We Hack Purple Podcast

We Hack Purple Podcast Episode 49 with guest Adrian Sanabria

August 09, 2021 tanya janca / Adrian Sanabria Season 1 Episode 49

Host Tanya Janca learns what it's like to do cybersecurity product testing and reviews at Security Weekly Labs with guest Adrian Sanabria!

Thank you to our sponsor Checkmarx! https://www.checkmarx.com/

Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security

Don't forget to check out We Hack Purple Academy's NEW courses.

Join our Cyber Security community: https://community.wehackpurple.com/ A safe place to learn and share your knowledge with other professionals in the field.

Subscribe to our newsletter here: https://newsletter.wehackpurple.com/

Find us on Apple Podcast, Overcast + Pod 

[Music] So welcome to the We Hack Purple podcast, where each week we meet a new and very interesting member of the information security industry. This week is the last episode of season one. When is season two coming? Only Tanya knows. She has a big project to get out and then she's gonna start again. Our guest this week is Adrian Sanabria, and he is going to talk to us about what it's like to be basically a cybersecurity product tester and reviewer, and what that's like. He has a very interesting job and has basically seen all the products ever. This week our podcast is sponsored by Checkmarx. They make a SAST tool and so much more. I will tell you about it in the middle when we thank them again. But let's not keep waiting, let's meet Adrian and let's talk about what it's like to do his job.

Hi Adrian.

Hey there. Yeah, good to be here. Thanks for inviting me on.

Thank you so much for saying yes. I am happy to have you here. So I think you have the most interesting of the titles, or most unusual of the jobs, of everyone that we've had on this show. Can you kind of tell us what you're... because you do a lot of things, but I guess you could tell us the main gig?

Sure, yeah. So, you know, I guess maybe the longer you stay in any given career, the weirder your job title can get, right? You can get more and more specialized, and eventually you're just the old person, the cranky person criticizing everything, talking about how it used to be. I'm not quite there yet though. So yeah, it's interesting. Another thing I've noticed that happens is, as you get older, a lot of the other folks I know in the industry, you as well, you've got your job, you've got the podcast, like we start stacking up all these different things we do. We do community stuff, and it's very rewarding, but it can get very stressful too, especially if you're running some of your own stuff, if you're running your own business.

Yeah, you wear a lot of hats without the extracurricular stuff.

True. But yeah, so right now what I'm doing is a mix of different things. So I work for a company, CyberRisk Alliance, that has consolidated a bunch of media and events companies. So Security Weekly, that whole group of podcasts; SC Media, which is scmagazine.com, you can see there; InfoSec World, which is a big annual event that happens down in Orlando every year, it's been around for a long time; and a few CSO event and roundtable companies have all been kind of smushed together. So on any given day I might be helping to host an SC Media podcast, I might get pulled in because the regular host can't do it. I'm a regular host on Business Security Weekly and on Enterprise Security Weekly, so I'm in front of a camera a lot, interviewing people and talking about the news and current events and things like that. And then the actual products I'm building, which is Security Weekly Labs, or SW Labs, you can see there. We've got two things we're building, and one is the product reviews, and some of those are already out and you can read them there. The category we covered first was attack surface management, which is kind of like, beyond just doing external vulnerability scanning and website DAST scanning, that type of thing, and saying, well, how much stuff do you have hanging out on AWS? There's always this extra stuff that people forget about. A developer stands something up, leaves the company, nobody else is thinking about that, it just gets abandoned, and a hacker finds it one day, and it has some connection into the corporate network or database or something like that, and it's a very bad day. So it's a really interesting category, and you can go check those out. And the other thing that I'm building is a vendor and product database, which is not out yet. We've completed the first version of the database. It doesn't go super deep into products and companies yet, but I'm hoping it'll get to the point where if you're shopping for a product and you're like, well, I need a SAST product, but it's gotta be able to do .NET, you can just do that query in this tool and it'll give you a list of all the companies that make something like that.

How do companies get into that database?

So, a multitude of different ways. So the podcasts, like, we've already got different ways that we gather all this information. One of the things we do on Enterprise Security Weekly is we talk about all the new companies coming out of stealth, anybody who's raised any money, anybody who's been acquired. So all the vendor business events that occur, anything that would result in a record on Crunchbase, for example, kind of shows up on that show. So yeah, there's a bunch of different sources. But then there's, you know, the company I worked for previously, Thinkst, was bootstrapped. They're not gonna show up on Crunchbase or through any kind of VC funding feed or anything like that. So it's a good question, and the method isn't perfect yet, so we're going to have to automate some things, but keeping it up to date is going to be a challenge.

Definitely. We are bootstrapped, so yeah, we wouldn't show up. And I mean, we don't create a product per se, it's more like intellectual property, like training and stuff like that. But yeah, I know a lot of companies where they might not show up there.

And we do include services and training companies.

Yeah? Oh really? Well, hello there, Adrian.

It's funny because, yeah, I've got a list of just companies that I need to add to the database, because every time you add one you get to go to the website, you get to look at what they do. Because the tough thing is, I noticed there are kind of some databases out there, but they either get categorization hilariously wrong, and they'll tell you CrowdStrike and AWS are direct competitors or something like that, and you're like, wow, how did you even get there? Or they just don't keep it up to date, and you're looking at it and you're like, that company was acquired, that company was acquired, and they just haven't caught up.

Oh yeah.

So yeah, that's the challenge, because you've got to go through the website for each one, and for each product. Man, you go to Computer Associates or some of these larger, bigger companies, they've got dozens of products, and there's a row for each one of those, there's an entry for each one of those in the database.

Yeah. Oh yeah. So what would a day in the life of your job be like? Because I have a feeling it's very different than the average person's job.

Yeah, so this week is interesting because it's Black Hat, and we're doing these, we call them micro interviews, these short 15-to-20-minute interviews with folks who are presenting at Black Hat, or somebody who's doing something at Black Hat. And so, much like any interviewer would do, I go out and I've researched the person I'm interviewing, I try and come up with some good questions, usually maybe a few personal questions in there, a few non sequiturs, and then the core of it. But with 15 minutes you've got to move pretty quick, and going into it you don't... so you have to have multiple strategies. You don't know if they're going to be a talker. I don't know if you've ever been on a panel and the moderator of the panel makes the horrible newbie mistake of allowing the panel members to introduce themselves, and you get, I don't want to say the one guy, but it oftentimes is a guy, that uses 20 minutes of the 45-minute panel to introduce himself. So yeah, you're going to have different strategies going into it. And I'm very pedantic too, so I do a lot of prep for anything like that. I prepare for different outcomes and stuff like that, and kind of stress and obsess over just making sure it goes smoothly. And for me it pays off, but it's very time consuming. And for me, being in front of the camera, I get to take a breather afterwards. It doesn't charge me up like it does an extrovert; it wears me down, but I love it. So I don't know if they've come up with a word for that yet, but I've heard people say "extroverted introvert."

Yeah, I've heard that too. I've heard that too. I am an extroverted extrovert. On the Myers-Briggs I got 100 on the E. However, I still find being on camera tiring, because you're concentrating really hard. You're trying to make sure not only that you sound good, but you're also trying to make sure, in my case as a host, and since you host things you know this, you're trying to make sure the other person is comfortable, that you're asking questions in a way that's positive for them, and that you can suss out the information you're trying to get, or try to lead them down the path to wherever the next conversation point's supposed to go, et cetera. Yeah, I feel like it's not like a regular conversation, where I have to check the chat, I have to check this, I have to check that. If we were just having this conversation, the two of us, it would give me more energy, if that makes sense.

Yeah, yeah, definitely. And it's tough because my day-to-day job kind of switches between these different modes. Things that are on my calendar that have to get done before that thing comes up, like doing a podcast or interviewing somebody, make it really easy to get that work done. I've got ADHD, and I respond very well to that, the stress of "oh, this has got to get done," so it's easy for me to focus on that. It's the stuff where I'm doing a product review or I've got to write an article or something like that, and there's nothing on the calendar, the only push is me, like I've got to self-motivate. That's the stuff where I struggle, and I've got to have different strategies that I think a lot of people with ADHD would recognize, the kind of strategies you come up with to push yourself to get that kind of stuff done.

I am a strangely, extraordinarily self-motivated individual for some reason. Like, if it's a thing that I like, like when I was writing the book, I was very motivated to write the book because I love finishing a task.

Yeah.

But if it's a thing...

It's great. I've got a copy in the other room.

Thank you. But you know, if there's that task where you have to wait on this person and wait on that person and then wait on this and that, can't do it.

I get it. It kills you.

Yeah, it really... I'm just like, oh my gosh, just throw it in the garbage. Yeah, I get really fussed about things like that, which as a coder was hard, because I was a coder a really long time. I'm just like, I'll just program it, I swear, I don't care, I'm not waiting. Yeah, which makes you the best or worst teammate ever. But anyway, I digress. What types of personality traits do you think someone would need, or maybe like aptitudes, to be good at the stuff you do? Because you have to be on camera, you have to write up reviews, you have to try a zillion products. Like, what type of...

This is the most natural job for me ever, because I have to try everything out. Like, I see the latest gadget coming out, I'm watching the Apple keynote, like I want one of everything. I want to know how that works, I want to know what it feels like to use it, I want to know how it compares to this other thing, I want to know if it's better or if it's worse. I absolutely love seeing new technologies and stuff coming out. Like, we've got these folding phones now. It's just Christmas every day for me when watching tech news and stuff like that. On the security side, it's a little bit different, because consumer products have to be good or they get thrown in the trash, they get returned, nobody's gonna use them. There is no patience for a crappy product, especially in a saturated smartphone market, or headphone market, earbud market, something like that. But in security we're more than happy to have just an entire industry full of stinkers, where you get the product and it doesn't work. And it kind of goes category by category. Like, we do have categories where, if we're not getting the results, we're going to move on. Like, our sponsor today is a great example. If you've got a DAST or SAST product or vulnerability scanning product, it's a stable, saturated market, there are other companies you can go to, and people won't think twice to go try out another one. Sometimes people use two just to feel like they're covering more ground. Maybe one vendor is really good at finding SQL injection and another one isn't, or something like that. But the problem is, if I want to buy an app for a dollar, I can, and there's 50,000 people that have reviewed that app. But if I want to spend a million dollars on a SIEM, like a cybersecurity product, there's nothing out there. The companies spend a bunch on marketing, but there's nobody reviewing this stuff. Or if there is, like Gartner has their Peer Insights, but it's all crowdsourced and nobody's vetting that stuff. And just to test that, I'm that kind of person where I'm like, can this be abused? Let's go see. And I went and left an anonymous review on something that I'd never used before, and nobody questioned me on it, nobody took it down. Okay, so that answers that question. For a talk I did once with Haroon Meer, I actually created a fake company, fake domain, fake website, created fake people that work at the company, had my fake chief marketing officer, and we won all kinds of infosec awards, just to see what the due diligence is like there. And I don't have it within reach, it's on my kind of tchotchke shelf over there, but I've got some physical awards that I got sent. All I had to do is whip out a credit card and buy some infosec awards.

Yes, yes. I actually got offered to win two different women in business awards this week for just a thousand dollars. It's pretty awesome. And I was like, oh, I actually like to just get awards because I'm good, so I'll just keep those.

Yeah, maybe just remove me from the mailing list, please.

Yeah, merit-based is a thing.

And that's the problem, is there are good awards out there, but because of these bad ones... Part of what I did for this talk, and this is also, it's not really part of my job, but this is part of that self-marketing that you get into when you've been in your career for a while, and I live for it. I love doing this kind of research. There's no money in doing this kind of research, but people need to know, so somebody needs to do it, right? Somebody needs to talk about it. And it was, I think, well past time for somebody to say, hey, some of these awards just aren't legit. Like, you go to these product websites, I can't find a review anywhere, but golly, they get a lot of awards. They get an award a month. How do they do this? And yeah, the problem is there's no way to tell the good ones from the bad ones, not easily, without doing a whole bunch of research like I did. And I actually surveyed folks, and something like 45% of people that see a company with a page full of awards like that, it kind of puts them off, because they're aware that some of those are not legit, and they would rather see a company with no awards posted than one with... like, some companies have pages just dedicated to awards, so you can go to company.com/awards.

Really? Wow. So I just want to put them back there and hope that people are like, she seems legit.

Well, I mean, yeah, those individual ones I think are less suspect than the ones that the whole company wins. But there are a lot of those, like CSO of the year, female CISO of the year. Like, they try and make it as flattering as possible.

Oh yeah. To get you to spend money on it.

Yeah. So yeah, it's weird though, right?

Yeah, I feel like maybe that should be illegal or something, because it's intentionally misleading. Do you know what I mean?

Yeah, I don't know the legal side well enough to know if there's anything you can do there, but yes, certainly. I mean, I think it's one of those in-between things where it's like a Better Business Bureau thing, where the law isn't going to handle it, but there needs to be some kind of private institution that does.

So the challenge... yeah, oh sorry, we have a comment from the chat: "I imagine there's a lot of tact involved in navigating publicly critiquing claims made by businesses."

Yeah, so that's what drove me to put together this... because I've created this whole product, like, down to how do we handle it if somebody threatens to sue, how do we handle it if they don't like the review. Like I said, I'm pedantic, I document everything, so I've just got all these scenarios mapped out, like here's how we're going to handle this, here's how we're going to handle that. And yeah, you do have to be tactful. Like, I don't think it would go over well if I just created a site that just listed, actually ranked, awards, like legit awards and not legit awards. I'm not sure I'd want to see the fallout from that. Honestly, most of those that are just "drop in a credit card and we'll send you a trophy," it's a single person running those in most cases, so I don't know if they'd go after you, but I don't really want to find out either. Like, I've got enough stuff going on, I don't have time for that. But making sure people can tell the difference is part of what drives me to do this. Part of it's that, part of it's people need to know what products are good and what aren't without having to try a hundred of them. But the other part is I just wanna... I gotta touch them all, I gotta play with them all.

I get it.

You know, for me it's like going to Toys "R" Us when you're a kid, going to the toy store and just running up and down the aisles. Like, some of those toys, they'd have like the Lego table out, some of them would be out where you could try them out. And yeah, so that's what kind of drives that for me. But yeah, you gotta have a release valve on it. So there's a company called NSS Labs that is not around anymore, but they got sued a couple times, and part of that is they tried to pressure companies into staying in a competitive test. And if somebody doesn't like your methodology... because one of the things you have to do when testing these products is figure out how you're going to test it, and it's usually good if you share that with the vendors, because the vendors are going to want some idea, like they need a comfort level with it. Like, yeah, they're generally kind of nervous about any... especially in this industry where there's not a whole lot of product testing going on outside of antivirus. Like, there's 40 antivirus test companies, and then the rest of the products, there's just about nothing. And so you've got to set them at ease, you've got to give them some comfort level that you're going to be fair. And more than you would think are fine with criticisms as long as they're fair. Like, it doesn't have to be everybody gets five stars, it doesn't have to be a participation trophy. They're fine with some critical feedback on their stuff. And one of the sections of my reports is I'll take their marketing claims and test them out.

Sure, yeah.

And so I've got a little paragraph where I say they claim this, they claim this, and I'll say whether or not what they're claiming is fair or maybe overblown.

Yes. Oh my gosh. So We Hack Purple has an online community, which is free, by the way, at community.wehackpurple.com.

Good job, Tanya.

Yes, marketing. But we actually... we started on this platform called Podia, which was nice, but it was mostly just me talking at the audience, and they couldn't meet each other, and of course I wanted them to meet each other. And then we switched to something called Tribe, and they made a ton of promises and none of them came true. If you're listening, Tribe, you're awful. And I fought so hard to get out of our one-year contract.

"Tanya, it's on the roadmap, you just have to be patient."

Oh no, what they told me was, it does do that, you just have to buy this third-party product and then integrate them yourself and then it does it. So we had to buy four other products and it still wasn't doing half the stuff they said. And like, "No, Tanya, it doesn't..." I'm like, no, your product doesn't do that. I can purchase 20 products on my own. So then we ended up, after five months, switching to Mighty Networks, which so far does every single thing that they said, and it's actually beautiful. But oh my gosh, you could have saved me hundreds and hundreds and hundreds of hours. And that's the whole reviews too, and the reviews said it was great, and all of those are...

Yeah, because... yeah, there's a reason that there are several websites that exist for no other reason than for you to copy and paste an Amazon URL in there to see what percentage of the reviews are fake for an Amazon product.

Yeah, yeah.

There are entire websites just dedicated to that, where they've put together these algorithms to determine... like, if someone's got 5,000 reviews, you can't comb through that, so their software actually goes through and categorizes reviews as fake or not.

Oh wow, this is a surprise to me. I am learning a lot. What you said, like, we did a proof of concept and it did like some of the things, and we just didn't realize how many things it didn't do or how many limitations there were. And yeah, it became very expensive to buy all these other products.

So you hit on something important there that I do call out. It's one of the things I do in reviews, is I consider the labor cost of using the product. One of my pet peeves are companies where you ask them, well, does it do X, and they're like, "We've got an API, you can do anything..." and the dot-dot-dot there is "if you've got five Python programmers sitting on their hands with nothing else to do," which nobody has. So yeah, I've often joked with vendors, not really joking, that like a video game, you look at the requirements on the box to see if you've got a good enough graphics card to run it or enough RAM to run it. These companies need to put the requirements on the box. For SIEMs especially, SIEMs are the big one. When they first came out, people were buying these huge products that would pull in all your logs, and they had these huge promises that it will find all the needles in the haystacks. And as it turns out, yeah, if you throw a ton of labor at it. Like, you need one person just to keep the disk from filling up, another person just to figure out why logs aren't coming in anymore from all the Linux servers, because they rebuilt them and blew away the syslog.conf or whatever. So they need to put that on the box: this is a three-to-five FTE product, you're gonna have to hire three to five people to use this product effectively. So that is part of my reviews. I'll go through there and I'll say, this is what you can expect, not only how many hours to get the product up and running and to maintain it, but whether you can do it with a junior person or if you need a senior person. So I actually break out the different salaries and the different roles that you need to effectively use this product, and I try and calculate a total cost, both the cost of the product plus the cost of the labor of the employees you need to run it.

That's totally amazing. I just realized I have to thank our sponsor. Our sponsor this week and last week was Checkmarx. Checkmarx makes a bunch of products, but my favorite one is the static application security testing tool. Basically it finds lots of things that are wrong and helps you make better code. They didn't tell me what to say, so I was like, I'm just gonna say what I know that it does, and it does that. And lots of my clients have it and they like it. Thank you, Checkmarx, for sponsoring our podcast, I appreciate it. More news: our Azure security course from We Hack Purple is coming out on Monday. I was gonna rush to have it done Friday, and then I decided that I should learn to be a bit more patient in life. Seriously, that's what my team told me. They're like, try and be patient, why don't you just wait until Monday, nothing's gonna happen this weekend. I'm like, but what about securing the Azure? So anyway, it is coming, and I make all sorts of jokes, like how Azure Defender is the cyber cloud mom that you never knew you needed to nag you. But the point is that that's coming out Monday, I hope you'll check it out. And Saturday, Alice and Bob Learn, that's right there, we are gonna do a live stream with a bunch of really smart people to talk about chapter six, and I'll tell you that at the end. But I want to ask Adrian like 27 more questions. So Adrian, I really liked... so I feel like your personality is definitely a part of what makes you good at your job. And I'm just going to switch myself back so I can see both of us. I want to see both of... there we are, thank you. The fact that you like to try all the things is awesome. I, as a person that does not like to do that, I'm grateful for people like you. But does someone need a bunch of technical experience to be able to do a job like yours? Like, it sounds like you must be a jack of all trades.

No. Yeah, so you have to be... the aptitude you need is the ability to learn stuff just in time, to learn stuff very quickly. And as a developer you can appreciate this, right? Like, somebody in the company decides, oh, we're going to use this framework. Like, literally nobody's used that framework before. They're not going to fire all the developers and hire new ones with five years of experience with it, so everybody's just going to learn it on the fly. And for me it's incredibly rewarding. I love learning stuff for the first time. So that's really how I kind of made my career, is being willing to jump into new things and learn them. Like, if you tell me in 24 hours I'm gonna have to interview somebody on a topic I've never heard of, I feel pretty comfortable, unless it's just super deep within a topic, like super deep in mathematics or medicine or something like that. Generally I feel pretty confident that I can study up on it and be able to ask good questions and stuff like that and give a good interview the next day.

That's impressive.

That's just natural to me. Like, I love doing that. I love just picking up a book full of things I have no clue about, I've never heard of before, and just learning them. And having two teenagers makes it a lot of fun too, because I'm constantly learning new things from them, because this current generation is just giving us lots to learn.

Holy crap, yeah, seriously. So I have two students that work at We Hack Purple, and they're teaching me stuff all the time. Like, I know theoretically I'm supposed to be teaching most of the things, but stuff like Instagram: "Maybe you should use it or something, Tanya. Did you know there's people on there?" I'm like, oh, I don't know Instagram.

Not TikTok? You just keep it Instagram? Just go straight to TikTok.

I just... it's just too much. I feel like the security stuff with TikTok concerns me, and privacy. And like, they made a Facebook account for me, and I always tell people, if you want to speak to my intern, who's very nice, you can definitely contact me on Facebook. But I feel like there's some patience required that you must have, because... or I don't know, but like, so you're reviewing these things and you're making these products, but then you have to get the word out for people to come and hear about it, right? Is that part of your job, or is it like the whole group works on it?

Yeah, I mean, there's plenty of opportunities for that, though, because I'm on podcasts every week. I'm on Twitter all the time, and Twitter's been kind of the core of my career in the last decade, I think. I've got Twitter to thank for at least connecting me with every job I've had in the last decade, and people I wouldn't have known otherwise if not for being on Twitter. So some of it's effortless because I'm talking to people anyway, so I can just casually bring it up or something like that. But you're right, yeah, I mean, there is a large part of self-marketing I need to do there. Like, one of the things I need to get out is, I've got a... well, it's really probably enough for six blog posts. But if you do a lot of... well, I don't know if you're like this, how you write, but generally when I write, I throw away at least half of what I write. I edit down quite a bit. So I write way more than I need, and it's tough for me to get a blog post out because I have to go through many, many revisions. So that's one of the self-promotion things I need to get out, is, well, kind of what I'm doing on this podcast: explaining why product reviews, and how are these product reviews different, what makes them useful. So I probably should have had that post out a while ago. But yeah, I've been doing pretty much everything for it, from concept, to figuring out what the format of the thing is going to be, to actually building the lab, doing all the testing, and all the writing.

That's amazing. That's really awesome. So your patience...

You mentioned patience. That's definitely... if you ask me what my virtues are, that's probably the easiest answer for me, is patience.

And perseverance, it sounds like, too. Like, not giving up, just continuing to do the thing. I feel like the difference between someone that's a success and someone that is not a success is quite often the fact that they come back every day and they try again, right? And I've seen people where they're like, oh, I tried to start a company but it was hard, and so I just didn't. And it's like, oh, like after three weeks, did you still need to do lots of hard work? Oh, it must have been awful.

I give up in my head all the time. But, you know, I think, talking about having ADHD and having to learn strategies, one of those is I've learned how to pep talk myself back out of those ruts. And sometimes I can't pep talk myself out of it, and I chat with my kids and they pep talk me out of it, or I chat with a friend or a colleague or something like that. So for me, big personal growth was learning when to talk to somebody, and that it's okay to talk to somebody when you're in one of those ruts.

Well, that's excellent advice. That's really good. Yeah, I have some people that I will talk to about things, and then I have people that I know I should not talk to about things till after the decision is made. Like, I love my mom, she's the best ever, but she's extremely fearful of risk. She's so fearful of risk. My mom is the same way: "I'm gonna start a business," and she's just like, no, you're the financially secure daughter. I'm like, mom, I'm not starting a magic bean company.

"Are you... like, is there a demand for this?"

Right, exactly. But like, every time I'm like, I'm gonna start a new company... like, she's very proud of me, she's very supportive, but she'll always just kind of chip away, I think because she is risk averse, and I respect that, and I am glad people like her exist. But without people like you or I that want to forge our own path, if that makes sense, and do a thing no one else is doing, so it gets done, right? And I feel like what you're doing, to be quite frank, as a business owner, if I could have avoided certain products, there's so much money we could have saved, so much time. And Kellen in the comments is saying, sometimes you just gotta bet on yourself. And yes, I agree.

Yeah, and that's probably a whole different episode, but deciding when to do that, and how to go about striking out on your own and doing that. Because I almost started the product reviews once before, about three and a half years ago, when me and a good friend of mine started a company, but we ended up getting acquired and that didn't go well. Yeah, it ended up a whole mess. Like, I don't regret any of it, and like
shortly after that he you know he talked to me he was like when are we going to start another one so that made me feel good that you know at least me and him me and him were good you know that's good the acquisition didn't didn't go so good but um i i had just started to to do this at that company too and um and definitely the mistakes we made there is is uh i think we quit the day job uh too early and uh it was just basic business 101 like like it was going to take another 18 months to really get the cash flow where it needed to be for us to live off and uh yep maybe not 18 months maybe six months but you know i i hit the wall hard and you know we had this acquisition offer and i was like well i want to keep eating so yeah yeah i feel like that's a thing that startup founders don't talk about a lot they're like just get like a year's runway i'm like how do you just save up a whole ton of money like that's not in the cards for every person and i i have seen people like quit their job because they're like oh i'm gonna write a book and it's like you know that you can write a book and have a job like that's a thing that can happen right and i've seen that or where they have what i would consider a lavish lifestyle like i remember someone who was a startup founder telling me that his monthly burn was 10k and he's like and if i can't have 10k a month then no and i was like well you might want to turn that and he's like i could just barely get by on 6k a month and and you didn't live in like san francisco or something like this was in canada like i'm just like what are you doing and maybe you're not in a place where you want to start a company do you know what i mean yeah yeah yeah and it's it's um you know certainly if you study rich people and successful people but like a lot of it's like driving that camry till the wheel falls the wheels fall off it you know and and not everybody wants to do that and i i kind of think that's okay if you want to burn 10 grand a month 
that's fine but it limits your options like there's certain things like you know emotionally if you get tied to that you know you can't uh you know button all that up and and do like really uh dramatic things in a short amount of time you can't you can't uh you know not without taking out loans or raising money you know getting investors stuff like that yeah exactly and i'm like good luck finding investors where they want to pay the founders like 120 each to just to start for r d with like no proof of concept or anything ready i'm like that's a hard sell like there is a lot of money out there like yeah we cover that we cover the funding uh every at least every week there's like a 30 to 50 million dollar series a and i remember eight years ago that was just unheard of like the average uh series a was like eight to 10k and now that's seed now that's seed funding and and this is that's the fir you're going to raise again in 18 months after that and just imagining setting all that money on fire in that amount of time is just mind-blowing but that that's where we are right now that's where the cyber security industry is in terms of uh investment and they're getting the money out of them you know even even if they're selling stinkers [Laughter] yeah that's just it like the whole thing was selling stinkers too i'm just like really it's if your marketing is good you'll have customers if you have customers and revenue then then you can sell it yeah i think a thing that we have covered quite a bit on this podcast so um ben who is watching it has already brought up cheese so we called the cheese question um but basically like i had told a story in the first episode and then now it has gone into every episode of like when i as a software developer realizing like oh i make good money now was when i real i went to the grocery store and i realized i could buy two types of cheese i didn't have to choose and like i was definitely going to be able to afford my groceries and like
previously each week i'd like very painfully decide like you're allowed one extravagant purchase tanya and obviously it's gonna be cheese and yeah um and so and a thing that has come up time and time again is when you're starting your own business that you might have to be a bit lean on the cheese like that so doing product reviews or like starting your own business um i feel like i'm answering for you but it's not as superbly it's not high paying at the beginning it's not all 50 million dollar seed rounds yeah or i'm assuming that it's not in your case but we usually ask we like we usually ask like does your type of job pay well but because you're the only one doing your job i feel that's a bit personal yeah no it it does so i mean i it's something i've always been bad at in my career i'm very good at at um at mentoring people about you know how how to get the salary the you know you deserve and you know there's a lot of good resources for that in fact our local community we have a collection of uh we have a spreadsheet where something like 150 people have shared their their titles and their resumes it's uh or their their uh their their uh their salaries um and their and their titles you know so you can see who's getting paid and for doing what and then how much experience they have in the industry and it's all over the map and it's all negotiation and i've never been really great at that um i've always been fine like as long as it's enough i'm i'm fine you know i'm not going to haggle a whole lot over salary i've turned down uh jobs for 250 300k for for just awful audit work like pci qsa uh 100 travel 80 travel no i mean the money's no good if if i if i just hate life you know and and uh don't see my family anymore and i'm on a plane every week or two or three yeah it's just it depends on what what it's worth it uh what it's worth for you but yes certainly um you do need to be aware of what you should be getting paid and i think you know for me there's this thing 
of like like i worry about the like i don't want to ask for too much you know and you kind of have to take yourself out of that mindset like i'm not sure the company can can afford my you know my my salary requirements or something like that and uh no i think somebody said it you know sometimes you get a bet on you you know you get a yes you gotta ask for what what you're worth you know and there's some research you need to do to find out what you're worth um yes i actually have a friend where um she you know resigned her job to go to a startup because she wanted to have that experience and it was gonna you know be a step down and pay and even though where she worked she'd been trying to negotiate for higher pay and they had turned her down a bunch of times they offered her i kid you not a 200 like 100 raise like a doubling of her salary to stay and she's like i don't know what to do tanya because i really want this other job and it's not that like where i work is awful or anything but i really i and now i feel like i'm a dummy if i quit and like and it was a long discussion about trying to figure out like what she what will make her the happiest what is the right decision because sometimes the right decision is i'm gonna stay and keep the money because i need it for blah right and sometimes the decision is i want this job experience more and i know that it interests me because of this and it will open my career in that and well do you know what i mean and i feel like being able to work sorry you no so you you hit on something it just reminded me of something where the job i have right now i actually turned down the first time it was offered to me so i mentioned i went to go work for for things and stuff well i didn't go to south africa but they're based out of south africa um so they actually before security weekly was acquired they offered me this exact job to start security weekly labs and do product reviews and and all this stuff um but at that point the salary 
would have been much lower and like part of it would be you know i i'd be earning commission like i'd have to actually try and sell sponsorships and things like that because that's how we monetize the product reviews is we do the reviews on all the products and we hope you know some of the companies that we reviewed would want to do some some advertising with us because now you've got adrian he's used all the products in your space he's used your product you know it'd be great to do a webinar with him because he actually knows the space he can speak intelligently about it yeah but a big chunk of my salary would have to come from from selling those and the place i was in at the time i was like yeah that's just not going to work for me i the base has to be at least this and uh just it it turned out perfect timing you know when i was leaving uh thanks i went back to him i said so i saw you get acquired by cyber risk alliance you know how are things going and they're like well that job's still open you know that we couldn't find anybody else that could do this you know so that you know just to your point that uh there's not many people that have you know sailed their career directly in this direction like i have um you know it it was just uh i turned it i turned down that job i wanted to do so bad but it was still there when i when i needed it a year and a half later oh that's awesome i love this story what makes you feel the most pride in the in your job like what is your favorite part that makes you feel good uh for me i mean for me it's it's just always been able being able to to help somebody like if somebody says you know i read your review and it helped me decide on on what to choose you know or you know i pointed out something that they hadn't noticed before it's just if somebody says something i said or wrote was useful you know i mean like i'm sure you get that all the time from your book having having that type of book particularly you know a teaching uh 
style of book uh you know especially for people who are probably just getting into the industry right like it's it's designed for um you know to help mentor people and and i do some mentoring you know because that that's what uh you know that that's what drives me that that's what uh refills my tank is uh you know helping somebody else figure out something that to me at one point was magic like i remember at one point like three pedals and a stick shift in a car was just magic to me it was like how do you use that to drive a car and uh and my now my ex-wife my wife at the time taught me how to drive a stick shift and nice like that was a huge milestone for me in my life i don't know why but it was just it was something i had to learn to do like and uh a lot of things in security like held that same um you know just just had that same like seemed impossibly out of reach until you read about it and learned about it and all of a sudden you could do it so if i can give that to anybody else you know if i can help anybody else with that because a lot of things are hard to explain in the industry you know so that's un unlocking you know that uh aha moment that light bulb moment for people uh i like that challenge of of how can i explain this is it a metaphor you know is it um you know just showing them how to do it like doing a demonstration you know i i love trying to discover the right way to do that teaching my kids to drive stick now and i've come up like i've actually found a really good method for teaching that you know because when i learned it was just kind of like indiana jones grabbing the golden idol and trying to swap it with the sand like that's what i try and do with the the clutch and the gas which is a i mean it works but it's a very violent way of starting a car um so yeah yeah i love that helping people figure things out i think is has got to be it for me that is seriously the best answer ever and we are at time so i am supposed to wrap up now if people 
want to know more about you how do they do that where can they find more so i am i actually just bought the domain uh this morning uh for setting up my personal website it's not there yet that would be my answer uh you know maybe why don't you tell us what it is if for people listening later it's just my myfullname.com is is what it's gonna be so let's spell it yeah a-d-r-i-a-n-s-a-n-a-b-r-i-a-dot-com because some people just listen they don't watch that's that's right i always forget about that because our podcast is the same way um but yeah for now i'm sawaba on on twitter so s-a-w-a-b-a is me on twitter just six letters pretty easy to find me uh and you can find me at securityweekly.com uh doing some of the podcasts there and we shared the link to the where the reviews are yeah so yes so securityweekly.com and or scmagazine.com sw dash labs with a b like a labrador not something else it sounds weird but it's hard when people are listening and i want them to actually be able to go visit your site thank you adrian this was really good and actually now i really need to check out your site specifically so that i can recommend it to various clients yes the big challenge is there's so many products out there and there's just one of me so i'm hoping to grow and build a team uh like i'd like to do consumer products even at some point you know that have some kind of security or privacy relevance like i've been wanting to do a piece on all those vpns that they advertise on youtubers that sponsor youtube uh videos and stuff like that because they're not securing you yeah i think that that would be really good and like explain um kind of explain like what they actually do versus what i i have people all the time say blah blah vpn i'm like you mean a proxy that's totally different that's not the same service like do you want a virtual private tunnel and they're like what's that i'm like yeah yeah and you have to understand the different ways you can be attacked and and what
can protect you from those and what can't and same thing with with ads like advertisers like like using a vpn is not anonymizing you it takes a lot more than that um yeah yeah sorry we could go on and on no but i look forward to your article on this so that i can read it and slash point a whole bunch of people to it adrian sanabria thank you so much for being on the show did i say you're writing you did say it right that was perfect thank you adrian for being on the we hack purple podcast this is the last episode of season one we want to thank all of you especially kellen and ben who came to so many shows for tuning in live thank you if you are listening or watching later this episode was sponsored by checkmarx thank you so very much for sponsoring our podcast and for sponsoring us i am going to be appearing at a checkmarx event in october and i am looking forward to that we are going to be nerds together and it will be great on monday the azure security course is coming out from we hack purple and it is on sale for 99 for the first week and then it goes up to 199. please buy it for everyone buy one for your mom buy one for your grandma all your friends that's how you show people you love them you buy them courses from we hack purple note i might be biased i hope to see some of you on sunday sorry saturday at noon pacific time uh on youtube on the she hacks purple youtube to talk about alice and bob chapter six and um i will see you in the we hack purple community if you want to join us for free go to community.wehackpurple.com and until the next season i will see you there bye [Music]