Memberships
When it came to reviewing new research in the space, certain academic research sites
became important to me; however, in terms of consulting with real companies I have
found the work and support of OWASP to be quite compelling
in terms of communicating directly to Mobile/Web Application development groups
and/or staff. To be quite frank, OWASP is much more in your face and can help create
security awareness in development groups, not just the management. To be honest, given
it is much harder today to have a silo role that does not involve technology decisions,
I believe OWASP speaks to the heart of today's business in the software sector, with
a wide variety of materials and interfaces that provide members with the ability to
learn/contribute:
It is also important to be able to challenge your local community concerning
the security concepts you are encountering. I have found the Security B-Sides
conference an excellent place to receive new local insights and dialog with fellow
security practitioners. The B-Sides Vancouver conference is also a great place to
communicate your own ideas to a larger local community.
Local Dialog
Simply knowing about one or two specific security features (like Authentication,
Authorization, Accounting, Password Hashing, and Encryption Algorithms) might
actually make you think you know a lot, but knowing everything won't help you
respond or prevent incidents and/or attacks. If you're looking to gain wisdom and not
just knowledge, you are probably looking for the impossible, not just the possible.
Preparing for the impossible is one of the reasons I started attending a local
security group called VanCitySec. VanCitySec isn't a group of
professionals in suits talking about how big/small their budget is, it's a group
of people that work in all aspects of Security Technology, and if you are looking
to ensure you have covered all the bases for your organization, it is something
you should seek to be a part of. I may have phrased this wrong, but that is the
purpose this group serves for me. They won't just drill you on Policies, Profiles,
Intrusion Detection, Intrusion Prevention, and Computer Security; often the
discussion goes beyond the basics towards the principles of Security Engineering.
They will also let you know about what they are learning in the ever-changing
section of the Security field they are working in. Once you have tried to take
the current Security Risks seriously by being vulnerable with others in the field, perhaps
you would like to learn more about the corporate security business. In Vancouver
there is a Security Special Interest Group (SIG) for businesses called
VanSecSig, and if you find yourself
representing the businesses for the cause of security, this is a good place to
review (or help present) a variety of relevant and/or interesting related topics.