The Application Security Podcast
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
The Application Security Podcast
Meghan Jacquot -- Assumed Breach Red Team Engagements for AppSec
AppSec specialist Megan Jacquot joins Chris and Robert for a compelling conversation about community, career paths, and productive red team exercises. Megan shares her unique cybersecurity origin story, tracing her interest in the field from childhood influences through her tenure as an educator and her formal return to academia to pivot into a tech-focused career. She delves into her roles in threat intelligence and application security, emphasizing her passion for technical work, penetration testing, and bug bounty programs. Additionally, Megan highlights the importance of mentorship, her involvement with the Women in Cybersecurity (WeCyS) community, and her dedication to fostering the next generation of cybersecurity professionals.
The discussion covers assumed breach and red team engagements in cybersecurity, the significance of empathy in bug bounty interactions, tips for Call for Papers (CFP) submissions, and the value of community engagement within organizations like OWASP and DEF CON. Megan concludes with insights on the importance of difficult conversations and giving back to the cybersecurity community.
Links
Difficult Conversations (How to Discuss What Matters Most) by Douglas Stone, Bruce Patton, Sheila Heen -- https://www.stoneandheen.com/difficult-conversations
Being Henry: The Fonz...and Beyond by Henry Winkler -- https://celadonbooks.com/book/being-henry-fonz-and-beyond-henry-winkler/
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Meghan Jacquot is a security engineer with Inspective, and focuses on vulnerabilities and attack surface management. She's particularly interested in cloud security, threat intelligence, investigating vulnerabilities, and the ethical use of data. Meghan shares her research via conferences and publications, and she helps various organizations and folks throughout the year, including DEFCON as a SOC, GOON, Diana Initiative, OWASP, SANS, and WeCyS. She also visits national parks and gardens and hangs with her chinchilla to relax. Meghan joins us to explain the concept of Assumed Breach Red Team Engagements, and how these apply to AppSec. I hadn't heard this term before, so I wanted to understand it more deeply. Meghan takes us into various scenarios of assumed breach, and we understand how it all fits together. We hope you enjoy this conversation with Meghan Jacquot. Hey folks! Welcome to another episode of the Application Security Podcast. This is Chris Romeo. I am the CEO of Devici and also co host of said podcast with my good friend Robert. Hey Robert, what's happening?
Robert Hurlbut:Hey Chris, doing well. This is Robert Hurlbut. I'm a Principal Application Security Architect and Threat Modeling Lead at Aquia and excited to be here for another episode of the podcast.
Chris Romeo:With a certain amount of madcap fun. Always guaranteed with an asterisk attached to it for whatever reason the lawyers say we have to put an asterisk after it. I don't know. I don't know why that would be. But super excited to be joined by Meghan Jacquot. Did I get it right?
Meghan Jacquot:You did.
Chris Romeo:it there. I tried. I went all in. That was my full theater, kind of embracing my inner theater performance there, which I have only experienced as a very young child. Uh, but let's, uh, jump in, Meghan. We always like to hear people's security origin stories. Like how'd you get into this world of security? You can go back as far as you want. Um, and we just, we love to hear people's stories. So please share.
Meghan Jacquot:Absolutely. I think it's a fascinating thing to think about your origin story and, um, how you got to where you are and then maybe forecast to where you might be going next. Um, for me, mine begins very young. Um, so I knew that intelligence was a field because my grandfather was career military intelligence and had actually been in the OSS, which later on becomes the CIA. And so I was just intrigued that. Intel existed. Um, and he couldn't tell us anything, right? Like even nowadays, um, he's passed, but some of the missions that he was on are still classified. Um, some of the things are not. So I've been able to read up on some of the things, but it was just fascinating that that existed. And so I was like, Hmm. Store that away. Interesting. Um, and then both my parents were in STEM. So my mom was a nurse practitioner. My father was a database analyst using Tableau. Um, and so I kind of had that tech side of things always around me where it would be, you know, like, oh, learn a new technology, teach it to yourself, teach it to another. So had always loved tech, always was kind of the person in the family that would fix something if it was broken. Sometimes I would take apart that thing to figure out how it worked, um, so kind of like the breaker side of things. Um, but I didn't actually start in security, so I had like all this stored in my head. And I really liked helping others, really enjoyed learning and teaching. And so I actually went into education. And so I was a teacher, um, teaching engineering and computer science to 11th and 12th graders. Um, and then because I had that technology side and I was working at smaller schools, if you've ever been to a smaller school, they always have many, many needs. I was also the kind of like sysadmin, network admin, just because they didn't have that staff. So I was just doing like part time teaching and part time IT, essentially. And I kept leaning into the IT side of it and was like, Hmm, I, I think, I think I want to switch more into this. What, what would I do? How would I do that? So pre pandemic, I decided to go back to school and I got another degree. Um, so some people, you know, are more of the, like, I want to learn and just like break everything. Yeah. I think because of my background with education, I really like the formal learning style, as well as doing on your own. And there's no, there's no right way. There's no like, you know, this is the path to get into security. But for me, I enjoyed the formal pieces to it. So I went to, you'll see an Illinois behind me. Um, I'm originally from the Midwest, but I'm on the East coast now. So I went to University of Maryland, um, and got another degree in comp sci with a focus in, um, network and system securities. Um, so finished with that and was like, okay. I have some knowledge. I've, you know, already been doing the breaking side of things. What's next? Well, I knew that Intel was a thing. Um, what if I go into threat intelligence, right? That's just layering on technology with Intel. Um, and so I started doing a lot of research, um, started meeting people, networking, um, joining a bunch of different organizations. And then landed upon my first security job, which was at Recorded Future. And so I was part of the Insikt Group there, and I was doing threat intelligence for a variety of different organizations. Um, really interesting work, um, a lot of research involved. It wasn't quite as hands on technical as I wanted it to be. And so then I started looking for, well, what's the next thing? Um, and I ended up at this, you know, kind of fun startup, um, called Inspectiv and we do, um, AppSec work. It is very technical. Um, and we do, um, penetration tests as a service and bug bounty as a service for all sorts of, um, websites, AppSec, um, anything that you name it, we even do network stuff, but, um, it's really been enjoyable and I've been there for several years now, um, and yeah, it's been kind of a fun little journey of like twists and turns of like, you know, from my, From my, um, early ages, I knew that this was a thing, and then you store that away, and you store that away, and you're like, Okay, well, what do I want to be next? What do I want to do? Kind of the question that I think you can eternally keep asking yourself is what do I want to be when I grow up? You know, it's not that you have to be one thing,
Chris Romeo:I'm just laughing because I, I asked, you know, college aged young people these days. And then I always caveat it with, I have no idea what I'm going to do when I grow up. So don't feel like you have to, you have to figure it out at this point. Like it is, I'm with you. It's a, it's a constantly reevaluating type of thing. You can. Life is, has so many opportunities that you can change your scope and change your perspective so often. So, I am curious though, coming from the classroom, is that something that you think you'd, you'll return to in the future? As far as like investing directly in the next generation? Or is that something you feel like is kind of a chapter, like you did it for a period of time and now you're on to kind of other things?
Meghan Jacquot:Yeah, I actually still mentor, um, former students. So I have some students who are now in college, um, almost done with it. And, um, they are, I, a couple of them are going into cybersecurity. Um, so I, I've been still doing mentorship of that next generation. Um, and then I, every year participate as part of the, um, WeCyS mentorship program. So I'm a mentor for that. and most of the people who are my mentees are college students. As far as going back to the high school, I still do guest speakership at high schools, um, so I've continued to kind of give back to that, um, group, um, and, um, I know there's CyberPatriot as well, so I had set up one at my school. The current teacher who took some of the classes that I was teaching did not continue that, but if they did, I said, you know, if you ever need any ideas or mentorship for that type of program, I'd be happy to do so. Um, so I, I have continued it, just not as formally. Um, I could see further on down the line, um, it doing something that is a little bit more Intensive or intentional in the sense of maybe teaching like some college students or, um, helping out more with the high school type thing. So I think that there's always room. If you have the cycles, there's always room and need, um, for the next generation to. understand and learn better from people who are actually doing this work. Um, I mean, they, just the questions they ask, I, I find them to be really fascinating. And, you know, like people are like wondering, well, how do I do this? Or how does that work? Or is, is this really tracking me? Um, et cetera, you know, like. Yeah, just kind of going through different questions people have is a lot of fun.
Chris Romeo:And, and you mentioned WeCyS, I'm familiar with it, but I'd love for you to just introduce for those in our audience who might not know, um, what WeCyS is.
Meghan Jacquot:Yeah, so it stands for Women in Cybersecurity. Um, and so then kind of like the shortened form is like We Sisters. And so you might hear that and you might think like, oh, maybe that excludes me. It actually doesn't. So anyone is welcome to join. It's an international nonprofit organization and it's really for just increasing Anyone who is, um, less represented, um, in cybersecurity and bringing them further in. So either getting them to break in, helping them level up, helping them increase executive leadership skills, wherever you are in your career path. And so, um, you know, like, You might see, like, you can hear this and be like, okay, Meghan's a woman. Of course, she might be in that organization, but anyone could join and become someone who is doing mentorship or maybe is even like, um, going to the conference and doing resume reviews or is, um, You know, getting their resume reviewed, right? So it's not that it has to be a, you just give, give, give. You can also receive some of the services as well, too. And they do an annual conference, um, they were started in the United States. Um, so the conference so far has always been in the United States. They're having their 10th one. Um, in March of this year of 2024.
Chris Romeo:Very cool.
Robert Hurlbut:Well, Meghan, one of the things that, uh, you shared with us, uh, before we met today was, uh, talking about some of the things that you've done in terms of helping clients find things that they had no idea were being exposed. But one particular was, uh, an issue where credentials and clear texts in a public facing GitHub repo was found. Can you talk, talk to us about that?
Meghan Jacquot:Yeah, absolutely. So I think one of the skill sets that I really have is, is ability to do research and, and just think through, um, what the attack surface might be. And so that comes from both. background in education, but also the training that I had in Intel. And I've really applied that to the AppSec world and thinking through, like, where someone might hide something or where someone might inadvertently put something, right? And so you could potentially have a circumstance where one of your dev team sets up a GitHub repo. They connect things that maybe should not be connected public facing, right? And, and, like, I have a GitHub repo. I have things that I put on there just to open source. Um, but I don't have anything that is Company facing public. Um, and I kind of keep those two worlds separate, but not everyone does that, right? You might just have the one single GitHub account and then you've just set up everything through that and then you inadvertently set something to public. Um, and so what we did was we. actually combed through to see, like, who are some of the employees of this company, right? So this is just general OSINT, so just general open source intelligence gathering. Um, you can do this through looking at places like LinkedIn. Um, you can also use a variety of different, um, people finders. The, um, OSINT tool set is really good for looking through those. Um, and then, um, You know, cross referencing that to GitHub repos that align with both company and name match. Um, so just simple searching you can do. You can set up a crawler to do this, so you can do it manually. Um, and for this particular client, we actually found that one of their lead devs, um, had a public facing GitHub. Um, and as you were combing through, what was actually in there was the content of that. Um, it actually had clear credentials that were, um, we were able to authenticate with. Um, so it was one of those finds that, um, we deemed critical, of course, um, and let the client know immediately, even though we're still working on the penetration test. Um, and also one of those finds that you're like, yes, I'm so glad I found this. Here, here, client, here you go. Um, please fix this immediately. Please rotate those credentials, check to see if anything was compromised, because if we found it, We didn't know how long it had been, I mean, you can see when it was, like, you know, most recently, um, had a, like, pull or, or a push request, but we didn't necessarily know, like, how long it's been on there, right? Who's viewed it? Like, you don't get any, um, necessarily data around, like, oh, who's looked at this? It's just out there. Um, who scraped this? It's just out there. And so, um, it was a great find, um, and also something that we wanted them to, to change immediately. And they, they took swift action with it too.
Chris Romeo:And it's something that happens more often than we would like to report, right? Like, it seems like it's an issue where we've had lots of, lots of visibility into it over the last number of years. There are even some tools that'll help you, open source tools that'll help you scan and find secrets that are in any repo, right? But it's, it just, it still happens. It's still, it's still. People are still accidentally making that mistake. And so it's, it's something that I'm glad you found it. I'm glad you found it before somebody else, uh, could find it and use those credentials to, uh, their own advantage, um, as a, as an attacker. So the primary topic that we were going to, we're going to discuss here is something I'm not even really sure what this means. And so I'm really, I'm really excited for you to explain it to me because I know what the words separately mean. I don't know what they, when we put them all together. And so this is the concept of assumed breach of red team engagement. And so I'd love Meghan, if you can just, just give me a high level picture as far as I know what red team engagements are. But when we add the extra assumed breach qualifier on the end, I'm not really familiar with that concept. So I'd love it if you could explain that as a way to start.
Meghan Jacquot:Yep. And we might be using the same terms to mean the same thing. And so, I always find it useful to define what we mean, right? We could be speaking the same thing, talking about the exact same thing, but meaning different things, or we could be meaning the same thing, so, um, the way that we use assume breach, um, it means that, um, you as a way. You know, good guy. Um, you is the person going into the system with permission with the rules of engagement with the contract. Um, you have access. Um, and so just like how a threat actor could gain access and they've done a breach, um, if you're doing an assumed breach activity, you are given access. Or you're kind of shown a little bit of a pathway in, and then you're going to try to see how you can pivot further. Um, and so it really depends on a client and how much access they want to give from the get go. Do they want to give you, um, a low level access? of a fake actual employee. Um, I've seen many different designs. And so the design part of this is actually quite a lot of fun because you can be very creative in how you design it. For example, um, we had one recent one, um, I think it was last year where they determined to create a new employee, but they were going to use employee credentials, um, as far as like email and everything that they were setting up, user ID, that were very, very close to an existing employee. So if someone did not look closely, they might see this and see someone in the system, their, their regular sysadmin might see that person and think, okay, yeah, that's, that's just Mo doing her thing. Right. Um, but it was actually the pentesters in there. And so, um, They were given that access, um, and then they're going to try to take it as far as they can. So there might actually be a goal, um, for these. So there might be a particular server that you want to try to get to that has IP on it, that has maybe, um, PII of customers or internal employees. Uh, so it really just depends on what the client is looking for, but essentially You have some sort of foothold that you start with, and once you have that foothold, you're navigating in, um, and so they're typically not, um, a black box type test, um, it's more of a, um, you, you're given something first, because the idea is that credentials exist out there, or people get phished, right? So if Access isn't the issue, right? You know, if, if a certain group really wants to target your organization, they can get that access one way or another. It could be like an insider threat, right? We've seen that before. It could be phishing. I mean, we saw that with the MGM, with the call center techs. Um, and it could be maybe just a compromise. Maybe there's password reuse happening. So there's many different ways to gain that initial access. So set initial access aside. Let's see what can happen once you already have a foothold, um, and where can you go. And then the way that I view this is different than a penetration test and more of a red team engagement is it's not that you're going through some sort of list and trying to see, like, oh, are there issues with the OWASP top 10? Are there certain CWEs? You're actually trying to achieve and action like a threat actor would do. And so that's where I was referencing earlier. Maybe you're trying to get to a certain like server database or something. Maybe there is a specific keys to the kingdom. Maybe you're trying to do a pure privilege escalation elevation. Maybe you're trying, maybe you actually do some fishing, like fishing is part of the rules of engagement for this, and you can do targeted whale fishing, and you're trying to get to some of the highest C suite level, or maybe the board. Um, and so there's different like angles you can take with it. Um, but the idea is you're, you're setting aside, um, the hack this piece.
Chris Romeo:So a couple of couple of clarifying questions Do you think that this style of test is Used more because our external defenses are becoming? more battle hardened and more difficult for attackers to come through like a, uh, buffer overflow in a Unix service or something. You know, I know I'm going way back into the days of old when that was the easiest way into any given system was to just find a vulnerability in a Unix daemon and use a remote code execution to Get into a shell inside of that and then use that as your way in. But do you think, are we just, are we getting better at security from a kind of infrastructure perspective? And does that also lead you to wanting to do this type of test or, or customers wanting to do this type of test?
Meghan Jacquot:That's a really good question. So, I think, It's the type of test that is really great for a mature organization. So they are going to be better with their infrastructure. They are going to be better with just detecting. They're going to have a dedicated blue team. They're not going to just be a security team of one or zero, right? Some of these smaller orgs, you have A security team that's zero people, one people, two people. So these are going to be the larger orgs. Um, and it's going to be an activity that then can be switched over into a purple team activity, essentially, because you can take the findings from this and see, well, what were we able to detect? How did we respond? Um, you know, okay, when the type of report you get for this is really different too. It's a narrative style report. And so as you're looking through that reporting and you're seeing the different things that the red team went through, are you able to align those with detection? Where is it in the logs? But you have to have all those systems set up in place in order to do that. And so if you don't have any of those detection systems set up in place, if you don't have a hardened infrastructure, you know, it doesn't make any sense to do this type of activity yet. So you kind of need to grow and mature to it. Um, and so I would say it really depends on where the organization is in their security journey. Um, you know, you, you start as a new org, maybe you're doing, um, maybe everything on prem and you're doing like shifting to the cloud or something like that. And then you're continuing on your security journey or you're doing various things throughout. Um, you know, we, we always have a risk register, right? It's never that there's zero risk. Yeah. It's just risk you've accepted. Um,
Chris Romeo:a job if the risk register was empty,
Meghan Jacquot:exactly, exactly, right?
Chris Romeo:all know that's not going to happen.
Meghan Jacquot:No, it's, it's, it's never going to happen. And so, so there's always something more you could do. There's always something different you could do, but it's making those choices, right? It's like, what's the business trade off? Um, and so as organizations get larger, they're going to need to make that continued investment into security, into making those choices for how they want to reduce their risk.
Chris Romeo:So I have another scenario then, that I'm just, I don't know if this is even possible, so tell me if this is even, if this is even a viable, assumed breach of red team style engagement. But have you ever had or seen an example where, There was a SQL injection that was provided, and all you had access to was the knowledge of a SQL injection. So not as much of a credential where you're into VPN in, or you're into systems, but you're starting with a known vulnerability to see how you can, you know, experience that lateral movement once you're inside the fence. Is that, is that a assumed breach of red team as well, or is this, is that a more specific pen test? Yeah,
Meghan Jacquot:That's an interesting one. So with the SQL injection, are you able to then gain access? So like, is it like you have essentially like a POC with that? Like, like you, this is a known avenue into the systems.
Chris Romeo:yeah, I'm just, I'm literally just making this
Meghan Jacquot:Yeah. And I know it's a hypothetical scenario.
Chris Romeo:I'm just curious if that's a vector that, that could also fit into this style of test, or is that maybe just something that's different because you don't have, because it's not credential based, it's not access based.
Meghan Jacquot:No, I think it can be different avenues of access. I don't think it needs to be that they actually created an account for you. or they turned over an employee that's no longer there and they reactivated the account or something like that, right? I don't think it needs to be one style of initial access. Um, it's more about what is, what is the goal once you have that initial access? Like, is it goal based or is it more, um, like you're looking at the ASVS and you're trying to correlate different weaknesses, something like that? So, um, I think it's, you know, You know, any way you can set aside initial access. I haven't seen someone do that though, that is a really interesting idea.
Robert Hurlbut:I wonder about situations where you already have customers who can sign up for a service and then they log in and they get certain privileges to be able to do work. We sometimes will test for Uh, authentication issues, just being able to get in, um, but when they don't have an account, but if you allow them to have an account, already have an account, is that part of also assumed breach, where they're already have certain level, uh, that they're in, or is it potentially beyond that? Is that maybe another scenario?
Meghan Jacquot:Yeah, so I, you can test in a variety of different ways, right? So you could say, we also want you to test authentication, um, and the workflows for that. And we want you to test if you have no login, we want you to test if you have a lower level login, we want you to test if you have super admin, and so you could set up a variety of different scenarios. If you start getting into the testing the authentication workflow with no initial access, you You aren't doing as much of an assumed breach, right? Like, I mean, that, like, we, we, we do standard pen tests as well. And so to me, that would start veering into like the standard pen test. And I mean, you're kind of slicing and dicing definitions here, right? Um, but it could be that someone has a standard pen test they're doing, and then there's some things that you're also provided access, but same thing. The goal is not necessarily. To move laterally throughout, right? The goal is to find application security issues. And so it's like, what is, what is the goal behind what you're doing?
Chris Romeo:Okay, I want to change, uh, topics a bit because I know we had, uh, talked about kind of CFP reviewing and, and whatnot. And I'm, I'm curious, uh, what your experience has been there. Um, you know, why, why would you recommend somebody be a CFP reviewer? Like, what did you personally get out of that experience?
Meghan Jacquot:Yeah. So it's absolutely something I would recommend wherever you are in your career. Even if you're new, there's some smaller conferences, um, that you might feel like you're qualified to review for. Um, I've reviewed for, um, OWASP as well as SANS, um, and I usually do the Diana Initiative. Um, so there's a few different conference series that I've reviewed for and I continue to review for, uh, and what I find is For me, like I'm, I'm somewhat of a creative person and sometimes that creative energy can kind of like have ups and downs, can wax and wane. And I find that reading what other people are doing, it sparks ideas, right? You can kind of see, like, even if it's not a particular talk that gets accepted, You can just see like, oh, this is how they set this idea up. This is maybe the research that they're doing, particularly with OWASP. You really see some cutting edge, um, ideas that are out there, some ways that attacks are happening, um, some proof of concepts, some ways that people are working on defense as well. And so I think that it's really fascinating to get to read through those, um, and help build a conference too. Like I, I love being part of, um, Our security community and getting to be able to attend a variety of conferences and meet up with folk. And, um, so there's something about helping build that to from the behind the scenes that I really enjoy. And then some of the conferences, like the Diana initiative, actually do mentorship with the CFP. And so you'll have. two rounds. Um, and so the first round, if you weren't accepted as a speaker, you can then say, you know, I wasn't accepted, but I'd like to receive mentorship. And so I've done that as well, where I will mentor someone in order to help them maybe get accepted in the second round. And I found that that's a really great way to give back as well too, um, because you can help, um, newer speakers. So I've, I've been speaking at conferences for, well over a decade now and, um, really, really enjoy that fellowship that you find, right? Where it's like you, you are learning, you're diving deeper into a topic to understand it in order to be able to present it. I kind of think that that's a, um, carry on of education, of teaching, right? Um, you're continuing to share with people things that you learned, things you found fascinating. Um, and, you know, the questions that you get at the ends of the talk too are, quite often, excellent. So it's like you have this piece where You know, it's full circle. So, um, you're helping someone get accepted to a conference, you're maybe mentoring them, and then you yourself are speaking at conferences and helps give you ideas too. So I think it's a great way to continue to be involved in the community.
Chris Romeo:Yeah, I agree. I've had a chance to, to be on the, the review committee for some big events and, um. It definitely challenges my thinking as well, uh, to be able to see the depth and breadth of, of where ideas are coming from. And, um, let me just give a piece of advice to everybody out there submitting for CFP, ChatGPT is not your friend, okay? I don't know how many, it's like so many this past year for a big conference that I, that I work with. Like you look at the thing and you're like, This is ChatGPT. Like, it's obvious that this is ChatGPT that wrote this. Like, so, like, one of the, one of the big things I always tell people is, like, as a reviewer, I'm gauging how much of my effort I should put in based on how much effort I think you put in. So it starts with a snappy title. If you don't have a snappy title, you're probably not going to catch my attention. Like, I've got 150 of these to review, and I try to give all of them But if you've got a snappy title, I'm always like, Ooh, that's a cool title. I'm pulling the thread, right? I'm into the abstract now, the short abstract. Like, um, so I think, but, but chat GPT is not the way to get accepted at conferences, and I think we're going to see that, you know, throughout the, all of the industries, like people are relying on it more to try to create content. to build creative things and human brains are still required to build creative things. So that was just a free, uh, free bit of advice for those trying to submit to conferences these days. But,
Meghan Jacquot:Yeah, even if you use it for idea generation, like, you still have to read through it. Like, it may not have written something that's actually sensical. It may partially align with what you were thinking about, but not. So it's like you have to have a certain baseline level of knowledge to even make sure that what it's sending out makes sense. Um, but yeah, another, another piece of advice that I would say if you're trying to send in for a conference would be really look at the requirements. So if the abstract is asking for 500 words and you wrote 10, You're, you're not going to get accepted. Like, even if those were the most beautiful 10 words ever, like you just literally didn't
Chris Romeo:the worst of times. Like you even put that in there. That's not getting in,
Meghan Jacquot:No, no. Beautiful prose. You're still not gonna get accepted. So yeah, it's a combination between writing to the right level of detail and not writing like total BS. Like, so yeah.
Chris Romeo:I'll throw another one in here just cause it's top of mind for me. I'm just, I'm going back through all of the things that I'm like, Oh, this abstract was good, but it, they, they, they missed this part. If you work for a vendor, you can, and Meghan is proof. I am proof. Robert is proof. Like we speak at big events because we don't make it about our company. Like so many of these, I'm like, Why don't you just put sales pitch in the title just put sales pitch colon and then the name of the talk you're gonna do It's like it's not even like and I guess what I've always done is I've always said, okay, what's a I certainly want to talk about the area that I'm excited about, the area that I'm working in, but what's something I can just give away for free that gives people value in our industry? And some people will come and buy something from me in the future, sure. A lot of people won't, but I can say I moved the industry forward because I came up with something, you know, my, my talk from last year, I did zero trust threat modeling, which I had a chance to do at OWASP and a number of other events. And, and the reason I got into it, I was like, I am passionate about threat modeling. I wonder what happens if you put a blender. And you throw zero trust and threat modeling in the same thing. How would I do it? And then I built a methodology for how to apply it. I came up with a list of, of a mnemonic for threats that people could apply. And then I just threw it out there. Like
Meghan Jacquot:You just, you just shared it. Yeah.
Chris Romeo:it's for the, and I hope people are using it somewhere that I had that, that I hope they'll tell me at some point they got value out of it, but I hope people are using it places I don't even know about. Right. Because that was my goal was to, and, and Meghan, like you, I'm a teacher at heart. I taught my first college class when I was 18 years old. That's a different story for a different day. Um, that was, uh, when people didn't know much about computers and, and I grew up in a place where I had lots of computers as a, as a young kid. And so, but that's, that be, and, and Robert's the same way, like, you know, we're teachers at heart that do other things, but like, we can't, you can't take the teacher out of you once you're, once you've got that mindset, it's all about, and that's how you get into conferences though, is by having that approach and that passion, but also just being willing to give things away. And people will be like. You should charge for that. Yeah, I probably should, but I'm not going to because this is how, this is how we make our industry better. So that was a bit of a rant about, uh, CFPs and all those other things. But Meghan, what other communities? I know we don't have a lot of time to dive deep into these communities, but I love for you, we talked about WeCyS already, talked about Diana Initiative, um, what other communities are you involved in that you want to draw some attention to?
Meghan Jacquot:Yeah. I'd say the other two that I'm pretty involved in are OWASP and DEF CON. Um, so with OWASP, um, I've been a CFP reviewer for years. Um, I was their volunteer coordinator for the, um, Washington DC conference in the fall of last year. I think, Chris, I ran into you there. Um, And I just, it's, it's a great organization. Um, you know, there's always something new. There's always a new project. There's always a new thing to kinda be paying attention to and, and learning more from. Um, and so I, I find that those are really rewarding experiences. Um, I've, they're, they're working on switching over to the application security verification standard 5.0. Um, so I've helped out a little bit with that, um, working group. Um, so just really enjoyable experiences that I've had with fellow professionals. Um, and then, um, DEF CON, um, Hacker Summer Camp in general is like one of my favorite weeks out of the years. I think it's for many of us. Uh, and so I had the pleasure a few years back to get recruited to be, um, a goon. So first you start out as a noon, so you're a new goon. Um, and then if you make it past year one, then you actually become a goon. Um, and then you become a coin goon later on. Um, and so I'm in the SOC, um, where the people on the floor are yelling and, like, trying to make sure everyone's having a good time and having squeaky chickens and such, so, um, it's, it's a good time, um, very much so, so.
Chris Romeo:Very cool.
Robert Hurlbut:Yeah,
Chris Romeo:Alright, well, it's time, Robert. Robert is now famous or infamous, I can never remember what word I'm supposed to use, which adjectives describes this section of the podcast, but it is our lightning round, so Robert, take it away.
Robert Hurlbut:you bet. Well, Meghan, our lightning round, we have three questions. So the first one is controversial, uh, potentially, uh, but what's your most controversial opinion on application security and why do you hold this view?
Meghan Jacquot:So, I guess it would be, um, build empathy with beg bounty people. So, imagine you get that annoying email and you're like, oh, why is someone even sending this? I'm just going to ignore it. Um, so either figuring out. Um, some sort of VDP process that you might want to build or just thinking like, Hey, the person who's sending this, we don't know their circumstances. We don't know their background. Um, and they might be sending it out of duress. Um, and so just trying to build empathy, even if something is really, really annoying.
Robert Hurlbut:Our second question is what would it say if you could display a single message on a billboard at the RSA or Black Hat conference?
Meghan Jacquot:So I'll, I'll be at RSA. Um, and. I, their theme this year is I'm possible. Um, so I think as a woman who didn't start in tech and is in cybersecurity and on the more technical side of things, assign this as I'm possible.
Robert Hurlbut:And number three, uh, what's your top book recommendation and why do you find it valuable?
Meghan Jacquot:So it's a book that's not a security book, but it's, um, looking to see if I have it on the shelf over there. I, I don't see it. Um, but it is a book called How to Have Difficult Conversations. Um, and it's an allegorical style, so kind of like, um, Phoenix Project, um, and I, I just find the writing to be really compelling because you never know when in your career you might need to have a tough conversation and it could be with direct reports, it could be with someone above you, it could be with a colleague, whatever level. And it, and it doesn't just apply to professional life. Um, it, you know, it can apply to personal life. And so I think it's a book that everyone should read. Um, I actually, when I read it, um, I actually bought a copy for everyone in my family, my immediate family. And not to say like, oh my gosh, like we're so like conflict filled, but I just think it's a really useful. tool to have in one's tool belt for having those conversations, um, that maybe you might ignore, but maybe you should have.
Chris Romeo:that's really neat. And then we can't forget your other book recommendation. Which I've already, which has nothing to do really with the podcast other than we were talking about, uh, Henry Winkler before, before we hit record. And Meghan pointed me to Being Henry, The Fonz... and Beyond, narrated, or that's by Henry Winkler. This is his, uh, I guess autobiography, right? That's sort of
Meghan Jacquot:Yeah, yeah, it's an autobiography about the Fonz, but also his life beyond that, that he just recently wrote, so, which is impressive itself.
Chris Romeo:I, I read a lot of autobiographies. I don't know. I just, I'm fascinated by, you know, What, how people, people's stories, ultimately, it's why we ask the origin story is the start here. Like it's, people's stories are just fascinating, like what they've been through and things they've overcome that you would never know just by, you'd look at them and say, that person's life is easy. And then you look at their, you know, Their story is like, no, it wasn't like they had to fight for their life at a certain age, you know, to be successful. So, all right. So Meghan, what about a key takeaway? Something you want to leave our audience with here? Uh, that's potentially they can, you can give them homework if you want. That's allowed. I mean, you're a teacher, so I mean, you're, you're going to be all in on giving people some homework and having them send it in and checking it and grading it or whatever, but what are you,
Meghan Jacquot:I don't actually use, I didn't actually use red pens. So I would actually use, usually use green pens when I was doing grading. Um, but yes, um, I, I will grade your homework. Um, so I would say that wherever you are in your career, you know, you might be, you might be new, you might be, um, C suite to executive level. You have something to share and give back to others. Um, and so you might think to yourself. No, I don't know anything yet. You know, you might have a bit of imposter syndrome, what have you. Um, but you do, you're, you're further along than someone else's. Um, you got to where you are through, you know, your unique origin story and you can share and give back to others. Um, and so I think that would be my key takeaway is that you always have something you can do to share and help others from what you've learned. Um, and I would encourage people to do that.
Chris Romeo:Very cool. What a great, great key takeaway. What a great way to end our conversation. So Meghan, it's been, uh, it's been excellent to have you on the podcast and, uh, we'll definitely do this again at some point in the future and, uh, hope to bump into you at RSA, even though there's 50, 000 other people, but it's funny how you bump into
Meghan Jacquot:You do, you tend to.
Chris Romeo:statistically we should never have actually been in the same physical vicinity, but we end up, you end up bumping into people in the hallway and like, Hey, how's it going? So it's a
Meghan Jacquot:My friend calls it the vortex. It's like you're, you're being brought together in a way that was meant to happen.
Chris Romeo:I like that. That's really cool. So, all right. Well, thanks Meghan. Thanks for being a part of the podcast.
Meghan Jacquot:Thank you both.