
From Penetration Testing to Security Research and Beyond

Recognizing My Dream for Perpetual Learning

At the time of writing, I am 26 years old, living in San Diego, and depending on how you measure it… I have either four years of experience in cybersecurity or closer to ten (LinkedIn Profile). Nearly all of this, apart from the last year or so, has been focused on information security and enterprise penetration testing.

On a recent flight to San Francisco, I thought about my first year as a Security Researcher @ Semgrep and how my own intrusive thoughts are, as usual, my biggest enemy.

Jack of all trades, master of none

“The first time you do something, it’s science. The second time, it’s engineering. The third time, it’s just being a technician. I’m a scientist. Once I do something, I want to do something else.” -Clifford Stoll

An issue that I’ve always had is that I get bored very quickly. When I start something new, I have to go all-in, which often leads to hyper-growth. But once you get to a certain point, that growth tapers off, and everything seems less exciting. For me, I usually reach that point within days, or at most a few months; certainly not years.

Thank God that I chose cybersecurity; without the fast-paced and ever-changing technologies, I don’t know how I’d survive.

Get a good job so you can pay your bills

“My doctor gave me six months to live, but when I couldn't pay the bill he gave me six months more.” -Walter Matthau

My first full-time role after my undergraduate degree was penetration testing, the role that everyone seemingly wanted. Ironically, it was not my first choice, but I definitely enjoyed breaking things, so I figured, why not? What I soon came to realize is that if you’re good, you can seemingly hack anything given enough time and resources.

But that doesn’t appeal to most customers seeking penetration testing services. The primary responsibility is to identify vulnerabilities worth remediating to make the customer a less desirable target. Unless your customer is the only opportunity for a malicious actor to get what they want, the attacker is likely to follow the path of least resistance. This takes a lot of commitment, but you definitely don’t need to be a genius to follow trends, understand their attack vectors, and recommend mitigating controls.

I don’t think of myself as a genius, but who dreams of being average?

That said, I was constantly searching for ways to challenge myself within the role and stay outside of my comfort zone. That led to an interest in business operations, customer relations, and sales while maintaining a passion for deep technical challenges.

“When you're uncomfortable, that's when you learn something new about yourself.” -Arca

Fortunately for me, I’ve now built a great repertoire of skills enabling me to earn lots of money, hence moving to San Diego and living at the beach. However, when you’re good at something and it pays lots of money, it becomes increasingly difficult to put it down and move on to the next thing that has you excited.

This is why I look for other ventures to satisfy my hunger to learn something new while continuing my more mature ventures to pay bills, invest, and save, in that order. My latest two ventures have been becoming a Security Researcher @ Semgrep and Founder/Author @ CramHacks.

My first year as a Security Researcher

Starting at Semgrep in February 2023, I had major imposter syndrome. I originally joined as a contractor, making less money than I did as an intern. My hope was that by dipping a toe in the water, I would see that “yes, I can do this.”

At the time, I was starting my final year of my MS in computer science @ GaTech, but I had minimal professional experience writing production code, using GitHub, and speaking the lingo. The lingo was honestly the most difficult to pick up. For months, I couldn’t tell if coworkers were using real acronyms, making jokes, or just shortening things for no good reason 🤣 sorry if this is you.

What I’ve come to learn is that application security is a shit show. The talent at Semgrep is incredible, and a lot of what they do feels like magic, but the more I learn, the more human people seem.

Now that I have foundational knowledge in areas such as development, product security, and the day-to-day for security engineers, I feel confident in my abilities. Additionally, I now see that my background in information security is a major value-add. I have multiple years of experience working directly with customers, understanding their needs and wants and how best to serve them. This has made it infinitely easier to prioritize my research efforts for the betterment of the company.

On a daily basis, I’m saying, “Oh, that’s weird… On the information security side, I would’ve expected XYZ…” or, in the context of software supply chain security, “Wow, you don’t know what third-party packages make up your application?  Asset management for IT/InfoSec has been around for how many years now?”

When I started in information security, I was excited because it’s still a relatively new field. Now, working in application security, I feel like information security is ancient, and application security started yesterday. There are so many trivial issues to solve or mature, e.g., knowing what third-party components make up your application. Yes, I’m well aware that software composition analysis (SCA) exists and has for 15+ years, but it still sucks. We’re seeing the impact of immature SCA today as software bills of materials (SBOMs) grow in demand, but the accuracy of the tools generating them is wildly inconsistent.

The magic is diminishing

So, in just about a year of working in the application security space as a Security Researcher, the excitement quickly diminished as I realized it was not magic after all.

I use this term a lot: “it feels like magic”. I strongly believe that not only is this what excites me personally, but it should also be a goal for any good product. Steve Jobs seemingly loved the ethos of “it just works”, which I use interchangeably.

In fact, I just re-watched Steve Jobs introduce the iPhone in 2007, and what does he say about multi-touch? “It works like magic!”

While the magic is wearing off in software supply chain security, there’s still so much remaining in unexplored areas. Artificial Intelligence and Machine Learning are creating a whole new market for security research, and the same goes for Virtual Reality and Augmented Reality.

If it were practical to pay bills doing what I want, I think I’d be working on something new every few months. No bureaucracy, no meetings, just learning. Learn with friends, learn with books, learn by doing. How does one silo themselves into one niche for eternity? I could never.

Fun fact: this is my eventual dream for CramHacks.

Besides this being a brain dump for therapeutic purposes, I want this to be a message for those interested in application security who think it’s a career reserved for special talent. Let it be known that the people in this space are human; they seem really smart when you talk to them about what they’ve been working on for the last 6 months, but you would too (hopefully).

I know a lot about software supply chain security and a decent amount about static code analysis. Ask me some low-level questions about dynamic analysis, and you may as well be talking to a brick wall. Some will try to bullshit answers, but most will just outright tell you they don’t know squat. I think this is why honesty and the ability to say “I don’t know” are so well-respected in the technology space. No one can know or retain everything.

The future!!!

My dream is to be a perpetual learner, and that is what I will be.

“Goals lead to success. Choose endless goals.”