Detectify’s 17-year old security researcher shares his best advice
The IT security field is growing rapidly. More and more stuff is being connected to the internet, and existing services are expanding at a brisk pace. Consequently, there is a growing demand for IT security experts. We need to attract more young people who will grow up to be our future IT security specialists. Participating in Google’s bug bounty program at age 14 sparked my interest in web security. I have now, at 17, been employed by IT security startup Detectify for two years and written IT security-related columns for leading media houses in IT and tech. I am not saying that people doing IT security today have some kind of moral responsibility to attract new people, but I believe it would benefit everyone to expand the IT security community and it is therefore something that we should work towards.
Here are 5 ways that I believe we can get more young people into web security.
1) Welcome new people
Be open-minded towards new people. Help out when possible and answer the questions you receive. By this I mean everything from general technical questions to more concrete help getting a foot in the door of the industry. This is something I remember people being really good at when I started out a few years ago, but things can always improve. When all my experience consisted of reading blogs and I was gasping for more, someone I had got to know over the internet reached out with a ticket to SEC-T, as their company sponsored the event and had a few tickets left over.
As with all new areas of potential learning I do believe that being able to ask questions without the fear of being judged is very important for development.
Many newcomers are also quick learners, and networking among them may pay off faster than you expect. Being the one who helped out in the beginning also builds trust: who would not want to help their mentor once they are in a position to do so? Helping out new people pays for itself in the long run, so see it as an investment rather than charity.
2) Free resources
While attending a conference might be hard to pull off for the average teenager, an internet connection is all you really need. There are a lot of resources available for free today, in any medium you can think of. DEF CON publishes almost all of its talks on YouTube, and there are plenty of free text write-ups, to mention a few. However, the existing information is not always easy to find for someone "outside" the community. If we are going to improve in this area, we need to make the existing information more accessible. If you are releasing security content yourself, consider spreading it in channels outside the traditional security community. While it might be fun to be retweeted by some security guru, that should perhaps not be the only goal when spreading content.
The Internet is full of public sites to get information from, and you can simply google for them. I would recommend not following specific blogs at first, but rather finding sites that aggregate links to interesting posts. Anything worth reading in the beginning tends to find its way to Hacker News or /r/netsec quickly enough anyway. Building a personal network of interesting people on Twitter is also a great idea, but it takes a while before it becomes useful.
3) Challenge the stereotype
Even though people within IT may joke about the hacker stereotype, and feed it themselves, not everyone is in on the joke, and it risks scaring away new people. A good example of this would be when the FBI director jokingly said that everyone in IT security smoked pot. Did he really believe that would be a good way to get parents to encourage their children to go into that industry?
There are a lot of jokes about alcohol, drugs, etc., and I am not saying that we should stop joking about it altogether, but it is something to keep in mind. Would you introduce your teenager to a group of people who talk about alcohol as a necessity, treat illegal substances as something normal and build bombs as a hobby? Most likely not.
4) Doable cool stuff
When I first started to write C++ at age 12, I stopped after a few days due to a lack of patience. I realised it would take ages to be able to create the game I had as inspiration. 'Hello world', on the other hand, would not have strained my patience, but it was not much of an inspiration either.
People differ, but this is something I have seen with others as well. One of the better ways to introduce someone to programming, and thereby to security, is to show off something that looks cool but is still achievable within a reasonable time frame. One could call it a combination of the game and 'hello world'.
Transferred to web security, maybe show off a simple reflected XSS at first? Let people play around with that, and when the lack of patience has been replaced with interest, start introducing more advanced material and explain how and why it works.
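The kind of demo meant here, as an added example that is not part of the original post: a hypothetical search page that echoes its `q` parameter straight into the HTML (the reflected XSS), next to the same page with escaping applied. The URL, the page and the payload are all constructed for the example; nothing is taken from a real site.

```javascript
// Added example (not from the original post): a reflected XSS a beginner can
// reproduce in minutes, shown beside the fix so the "why it works" is visible.
// Assumptions: a hypothetical search page at example.test that reflects ?q=.

// Minimal HTML escaping, enough for text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the decoded query parameter is concatenated into the page as-is,
// so anything that looks like markup becomes markup in the victim's browser.
function renderVulnerable(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened: identical page, but the untrusted value is escaped at the point
// where it is inserted into HTML, so the browser renders it as plain text.
function renderSafe(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Crude check a learner can run on the rendered page: is there a <script>
// start tag that the template author never wrote?
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: the classic proof-of-concept payload in ?q=.
const PAYLOAD_URL =
  "https://example.test/search?q=" +
  encodeURIComponent("<script>alert(1)</script>");

console.log(renderVulnerable(PAYLOAD_URL));
// <h1>Results for: <script>alert(1)</script></h1>
console.log(renderSafe(PAYLOAD_URL));
// <h1>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</h1>
```

The vulnerable version is the "cool" part: paste the URL into a browser and the alert fires. The hardened version is the lesson: the same bytes arrive, but because they are escaped where they meet HTML they are rendered, not executed. Output encoding has to match the context (HTML body here; a URL, a JavaScript string or a CSS value would each need different escaping), which is the natural next step once the simple case has sunk in.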
5) The approach in school
Many say that programming in school should be mandatory. While that sounds like a good idea, we must be careful not to create a climate where it is forced upon students. Programming is an interest that must grow naturally. Even if you feel it is the best thing you have ever experienced, not everyone will feel the same, and that is okay. I sometimes get the feeling that the debate is somewhat poisoned today because programmers hold a black-and-white view of it.
How fast you grasp the logic behind programming also varies a lot, so letting each individual study at their own pace is important. I have seen it myself in school, where the ones who understood it quickly felt unmotivated and the ones who did not grasp it gave up and hated it altogether. Focusing only on the middle group is never a good idea, but it gets especially bad in programming, where the initial differences in knowledge are even larger.
I believe the process that gives the best result is to make sure everyone is exposed to it, see what sticks, and encourage any curiosity that emerges. Explain why it matters and what can be done with that knowledge (similar to 'doable cool stuff') without turning it into a cliché.
About the author:
Linus Särud stumbled across the world of web security by accident after finding a virus on his computer. His career in web security quickly took off, and at 14 he hacked Google. Now, at 17, he is a web security columnist at IDG Sweden as well as a skilled security researcher and a much-appreciated member of the Detectify team.