‘Find out what sparks joy’ – YouTube educator and security expert Katie Paxton-Fear on carving out a successful infosec career

“Computing history is genuinely amazing,” mused Katie Paxton-Fear during a Q&A session with The Daily Swig last night.

Yesterday (October 12), we celebrated Ada Lovelace Day by hosting an Ask Me Anything (AMA) session with hacker, educator, and infosec industry figure Katie Paxton-Fear.

Paxton-Fear, whose many contributions to the industry include her free education hacking tutorials on YouTube, lecturing at Manchester University, UK, and triaging for a popular bug bounty platform, joined us on Twitter to mark the annual holiday that celebrates women in tech.

Ada Lovelace, the daughter of famed poet Lord Byron, is lauded as the pioneer of computer programming after publishing the first machine algorithm back in the 17th century.

Each year, she is the face of a campaign inspired to educate and inspire women in STEM, both today and in the future.

If you missed our live Q&A, here is a roundup of the best advice from the night, including how to start a career in infosec, what bugs are best for beginner hunters, and how to switch off from an ever-switched-on industry.

Thanks to everyone who sent in their questions with the hashtag #SwigAMA, and of course to Katie.

Daily Swig: Did you have anyone in infosec/tech/STEM that you looked up to while you were growing up?

Katie Paxton-Fear: This is such a good question, not really, like many young girls I didn’t feel like people like me were trailblazers in tech. I’m glad we now celebrate Ada Lovelace Day because that is changing a lot. But even though I never had someone to look up to [in the industry], my family really encouraged my passion for computing even at a young age, and from that I think even though I didn’t have someone to look up to, I had a dream to look towards instead.

I remember as a kid I told my dad I wanted to make Neopets, and he bought me ALL the web dev books after that! I never did remake Neopets but I think I have the skills now!

DS: Why do you think Ada (Lovelace) is one of the coolest people ever?

KPF: So I am kinda a computing history nerd, so in my mind the coolest thing she did was write instructions for a machine THAT DID NOT EXIST, LIKE WHAT? How do you even do that? I sometimes get errors writing hello world applications!

Related: one of the reasons I am also really interested in the colossus computer from Bletchley is because it deciphered a code and the allies did not even see the machines which produced the code until after the war. Computing history is genuinely amazing.

DS: If you could change one thing about the industry, what would it be?

KPF: I think greater collaboration. I was a dev [developer] for a time and I definitely had the not a ‘me problem’ attitude. Security was simply someone else’s problem. And then I was the only one in when the production servers got ransomwared and I had no idea what to do apart from panic.

This doesn’t stop at tech though: I know a lot of folks through my knitting club who aren’t great with computers so I try to help out with their security when I can and give them some advice.

P.s my solution for the ransomware was simply to turn off the server and cower behind my boss as he sent the entire company home early.

Ada Lovelace, as sketched here, is considered the pioneer of computing programming

DS: What do you think about the trend of researchers giving a vulnerability a name, logo, website etc – is this necessary?

KPF: So as someone who is dyslexic I cannot remember a single CVE number, but I can remember ImageTragick which I think is a pro. I know it’s a bit dramatic overall. I really do think the names help users and practitioners communicate without confusion.

I wish we had more soft and cuddly names instead of what could be death metal band names. Where is the ‘sparkle unicorn friendship attack’?

DS: What are your thoughts on the new OWASP top 10?

KPF: Oh this is going to get me in trouble! I overall like the top 10, but I think it represents a general trend of lumping all web dev together but with that it ends up being very general. Maybe like we have an API top 10 we should have a JavaScript top 10, enterprise top 10 etc to better describe the hodgepodge of tech the modern internet has become.

I am glad to see SSRF get a mention, I think it’s somewhat misunderstood, and I do think ‘Injection’ as a catch all is more ‘future proof’ than XSS/SQLi. Plus I think using a data driven approach was a good call overall.

DS: Is it okay to have experience in any sub-domain of IT (e.g. tech support, dev, testing) before stepping into security roles? Will companies actually consider those people?

KPF: Yeah for sure. I think it’s all about how you position your career, really making sure you go for every opportunity you can, if your employer gets attacked, you can make the point that training you would be a good way to prevent it in the future. It will take time though, and it’s important in job interviews to not lie about your experience but look at how being in support for example can transition into security (e.g empathy for users). Things like bug bounty [participation] can help a ton in getting experience outside of work!

DS: How did you get started in cybersecurity? What suggestions would you have for others starting out fresh?

KPF: I think my biggest advice is to not to get attached to one field right away, spend some time figuring out what about security really sparks joy for you. There are SO MANY careers in security from techies to creatives to people-people and everyone in-between, it can be easy to get overwhelmed, so I’ve found friends and mentor figures have really helped guide me and advise on what opportunities are out there. And while I may never do forensics and investigate a crime scene, the experience was really fun and I had a blast learning!

DS: What made you decide you wanted to work in infosec?

KPF: I kinda ended up here accidentally a little, I finished Uni and got a graduate job doing software engineering and data science, and one day at lunch I realized wow I don’t like my job, and decided to apply for a PhD. Now unfortunately I realized this in October and PhD admissions were closed.

So I didn’t have a lot of choice in my field (natural language processing), I went for the PhD that combined both NLP and infosec and originally it was just a domain for my work, but within a year I found myself really interested in security!

DS: [What is] the first bug that a beginner with basic knowledge in bug hunting can start learning?

KPF: I cannot stress this enough, IDORs! They don’t require technical skills, just perseverance and they are EVERYWHERE.

Seriously they are one of the most common bugs and while the impact of some can be low, depending on the organization they can be high or critical, especially with the current direction of the modern web – I think they will take over XSS. Best way to find them is to sign up with two accounts and see if you can do actions to account A while using the cookies of account B.

Katie’s YouTube channel provides free hacking education tools and resources

DS: What is one thing you suggest infosec people do to take some time off and relax?

KPF: I think it’s important to have a hobby away from the computer. I can’t stress how much getting away from the computer helps me to think and process as well as randomly get inspiration. I really enjoy knitting because I like to create and it’s nice to have a thing to point at and go, ‘Hey I made that!’.

I can’t stress how important it is to take time off and manage your work-life balance, especially if you’re a student or starting a business, it’s really easy to let it take over and feel bad when not working but it’s essential to being successful.

Also my mum doesn’t understand anything about computers and I can’t stress how useful she is for chatting through my problems. My partner often teases me about me treating him and my mum as code ducks when I have problems!

DS: What class of vulnerabilities are you studying at the moment?

KPF: Ooh great question, I’m currently learning about vulnerabilities that targets AI/ML and data science more broadly. We’re often rushing to put in fancy algorithms that are deployed without thinking about security concerns. We can all laugh at GitHub co-pilot finding API keys but there are many of types of vulnerability that affect AI/ML systems and many have privacy risks!

Web wise I’m really trying to drill into HTTP request smuggling for a video. I think I understand it and then I’ll try to write it and realize I don’t quite get it. Me and HTTP have an off again, on again relationship.

DS: And finally Katie, do you have any final words of advice for our followers?

KPF: Thank you for having me! I think the best way to be successful in security is to stay curious. Never stop learning and to ask so many questions you annoy the people around you (kidding!)

Source: https://portswigger.net/daily-swig/find-out-what-sparks-joy-youtube-educator-and-security-expert-katie-paxton-fear-on-carving-out-a-successful-infosec-career