, I got to speak with Claudia Johnson. She's been in the tech industry for a long time, and she got into security the same way Brian Krebs did – by being attacked.
Now I got to talk to Kristen Kozinski
. She knows about secure code and web vulnerabilities. She also maintains a pretty nifty website for educating end users about security.
Please tell me about what you do.
I am a Junior Application Security Engineer for a marketing automation company. My job involves patching security flaws in the web app, reviewing code for potential security vulnerabilities, and building applications that help the company stay secure.
Outside of work, I manage a blog that is focused on educating non-technical people about how they can be more secure. It’s comically named dontclickonthat.com
. It’s still very new, but there are so many areas I want to cover. The biggest challenge is finding the time to research and write.
Wow, that sounds like a lot of fun. Tell me about dontclickonthat.com
Don't Click on That was born after coaching countless family members and friends after they had encountered security issues themselves.
I wanted this to be easier for them (and me) and have a resource I could point them to, which was also easy for them to understand. I also wanted to point them to resources that would teach them how to be more preventive when it came to their online security. I feel like a lot of people have family members and friends who they want to help but lack the time to help them. This is what inspired me to start the blog. It is still in its infancy stage, but there are a lot of plans to develop it.
My first couple posts revolved around social media because that is where people tend to be more vulnerable. I'm working on a basic security on-boarding series, which will be more in-depth and cover things like passwords, two-factor authentication, phishing emails
, and more.
Well, I think it's really cool that you made that website, and I'll be sure to check it out. End user education is very important, and it seems like you're doing it with a sense of humour.
Since you work in web application security, I must ask, is it true that websites and web apps are some of the easiest cyber attack targets?
My career so far has been spent solely in web application security, and I'd say it’s a lot easier for vulnerabilities to slip through the cracks when a company is continuously pushing out new features. Web applications are also accessible to a much larger audience, which makes them a great target. An attacker is much more likely to have a higher payout attacking an application with a large user base.
Given the number of known vulnerabilities in popular CMSes like WordPress and Joomla, would you still recommend that people use them? What advice do you have?
I wouldn’t recommend anyone shy away from using a CMS for security reasons, especially because custom coding something can open up other potential vulnerabilities. They are a great option for those who don’t have the resources or time to hire a developer.
My advice, though, is to do your research before making a decision, and once you choose one, make sure you stay up-to-date on any new updates.
For example, WordPress is pretty quick to inform its users and release updates when they become aware of a security issue. Additionally, read reviews and stay on top of any updates for plugins that are being used. I use WordPress myself, and I like to use plugins and themes that are widely used and have a team of developers working on them.
These are more likely to have frequent updates, and you will hear quickly if a vulnerability is opened up in one of them. They might cost a little more up front, but it is worth the investment.
How did you get into cybersecurity in the first place?
It’s been an interesting journey to get to where I am now. After chasing an art degree and waiting tables for several years, I decided to go back to school to become a web designer and get my degree in web design and development. I quickly fell in love with the coding side and decided that was the path I wanted to pursue.
I started working in tech support at my current company while still in school. After a year in support, I took a position as an Email Deliverability Engineer. Working to protect the reputation of our IPs and finding users who were being abusive peaked my interest in security. My company has a wonderful apprenticeship program which allows employees and learn and try out new positions before making a full commitment. I was able to take advantage of this program, which led to where I am now.
It’s a path I never really expected to take, but I love how challenging the field is. I’m one of those people who thrive off of change, and working in cybersecurity satisfies that. I also still get to write code, which makes it even better.
There are some similarities in our backgrounds. I also went to art school, and I started playing around with web dev when I was 11. Web development sure has gotten a lot more sophisticated since then! I also did tech support before I became a cybersecurity journalist.
I think it's great that your company has an apprenticeship program. Frankly, I don't think there are enough out there.
How do you think we can encourage more women to enter the cybersecurity field?
I think there needs to be more exposure to the types of careers that are available in cybersecurity. I had no idea a couple years ago that my job was even an option for me. Informing women who are already pursuing technical fields that this is an option and speaking at general tech conferences and meet-up groups is a good place to start. I attended The Grace Hopper Celebration of Women in Computing last year, and it was encouraging to see a couple panels focused on security. I would have loved to see more of that, though.
What are some of the misconceptions that people have about what you do?
I think a lot of friends and family think of me as some sort of hacker who could break into their phone or email at any minute. Mainly the stereotypical stuff you see on TV. In reality, I can’t do that, nor would I. I’ve joked about writing a TV show about a group of women working in security, so that there would be better understanding outside the field of all the different areas. It would also dispel the idea that only men work in security. After I’ve conquered my blog, this is my next project.
Ha! I've had people ask me in earnest, "how can you hack a bank to get money?" As if that was something that could just be done with the right know how.
Is there anything else you'd like to add before we go?
Hah, of course. They make it look so easy on TV.
Thank you for taking the time to interview me! I’ve really enjoyed reading the previous Women in Infosec interviews.
It’s so nice to see what other women are working on and how they got there. It can be hard sometimes working in a field dominated by men. I guess my last minute advice for any other ladies working in security (or who are interested in it) would be to find your allies.
Also, find a great group of ladies that will give you the space to vent when you need it and who will celebrate your accomplishments. I’m also more than happy to talk to anyone who needs that.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.