Last time, I spoke with Jelena Milosevic. She's a nurse who discovered a huge security problem in her hospital and is now on a mission to educate people about improving medical cybersecurity. This time, I spoke with Stephanie Vanroelen. Not only is she an OWASP contributing web security specialist, but she also volunteers at a camp that teaches information security to children.

Kim Crawley: Tell me about what you do.

Stephanie Vanroelen: I work as a web and mobile pentester for a small Belgian company called Nynox. We tailor to all types of clients both large and small, defensive and offensive. Our team is made up of people who specialize in certain areas of security. I also contribute to the OWASP Mobile pentesting guide project. Besides that, I co-organize BruCON, the largest security conference in Belgium, and I founded CyberSKool together with two guys, Koen Burms and Larry Vandenaweele. Both projects are on a volunteer basis. CyberSKool is a conference for kids between the ages of 7 and 15. We teach them about STEM, IT, and IT awareness, with a special focus on safe internet usage with guides for both parents and kids. The kids learn by playing. We make sure that they try and fail and learn as a result in a safe environment. We do lockpicking, hardware destruction, programming, encryption techniques, and so on. CyberSKool was based on Hak4Kidz from the United States.

KC: That's really cool. Do you think adults underestimate what kids can learn about cybersecurity?

SV: Yes! I constantly get questions like, “Does my kid need to know anything before we attend?” or “I'm not sure that he can do that already.” Then we just make them do it anyway and tell the parents to be quiet. They're actually very amazed at the end of the day, which is nice. We also notice that a lot of the parents often don't know what to do themselves. “Should I let my kids use social media, and is it safe?” So we try to guide the parents, as well.

KC: Do you get many girls in that camp?

SV: We get some girls, and it's getting better with each edition we organize. I think last year we were around 30-45% female, which is beating every single statistic I know about women in IT or women in infosec.

KC: Do you think many of those girls will move onto cybersecurity careers?

SV: I'm not sure, to be honest. An event once a year will probably not change that. But meeting people could still have an impact. I'm confident that at least two girls I've met there will continue on, but they're still very young. I think it would be easier to gauge if the kids were older.

KC: You're probably an excellent role model for them. As you work in web security, are websites and web applications easier to attack than operating system applications?

SV: For me, they are. I probably have a few colleagues who disagree. I think it depends a little on your knowledge base. It also depends on the knowledge base of the developers.

KC: Are web application attacks growing?

SV: To be honest, I don't really know if they're growing or not. We are noticing that developers are starting to educate themselves, making it more difficult to find standard vulnerabilities. But hackers are getting more and more creative and advanced with the type of hacks they perform.

KC: What are the biggest issues in web application security?

SV: The standard things, really. OWASP top 10 is a great guideline in this respect. We find in our tests that this list stays relevant.

KC: What are some of the biggest misconceptions about what you do?

SV: Most people either think it's illegal or want me to do something illegal. In Belgium, hacking is also a dance style, and their mind always goes to that first. Most people also think I'm some kind of genius, and that “hacking” is really hard. It's not; it's a skill like any other. I could never be a great carpenter.

KC: Is there anything else you'd like to add before we go?

SV: I think the most important lesson I learned and that I can teach is that while knowledge is useful, knowing people in the industry who help you out when you're stuck or need guidance is gold. Don't forget to get out from behind your computer and go meet real people in real life.

KC: Excellent, Stephanie! Thank you.

SV: Thank you for the opportunity!
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.