
I give you the 10, 5 and, okay, so I'll be somewhere around here. All right, cool. All right folks, if you could take your seats, our next speaker is about to get going. This means you. Alright folks, if you could please put a big hand together, BSides Toronto hand together, for an Lara Ana Lorimer, and sorry about that, and her time and her talk, "Security Internships: Bringing the Next Generation of Hackers".

Hi everyone, thanks so much for having me. This is actually my first time giving a talk at a security conference, and you all have been wonderful. So, kind of changing, sorry, kind of changing mindsets from thinking about malware and how to break things,
instead I want to talk about how to make things better and bring people into this super awesome community. Today I want to talk about internships. I want to talk to you about how you actually, like, why they're important, how you structure them so that both you and your intern are set up for success, and how you actually find, like, a real human intern. Um, we are out there, I promise. Um, so my career so far can basically be described as professional intern. I've done six internships and a wide variety of things, um, and they've been absolutely vital to making my career in security, and I think they're, like, a really great way to help bring people in and just
make this industry, like, the best it can possibly be. Cool. So like I said, today we're going to talk about why internships are important, what makes an internship actually good, and how to find a real live, living, breathing human intern. This has been my path: I started out in QA, I went into some web development for a while, and then I finally broke into security, and I'm currently doing my undergraduate degree in computer science, and basically they really only trained me how to be a software engineer. No one along the way told me that I could, like, break things for a living instead of building things for a living, um, which kind of really sucks, and I've
been really into security for, like, ever, and until, it wasn't until my, like, at my third internship that someone was like, "hey, you're really into this stuff, you should do it for, like, money." And it could've been any one of you in this audience who had given me that push, and without that push I really would have never gotten the confidence to go after these internships and these jobs or to pursue security as my full-time career. So, kind of giving you a hint about why internships are important, but let's go into depth. Obviously internships encourage newcomers to go into security. We constantly talk about how hard it is to hire a good security person in this
field and that we constantly have all these open jobs and no one to fill them. Giving people the opportunity to learn all these skills through internships and to bring them up that way, it's a really awesome way to help make this pipeline a little bit less broken and get people in there in the first place. It's also a really good opportunity to find out who on your team would make a really good manager. Being able to work with junior people is absolutely vital to running a team, and if someone can't handle a team of one, they certainly can't handle a team of many. Finally, interns are going to be the full-time people of the future.
Hiring interns is a really low-risk way to find out if someone is a good fit for your company. You know, after, like, a few weeks or months they're working into place, you basically get to see how they work, how they interact, and then their contract ends and you can decide if you want to bring them back or not. And that's, you don't really get to do that with other traditional avenues for, like, full-time hiring. When you go through the interview cycle, you hire someone and then you find out; with interns you get to check beforehand. And the thing that I really want to bring home here is that it's actually really hard to break into
security, pun 100% intended. Um, journey is unlike other software engineering disciplines, where there's actually a really high barrier to entry to get into security. You know, if you wanted to be, like, a Python developer, you can literally just Google "how do I learn Python" and you get, like, 15 different tutorial websites and, like, 15 thousand different Medium posts going into, like, the intricate details of how you could learn it, and the counterparts for security aren't as readily accessible. You know, software engineering even has, like, Cracking the Coding Interview, which is, like, a whole book dedicated to how to get a job in that field, but, thing, the counterparts in security, like Microcorruption, Google Gruyere, OWASP, their, I
think it's called Juice, their framework for practicing with hacking, you often know, like, basically how computers work at every level to do those already. Like Microcorruption, you have to know how to read assembly, which I, I don't, I barely know how to do, and it's definitely really hard to expect someone who's an entry level just starting out in this to also know how to do. Internships can really help break down these barriers. Like I said, you're learning skills on the job, you're helping teach people as they're doing stuff. It's not like they're doing these little practice things on the side to get better; they're actually doing the real work that we all do on the job
every day. Hopefully you're now convinced that interns are great and we don't just break things all the time. But internships can go one of two ways: they can be really great or they can kind of not be so great, and there's a couple different things I want to talk about and how we can make these the best we possibly can. The way I see it, there's, like, two major parts to an internship: there's the actual learning environment that you put the person in, and then there's the actual project that you have them work on. So let's start with how you make a good learning environment for an intern. Creating a good learning environment involves buy-in from every
level of your organization. You know, if someone's not on board with having an intern, it shows, and your intern will definitely pick up on that. And there's nothing, a couple things that we want to do and a couple things that we don't want to do, so let's start with what we want to do. Talk about expectations and goals. Intern, your intern is basically coming on to work full-time for however long their contract is, and you should expect to have the same sort of interactions with them as you would a full-time employee, in terms of talking about what their career goals are, talking about how their tasks are going, if there's something going wrong in the
project, and basically having this open dialogue through something like regular one-on-one meetings. You know, maybe this is weekly or it's bi-weekly when you start. Depending on your intern, they might be like, "I'm good to go, I can only talk to you, like, once a month now," but definitely, beginning, expect to interact with them a lot. They're going to be kind of nervous and they're going to want to do so well, and they just want to know how they're doing. The other part of an open dialogue is mentorship. So mentorship is when someone who has a lot of breadth and knowledge and experience in industry helps guide someone more junior through their project and their tasks in their day-to-day work life. This
has been, like, I can't explain to you how helpful mentorship has been to me, in particular the internships where I've had an assigned mentor who's basically, like, signed on to be my go-to person for when I'm stuck, when I need help. As an intern it's really, really intimidating to ask people for help. You already kind of feel like you're a bit of a burden on your team, because everyone's just doing their job and you're there trying to, like, sponge up everything they know and not get in the way. But like I said, having someone who's signed on to be your go-to person just makes it so much easier. You feel so much more comfortable and you learn so much more. How many
people have heard of sponsorship? Right, it's not a really well-known thing, and this is, it makes it really sad. Sponsorship is when someone who's playing usually higher up in your company vouches for you. So for me this was, a really example of this was actually the first time I gave this talk, back in Ross Portland, was someone up, and someone up higher in the company I was working at said, "you know what, you should put your name in for this," or like, "I'll put your name in for this." And that's really great, because as an intern I didn't have a lot of leverage within the company or the community to be like, "I'm going to go do that," but someone who is
higher up and had a little bit more know-how within the community, a little bit more respect to the community, really leveraged that to help make my career better. Okay, so what don't we want to do? I'm gonna go over a couple social rules here, which you may or may not have heard of. The first one is called feigning surprise, and feigning surprise is when, say, your intern comes to you and they are stuck on this buffer overflow problem and you look at it and you go, "man, that's super easy, I can't believe you can't get that." And the other one I heard once was, "Wow, I can't believe you don't know who Zero Cool is." I was born
in 1995. Feigning surprise really just makes someone feel like crap for not knowing something, and it's, it's just totally detrimental to making someone feel like they're in an environment where they can learn things. And the only reason someone doesn't know something, it's because they haven't had the opportunity yet. So give the person the opportunity to learn it instead of getting them down for not knowing something. Say, "oh yeah, that was really hard when I first learned it, so let's nerd out about it together and work through this problem." You don't have to, you can make it such an awesome opportunity to share your knowledge rather than dunk on someone for not knowing something. The other thing that I
really, really want you to keep in mind is gatekeeping. Gatekeeping is also one of those ones where I feel like people haven't heard of it much, but gatekeeping is basically when you guard knowledge until someone has somehow proven that they are deserving of it. A really typical way that this gets expressed, actually in the functional programming community, is that they set up this artificial barrier where you have to know a bunch of, like, Laki boolean mathematics and able to do, to do functional programming, and this isn't true. You can go out and, like, learn Haskell or whatever without knowing all the intricacies of how formal logic works. So they set up this artificial barrier for you to start doing this
thing. In security this might be something like, "oh, you can't do SQL injection until you know how to do buffer overflows," or, "oh, you can't do cross-site scripting until you have, cross-site scripting vulnerabilities until you've done SQL injection." You set up these artificial barriers for people to start doing things, and there's really no reason to. There's no connection between needing to know how a buffer overflow works and how SQL injection works, at the bare minimum when you're just starting. And finally, I, one of the things that happens when you start bringing people into this community is you work with people from different backgrounds. Subtle -isms refers to when you are subtly racist, sexist, homophobic, transphobic, ableist, all of that jazz.
These will encourage people to leave this community. I myself have been on the receiving end of things like, "wow, you're really good at security for being a girl," which, like, you laugh, but it really does make me feel like I don't have a place in this community. And we're all guilty of this. I've certainly done it, I'm sure everyone in this room has done it, and the best thing to do in these cases is to apologize, educate yourself, and educate yourself again. Doing things like this can make a huge difference in keeping people in this community and helping people bring them in. So now we have an idea of how an internship should work. We know how to make an intern happy,
how to encourage them to stay here, but an intern actually needs to do something during their internship, and that's usually in the form of a project. And like I said, interns have this really bad rap for breaking stuff all the time. I know I definitely have friends who've done internships and caused, like, sev ones, which is a good learning experience, I'd like to point out. But I really, really, really can't encourage you enough to give your interns projects that are meaningful to your organizations. When you give an intern a project that has no hope in hell of seeing production or a client using it, you silo them off and isolate them from seeing just how cool
it is to work at your company and just how cool it is to work in security. When you give them something that matters, that you get invested, they start to think it's really cool to work at your company. Now, this doesn't mean that you have to give your intern the absolute mission-critical, you know, "if this doesn't work our company's gonna go bankrupt or all gonna be have jobs" kind of work. A really good example that I heard was give your interns the nice-to-haves on a project. So maybe there's, like, one or two features, like, you know, maybe it could just be a little bit clearer how it sends this thing, or, you know, adding documentation to a
project that has an impact but won't cause a sev one. These projects mean a lot to interns. We get to work on stuff that actually matters, but you don't have to worry about it breaking everything. The other thing to point out here is that interns talk to each other. If you give your intern a super cool project that they think is awesome and has a lot of impact, they will tell all their intern friends, and your company is suddenly the coolest person ever to work for. And I can't vouch enough for, like, the intern back channel, like, network as advertising for your company. It's amazing, like, your hiring pool just expands exponentially when the interns think you're cool. So we
kind of know, we have an idea of how we should treat interns in the workplace, get them work that's valuable, but now we actually have to find an intern. The good news is that there is a lot of us out there. A lot of us are super enthusiastic. We are all graduating and are terrified of what we're going to do with our futures, so there's a lot of us out there, it's really good. The mediocre news is that often we have trouble finding these opportunities or accepting them, for reasons I will get into. So you can physically find us at things like conferences. CUSEC in particular is one I want to highlight. I realized the graphic
kind of sucks, but it's the Canadian Undergraduate Software Engineering Conference, and basically it is 300 Canadian undergraduate students crammed into one hotel for three days, and they are all looking for internships, and they are all very excited to be looking for internships. They've been practicing their interview skills for months and they are ready to go. I also really want to encourage you to go to things like CUSEC that aren't directly security-related. One of the great ways, one of the really important things about this community is we need to bring in people who don't have a traditional security background. Like I said, I started off in, like, QA and web dev and broke into security. We need to really,
really think of those people who are really into security and just need a helping hand to get into it through something like an internship. Twitter is also a really great way to find us. Every intern ever follows the companies that they want to work for and the people they want to work for on Twitter, and guaranteed that if you tweet out that you are looking for interns, they will reply incredibly enthusiastically. Mailing lists are also a great way to reach out to us. Universities often have a kind of job hunt mailing lists or internship mailing lists. My school in particular has, like, a really formal way you can do it, but if you don't want to do that you just shoot
an email to them and asking if there's a mailing list. And finally, going to, like, physical meetups, again maybe not security related, are a really great way to find us as well. A lot of us go to these meetups to try and get a feel for what it's like to work in an industry, to see talks given by people, to kind of see what companies are about, so we're really great way to find us there. I also want to insert your local university / college here. Like I said, my school in particular has this big formal program where you can go through co-op, but often you can partner with companies on campus, or clubs on campus, sorry, or committees
on campus to run workshops, have talks, give a panel. I know in particular the computer science club and the Women in Computer Science Committee on my campus are super, super active around this, and we love it as students, because you come in, you talk to us how cool your job is, we get to learn something new. Especially if it's a workshop, we really, really like those, because it's like an internship condensed into a few hours or a day. And yeah, there's a really, really great way, there's a really great university network out there you should definitely take advantage of, or, if you want to find an intern. The reason an intern may not be able to accept
offer really comes down to pay and housing. For reference, I pay about $7000 a term in tuition before additional fees, and if you can't pay me enough to help me support that, I can't take your internship. I just can't, and that makes it really tough. So I really encourage you to pay interns above minimum wage; upwards of $20 an hour's usually best. I looked up the stats from my university of how much interns get paid, and at least by your second internship you're looking at 20 dollars and up, unless you're Facebook and you're paying your interns, like, 50 dollars an hour, but that's Facebook, they're rolling in dough, they don't know what to do with it.
Another thing that really helps with us is housing stipends, helping us pay for rent. My last internship I wouldn't've been able to take if they hadn't helped me pay for housing. Transportation is also really important. It is expensive to use public transportation pretty much anywhere in the world, so helping us pay for bus passes or transit passes in general may really, really help us take your internship. Your company will also get an amazing reputation, and interns will love you forever and will want to work for you full-time. I also really encourage you to give us the opportunity to negotiate. This isn't, again, we're really trying to figure out what it's like to work in this industry, and negotiating
offers is part of that, and accepting an offer may come down to you being flexible around how much you give us for housing or giving us one or two extra dollars an hour. Now, I just told you that Facebook pays their interns, like, 50 bucks an hour, and you might be going, "oh, my organization can't do that, my company can't do that, we're, that's too much for us right now," and it's really important to recognize if you're not ready for an intern. If you don't have team buy-in yet, if no one wants to sign up to be a mentor, if no one wants to sign up to be a sponsor, it's probably not the right
time to take an intern, but there's other ways you can help. Sponsoring conference tickets is life-changing for a lot of people. This year there's a really big push to get, I think it was 40 women in the end, to Def Con, and that's 40 people who went to the biggest security conference ever and who learned how, how cool this industry is and who wouldn't have been able to get there otherwise. Running workshops is also life-changing for a lot of interns and people looking to work in this industry. It's like an internship but condensed. Like today, we're doing the Kali Linux training, and that's all stuff you could learn on an internship, but it's been condensed down into this one day, and that's really,
really awesome, and that's something that these people can put on their resume to get more internships or to get a full-time job. It's also a really good opportunity to do PR for your company, because if you give interns, like, free access to your API for a day, or they get to use your hardware for a day, they will want to work for you and they will tell everyone about how cool your company is. And lastly, pay for licenses. I've been really lucky, a couple internships I've worked at have covered things like my Burp Suite license, which has let me continue to educate myself and continue to get better at what I do. This is, again,
paying for tools, of helping people to learn things, and they will think your company is the greatest, and they will be so much better when you go to hire them full time. To reiterate, internships are valuable for everyone, not just the intern. Your organization gets to find out who would be a good manager, who would make a great potential full-time hire, and we generally bring really awesome people into this industry. When you give interns meaningful projects, they think your company is thebomb.com and they get to actually learn about how cool it is to work in security and how awesome your company is. And also bring new people into the pipeline through things like going to conferences that
aren't directly security-related. There's a lot of people like me out there who felt like they could literally never hack it to get into security until someone gave them the opportunity to do so. That's it for me, thank you for having me. You can find me on Twitter here and the glycerine - awesome project, and if you want to learn more about how to create a good learning environment, I can't recommend the Recurse Center social rules enough. They're basically a retreat in New York, and they spent a lot of time working on their documentation about how to create a healthy learning environment for people. Thank you. [Applause]
I can take questions, I guess. Yeah? Yes, I
don't want to be without any names, um, so a project I worked on recently was, so the company I was working at, we regularly interacted with every other team in the company to do security reviews for whenever releases went out, and we had this super janky script that let us know when a team was requesting a review through JIRA, and it broke at least once a week, often spectacularly. And it wasn't like something that was mission-critical, like, it worked well enough, we found out about them, but my project was to rewrite it and to make it more robust and to integrate it into Slack, actually, and it just made such a huge impact. We actually discovered that
teams had been created that we didn't know about or requesting security reviews. So yeah, it's really an example of something that wasn't mission-critical; the company would have survived if I hadn't redone it, but I got to see, like, how much happier my team was, and just people would come up to me and be like, "it works so well now," and that was really rewarding. Yeah? Yeah.
It, yeah, I can really only speak for people from my school, but our first-year education is pretty comprehensive; we can go straight into development usually. For security things in particular, security's something that's not really taught in universities, especially first year. I think buffer overflows are mentioned once in my entire first year. In terms of how much you can expect an intern to know, I think that's definitely something that would fall under talking to your intern, and when you do interviews, see where they're at. It's hard to, like, blanket knowledge, say, like, an intern will know how to do this, because we're all different and we all have different experiences and backgrounds, but if you have, like, a thing
in particular you want an intern to work on, put that in your job description. Yeah? Sorry, that's bliss our guide way in the back.
and how much they've taught themselves outside of university sometimes. I'm gonna counter that a little bit, just because the interns are will like husband no the shortcomings of our education will often go out and teach ourselves the things that we think are cool. This has been especially my experience in security, like, I had to go and teach myself everything. But yeah, it depends. Sorry, that's the best I've got. Yeah? Yep, exactly, and take your internship as an opportunity to teach them those things you're looking for. Yeah, thanks. Oh, so many hands.
Mm-hmm. Yeah, so the question was, is it better to have an intern work on something completely that they don't, they've never worked on before, or to have them jump in on a project that's already existing. So your question more on their back, on their skills, right?
Mm-hmm, okay. It depends. I started out in web dev and very much did not want to continue doing that, so I really looked for something that was going to take me on and teach me something completely new about security. But some people decide really early on what they like, and they do want to hop onto those projects and continue to grow in that vein. Again, it kind of comes down to if you have the resources to teach someone something completely new, or if you only have the resources to help someone, like, have someone who's more advanced and jump onto a project and kind of almost consider them a full member of the team at that point. You can structure, you can
decide early on which one you want to do. It doesn't have to be, like, you get an intern then figure that out. You can put in your job posting things like, "I'm, we're looking to teach this person everything they need to know," is a really helpful thing when interns are looking for jobs, and it's really clear about what your expectations are then. Does that make sense? Yes?
Yeah, my best advice is to not back down. Especially when you're an intern, you feel you have absolutely no leverage at all, and that feels horrible, but if the company does give you an offer, they want you to work there. Use that. Definitely come in with examples of things you want, like say, "I need a bus pass, it will cost you this much," or, "I looked up rent here and it is this much, I need you to help me out with that." Yes and no. If you have multiple offers, I know people who have leveraged that. In a perfect world you have multiple offers and you can leverage that, but yes. Okay, if you want
to talk to me, I'll be hanging out in the front, happy to answer more questions. [Applause]