“Find out what makes you happy”: Katie Paxton-Fear, educator and YouTube security expert, explains how to carve out a successful career in infosec


“Never stop learning,” Swig readers said in a question-and-answer session

“The history of computing is truly amazing,” Katie Paxton-Fear reflected in a question-and-answer session with The Daily Swig last night.

Yesterday (October 12), we celebrated Ada Lovelace Day by hosting an Ask Me Anything (AMA) with Katie Paxton-Fear, hacker, educator and industry figure in infosec.

Paxton-Fear, whose many contributions to the industry include her free educational hacking tutorials on YouTube, lectures at the University of Manchester, UK, and triage work for a popular bug bounty platform, joined us on Twitter to mark the annual day that celebrates women in tech.

Ada Lovelace, the daughter of the famous poet Lord Byron, is considered the pioneer of computer programming after publishing the first machine algorithm in the 17th century.

Each year, she is the face of a campaign to educate and inspire women in STEM, now and in the future.

If you missed our live Q&A, here’s a roundup of the night’s top tips, including how to start a career in infosec, which bugs are best for novice hunters, and how to disconnect from an ever-changing industry.

Thanks to everyone who sent in their questions with the hashtag #SwigAMA, and of course to Katie.

Daily Swig: Did you have anyone in infosec / tech / STEM that you admired as a child?

Katie Paxton-Fear: That’s such a good question. Not really: like a lot of young girls, I didn’t feel like people like me were tech pioneers. I am happy that we are now celebrating Ada Lovelace Day because it changes a lot. But even though I never had someone to turn to [in the industry], my family really encouraged my passion for computers even at a young age, and from there I think that even though I didn’t have anyone to admire, I had a dream to turn to instead.

I remember when I was a kid I told my dad I wanted to make Neopets, and he bought me ALL the web development books after that! I never did Neopets again but I think I have the skills now!

DS: Why do you think Ada (Lovelace) is one of the coolest people of all time?

KPF: So, I’m a bit of a computer history nerd, so in my mind the coolest thing she did was write instructions for a machine THAT DIDN’T EXIST, LIKE WHAT? How do you even do that? I sometimes get errors while writing hello world!

Related: One of the reasons I’m so interested in Bletchley’s Colossus computer is because it cracked a code and the Allies didn’t even see the machines that produced the code until after the war. The history of computing is truly amazing.


DS: If you could change one thing in the industry, what would it be?

KPF: I am thinking of greater collaboration. I was a developer for a while and I definitely had the “not a me problem” attitude. Safety was just someone else’s problem. And then I was the only one there when the production servers were ransomed and I had no idea what to do except panic.

It doesn’t stop with technology: I know a lot of people in my knitting club who aren’t good with computers, so I try to help keep them safe when I can and give them some advice.

PS: my solution for the ransomware was to simply shut down the server and hide behind my boss as he sent the whole company home early.

Ada Lovelace, as sketched here, is considered the pioneer of computer programming

DS: What do you think of the tendency of researchers to give a vulnerability a name, logo, website, etc. – is it necessary?

KPF: So as a dyslexic person I can’t remember a single CVE number but I do remember ImageTragick, which I think is a pro. I know it’s a bit dramatic overall. I really think the names help users and practitioners to communicate without confusion.

I wish we had softer, cuddly names instead of what could be death metal band names. Where is the “Sparkling Unicorn Friendship Attack”?

DS: What do you think of the new OWASP top 10?

KPF: Oh that’s gonna get me in trouble! Overall, I like the top 10, but I think it represents a general tendency to lump all web development together, but with that it ends up being very general. Maybe since we have a top 10 APIs, we should have a top 10 JavaScript, a top 10 enterprise, etc. to better describe the mishmash of technologies that the modern Internet has become.

I’m happy to see SSRF get a mention, I think it’s somewhat misunderstood, and I think “Injection” as a catch-all is more “future-proof” than XSS / SQLi. Also, I think using a data driven approach was a good call overall.


DS: Is it okay to have experience in any sub-area of IT (e.g. tech support, development, testing) before entering security roles? Will companies really take these people into account?

KPF: Yes, of course. I think it all depends on how you position your career, really making sure you grab every possible opportunity; if your employer is under attack you can argue that training would be a good way to prevent it in the future. It will take time, however, and it is important in job interviews not to lie about your experience but to look at how being in support, for example, can shift to security (for example, empathy for users). Things like bug bounty [participation] can help a ton to gain experience outside of work!

DS: How did you get started in cybersecurity? What suggestions would you have for others who are starting from scratch?

KPF: I think my biggest tip is not to get attached to one area right away, but to spend a little time figuring out how security really brings joy to you. There are SO many careers in security, from techies to creatives to people roles and everyone in between; it can be easy to get overwhelmed, so I found some friends and mentors who really helped guide me and advise me on the opportunities that presented themselves. And while I could never do forensics and investigate a crime scene, the experience was really fun and I had a lot of fun learning!


DS: What made you decide to work in infosec?

KPF: I ended up here kinda by accident. I finished college and got a graduate job in software engineering and data science, and one day at lunch I realized I didn’t like my job and I decided to apply for a PhD. Unfortunately, I realized this in October and doctoral admissions were closed.

So I didn’t have a lot of choice in my field (natural language processing); I opted for the doctorate which combined both NLP and infosec, and originally it was just a field for my work, but within a year I found myself really interested in infosec!

DS: [What is] the first bug that a beginner with a basic knowledge of bug hunting can begin to learn?

KPF: I cannot stress this enough, IDOR! They don’t require technical skills, just persistence and they are EVERYWHERE.

Seriously, they’re one of the most common bugs and while the impact of some might be low depending on the organization they can be high or critical, especially with the current direction of the modern web – I think they will take control of XSS. The best way to find them is to sign up with two accounts and see if you can perform any actions on account A while using cookies from account B.

Katie’s YouTube channel provides free hacking educational tools and resources

DS: What is one thing you suggest that infosec folks do to take time out and relax?

KPF: I think it’s important to have a hobby away from the computer. I can’t stress how much getting away from the computer helps me think and process as well as find inspiration at random. I really love to knit because I love to create and it’s nice to have something to point out and say, “Hey, I did that!”

I can’t stress enough the importance of taking time off and managing your work-life balance, especially if you’re a student or starting a business; it’s really easy to get caught up and feel bad when you’re not working, but it is essential to be successful.

Also, my mom doesn’t understand computers at all and I can’t stress how helpful she is in discussing my problems. My partner often teases me that I treat him and my mom like coded ducks when I’m in trouble!

DS: What class of vulnerabilities are you studying right now?

KPF: Ooh good question, I’m currently learning the vulnerabilities that target AI / ML and data science more broadly. We often rush to set up sophisticated algorithms that are deployed without thinking about security issues. We can all laugh at the GitHub co-pilot finding API keys, but there are many types of vulnerabilities that affect AI / ML systems and many pose privacy risks!

When it comes to the web, I’m really trying to explore HTTP request smuggling for a video. I think I understand it and then I will try to write it down and realize that I don’t quite understand it. Me and HTTP have a relationship again, again.

DS: And finally Katie, do you have a final tip for our subscribers?

KPF: Thank you for hosting me! I think the best way to be safe is to stay curious. Never stop learning and asking so many questions that you annoy people around you (just kidding!)

