to say summarizing all of this for you. I really hope that this has been helpful. I would love to hear feedback, I would love to hear what you think season two should be about. Because we make this for you. I mean, I'm gonna be honest, I do pick the guest based on, Oh my God, she's so cool, I can't wait to have her on the show, but we made this topic specifically because we want more people joining our industry and because we want to move our industry forward, and I would love to hear from all of you what you want season two to be about. And so with that, I'm gonna sign off. So I am Tanya Janca from We Hack Purple. You have been listening to the We Hack Purple podcast, where each week we meet a different person who works within our industry, and we learn about their jobs and how they got to where they are today, so that all of us can secure all the things. Thank you.