We Hack Purple Podcast

We Hack Purple Podcast Episode 44 with Maril Vernon

July 02, 2021 Maril Vernon Season 1 Episode 44
We Hack Purple Podcast
We Hack Purple Podcast Episode 44 with Maril Vernon
Show Notes Transcript

Host Tanya Janca  learns what it’s like to be an offensive Engineer at @zoom, as well as a PluralSight author & mentor. Maril Vernon is always helping peeps break into cybersecurity. https://twitter.com/shewhohacks

Thank you to our sponsor 10Security

NEW Secure coding Course here!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security.

Don’t forget to check out  We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com

Find us on Apple Podcast, Overcast + Pod 

[Music][Music] welcome to the we hack purple podcast where each week we meet a new member of the information security industry to learn basically all about them and how they got that really cool job they have there are so many different areas of information security and i have to say me tanya janka your host that i got pretty darn confused when i joined at first i thought i wanted to be a pen tester then i thought i wanted to do a bsc so briefly an instant responder and then i found my true love which is apsack and so i'm really excited to talk to our guest meryl vernon who's gonna talk to us about red teaming and like what pen testing and red teaming is like and how they're not the same i want to thank this week's sponsor 10 security yes that's right they're back and they're going to sponsor a few more weeks and i'm really really grateful but you don't oh wait i have an announcement um we hack purple released our secure coding course finally yesterday if you want to go check it out it's at academy.wehackpurple.com and then i'll be like right there it's really obvious we really hope you check it out but you're not here for marketing you're here for merrell so let's bring her out hi you're coding sounds excellent i think i'd be into that i need to get better at it so nice thank you so much for coming on the show i i follow you on twitter it was since almost day one so i was like really excited i finally get my we have purple episode yes so could you tell us that like just introduce yourself and be like hi i'm meryl vernon and here are some stuff absolutely so hello there i'm meryl vernon also known as shehu hacks and currently i am an offensive security engineer at zoom video communications um previously i've been a pen tester and then previous to pen testing and being an infosec which i've been in for about a year and a half now i know it's kind of crazy but it's true um i was in social media marketing management so um i've had kind of a very crazy journey in a very short amount of time but i mean i'm one of those people who if you're looking to break into this industry if you're unsure where you can go if you're unsure how to learn it or where to learn it or who to go to i've literally just done all of that so i know all of the strategies and all of the things that you can intelligently do to kind of hack your way into getting into this industry a lot sooner than people tell you it'll take that is awesome information because that's literally why we started this podcast because we wanted more people joining our industry so we hack purple kind of focuses on you might imagine the purple teeny stuff so like appsec um dev zach obscure coding sorts of things but there's a huge huge umbrella of so many things in information security and quite frankly i'm i want to know all the things and so when you have a podcast this is a secret merrell you get to invite cool people on and then ask them questions and get to learn for free like i'm really gonna ask you something that i want to know and if everyone else wants to know too then awesome because there are so many things you can do you can dab you can architect you can pen test you could not pen test you could grc you could risk you could privacy you could see so you could like there are there are a thousand jobs probably in this field a thousand yes there are a lot but we want to hear about yours could you tell us so not like specifics for your company but like what is it like to be an offensive engineer like what does that mean because it's funny because i people in my life that aren't part of the industry i'm like yeah she just swears at people all the time she's an offensive engineer they're like tanya that's not what happens no it kind of is i do kind of cuss at people sometimes it depends on how the readout's going to imagine yeah that's our defensive engineer they're always making excuses and like sorry about that no i'm not moving on um no offensive testing is um all the jazzy wonderful things that you think it is everyone's like wow that sounds so fun and so sexy and so cool and i'm like it it really is it's so fun doing my job um i mean you get paid to break all the rules you get paid to make things do things they shouldn't you get paid to find all the problems i mean you could literally kind of break everything leave a giant smoking mess say thanks for the good time and you know you'd be the red teamer that i hate but i mean you could do that if you want um but really what offensive i know those people don't be one of those people um really what offensive testing is all about is it's trying to keep in mind how you provide value back to security and back to the business so at the end of the day even us offensive engineers um and pen testers are trying to secure the org that's still our goal so from the red team comes or from the blue team comes the red team no one is out here just breaking stuff for fun or trying to tell you did a horrible job spinning up that firewall or maintaining that system it's like i know we're gonna have some uncomfortable conversations around why it's in the state that it's in but let's just fix it let's just fix it let's remove risk let's reduce you know our likelihood of being breached and let's move on um so what that entails is a lot of you know really you you say we're going to stand up defense we're worried about these things happening so we stand up a defense and as an offensive engineer i go cool if you think that defense is ready i'm going to test it i'm going to literally launch z missiles at the thing just like the enemy would and from there i'm gonna say this is where you messed up this is where you did well this is where this could be better this is where you're missing a detection i was able to do this and you're gonna fix all those things so that i should not be able to hack you the same way twice if i've done my job well that's really the day what my job is i remember i did a pen test once and i wasn't a pen tester very long and i was supposed to test the laugh and i remember asking them is it on i didn't mean to be rude i was just have you had a moment like that where you're like is this thing on i had one time and actually luckily this wasn't for the company i work for now one time i was doing a firewall assessment for someone else and um they or i was i was doing a security assessment i think it was on a uh oh that's what it was i was um testing the base image of their max like the max that they had and it was not people who were used to having max maxwerd like the anomaly to the normal windows environment and they gave me one and it was super vulnerable i was coming out this thing everything was working it was like taking candy from a baby and i was like this is horrible i have like 15 15 criticals it's been like two hours and then later they come back oh we didn't put any of the endpoint protections on there we forgot that that was just kind of out of the box and i'm like i hope so they literally said it was missing all all of the enterprise level endpoint things it was supposed to have and i'm like okay okay okay all right well let me know when you're ready but um when people really try i mean there are some some things again that you'll find some low-hanging fruit but like it's like 50 versus like all the things it's like i shouldn't find open telnet i shouldn't find plain text protocols enables i shouldn't find a password policy that's only eight characters and lets you repeat passwords all you want that's stuff that i should not find if you tried at all it should be a little harder than that and if it's not then you're not ready for a pen test this is premature you're not getting any value i'm finding all the things that a gap or a vulnerability scan should have found to be honest i have i have had so many companies where they're like we're thinking of hiring a pen tester and i was like you have done literally zero if nothing so if you like i mean it they'll give you a big long list of things to fix like or you could just do like the bare bones basic like you could spend that 25 000 and like you could just squash a ton of bugs you know about or like maybe attempt any security but um i digress what is a day like in in the life of a person that does offensive security do you have meetings all day do you have to make presentations a lot you you can um it really depends on the flavor of offensive security that you are so you can be a pen tester you can be a niche pen tester like my only pen test web apps you could be the one woman show like i was at my old org who was doing the firewalls and the aws and the apis and the web apps and the pivot and the c2 and like everything like you're doing everything so it just depends but typically you'll be um you know you'll be running some tools because you always want to run tools tools help you validate um first validate things that you find and second of all find things that you might have missed um they're a good place to start for manual validation if you're new um so you'll generally be taking outputs from a bunch of your tools seeing if scans fail making sure all the like the typical vulnerability management things are running the way they should you'll be pulling some vulnerabilities and some findings being like what did that work on what's the host what's the rule what's the problem you'll be isolating it and you'll see if you can actually try it like it's like oh you can rdp to the admin console for your palo alto with anonymous credentials you're like okay anonymous non-miss oh that worked yeah that's horrible um you know so you're just you're trying stuff out and you don't see that it's not saying you won't but hopefully um you're doing a lot of documenting you're documenting everything you do lots of screenshots lots of syntax lots of you know i went over here i clicked this this gave me this nugget i took this over here and tried this screenshot that then i clicked enter screenshot that so you're doing a lot of at the end of the day when you're reporting you have a lot of screenshots to go through and they need to write a report and then that report you have to explain why you did the test was there an objective is it a compliance thing is it to find um to resolve a certain vulnerability like you're really hyper concerned with rce or xss or something um and you're also saying like this is a description of the vulnerability this was how i achieved it this is why it's bad the impact and this is how you fix it so you don't just want to give people a hey i broke all your stuff really well this is all the things that i did your baby is this ugly thanks bye you want to say this is how you fix it that's what we call it we call it i have to tell someone their baby's ugly later it's like someone's gonna be mad at you because you know everyone's work is their baby and no one wants to hear that they were bad at their job and as an offensive person you have to know that like not everyone's going to be happy to see you walk in the room and you love your job and you love breaking the things and finding the holes so you can help plug them but no one's happy to have that conversation like no one's happy to like look at the thing and see all the problems with it which is generally why you when you come in you're like did you qa this at all did you scan this at all they're like no we don't want to know how bad it is is it bad is it bad okay it's bad it's bad so it just depends but i mean it's something different every day you get a new product to test every day um if you're a red teamer like me my cadence is different now i'm not pen testing so much i'm not running automated tools we are um using cti um cyber threat intel we are trying to decide who's coming at our industry who's coming out our company why would they target our data what tactics do they use we try to emulate those tactics very closely and then we report on our success um but it's going to be more of a people and processes thing than like a product has x cve in it thing so just sorry no that's that's no no this is fantastic because like a lot of people don't realize like what a day is like we have awesome questions coming in in the chat so dwayne mid-ranch i'm so sorry what do we have what do we have no no it's great so duane says have you performed a pen test uh on an org or or a red teaming exercises and then for you know return for a follow-up and find no or a few changes were made based on the findings from your tests hurts off hey dwayne and second of all um yes i literally had a report that was so the same two quarters later two quarters they had six months and all i did was change the dates oh and i validated each and every single one and i'm like this this [ __ ] is the same this is the same as it was six months ago you fixed none of these things and you know what just hammer that point home i added a special appendix with a special table that said uh findings from last assessment persisting findings to this assessment they're all the same oh wow it's horrible yeah so you find that all the time because like what you might have found you don't find everything as a pen tester if you're focused on finding everything like you'll never find all the things once you have enough you kind of want to ask the customer like what is your goal like do you want us to just keep finding all the crits or i mean do you have do you want us to take this like do you want us to get out of here and test something else um we've definitely proved we can get past your firewall would you like us to test group policies or your antivirus solution or something else because um they can only remediate so much and they have to prioritize and they might do it to a totally different system than you do and you're like i think this is a critical like well they think that's a low and you're like well i disagree but you're it's your work at the end of the day you're the one who might suffer the breach if you don't listen to me and you're the one who over security insurance will say did you have a pen test done did they say to fix this did you not fix it that's negligence yes i was just talking to a client this week about their cyber insurance and i'm like so are you compliant with the requirements so that you actually could get cyber insurance and they were like there's requirements and it's like okay so our next need needs to be only about this but i digress okay so we have another awesome question from dwayne how do you help folks that push back when you walk in to relax and that you're there to help so there's people that are tense yes so people again who are not happy to see you um and you're about to tell them essentially all your work is horrible which is not what you're saying but that's all that they hear uh perception is everything um so first off when you work in offensive it's really key for you to reach out to people ahead of time and have really good rapport with the other departments i have rapport with all the teams i came in and i was like hi we're the red team we're new and i was building rapport with like everybody so if i have to work with you one day you already know me and you know that i'm coming from a place of collaboration and not a place of like we've never met and i had to do a really like i had to work over your product i'm so sorry um but the thing the other thing you can do is you can start off with positive findings you're like so before we get into the findings i just want to say some things that were done well we had to get really creative to do this this didn't work initially we had to pivot from here um so while we did have some success like a lot of things were being done well also so giving them some positive findings making them feel good um also telling them how common something is you know we see this in a lot of these environments it's very easy to miss it's a small config item it's something you didn't toggle it's something you didn't go in and change or this is very unique because you have a very complex setup in the way that you've implemented this you might not have caught this in a tip like if it had been a typical implementation so there are things you can say to kind of soften the blow um yeah but really it's you want to stand your ground when they're like this is a false positive or you cheated or this isn't real or i don't really believe they were able to do that like that's when you have to well we did it yeah so there are more questions in the chat everyone has great questions um so if someone is someone i i'm not sure how to pronounce his name so please please forgive me if i say it wrong yayo um is asking is it better to forward a written report or like kind of tell them on the side before doing a presentation about it to like kind of ease them into the results it depends um if you're gonna do that i would say definitely circulate it amongst your teams that you your team and your manager are all on the same page and in agreement before you do that because the second you forward a document like that out there's going to be questions well what does this mean well how about is this well what does you mean on page seven you're like we haven't had the meeting yet i was just doing this as a courtesy so including it as a read ahead can be good because they can familiarize themselves with the info ahead of time and it can be more reverse classroom if you have a very mature uh sock with a very mature approach to offensive security but if everyone's just gonna leap on you like a pile of hyenas then i would not recommend doing that so you're gonna have to feel it out oh that's such a good answer that's such a good answer when i was a pen tester i i would tell the devs in like while i was doing the test i'd be like i found this thing and it looks like this like do you want and i would even sometimes let them fix it and i would retest it and then write the report and i was like you're like oh my god we found this this is so bad and you're telling people this is so bad and they're like oh my god could someone zero a day ask me like okay let's take that in context it's really it's a high it's really not that bad we just got really excited so like we have a quality who like freaked people out and we're like okay that's real it's you know it's not good but it's not it's not full stop roping like wake up people in the middle of the night it's okay but it's okay yeah yeah don't scare the pants don't scare the pants that's gonna pants on people you can you can in your job very easily we pound we pun prod done people are like like are we all fired how screwed are we so you gotta you gotta really be careful because your job can be a lot of fun and again you love your job more than everyone else loves your job yes oh my gosh that's so smart we have another great question from dwayne so do you teach the tech folks and the org how to use the tools that you all use so that they can learn to perform continuous testing of their systems or check to see if the vulnerability found is mitigated or not we do and um that is always something i've offered at all the orgs that i've worked out i've been like if you want this is open source this is easy this is something you should be doing on the front end like i should run this and find nothing or find very minimal things i'm always willing to teach the blue side how to do the automated stuff we do they won't be able to do a lot of the more manual like higher elevations of things that we do which is why we get paid the big bucks but um i'm always willing to give them that extra edge because just as much as it behooves me to learn the blue side of things like when i wanted to learn how to f up aws really well i learned aws from the administrator standpoint i'm like how do you add them in the environment what are all the little things that you can miss how do you protect it how do i protect my data and that taught me how to get at someone's data really really well so i'm all about helping the blue get a little better at their job because they understand from my perspective how i would come at their data um but there's very little interest usually they're they don't really care they're like that probably doesn't work and your tools full of crap anyway and i'm like well if my tool wasn't full of crap and you want to learn how to use it um we're always happy to do that but um we we take it a step further i like to i like to get red team ops into a continuous feedback loop with purple team ops so i like to take the red team up identify the ttps that were successful um you know identify the shield ttps that are opposite to those identify legit hardcore detections or mitigations you can use and then say let's repeat this again let's do it again over and over and over and over until you fine-tune your stuff until you see us where you where you didn't yes before and until this is no longer going to work because then i don't have to teach them how to use my tool they don't necessarily have to understand the why to know how to fix the what and then you can feed that into red and then purple and the red and purple keeps going oh that's awesome so we have we have more amazing questions in the chat so so so so i have been told it's pronounced johnny so how so the questions for both of us but i mostly want to hear what you say how someone how can someone get to work for you um what should they learn what experience would you expect from them if someone's gonna eventually be hired on to an offensive security team so um i want meryl to answer well i can tell you that i've always done it by satisfying a need on that team that no one else had um when i came to this team they were really jazzed about the fact that i knew cloud really well which is something a lot of people avoid like the play because it's abstract and weird and complex and most people don't want to learn it and i was like i can't avoid that beast forever so i'm just gonna do do what i said if it makes you uncomfortable make it your [ __ ] so that's what i did and uh they were really jazzed because they're like great now when we find keys or if we find something that we don't know what to do with you know what to do with those things and that's a contribution i can make provide value and it's a niche you can satisfy because you know i'm by all means very new to this field i'm new to my team but i am filling a gap that these seasoned guys just don't have because you'll just it's hard to know it all no one will ever know at all that's impossible um another thing that i brought to the table was um the purple team methodology experience no one else really had experience running purple team engagements so um what behooves you if you want to get into like working for these teams is to well round your background and your education and your experience and be able to bring something else to the table like you can throw a rock and hit 10 pen testers but can you throw a rock and hit 10 pen testers who understand business risk and can communicate risk to business managers and can talk to it people and also talk to senior leadership that's very rare so i expect people to know the basics but honestly i can teach you anything technical you don't know you've never used bash fine never use powershell can't believe that but fine you've never used a certain tool fine we will teach you how to use those things there's a thousand and one tutorials on how to physically do what i do but when you can bring something extra when you can bring something else that no one else on the team has um that really is really really your golden ticket in so i would say if you want to work for zoom's red team target zoom target the people who work on the team talk to us be like what are your you know what are your challenges what are you guys working on what do you find you know and be like okay uh you guys want to start mobile testing in two years i'm gonna make it my business to be the expert the go-to expert in mobile testing in two years bam you're guaranteed an audience at least so that's that's how i've done it that's how i that's how i move so quickly through those ranks nice we have more questions dwayne is just like powering through the questions it's awesome so he says have you ever not compromised an org which i think could mean like also like a product or a system that you're asked to test oh as in like i couldn't smoke them they did they best yeah like no i'm under thinking i think the hair flick is the best thing ever could you imagine when you you're like so here's the pen test report yeah wouldn't that be glorious your findings but um i've had someone peacock me in a meeting they've been like are you sure you have the experience and i'm like cool buddy i just chopped my head don't go there um but yeah i'm sure i'm sure the day is coming when someone's gonna have a decent defense and um but here's the deal when that happens when i can tell all the straightforward stuff isn't gonna work i just get creative immediately i'm not gonna take 20 000 hits at the firewall i'm like all right all right you got a good firewall i'm just going to sneak around here and i'm just going to work my way and then inject over there or i'm going to wish somebody that's my solution so um i haven't met anyone that i can't beat yet but i'm sure the day is coming especially now that i put that challenge out there into the universe but wouldn't it be fantastic though like you work somewhere and you're like yeah that team is just so totally awesome i can only get some lows in and i couldn't really get that far if i had all lows and informationals or nothing at all i'd be like you guys i'm so ashamed to admit defeat but i'm so proud of you you are you are the mvps you guys ever so actually in in an op i won't say for who but in an opt for someone um i designed this beautiful fish and i spent a lot of time making it look perfect like not one of these ones with all these typos and spelling errors and english syntax questionable things it was beautiful and immediately all the targets we sent it to reported it and i'm like who's got the super woke users you do they they weren't buying that for two seconds like it lasted like two hours before and i was just like they all they all reported me well that's good that's good i used to work somewhere and we sent fish and we would let people catch the fish so you would report it to us and then we would send them a cute picture of us holding fishing rods be like you caught us but people actually reported a lot of serious things that we found out that were going on in our org and that was cool yeah we have more questions very upset we we have more questions however i want to take a brief second to thank our sponsor 10 security 10 security if you want to hire the guys that created defect dojo to implement defect dojo you hire 10 security and that's all there is they didn't give me a sentence to say they said i could say whatever i want and so just like greg and matt rule the end and so now i want to ask some questions so first of all dwayne was saying in the chat he's had people tell him not to ask questions but i love your questions twin let's just oh also i'm supposed to tell you about our secure coding course i remember now that's why my face is still on here okay so we released a secure coding course from we have purple yesterday and it covers the 17 secure coding commandments as per um alice and bob learn application security and it covers like code review not um how to do a complete engagement of code review but basically you learn a thing and then you review some code and you're like hey something's missing or that looks wrong we also cover pci dss so like how to be pci compliant and it's actually not as hard as you think we covered the oauth's top 10 because otherwise i would be strung up by my toes because you have to cover that but i also cover um a whole bunch of other vulnerabilities and then also what is application security in a secure system development life cycle and there's silly animations and jokes and checklists and quizzes and code review and anyway i hope you all like it and it's it's 199 until july 5th and so i have done all the marketing i feel like i can do so let's go back to merrell and let's go back to dwayne so he was like he was asking like what percentage of your engagement is technical versus writing reports versus communicating with your customers or clients that's a great question it's a great question that's again going to depend if you're internal to your company like i have been or if you are working for a consulting firm and you have many external customers if you have internal customers you're doing a lot of meetings and a lot of explaining a lot of writing because people want to know what you're doing why you're doing it how dangerous is it when will you stop will you stop when you're supposed to stop are you going to dos prod are you going to take a screenshot of the ceo's desktop like these are all questions i've been asked so they're really scared so you write a test plan you defend your test plan you execute your test plan then you write your report defend your report outbrief your report technical outbreak report executive outbreak your report so um as a pen tester you end up doing a lot of writing sometimes if you work for a consulting firm where you're pin testing a lot of different people all the time then generally you will be um you'll be getting roped in on the roe meeting so that you know like kind of if you if you triple wire you're not supposed to if you do something you're not supposed to who do you tell immediately and like how do you operate safely for that company but then you'll basically be gathering your screenshots and doing your testing because you only get like a week usually to test that company and give them your all and really make sure they get some value out of it so you want to spend all of your time doing the hands-on keyboard coming at the system um and then you will generally pass a lot of that off to someone else who will like gather all your findings and write it up and you'll double check it and then they'll send it on um and then you only have to really attend the meeting if the customer has questions on how a specific thing was done so um it just depends on your world it depends and if you're not comfortable generally you can like brief your manager and be like this is what we found this is how it worked this is why it worked and they will take that rain for you and you're just kind of on the call to fly on the wall and really answer any super tough question that they can't answer for you but if you write a good enough report you won't have to speak nice yes yes um writing a report is it's almost like an art to writing a good one that you don't get questions from definitely we have we have another question um so this is from al do you find that you're so busy learning new tools vulnerabilities and threats then you don't care about certs anymore or do you try to attain certs that align with your future goals or your current goals i mean that implies that you cared about certs from the beginning yeah i'm kind of not the cert person to speak to uh still the only real cert that i have is my sec plus i've gotten pretty far leveraging that um i did just complete my master's like two weeks ago so i'll have that shortly but yeah that's amazing i started my shopper and i just wrapped it up last month so six months um so now i have another one but i'm not really someone who felt the need to go out like i asked people in the beginning what value did you get out of that why did you get that sir well i wanted to work in the dod and they said to have a ceh so i got one okay why did you get the oscp why did you get this and i started learning about like the the core curriculum behind them and ostp wasn't going to serve me because i don't do a ton of network pivot i do a lot of web apps and api that's like in cloud that's where the future is so um i was like i don't need that i don't need that that's not going to help me it helps me more to identify the things that will provide value to my organization what is my org concerned with where are we going are we doing a mass cloud migration and deployment are we developing our own applications are we going mobile soon like wherever it is that your org is going those are the people sending your paychecks you want to serve them so it might not be getting the jazzy sans cert that you want but it might be doing that vulnerability research and that cti and getting that experience being like listen i don't have an oscp but i know who our top 10 threat actors are i know when they'll come at us and why they'll come at us and how they'll come at us and i have a plan for that that's way more bad yeah i would much prefer that definitely i actually have no certifications except for the one that i made for we hack purple i was like i guess i'm going to give it to myself since i made all the courses you have to take to get it so i might as well so that's like my only cert um but yeah i i feel like some people uh assert can really help you get in the door and some people it's you don't necessarily need it um or if you want a specific job sometimes you need it and it's an industry right certifications in industry you have to pay to take the certification you have to pay to take it again you have to like i don't know if you only you have to pay for the cpes to maintain it like yeah yeah the fact that you can't get cpes from reading the fact that you can't get cbes from basically like i i was explaining to this to my significant other who is not a security person and the response was just wait a minute so you have to pay them again to keep it and you have to pay them for training you have to pay and he's like could people take your courses and then they could i'm like i don't think that we're able to give cpes and it was just ah this is totally not fair yeah it's an expensive industry to be in and um yeah i'm seeing uh so we're not supposed to talk about our competitors but i'm seeing really cool things that cyber mentors doing i feel like it's okay to talk about them super positively right um expertise definitely for sure you guys if i want to learn yeah the the the target consumer will go to your courses or his courses for very different reasons yeah exactly exactly but i mean his courses like if you want to smash all the things yeah they're excellent they'll take you from no nothing to hero just like me like i was high new here don't know what an ip address is and now i'm over here red teaming things so i mean it just depends it just depends but i would just say to figure out what you should learn target the job that you want if you want a job with like a top like a fortune 50 company a big ass company a tiny company a pen testing firm those are all going to be different and say listen i might not have the ceh but i took the ceh curriculum i read the book i did the thing i've done some labs this is what i have to make up for that instead that's probably fine or say you know i see you're looking for a mobile pen tester i don't have any of these certs but none of these cert speak to that skill anyway however i have done a ton of these things which is practically relevant to this job that's what i would say yeah oh i like it so we have we have a question so i i don't always do well with the you're euro woman isn't that hard type of question so we can pass if you don't want to but but honestly asked and a nicely asked question so infosec is a hard field for women in general we have that ridiculous hashtag infosec bikini going on to prove it but you crash those gates can you talk about it some more it's it is very much a uh still a good old boys club and i don't want to stereotype the good old boys either because i've met tons of gentlemen in this field who are super nice and super approachable and very supportive and very collaborative but there are a lot of people in this field who still need their mind change and i did encounter a lot of that in my first infosec position ever i encountered emails that they never thought would get to me which is stupid because i was admitting the dlp tool but anyway i saw where they called me the boppy millennial chicken security in emails like they're just referring to me like that in emails but but in the elevator like if they never met me in person they were like yeah we're going to go meet up with that that new guy in security later in merrell and i'm like oh meryl they're like yeah i'm like that's me apparently my work ethic seemed like to the caliber they would expect of their peers but once they learned i was a woman i just became oh i'm whiny oh i'm emotional oh i'm you know i just want i i don't have the experience i just got here like can i explain why i deserve to do any of these things so it was my newness it was my gender it's that i'm a millennial like all these things work against me so i'm pretty used to it but um sadly that stigma really is still out there uh my my sister works in tech 2 as a bi and she had a gentleman that she mentored because he interned under her and then when they finally had the same job title she'd been working there longer she had he had been her intern and he was making 30 more than her simply because he's a guy and gender gender salary differences are a thing so it's something that we see all the time a lot of us are kind of we kind of just shrug it off but it's annoying and it's there and it sucks there's no nice way to say that it sucks but all i can say is be the change you want to see if you hear something say something if your co-workers are being dicks tell them they're being dicks yep yeah i like to make people feel really sorry uh if they do something sexist i like to just like call it out so it's so ridiculous that they feel bad um yes but i'm gonna try really hard to shut up before i say too much especially about infosec bikini i just i don't get it i did post a photo of a picture of my bikini just sitting on the floor um and i still had to block several men for saying super perverted things to me and i'm just like are you kidding it's just a picture of a bikini yeah the fact that you took it like you're inviting that attention you want us to think of you like that clearly this is something you want and i'm like oh my god i won't get on that soapbox but i will say i love how the infosec community came together immediately it like it wasn't a topic that divided us and some of us were like well that's really not professional well that's it's not like she did on linkedin it's not like it was like out of context for that platform it's twitter and we all came together and there were bikinis mankinis logo kinis like dog teenies like we're on everything and it was amazing and i think that just goes to show like the generation you see interacting with us regularly like you see so much bestiness going on in twitter you're like there can't be that much dissent and like discord happening in our community and it's like well the people causing are not the people who are our friends out there on socials are they um that's much more a different demographic working in our industry but i think it really goes to show how we're going to change all that once our percentage takes over their percentage because we all got with each other immediately and supported each other and just unabashedly were there for each other so we rock also there are some damn sexy people working in infosec oh wow right yeah yeah one of my friends sent me a picture of someone and i was like anyway okay time to get back on track you can do this awesome okay stop fantasizing about me twitter movement ever is in bikini forever we have a really good we have a really good um another good question from dwayne i know no one's surprised great questions coming from dwayne so when you look at best practice docs like the cis critical security controls so i like this this is benchmarks a lot where they'll tell you like you gotta do these things if you want your things to be secure so if you look at those best practices and orgs that actually put them in place and then monitor the controls do you feel that those controls would actually block the majority of your attacks or is more needed than that yes yes i do and i'm not just saying this because i author benchmarks in my spare time why are you saying though my name is on the uws one soon to be azure he'll sing either um yes i'm telling you guys security is doing the basics well if you were every time you installed a palo alto device or a cisco device or a f5 or a meraki or whatever it is you've got if you whipped out the benchmark and did their literal syntax steps that we painstakingly spell out for you like 60 of my initial access [ __ ] would not get off the ground i'd be like what are we gonna do now we have to fish somebody we have to fish or fish somebody or we are dead in the water we are screwed that's all there is to it there is no pivot if there is no initial access so if you can cut it like mitigating your defenses around a kill chain that i would execute is not defending against all the things it's can you remove enough pieces that this is a really inconvenient or be impossibly harder see i'd have to know how to engineer my own malware just for you and now it's not that worth it anymore that's all you're doing that's all you're doing and if you literally did what was in the cis benchmarks and you regularly monitored and you did some das testing and you ran regular vulnerability scans you would know all these things before i knew them i have people ask me a lot like should we spend our money on like pen testing all these things or run an apsec program and i'm like well i'm ridiculously biased because i switched from pen testing to appsec but like you could get you could be building such nice software defense the best defense is a good defense like eventually you can't build your walls any higher eventually it's time to see how well you stand up but so many people are not doing the basics if you can't pass a compliance audit if you can't get a sock too if you can't get an iso certification if you can't if if you're reporting in your vulnerability management tool like multiple criticals you're not ready for a pen test you don't need it but you need to do those basics oh merrill that's all i'm gonna say last year one of my clients um bought another company and they're like hey could you just take like a little look at this and we ran a sass tool on it and found 43 000 vulnerabilities in one app and i was like i'm sure they're all false positive something's wrong here and then we went through the first hundred and they were all legit and i was like yeah so feelings and thoughts yeah yeah by the way security is 10 10 times more expensive to go back and put in after the fact than it is to bacon from the beginning and by the way devs maybe don't loop us in two weeks before go live and say pen test this thing so we can publish it maybe have us do two or three passes at it during your q8 phase we're happy to do it we'll find more stuff that way you'll secure more stuff that way and then the things we find at the end are like teeny tiny nuancey things and then you don't have to go back and do 10 000 lines of code edits you're like oh i'll fix this while i'm writing it yes yes that would be my dress oh my gosh i have i have so many dreams of this merrell yeah okay envision i have some i have a question i'm gonna stop asking the people in the chats question for just a second if you were gonna give someone advice that wants to get into a role like yours what type of actionable things could they do if you want to get into a role like mine um so i do again a very niche function in offensive testing um i kind of am at like the golden level of like we're not pen testing anymore we're doing like the really elaborate sophisticated long life cycle stuff and it's so much fun um if you want to be good at this then you need to know you need to know how red team operations are conducted you need to know the difference between a red team op and a pen test you need to know um how to stand up infrastructure we do a lot of that in the cloud now if you don't know anything about the cloud if you've still never heard of terraform you need to know these things because again all the guys on your team will be able to do this in their sleep but if you can come in and say listen i know i'm junior i don't have a ton of experience but on the first stop that we do i'll spin up the infrastructure i will get all the rfa keys done i will get all this going i will take care of this i'll get all the servers up and running make sure i'll be talking to each other and all you literally have to do is payload development and then i'll deploy the agent i mean that's music to their ears that shows them that you know what you're doing you know the foundations you could be inserted very easily they don't have to teach you how to walk before they can teach you how to run we can all focus on your running form now and getting your time down um and it just tells them that you cared enough about the difference and the nuance of their operations to learn about it yourself um being able to offer something extra again so something most red teamers won't know something cloud or mobile or api or risk um one of the first contributions i ever made was that i have a custom risk matrix that i use that i really love um it's not dread it's not stride it's not pasta it's not any of those things it's like it's the erm and i really love that because it provides organizational context to things that are otherwise kind of arbitrarily graded by severity so i immediately did that for all the findings for an op that i wasn't even a part of and i was like look i gave you kind of this extra level of being able to explain this to them in a way that's impactful and they're like great can you speak about that in the meeting because we don't understand but it looks great so i mean there are tons of ways you can provide value but really your best way is to treat it like a hacker would treat it find the people do the ocean ask them the challenges read the articles they're putting out if they're putting out articles on google they're probably have a lack in google because that means they're researching it and publishing about it and asking about it so track the things that their operators are asking about in forums and searching about and researching and developing on and like track their conversations and say hey if you ever have a question on this i happen to know a thing or two about a thing or two and then they'll become your buddy and then when you apply they already know you so like don't just take your chances applying to a red team do the ocean on that red team and make sure you can provide value nice that that's really good advice i feel like for a lot of jobs i will do the toil i will do the crappiest work please let me on your team so smart i called up putting back the dresses when i was a wedding planner um i took all the dresses from everyone else's appointments and i would go put them back in the racks and i got to memorize where all the dresses were and someone was like where's the vera weighing where's the beer when i know where the very wing is i could go snag it for my client it's right over there so it's like doing that weeds work knowing knowing stuff like knowing this inside and out that's what's really going to help you that's really that's awesome so i feel like i only have question for one or two more i only have time for one or two more questions so i'm going to smash two questions together so what do you like the most and what do you like the least about your job or like about this this type of job what i like the most about it is that the cadence is very different we spend a lot of time planning and a lot of time formulating and a lot of time getting very creative and making it very real i love making it as realistic as possible i want to mimic the wild as closely as possible um what i like the least i don't really find anything i don't enjoy what i didn't enjoy about pen testing was that like so many people didn't care about the output and like thanks for this report shredder you're gonna remediate right so it just kind of felt you know it felt like oh well did a tool validate that because if you're told and validated we don't trust her work and it's just like it was just kind of disheartening um you're going to get a lot of that if you want to be a pen tester you have to have a very thick skin i haven't really found that with red taming i found that people are we do such higher echelons and like sophisticated functions that when it works that might be a thing sometimes we put a lot of work into something a lot of work like weeks worth of planning and it doesn't get off it's like baking a cake you put the in and it explodes you're like dang it dang it so this motivates you to come back better next time but um really everyone cares a lot because you're not just testing a product you're not just like looking for bugs you are testing the company as a whole how vulnerable is this company not how vulnerable is your product which is very very different and very very fun i we have so many comments in the chat about just people being like yes yes yes there's this so if someone wants to learn more about you i heard that you were speaking at some conferences i am um i did a first part of a multi-part series at wild west hack and fest way west last month i'll be speaking at um way west that are not way west hack fest deadwood as well not sure virtual or in person yet but it's definitely coming um currently i'm teaching all of you hackers how to be better at social media because marketing is a thing that you don't understand very well that i understand decently well um i am going to get in on that uh we will say we can drop a link and i will i will also have that in my bio and twitter um and also you can find me on discord um if anyone wants my discord handle i'll make sure that tanya gets it and is able to post it um i have my own discord server where really people can just hit me up with questions like hey i don't understand this thing in sec plus or i don't understand this or can you explain that it's really a great place to hit me up because my linkedin dms are insanely behind at this point um so my discord server is not i'm not putting content out there all the time but it's your closed audience opportunity to ask me all the stupid questions or the whatever you have a question on i'm happy to talk to you there um and then i'm emceeing for grim con with bryson bort and uh wade waiting through logs it's gonna be a lot of fun i'm gonna wear a unicorn that's awesome i feel like you should definitely invest in a superwoman costume at some point because like you're fairly super actually i now godo a lot and i'm like i don't want to say thanks but thanks so i think that has to be my halloween costume at this point yes i have multiple superman shirts because well superwoman because i'm wearing them so it's super woman when i wear it yeah it's just it's the best and then all day long when people ask hey how are you you can respond and be seriously and say it's super super right and that's the best so as a last question because i want to just keep asking you a hundred questions but what makes you feel the most pride about the work that you do it's when we actually get to harden things like when when i got something off the ground and my cake came out of the oven perfect and a ton of things worked and i feel really bad because socks generally feel very beaten up on at that point um but you get with them and you say let's fix this let's fix these things i will tell you how to find me and i'll make sure that the next person who tries this crap they won't get it past you yeah that's the oh no that's the wrong discord handle it's updated now it's she who hacks to 996 just so you're all aware if anyone's watching but um but that was the old one but uh yeah it's when we actually get to harden things when i actually see mitigations happen when i actually see detection spine tuned when i see rules appear when when emails that were delivered to inboxes are no longer getting delivered like that makes me excited because you get a little bit better and it forces me to get a little bit better and then you get a little bit better and it just keeps going like that until you're gonna look me in the eye one day and say hocus pocus you can't smoke us and i'm like i hope not i hope not oh my gosh that's awesome and for anyone that was listening her discord server is she who hacks yes number sign 2996. and it's kind of like linux you have to capitalize those things or it won't show up okay so is it capital s yeah should capitalize just like that but if they don't capital h on who yeah or capital w capital h oh my gosh oh yeah um so thank you so much for being on the show this was actually super stupendous because i wanted to use the word super um this has been wonderful yes thank you people they're gonna get worse no but it's wonderful thank you so much thank you to everyone in the chat who asked all the awesome questions who were so great i appreciate all of you and thank you meryl for being on the show seriously like you follow someone on twitter and then you invite them on the show and then some of them say yes and so thank you for saying yes okay like follow someone for a long time comment on her stuff and she's like you want to be in my podcast i'm like i do yay it's like i made it now yes dwayne's awesome kellen's awesome johnny's awesome all people in the chat thank you al all of you you guys have been working wicked engaging it's been awesome i agree i didn't even get to ask half my questions although they did ask a lot of them for me you're welcome okay so we are going to wrap up and this was the we hack purple podcast thank you so much for coming to the we hack purple podcast and thank you to our amazing guest meryl vernon she who hacks thank you to our sponsor 10 security we appreciate you so much and in case you did not get the memo of me seeing it 500 times in us flashing it on the screen we hack purple just released a secure coding course it is language agnostic there are not coding exercises but there's code review quizzes checklists pdf downloads and then a ton of videos and articles that teach you all about why you need to secure code securely how to code securely and then a whole bunch of code samples to try to make sure that you actually do after this course so please check it out at academy.wehackpurple.com and i feel that that is lots of stuff that i am supposed to say and thank you very much for listening to the weehack purple podcast i'm tanya jenker your host and apparently last episode i completely forgot to introduce myself or say my name so i did it thank you the end next