In this episode of Infosec’s Cyber Work Podcast series, host Chris Sienko speaks with John Wagnon, Senior Solution Developer at F5 Networks. They discuss skills-based education, in-demand job skills, learning programming on your own and, of course, the OWASP Top 10.
John is a senior solution developer for F5 Networks' DevCentral technical community and a course creator for Infosec Skills. As a solution developer, he helps analyze and solve complex problems for F5 users all over the world. He frequently writes articles and records videos that are featured on the DevCentral website.
Prior to his work at F5, John was a communications officer in the US Air Force where he specialized in ground and satellite networks. After leaving the Air Force, he worked for a technology consulting firm, analyzing cyber-attacks against U.S. Department of Defense computer systems and networks. John holds a Bachelor of Science in computer engineering and a Master of Science in computer networks.
Tell us where you first got interested in computers and tech. When did security enter the mix?
John’s interest in computers and technology started in college. Back then, he thought that computers were going to be around for a while so he should get involved with them. After college, John joined the Air Force, where he worked with computer networking; later, he carried on with it, whether it was consulting for the Air Force and the DoD or working with F5 Networks.
In terms of security, he really dug into it after he got out of the Air Force, with the last 12 years being very security-focused. As you get involved with security, you catch the fever — security is fascinating and fast-moving, and there is always something to learn. If you stop learning, the world leaves you behind. He jokes that the half-life is about 30 seconds!
In terms of Infosec Skills, what types of classes have you created?
John has created the OWASP Top Ten class. He has also written a blog that provides an overview of the Top Ten and why it’s important.
Give me an elevator pitch and walkthrough of what students can expect from the OWASP Top Ten class.
OWASP is a non-profit organization focused on improving the security of software, and web applications in particular, around the world. It is really a big group of people who want to see the internet stay safe.
The Top Ten list is compiled by a group that gathers survey responses and vulnerability data from organizations around the world. From that data they rank the ten most critical security risks they see for web applications at that time. Everyone uses web apps, so everyone should be aware of those risks. In the class specifically, students go through every risk in depth: there are demonstrations and videos, the risks are illustrated with stories, and students even see how a webcam can be hacked.
For the benefit of those considering cybersecurity for the first time, or feeling stuck in their current position, what tips do you have for how to get involved in cybersecurity? Particularly if you do not have any experience.
There are certain certifications that you may want to pursue, such as Security+ and Certified Ethical Hacker (CEH), just to name a few.
A lot of what we are seeing today is a move to automation and to the cloud. Knowing that is the way the world has been moving for a while, someone trying to get their foot in the door should find out what automation is being done and learn about it. Code developers are in huge demand as well.
A solid tip for those interested in specific companies is to check out their careers page. At F5 Networks, there are massive numbers of job openings for developers. This means that if you learn a language, you will be in demand. You can also freelance, and one of the great things about the internet today is that it offers all kinds of free resources and learning opportunities. Start there, play around with a couple of different languages, and then take that experience to a job interview and talk about what you have built with them.
At the end of the day, an organization is going to compensate you for a skill that they have a need for. You may need a four-year degree, a master’s degree or no degree at all to land the job.
What are the cybersecurity skills most in demand right now, and which will most accelerate your career?
Web development and coding are absolutely in demand currently. In terms of security, pentesting is also in demand. Companies need to know whether the bad guys can get in, and as a pentester, you get to be the virtual bad guy.
To the extent you can, get hands-on experience with actual products. Maybe walk down the hall of your workplace and ask to shadow someone to learn a little bit and grow from that experience.
How long have you been an educator and how much has the cybersecurity landscape changed?
The nature of what John does is that he creates a lot of content for DevCentral — he writes articles, makes videos and speaks at conferences. The change seen lately is that while back in the day you had to get a degree, today that is not the case.
John adds that he is not anti-degree. He works with a lot of people that do not have a degree, who learned a skill that they bring to a company. That is what companies are most interested in: the skills you can bring to the table.
What are some of the benefits of skills-based training?
John thinks skills-based training is really important. At the end of the day, you need to have a skill that is desirable to an employer to get the job.
Regardless of your motivation, though, you are trying to gain a skill. Skills-based training gives you a focused approach, unlike a four-year degree that will not be as focused on that one skill you are trying to learn. Boot camps have their place as well alongside skills-based training.
Without a professor assigning you weekly tasks, staying on task can be a challenge. Do you have tips for lifelong learners to stay on task?
At the risk of being philosophical, John opines that it is you as an individual who has to stay focused. With anything in life, you need a disciplined lifestyle and a goal you have set for yourself, such as learning a skill. Work out what the path to that goal is supposed to look like and chart it. At the end of the day, it is your life and your experience, and you need to have a goal. After you set that goal, do something every day towards it, even if it is just a small thing.
Having an accountability partner helps too. Life can be busy but there is no excuse. Get disciplined and stay focused — it will take work, but you will love it in the end.
What should listeners be looking for when they are shopping around for skills-based training?
John thinks you should find a skills-based training program that has the content you are looking for. You should also dig around in it a little and find an instructor who resonates with you. Some instructors just read slides, and for him, personally, this does not work. It may simply be that a certain teaching style works best for you.
Tell me about the most recent updates to the OWASP Top Ten and what we should be watching out for.
The OWASP Top Ten is updated about every three years, with 2017 being the last update. This means we are due for another at some point soon. It is a rank-ordered list, with #1 being the most serious and #10 being the least serious. These rankings may shift around between editions: some risks drop off the list altogether, and others are merged into a single new entry.
One critical thing is that just because the OWASP Top Ten list has rankings presented in a certain order does not mean it will rank like that for your organization. For example, insufficient logging and monitoring was at number 10 in the last list, but for your organization it may be the most critical risk.
OWASP also offers the Application Security Verification Standard (ASVS), which is a framework that provides a basis for testing your web applications and looking at technical security controls and gives developers guidelines for how to develop secure code.
What are some of the most practical pieces of information your class provides?
You will learn what the Top Ten risks are, about the OWASP organization and the methodology it uses to rank risks, and then about each risk on the list.
As you dig into these risks, you'll learn more about them. Take injection, for example, which has been number one on the list for years. You will see that there are many different types of injection and the theory behind them, including how SQL injection and LDAP injection are carried out.
After this, you will understand what each entry on the list is and how an attacker can use it. Then we look at whether you are vulnerable, what some of the telltale signs are, and how to protect yourself. By the end of the class, you will have a better fundamental understanding of security in the cyber world.
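As an added illustration of the injection material described above (example code written for this summary, not part of the course or of F5's DevCentral content), the block below puts a string-concatenated SQL login next to its parameterized replacement, shows the "single quote breaks the query" telltale sign the text refers to, and does the same for an LDAP search filter. The users table, the credentials in it, and the `uid`/`objectClass` filter shape are all constructed assumptions; passwords are stored in plaintext here only so the injection point stays visible, which is not how a real application should store them.

```python
import sqlite3


def make_db():
    """Constructed sample database: an in-memory SQLite users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Classic SQL injection: input is spliced into the SQL text, so quote
    characters in the input become part of the query's grammar."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: SQL text and values travel separately, so the
    input can only ever be treated as data, never as query syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def quote_breaks_query(conn, login_fn):
    """Telltale sign: a lone single quote in the input makes a vulnerable
    endpoint raise a database syntax error instead of a normal 'no' answer."""
    try:
        login_fn(conn, "o'brien", "x")
    except sqlite3.OperationalError:
        return True
    return False


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    backslash, *, (, ) and NUL become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def ldap_filter_vulnerable(username):
    # Unescaped input lets an attacker inject wildcards or extra clauses.
    return f"(&(uid={username})(objectClass=person))"


def ldap_filter_safe(username):
    return f"(&(uid={ldap_escape(username)})(objectClass=person))"


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print(login_vulnerable(db, "alice", bypass))   # alice (auth bypassed)
    print(login_safe(db, "alice", bypass))         # None
    print(quote_breaks_query(db, login_vulnerable))  # True
    print(quote_breaks_query(db, login_safe))        # False
    print(ldap_filter_vulnerable("*)(uid=*"))
    print(ldap_filter_safe("*)(uid=*"))
```

The bypass string turns the vulnerable WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row, while the parameterized version simply compares the literal string against the stored password and finds nothing. The LDAP case is the same idea in a different grammar: an unescaped `*)(uid=*` rewrites the filter, whereas the escaped value is matched literally.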
Where is cybersecurity education going in the years to come?
Cybersecurity education is growing, and understandably so. Millions of people will be joining the internet in the next five years, and it is by no means slowing down. One thing you can do as a learner is to go out on the internet, learn some new skills, and learn how to secure the thing you are working on.
John encourages all to start this process of learning. Take that first step, do something simple to start and check it off your list, and over time you will grow. It is your life and you need to take the responsibility to educate yourself. You can either learn or you can stand still and watch it pass you by.
Where can listeners go online to see you?
Listeners can find John on LinkedIn and on DevCentral (F5 Networks' technical community), where he posts a lot of information-packed content.
This episode of Infosec’s Cyber Work podcast featured a conversation between Chris Sienko and John Wagnon that many trying to break into security or find out about the OWASP Top Ten will find particularly enlightening. Stay tuned to the Cyber Work podcast for more insightful conversations with cyber industry leaders.
To hear John’s full answers and learn more about this topic, go to the video episode on our YouTube channel.