Last time, I spoke with Sharka. She’s a pentester who knows how to hack a glucose meter. She also taught me a few things about physical security.
Now I get to talk with Pam Armstrong. Web development eventually led her to healthcare security.
Kim Crawley: Please tell me about what you do.
Pam Armstrong: I work for a large healthcare system on the threat and vulnerability team. I work on their projects side, which means I help stand up and administrate tools for the SecOps side of our team. I also still do some SecOps and work on overall security hygiene. I just started on a team as well to help test mobile apps.
KC: Do OWASP guidelines influence your mobile app testing?
PA: I just started in it but I’m positive those guidelines will definitely come into play.
KC: How did you get into cybersecurity in the first place?
PA: I started working for a police department in 2001, doing web design and development. Their previous site had been hacked, so I really needed to do what I could to prevent that again. Then the department started doing forensic examinations of computers and phones. That intrigued me, so I started learning more about it.
Sadly, many police departments only allow sworn officers to do this work, so I had to be content with just learning some about forensics on my own. In 2010, the City had some layoffs, and I was transferred to the Library. That position just did not hold the same challenge for me, so I started taking college courses online for information security.
About a year and a half into those courses, I saw an ad for a security analyst for a hospital system. The ad said they were looking for someone to develop a security awareness program. The candidate needed the ability to write, create graphics, produce video and be knowledgeable in information security. It was perfect for me, as I’d done all of those things professionally.
So, I got my first job in infosec, and it was a great experience!
KC: That’s an amazing career path! You ought to be proud of yourself. So, as you started with web development, how did you get into that?
PA: Well, in a roundabout way, of course. I was working for a video production company doing videos on how to use computers, and I was always looking to learn and do new things. I taught myself how to do 3D modeling and animation – and then, of course, I needed a website to show off some of that work, so I taught myself how to build websites.
The company I worked for was sold, so I thought it would be a good time to get into doing web design and development full-time. So I got a couple jobs in the field. One really good opportunity was working for Cox in their interactive arm they had at the time.
KC: I’m pretty much self-educated too, so I can appreciate what you’ve been able to accomplish.
PA: It’s sure been fun!
KC: 17 or 18 years ago, could you envision webpages evolving into full-blown web applications that go well above and beyond what Tim Berners-Lee initially designed?
PA: I’m not familiar with Tim Berners-Lee, but once I started working with the folks at Cox, my eyes were really opened up to what could be done. They were very cutting edge for the time. Sadly, the bubble burst.
KC: I remember the web before Web 2.0, back in the 1990s. Webpages had text, graphics embedded in them, hyperlinks, occasional media applets playing MIDI files. The vast majority of webpages were static and not dynamic. Tim Berners-Lee invented the web and imagined people just sharing knowledge with text and occasional pictures. He didn’t seem to design the web for full-blown applications with the capabilities of applications that run directly in operating systems rather than web browsers.
PA: Good stuff! Now I know!
KC: That’s what I was referring to. Could you imagine the web apps we have now back in the 1990s and the early 2000s, pre-Facebook?
PA: I’m not sure I imagined exactly where things were headed, but I was just ignorant enough about constraints to end up pushing the envelopes of what I and my clients wanted. I definitely did not see mobile apps and phones becoming this cool.
KC: Are there challenges involved in securing web apps that don’t apply to other types of applications?
PA: A few years ago, I might’ve said yes, but now applications are so available to everyone in the cloud, and all you have to do is build with the same security in mind. Of course, you have to measure what the security may be costing the business in productivity and balance it from that viewpoint.
KC: Does the fragmentation of different web engines make your work challenging?
PA: Well, because there are so many different ways of building things, you have to really keep up with what each program and so on is bringing to the table. But that’s not much different from whatever infosec area you are in. There are always new threats to be aware of.
KC: Do you have any advice for people who are curious about pursuing a career in cybersecurity?
PA: Always keep learning. If you really want to be in the field, keep working towards it by reading books, taking classes and doing hands-on training. Don’t take no for an answer; keep trying and showing your passion.
KC: Excellent. Do you have anything else you’d like to add before we go?
PA: Nothing strikes me at the moment. Except I’d love to encourage more women to get into the field. It’s good to have more points of view and different ways of thinking in the mix.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.