This is an article from my "Dev Chats" series where I speak to an awesome developer or techie every week or so. You can read more here. Let me know in the comments if you find these useful to you!
Hi! I'm Kristina Balaam. I'm an Application Security Engineer at Shopify, based out of our Toronto office.
I had been interested in security for a long time, probably dating back to high school. I had a self-hosted blog that someone was leaving really inappropriate comments on. I managed to trace their IP address to a computer from my school. A bit of social engineering helped me figure out who was responsible, and I was able to talk to him and stop the behaviour. Unfortunately, my CompSci program didn't really offer a true computer security course; a lot of fundamentals were baked into other classes. I always figured I'd need to enrol in a Master's program in order to focus on security. That became my ultimate goal: pursue a master's part-time and eventually transition. However, I learned that there were actually a number of computer security programs offered by colleges and universities, and some were even available online. I enrolled in a couple of post-grad certificate programs: one through Stanford University, Advanced Computer Security, and another with Ryerson University, Digital Forensics and Cryptography. While completing these, I was thankfully able to transfer to a role in the Application Security team so that my day-to-day work aligned more with my overall career goals.
There are a number of things that excite me about the space, but I think my interest lies mostly in the protection of individuals. We're living in an increasingly connected world, and we hear stories about baby monitors being hacked and strangers saying inappropriate things to toddlers. That power and access to individuals' lives is just unacceptable, and I'd like to be a part of the solution.
Don't get hung up on not having some kind of designation or degree. Start learning as much as you can, hacking on apps (legally), getting involved in a bug bounty program, and make sure you're able to demonstrate that you understand the things you're learning! Most security teams are wildly understaffed, so if you can demonstrate passion, perseverance and competency, you should be able to find a position that will also help you to continue to grow!
My Instagram following has only really developed in the past 6 months, but it has been wonderful for networking and facilitating introductions with others in the field!
It has absolutely been to prevent insecurity and self-doubt from holding you back. I've struggled a lot with "imposter syndrome", and have come very close to turning down opportunities because I didn't think I had a hope in hell of being successful (Shopify was almost one of those!). I still struggle with it, but have found it's an almost universal struggle and discussing it with others has been really cathartic.
Never stop learning. Our industry changes so quickly, and although it's impossible to be an expert in every field, staying in tune with pertinent issues and technologies is super important. I really don't believe everyone needs to go back to school or continue to learn in some sort of structured, institutionalized way; it just happens to be how I learn best. We have so many incredible resources available -- free classes online, blog posts by experts in the field, meet-ups, hackathons, conferences, etc. If your company doesn't support your professional development, they're working against their best interests. If they do provide support for professional development, make sure that you (responsibly haha) take advantage of it to avoid stunting your growth!
Always T-Rex arms, but preferably as a typing cat gif.
I played the piano for 17 years, and although I'm rusty as hell right now, I do still try to practice. I ended my dance career in university, but have replaced that with running and cycling and yoga. I'm also involved with the vegetarian/vegan community here in Toronto. I'm currently learning Mandarin, which I think is likely the most beneficial hobby for my career.
I'm going to shamelessly plug my coworker Peter Yaworski's book, Web Hacking 101. It's a truly fantastic resource, and the foreword was written by the founders of the bug bounty site, Hacker0x01. I'd also recommend the CyberSecurity Humble Bundles. They're only available occasionally, but are a great deal. The books are presented as PDFs, are incredibly inexpensive, and a portion of the proceeds goes to charity. I also think hands-on practice is really important. There are CTFs (Capture the Flag competitions) offered in most major cities, and there are also a number online as well. Having a chance to actually try hacking into a vulnerable web, mobile or desktop application is a great challenge (and won't result in an arrest!). A quick Google search for "Online CTF" or "CTFs in <your city>" will return a number of great options!
I'm really passionate about mentorship, so if you have any interest in getting into the security industry, please don't hesitate to reach out to me on Twitter (@chmodxx_) or Instagram (@chmodxx)! I'm still pretty new myself, but I'm happy to share what I've learned thus far :)