so [Music] ladies and gentlemen we are live as this is the main event you've all been waiting for brought to you by axonius the cyber security asset management company it's time and welcome to another episode of virtual coffee with ashish for cloud security podcast and today i have i i'll just say it's an interesting topic because for me uh i get a lot of questions asked by folks who are in the university or colleges trying to get into cyber security and how do i get my first job in cyber security how do i get an internship so i've got a friend of mine who i have i guess i've known of him for some time and i'm glad i have an opportunity for me to bring him on at least for you guys he's written blogs about this as well so i i couldn't think of anyone better to talk about this topic so if you are someone who is probably in university or probably know someone who's university this is the episode for you but as always i've got my music cued in so give me one second [Music] hey kaif how's it going man hello good morning good morning thanks a lot ashish for having me and good morning to all the audience no problem i've we've got vineet here already hey man good morning vineet um i was gonna say uh actually there's a trailer tradition over here i hope you have your uh cup with you man thanks for coming in for my virtual coffee absolutely cheers man cheers thank you now um for people i i know of you for some time but for people who may not know of you um what's uh i guess tell me a bit about yourself kaif yes absolutely absolutely so first of all um a big hello to everyone um from the beautiful city of melbourne uh by name as ashish has mentioned my name is kaif kaifassen i'm a migrant to melbourne and uh it's been exactly four years two days ago was our four four years anniversary of our family moving here so um and i studied uh computer science and software engineering at the university of melbourne and then i worked in the aerospace industry as a software engineer while 
i was in still in uni and i'm a big proponent of education and tech and throughout my uni degree and even now i'm quite involved in the community which to bring more accessibility to students and help them enter the industry help them better get um trained um i think the pro my proudest moment would be uh working with microsoft for the uh student programs which we run across last year and i'm very happy to say that um i'm very fortunate to be able to help thousands of students get access to the industry or get certifications get that very much needed industry exposure but apart from that my love and passion resides in cyber security even though my background isn't i have been self-teaching myself for a while now and i'm very happy to say that i finally landed a role in the industry and currently working as a security engineer where me and my team are continuously working to protect 10 million plus people who use atlassian's products every day that's awesome man i think uh i'm in a way i'm really happy as well that a non-security person is passionate about security but also i was curious why cyber security um it is it is very interesting question it isn't something i fell in love in first glance right so it's a very interesting story so i'll tell it and um if if if some people can take some morals or take aways from it then sure but for me it was it was more sort of me um when i started uni i was um i was a keen being i wanted to get involved with something i'm not sure with what so i got involved in the information security club and after a few days there was an opening of an education officer and you know me um just to have a high school kid fresh out of like um um and then trying to uh do something i applied for the role without looking much into the job description and um luckily for me i knew programming from a bit before so some of the questions they asked was okay i managed to deal with it and they said okay you have the role uh welcome aboard and i'm like 
cool what do i do and they were like oh you need to teach university students um cyber security and ethical hacking um on weekly workshops what the hell did i get myself into so i was this close to quitting and saying that okay i'm not i'm not qualified for this but i was like okay i need to save my face so i started googling and youtubing um basic concepts of cyber security i would put everything i have learned on a piece of powerpoint and go up there and pray that someone doesn't ask a question because everything i knew back then was basically on the slides so yeah that's how i slowly started getting into the concepts and um as i did more and more i slowly fell in love with it more um the main reason being i always wanted to make some impact the impact the positive impact of the the work is very important to me and i saw cyber securities where um i mean apart from just the cutting edge um the high amount of um new things coming on which i'm sure is more or less every industry right but something that really came in that i had the direct ability to help um people i loved and cared about and uh in the sense of protecting them um so that was one of the main i would say uh incentives or inspirations uh behind me getting into cyber security right it's an interesting way to corner yourself into an industry i guess yeah now that i'm here i don't intend on leaving so we need loved your journey by thanks a lot so i i think it's an interesting way to definitely get into cyber security so you kind of stumbled upon it in a lot of ways uh just by being by the nature of being a keen being so maybe maybe the question question that i have then is because that was just not your job at that point right so you kind of became a job and after that is you did you go down internship path or did you went straight for a class scene like what was the pathway after that so you became an education person you're teaching university security then then what happened so i guess it is a journey 
and in the sense that uh i knew that i wanted to work in cyber so i started to look i mean obviously i i was doing all this other stuff we'll all touch upon and they played a very key part but i guess in terms of talking about a career in cyber i knew that i wanted to work in cyber but it's something i wasn't sure how um i guess one of the biggest challenges i've faced is there's so much content out there regarding security like cloud security is a very big part but it's just one part right there's so many aspects of cyber security many people i talk to who are new to cyber security have a very one dimensional view of cyber security where it is um just hackers and they are trying to hack into the system but it's it's just a fraction of that right it is a it is a big part but there's so many aspects to it so i struggled a lot initially with what i wanted to do um and then i guess i had this conversation with a lot of people friends mentors who basically um said that um coming from a non-security background actually can be a benefit to you um and then i should play that developer background card well and leverage on it and i built my skills on it so i guess security engineer is one of those roles i felt that was suited very nicely so i googled people who were uh in linkedin um who are security engineers i i said google in linkedin but whatever you get the chest but and see okay what sort of stuff they did and tried to do some of those learnings but the other things i've done i think um slowly made me uh more um i would say absorbed in cyber security which was like um listening to amazing podcasts like this one um going to lots of meetups back when we could go to meetups um i remember i managed to like get a student ticket for the um australian information security the isa conference of i think 2019 that had a big impact on me like the whole culture the community just going there looking at all those talking to all those people i knew this was like super fun um and 
the student club as well apart from all those i used to do a lot of self-education like books um just try hack me this was part of the role and part of the curiosity part part not that i have like um uh i'm a man of sheer willpower and just just pushing my way through content it's not like that it was a little bit of necessity as well so yeah a combination of all those sort of led into further into the journey and i guess i i didn't um i'm sorry for the long preface just going back to the initial question uh which was uh did i start with internships or full-time at last year and i guess for me as a student the internship route seemed more lucrative because that is the role i was most qualified for and yeah unfortunately there isn't lots going on in the australian scene i can see i can say apart from atlassian only a handful of tech companies have entry-level security roles um and there's also like you know that uh the consultancies the big four some boutique um consultancy firm the security companies they have it so even though there's not a lot going on in entry level there's a huge i saw there's a huge um sort of activity in after one or two years if we have the industry so even though i took the internship route i see a lot of people work in another industry um soft engineering for say for a few years and then transition into cyber which is very very common yeah interesting and i think to um it's coming from a development background it's also interesting because what would be i mean i'm just thinking from a perspective that someone listening in uh and this is the common road for any and i guess a lot of people where everyone would go to meet up everyone everyone would say hey you should network with people and do all this but i imagine coming from development which i guess i don't think they teach cyber security there at all i don't remember cyber security so what was the biggest hurdle to come from that into cyber security and i imagine because if you can 
answer from a perspective that people who may not have done the education thing that you were talking about where you were teaching other people i imagine the the the hurdle is probably a bit more i guess larger as well i imagine yeah um i guess i have sort of touched on it i'm just trying to think uh for me what was the biggest challenge apart from and i've touched on the content expert like there's so many things uh people can get into so um a lot of people who i talk to are um so like large portion of the people i interact with are developers right because my university not that i didn't like cyber security i didn't have the option of cyber security it just does not have any cyber security degree at all so everyone i talk to in the club or in the community who's interested in cyber security uh are developers or data scientists or whatever but have genuine keen interest in security i guess the biggest hurdle then first of all is the content uh because like if you even think of development right there's so many areas of development there's like webbing for uh web web technologies there's machine learning there's um there's devops how do people figure themselves out right they start exploring the content they something like more something less and they venture towards it i guess with with security if they if you're not coming not having that structured learning which um a university or even a lot of people try to first um struggle with it's hard to get that sort of structured learning early on um but now i think it is much more or less solved with so many different platforms out there like you have try hack me um which is fantastic there's um um what else there's lots of ctfs like um i like a few days ago i saw crypto hack which provides you like a pathway so before hack the box and other stuff fantastic content you have over the wire and all those war games and ctfs right but they expect some amount of security background or learning on the on the sort of while 
doing it right which is very very hard whereas you have so many platforms these days um which can really help like my favorite is try hack me um no hands-on i don't i'm not getting paid from them in case anyone is curious but i just totally love them and use them so um that structured learning is something i i think we can now point people towards to that if you want to learn let's say see get the basics and then based on the basics diverge into incident response security engineering malware analysis you can now so yeah that was my take on it so to your point then i if there are structured learning available so if i'm a university student right now who wants to get into cyber security i mean i guess your recommendation probably is there uh that i can go try hack me that will give me some basic understanding would it cover basics like networking or i don't know yeah it does it does network right okay yeah all those stuff networking uh basics of some programming languages so they really took a holistic approach on people not just coming from tech background if you're coming from a non-tech background and getting slowly adjusted into tech that's also there you have people who are very very very experienced in development and software engineering how do you transition them without feeling bored apart from try hack me pentester lab is is again an awesome resource the only difference from them from try hack me in my opinion is pentester lab is much more offensive focused so if you're um the the things of pentester lab is hundred percent useful as a pen tester no no i mean no surprises in there but security engineer red team those kind of things but um also as security engineers a huge part of our roles are also the blue team and the defensive side of things so that also try hack me provides and apart from try hack me i definitely um recommend uh um exploring different books i know you you are familiar with tanya tanya janca and she has um apologies if i pronounce her 
name wrong um but uh she has a very fantastic book uh alice and bob learn application security um i'm a big fan of that book so um similar similar books can really help give a holistic picture of security and it's pretty awesome and uh fine fine avogad uh tanya coming at the end of the month as well so she should they awesome from their perspective but i i i love the uh the reason that they dug into their try hack me pieces because a lot of questions that are asked by people is around i'm from a non-technical background and i think the first couple of episodes we had this year or at least for this month was was around uh someone coming from a legal background of cyber security someone who was an executive assistant coming into cyber security and i'll be curious to know from others who are in the crowd as well as they're trying to hike me or what else have they worked on it oh actually tom just mentioned uh blue team lab is also a great resource with test and practical certification oh thanks for that tom yeah that's pretty awesome so seems to be a lot of resources that are available for folks to start uh at least start going down that journey and yes um i i guess not be disheartened by the fact that hey i'm not from a technology background or i'm not from a i guess a development or a cyber security university degree background so if if people are able to go down that path and say uh to try hack me or blue team labs or whatever do you find that that gives them enough skill to say quote i guess to uh i was going to say pass the uh internship interview i don't imagine it would help you pass the analyst interview or um it depends right it really depends on how in-depth you have gone with the content i mean obviously um those contents replicate um the actual work only to some degree not not entirely so obviously there would be some limitations um i think lots of people have made into [Music] even professional roles with those because you can actually go quite deep with 
that and the reason i mentioned try hack me because it is a starting point you're obviously not gonna stay there um i mean you can if you want to but obviously you're gonna start looking into different more more things a lot of people venture towards certifications a lot of people start doing um to get practical experience like bounty hunting um if people are not familiar with what bounty hunting is we can maybe touch on that um afterwards um a lot of way to get um so practical experience i had a friend who's like very interesting she wanted to do grc and those kind of roles so what she did is after learning the basics she started writing mock sort of frameworks and reports for companies so she would have um like you uh you know like um uh microsoft has this imaginary company called contoso and uh when you're learning about different microsoft technologies they use contoso a lot so she came up with an imaginary company and she wrote a whole whole report and whenever she applies to role roles he also points to those projects like hey i have i have done these projects so that's an example of how you can mimic um some of that experience um so you can definitely go for multiple roles um sorry senior roles based on them maybe not like principal security engineer or something but but more than enough for internships hundred percent and even for entry-level roles um if you're transitioning from another background or just getting started that they 100 percent will will um yeah will be enough that's awesome and i think it also points out the obvious as well uh because you touched on this earlier about the interaction with developers depending on the company people are going into there would be a lot of interaction with developers i mean i guess you can choose to not have that interaction as well you can totally go down the path where you're just doing security and not talking much but i love the fact that you brought up that uh it's almost that there are a lot of options in 
cyber security that people want to i guess if they want to take down go down the path off you can go red team pen testing you can go application security that book that you mentioned from tanya yeah yeah even though uh system engineer or security engineer as well um i i find it really interesting that you know like uh i love what your friend did with the grc part as well like this is really interesting that she went above and beyond and i think those kind of things definitely help you stand out because a lot of people the way i get at least the questions that i guess get asked by a lot of people that i'm helping who may be in university or trying to transition is more around the fact that i don't get interview calls and i think it's more around the fact sometimes because they're from a non-technology background and that becomes a barrier yeah oh they're not getting it because i haven't done that now certificate is usually a part that people have taken where if i get a certificate uh if it's in the resume a recruiter would see it and then you get qualified to the next round i guess for lack of a better word are there any certificates like that you feel are handy or was more helpful for you um look with certificates it's a really mixed bag um thanks to my involvement with the university clubs i had to interact with recruiters quite a bit of a lot of the times the recruiters are the people who are handling the uh university recruitment sites and i didn't necessarily get always the best vibes from them regarding certifications um right um obviously uh please take any any opinion about certification if it's a grain of salt including mine so um the um i've seen some certain recruiters prefer certain certificates more than the other it can vary a lot and um and again this is not particularly calling out on any certificate but if i had to use a concrete example like a ceh a lot of people do ceh i haven't personally done it i have nothing against ceh but some recruiters 
i have spoken to feel that it's not necessarily as in industry relevant in their experience whereas i i still see lots of people getting ceh and using it and even getting jobs right so there's obviously a wide spectrum regarding what to do and what not to do um i guess if if you're really interested in certificates i think the the incentive really needs to be um you want to have a structured learning experience rather than just having that certificate and that's not going to magically land you a role right just having that certificate itself is not it's not a guarantee of any sort i definitely want to have that message across before i give any any other advice um that being said i personally pursue like lots of certificates uh myself and um um there's two two ways of going about this i think as as as university students who not necessarily have might have the best financial support available the bigger certificates you when you have oscp oswe um lots of the a lot of the sans course thousands of dollars sometimes um i think that those uh i wouldn't recommend people at the early stage of the career to pay by themselves um there are lots of things you can demonstrate instead um for example um platforms like pentester lab or try hack me when you complete certain challenges they give you a certification right and these certifications or these certificates don't come at any cost but you still can use them for example this is a very very practical example when i applied to atlassian they really preferred some linux or some other background or a familiar familiarity with it and pentester lab had this section called unix fundamentals and i was like why not so i had that i did that it took me like a day or two and then i had that certification unix fundamentals and obviously in the grand scheme of things it's not it's it might not be the most impactful certificate but these are the small small wins you can get and as a student these this can really set you apart apart from 
that um and no i'm not saying this because we are on the cloud security podcast but the the uh the different cloud provider certificates are very very useful there wouldn't be any uh i mean i i wouldn't generalize but most most of the cases you would work in a company or if even if you start your own company whatever your journey is you and and most likely nw's cloud and these cloud certificates are not only very cheap but but they also can give you um essential knowledge so you have azure aws those certifications i'm pretty sure some people use google cloud too although i haven't come across any yet um so those kind of certifications uh the azure fundamentals or aws cloud practitioner are very um useful ones to get into not just um as a cyber security person but also as a developer if you have that sort of certification you have that common lingo to speak with and just understand the basics from there on you can just take on if you like it and you like the structured learning you can take the certification further and further um i guess when when doing the certifications um especially the beginner ones there there is a tendency to deviate from practical learning and sometimes be a bit more uh um like book bookish learning uh i feel i kind of felt that with the beginner um cloud certifications that all you're doing is just like yeah watching videos taking notes and not actually very hands-on right um so there is a trap um of that um 100 be mindful of it i think we got a very uh interesting comment from tom uh which uh which uh talks about home labs and practicing things um 100 recommend that if you can again this is taking i would like to point out that this is um often people start offensive but offensive side of things learning the basics of offensive might be useful later down the track whatever you do so i'm not i'm not discouraging people from learning the basics so if you you can start obviously start with that and then venture out um i was playing i was 
gonna mention something but i forgot uh maybe we can touch on it afterwards if i remember but um oh yeah i guess uh later in the track whatever you want to do there is a certification for that if you want to be a pen tester oscp is quite good um for uh security engineers um oswe is is a good one uh i think if you wanna um um should i type it it type it out somewhere yeah that's all right sure you can leave it like leave it out there as well i can just like put that out i i think what i'm trying to get to is also the fact that the certificates are really interesting from a perspective that it helps you um i guess had that conversation and i'm gonna touch on tom's point as well because he raised an interesting point about the home lab i i think having conversations with the recruiters interesting is so important because uh how do you stand out like they could be yeah uh 10 chomps and 10 10k fin 10 vinnies and uh hey hey it could be one mustafa in the mix as well and uh then you're like trying to hardwire stand out for that one because there's only one job yeah you stand out and i think one way could be that you have a relevant certificate like in your case you uh they ask for unix qualification you went down the path of doing the unix fundamental which is a great strategy as well but maybe i can i can probably throw a hiring manager light on this and it's really yeah i don't think it's been spoken about enough and so i think it's probably a great time to bring it in is you know everyone's been recruiting for a position it's not everyone's looking for a broad role even for an analyst as well there might be a certain thing that they would have had in their mind for oh okay so i would bring in this analyst to help me with um i'm expecting them to learn about say cloud or cloud security so not not that they should be already qualified in it but they maybe if they have a uh an inkling towards cloud i can definitely take them to that through that journey of making them a 
cloud secure engineer or secure engineer and i would encourage people who are applying for a job to find out hey what what is the what is the gap that's being filled because then you can answer your questions accordingly you can actually do certain some of those certificates accordingly as well like kind of like what you did with unix fundamental yeah and if you already have an aws one and you can actually uh put some meat in the bone for that or better but as they would say just by having a couple of services that you know you may have tested or done done a home lab with that as tom mentioned i think that combination it'll be perfect for you to qualify any job because then it's just a matter of hey if someone has more experience than you do then maybe that's probably the only other other factor but outside of that if you already have boxes that are being ticked off because that's the kind of role they're looking for it would be an easy win at that point it just would be a no-brainer for any hiring manager to go oh my god yes that totally makes sense this is exactly what i was looking for um so and it's not it's not saying that there's a bias because there could be a misunderstanding that hey if someone says analyst that could be any kind of analyst that could be a paid just analyst that could be so then the way i would recommend people do this is the job that you're applying for as an analyst whether it's uh whatever the company may be just have a look at what kind of team does it already have in linkedin which is a great information to have these days yeah but i i'm curious to know from your part now we've spoke about i guess your development journey onto secure engineer and what was the biggest hurdle we spoke about certification as well the other and i guess kind of from a skill set perspective we touched on talking to developers as well are there any like for people who may be aiming for that security engineer role uh oh yeah actually sorry before that i've 
got a few more examples here uh vineet mentioned deploy services in cloud 2. uh tom mentioned another free way to learn his podcast you can learn so much more importantly learn the lingo oh my god yeah actually that's a great point tom because yeah lingo or thermal industry is so important so so yeah you're able to have the tech speak as i i love it because a lot of times you go to the interview and you're just standing out as oh yeah i've heard of that i don't know i don't know where but i think it reminds me of something so be able to at least go yeah i know that uh and i'm grateful to people who listen to cloud security and are probably in university at the moment because these conversations when they listen to this and they hear about oh okay i need to talk to the developer so when they give asked get asked in a developing course if they get asked a question in an interview about would you be talking to a developer would you be okay with oh yeah totally because this is how you would solve it so um kind of bringing it back to your current role then in terms of the the skill set for a security engineer what are you kind of what do you think are the skill sets that makes uh yeah security successful i guess and what can you yeah yeah um just before on that i wanted to very quickly touch on um the podcast thing and i i suddenly feel that podcasts have been really really important in my journey like um i've learned so much um uh and it's it's the other side of the coin um or not other side of the coin more like the missing half right of recruitment that i i've seen even if you don't have necessarily the best technical skills if you can show your passion and your enthusiast enthusiasm um is this is some of the ways like you can talk about i listen to this podcast i will go to these kind of events i do all this by myself it's not just showing the recruiters from a positive light but from yourself it is a massive massive advantage like i wanted to give thanks to ashish 
and the cloud security podcast like i have my cloud journey actually begin with ashish's house you can podcast a lot um i didn't know that much of structural learning a lot of the lingo especially about kubernetes and aws infrastructure how do you scale all those things those conversations um i absolutely loved it and um we have a dedicated team at atlassian called platform security and i was very surprised how much i could relate to the lingo when i listen to cloud security podcast go back into the actual industry and i can actually get relate to them so i get lots of value out of this for this podcast i just wanted to say on that appreciate that and and yeah i i definitely recommend this podcast to anyone i i'll continue to do so so that's the thing i appreciate that i'll i'll slip you a 100 bill later on to tom's point and to your point uh it always makes me uh feel grateful when i um a lot of people who have gotten jobs uh actually were asked about how do you keep up to date like it's a very common question to ask about how do you keep up with what's happening in cyber security and a lot of people have used uh cloud security podcasts as a as a way that hey that's how they were getting the lingo and they can know about the industry and the amount of times that the recruiter recruiter or the hiring manager knew about the podcast that and i don't know if it has played part in it but i i feel uh it did play some part in them getting the role so i i definitely feel grateful every time someone mentions it because because to what both you and tom just mentioned right even if it's a conversation of a topic that you've never heard but it's like talking to people or it's it's like being part of a room in a talk you hear someone talk about oh what is this thing and then you kind of start listening why are people using it yeah what's the point of using it do i even need it like i think i it always uh through osmosis for lack of better what you get to know of terms and when 
you ever face it you go oh my god yes i heard about this and then like oh i need for my job so you can come back to the episode or you can actually go and explore yourself as well so it makes me really happy when that happens man so coming back to the soft skill um what would you say are some or some of the skills that you require as to be successful for a secure engineer role um i think i think you touched on it like the soft skills part and yeah and um obviously it is not just as a security engineer any role i think soft skills is very very important and i'm i hate calling it soft skills because the tech side of things i honestly think most people can't get it because it's you know it's black and white you either know it or you don't know it with the with this it is it is very very hard and i think this is something people naturally develop or develop in uh um gradually when you go to all these meetups or con having have conversation with other people and stuff i think as a security engineer it is very very important because um a huge chunk of my role is is security is not isolation right security is never in isolation if it's being done in isolation it's being done wrong so it's always interacting with a lot of stakeholders and our our prime stakeholders and customers are are our developers and our engineers so i have to speak a lot a lot with them so for example when i'm doing a security review i i need to have the ability to break down let's say a security concept and speak with them like they are developers they don't wake up in the morning and they they think oh i'm gonna make a super secure software their goal is different right so i need to somehow translate my priority to their priority and sort of show that why it is important why they should care and that is a skill no matter where where you are it's going to be super important even if you think you're on the offensive side right um you think okay i'm going to be a pen tester a red teamer i don't need 
any soft skills that is like uh furthest from the truth like atlassian has an in-house red team they do a fantastic job give us give us lots of trouble all the time um but um a big part of their role is i've seen obviously a um um laying out the operation uh in in a proper way and then speak with let's say these uh ciso or speak with the cto and getting it done b after the operation is done they need to produce a report what was vulnerable how it was vulnerable having that community good communication written and spoken is very very important you need to be able to answer a lot of developers and security engineers why did you do this how did you do this and if you if you can't explain it it doesn't matter right like if you um i guess a very very good thing my manager always says that um it doesn't matter if you have conquered the world um in your own little corner if if if the world doesn't know about it or if you can't release it to the world something like that right um um and i 100 agree on it like because um those are the skills you definitely need and need to foster i understand that um it might not come as naturally in the beginning it did not come naturally to me um it sort of came through practice and more interacting with that i i think with every like everything else the the more you do it the better um like i a very basic piece of advice i can i can give is when meetups start happening again um hopefully very soon definitely go to meetups talk with a lot of people don't be that that person it's very easy to be that person i used to be that like just stay in the corner not talk and i'm i had this uh strategy that okay i'm gonna always go for the guest speaker everyone goes for the guest speaker how do i get him them to talk so i would go to the guest speaker and then say hey i'm from university of melbourne information security club i really loved your talk would you want to come and give us a talk here instead and 9 out of 10 times because the um guest 
speakers obviously love sharing their information right they'll be like yeah sure i want to come and they would then start talking and and expressing themselves more so this was my strategy of how to how to have more invisibility around people and talk with people people can think of me some ways themselves so tldr um i would say communication skills um obviously soft skills but communication skills is very very important written or written or verbal both are very important like in in your meeting you'll have stand ups you'll need to communicate with colleagues you'll um you'll never work in isolation so 100 try your best another thing is i see lots of people um shy away from group projects in uni they're all most of the time they're very difficult i agree but these difficult conversations and experiences are building you you up for the um for the journey in the future i see vineet's question uh which meetups i normally go um which i would like to add because some people might have had that so when p uh meetups used to happen like my favorite uh was sectalks melbourne um that was um like the one i i would try to go regularly there's also something called ruxmon that used to happen every now and then they didn't have a specific schedule or i have this couldn't see one there was also one called all sec which used to be run by a combination of people including ricky burke you might be familiar with him um um i think i me i met ashish in one of the uh meetups if i'm correct ashish right that's right yep yeah i'm gonna say you can probably even go broader than that as well because i think and thanks for that question as well by the way vineet uh because i think i feel like a lot of people listening in may may not have access to i guess those same meetups but they would have related meetups that they can go to in their own local areas yeah i guess nowadays uh and i don't know if you guys did this but during the pandemic i took an opportunity to attend meetups from not 
just australia but from all over the world yeah like well we're an online world now and everyone else is being forced to go online but why am i limiting myself to say meetups just in melbourne or why am i limiting myself to my uh meetups just in the uk or just in america i want to know what's happening in in the uk i want to know what's happening in for cloud in the us or in israel like as long as we match the time zone and it just means like one day once a month or whatever you kind of have to wake up at all time uh to match the time zone but you get to hear from speakers from i guess uh i guess well in my in my context were just english-speaking countries i couldn't go for non-english-speaking ones but if you can if you can go for non-english speaking ones you'll go for that as well and you get to kind of hear their perspective on their side and i i think if you when you mentioned you started off by saying you're you're an immigrant to australia and i think a lot of people are uh and i think i include myself in there as well but so we are i guess fortunate enough to know multiple languages you can uh tune in to some of those languages as well those conversations going on these days uh i think a lot of uh people are on applications like clubhouse as well as um facebook has their new coming in linkedin has one coming in for audio so it's sky's the limit for how do you want to expose yourself to conversations about what's happening in cyber security or cloud security but the reason i kind of went down that rabbit hole was for one particular thing right do you find that uh you knew exactly where you wanted to go and even with cyber security like oh i want to be a secure engineer because a lot of people would just be like um i want cyber security job and i get that question quite often but i'm like which one exactly right it's not just one like it's not like it's a title cyber security and you get that title so uh how do you normally answer that question and i guess 
is there something you found helpful for identifying those different kinds i guess um just just just going back since a little bit sorry i wanted to throw in the meetup app in there because uh that's the main use of uh in the meetups section yeah about the meetups um i guess please use that fantastic app um bug but obviously you can work around it um also almost all conferences have sometimes student discounts or student passes please please make use of them you just need to google the question you ask is uh ashish i'm not 100 sure about that one can you clarify that a little bit if possible yeah sure man i think so i think it's more in the context you know how cyber security could have you could be an application security person you could be a uh pen tester like you touched on a few topics that hey you could be this you could be that yeah is there an easy way to identify [Music] uh what would be i guess what are these different types i guess first of all that you've cause you would have come on that journey where hey do i want a pen tester or do you want a blue team or do you want to be a team like what was that like for you like what was that thought process like for you a very good question and i guess this is something you sort of learn more as you absorb more and more content like i didn't know there is a whole industry about cloud security and cloud security engineering right before i tuned into this podcast more so there's a few other podcasts like risky business darknet diaries fantastic one hacking into security which talks about a lot of those careers um i really recommend hacking into security because they take different roles and have that whole journey laid out and then you can you can see which journey you you relate to the most when i started it did not have so many things i i would say again this is just a lot of the exploration right i i remember there was a phase i'm sure everyone has this phase where everyone uh when uh when i wanted to be a 
malware analyst and a reverse engineer like everyone has this phase like i swear to god and i i i i bought they're finding a bug somewhere yes yeah i bought the book like um uh what was it the art of um the art of hacking or art of exploitation art of exploitation yes that one um and i i read through it a little bit and i was like nope this isn't for me i signed up that malware unicorn course so as you can see this was a little bit of exploration without exploration you cannot find out you obviously start um with somewhere and then pretty much venture out i a lot of it is speaking with people like speaking with people about what they do in their role like is that something that i find really interesting so um even even tv shows i sort of got like um there is a tv show called mr robot uh it is very very based on hacking and that whole concept and i i got to know a lot about the whole so i i don't think there is a one single source people can learn there's so many streams and i um i always feel that the role we eventually or the area we decide to go with is is often influenced by the media we consume and i'm using media as a very broad term right i'm talking about social media platforms um uh educational platforms podcasts many different things so for me that was how i found out about different things and different roles um i i guess fortunately i wanted to tell people the message that um cyber security is very broad um you it's not one size that needs to fit all um if no matter what your background interests are there is it is very likely that you can get a role um for example i had a friend who was very very interested in cyber security and very and very interested in training side of things right they know not necessarily wanted to be the hacker themselves but more sort of training and that sort of things and now she's working in a repetitive firm as a like a developer awareness and leading the awareness program so um that's just one example she she is she learns 
technical stuff but she's not necessarily as technical i wouldn't say she's the most technical but she obviously has significant of amount of knowledge and passion on how to share that knowledge from others right you not always need to be the one who knows everything to teach others you just need to find the right sources and how you can amplify those sources so that's just one example of how if you're even if you're a non-technical background you can still make it in cyber security so that yeah i hope that answers the question it does and i think uh it makes me really think i should make a video on this as well because i think it definitely if there is no single source for this it's definitely worthwhile calling out uh because it's a like a certain kind of person may like a certain kind of job versus another person as well so yeah because i think your malware analyst reminded me of my first job as well uh i i tried being a pen tester and i think the first month i left the job because i just could not make myself manual i was like this is not something i want to do for the rest of my life yeah i i definitely would say explore different jobs and as you find them you kind of realize what works and what doesn't work so um uh just quickly uh i know we have uh we've been talking about different kind of topics around getting a job uh getting qualified for it like but i'm also curious you mentioned skills but what does a day look like for you as a security engineer yeah sure um quite fun i might add not that i'm biased it is it is amazing and i think it's partially uh due to the fact that atlassian's culture is simply amazing i cannot get over it um for me if if i'm trying to say it concisely i think 50 to 60 of the time is behind different security related activities so i'm doing security reviews um and when i say security reviews this can be threat modeling code reviews design reviews uh penetration tests even um and um either by myself or in collaboration with other 
engineers and um and speaking with developers or to how to fix certain bugs um in their products security vulnerabilities so a lot of my time goes into that and i really like this side of things and the other i would say 40 to 50 percent of the time is is projects i i absolutely love this because i can do um a wide variety of projects like i started uh atlassian um with a more research based project when during the internship and after that i did a very coding heavy project and then again some more processes related project and internal tooling and now the current project i'm working is how do i say improving internal plays and guides so for example i am now working on how how we can do threat modeling better so what are the what what we have been doing with threat modeling what how and how can we make that better and i worked on a various other other of our processes as well like how how can we do a certain type of test like graphql test better what are the tools um do uh and completely set up create a comprehensive guide which other security engineers can follow so the project i do is very broad and it's all it's like a wide variety which keeps me quite engaged um and yeah that's how just how we operate at atlassian there's also this ten percent of time which is every every four or five weeks i get an entire week to do whatever i want like um personal research any kind of training um right i really love that week because i do a lot of the cloud based learning uh in those weeks like um certifications or just doing some hands-on labs or even work on i don't know um writing something right um so the yeah so that's how our typical life of the the day in the life of the security engineers thanks for sharing that man so uh i that's i would love to keep continue talking about the security engineer part but i i only have limited time with you man so i'm gonna help to get people know you a bit more as well so i've got my funds actually towards the end i think we've answered 
all the questions that came in as well uh but feel free to drop them and say continue dropping them if you guys have silly for questions or comments um so three questions not too many uh first one what do you spend most time on in not working on being a secured engineer yeah absolutely um it really varies look when it comes to non non security stuff it's a jack of all trade master of none kind of thing um i do juggle a lot of things like um uni work if people doesn't know like i still study part-time so the story goes like i finish my internship and atlassian my manager was very nice very kind he basically said hey um like whatever you have done so far is awesome do you just want to continue doing it until you graduate and work part-time and i'm like yeah sure sign me up so um that and i also different uh um involved with different clubs that takes a lot of time um so i'm just trying to think so apart from that i guess the majority portion goes with me spending time with family and friends so that's a huge chunk i have recently developed a very pet peeve regarding investing and the personal finance side of things since the beginning of this year so i do spend a lot of times on watching videos uh learning consuming content regarding personal finance investing and trading a little bit um yeah so i guess that's it okay thank you so it sounds like you and i can have more conservation marketplace investments yes i can tell you about how i grow this beer just consuming all the content yeah i saw you you you are like an early stage investor now so which is yeah so definitely talk about that as well man um the the the next question that i have what is something that you're proud of but not on your social media proud of and not on social media um um i guess just developing a very good friend circle in in australia like like i mentioned similar to you i was a migrant myself i had to leave my entire social circle behind and just venture into a new country i was very very 
scared very nervous but i definitely had a lot of people support me along the way and um i i always tried my best to not get out of touch so i would proactively reach out talk to them the people who and develop a friendship so i'm really happy with my let's say the friend circles i have um and that's something i'm very uh proud of it's pretty awesome man uh and yeah definitely some some people to keep close to yourself as well yes yes cool all right last question what's your favorite cuisine or restaurant that you can share cuisine or restaurant oh no this is so hard this is so hot as someone who eats out a lot um i would i would lean towards japanese i i tried japanese food a lot i guess japanese is my favorite dish and no you cannot use that to social engineer me it's not any of my password prompts um but yeah i do tend to lean towards japanese food a lot uh i have a like i just mentioned my mates we have i have some mates who we're really looking forward to the borders opening and we can go to japan and actually have proper uh i mean we already have good japanese food here but actually experience the japanese cuisine in japan so that's something looking forward to yeah that's pretty awesome man uh i and thanks for sharing that as well man yourself uh so i think at the moment currently what i'm missing the most with the lockdown is uh somalian food somalian food yeah well i i i'll definitely so uh funny enough because you're in melbourne i can tell you the restaurants as well yes a popular place for volume uh yeah i'll definitely yeah yeah so i think uh for for me particularly i'm kind of like 40-year-old yourself so my food changes uh like i think last week i was definitely craving a lot of japanese this week it's definitely a lot of somalian food is what i don't care is what i'm yeah craving yeah so i think the week before that because i was talking to uh one of our guests was an ethiopian guest so i started craving ethiopian food because we have awesome 
ethiopian restaurants as well so han and i after after the show we were talking about injera bread and everything so uh yeah man i think it's definitely uh i i i for for the moment i'll say it's somalian food it's long long and short of it is but i was also going to ask uh the people who may be listening and maybe have follow-up questions or things we may not have covered where can they reach out to you um the best would be linkedin um other than that i have recently started uh being a bit more active on twitter because i found out a lot of the news i'm not too avid twitter user but i see a lot of the news do come out of twitter so just to follow the news mostly but i would prefer linkedin i definitely uh try to be as proactive as i can there so that would be the best two mediums yeah and feel free to reach out if you have a just to say hi or any conversation or uh if you have any questions or anything i can help with more than happy to do this one awesome and i'll i'll put the links in the show notes as well so people can reach out thank you so i can say thank you as well for coming in on the show but thanks so much man i really appreciate you hanging out with us and i think it i feel um a lot of questions that i was being asked by people are being answered over here as well so i'm hoping they can come back to this and contest i guess come back and have a look at what they could be doing and i appreciate uh tom vineet and stuff and other people who hung out with us as well and asked questions and shared their insight as well so thanks everyone and uh yeah man i think i'll i'll i hopefully i can i can bring you back on again i will talk will fox talk soon but for everyone else i will talk to you all next weekend oh you know next weekend this friday or thursday you'll you'll see i kind of have to keep developing the mystery of the podcast who's coming in so i'll i'll talk to you guys uh next time we're talking about soc and uh threatening analyst people so getting 
inspired by your malware conversation of the next person in line is a threat analyst or a soc analyst person so let's see how that one goes man but thanks uh and i'm pretty sure uh there'll be a lot of learning that will come out come out of that as well the same way uh there has been a lot of learnings from here so i appreciate you coming in man and uh for everyone else i will see you soon and uh hopefully i can have kaif again thanks everyone peace thanks for having me
