An Interview with a Penetration Tester: Georgia Weidman [Career Advice]

Henry Dalziel | General Hacking Posts | July 24, 2016


What are you going to learn by reading this post?
We’ve interviewed hundreds of cyber security professionals over the years, and in this post we ask veteran and highly experienced Cyber Pro Georgia Weidman several ‘career-starting’ questions that are designed to help young people today get started in Cyber Security!

We often get asked by students and general enquiries to the site: ‘How Do I Become an Ethical Hacker’; so we hope that this blog post goes some way in helping you achieve your goal!

We’d like to say a big thank you to Georgia for having taken the time and effort to answer our questions and for her willingness to share her knowledge with our whole community, and especially with our female audience. Cyber Security as a profession can be seen as very ‘male-dominated’, so having Georgia share her thoughts on our platform is very much an honor. Thank you again!

A little bit about Georgia Weidman
Georgia Weidman is a penetration tester, researcher, and the founder of Bulb Security, a Cyber Security consulting firm. In addition, Georgia is also involved in an exciting start-up called Shevirah. Shevirah is a provider of testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. The start-up also allows cyber teams to integrate mobility into their risk management and penetration testing programs.

Georgia has presented at many conferences around the world and she trains students on topics like penetration testing, mobile hacking, and exploit development.

We’ve known Georgia for a few years now, and in fact we interviewed her way back on October 24, 2012!


Henry, Concise
How did you get your break in Cyber Security? Was it an accident or was it done by design?

Georgia Weidman
I studied computer science in college and graduate school, but stumbled on cyber security as a specialty by participating in my school’s cyber defense club. As for becoming a security researcher, it was completely by accident. The people I hung out with one summer gave talks. I never took the time to analyze the pros or the cons of the life they were leading because of it. I just submitted to Shmoocon mostly on a whim and surprisingly got in. Likewise I started teaching classes because the fledgling hackspace I was involved in needed events to attract membership, so I taught Metasploit to get bodies in the door.

Henry, Concise
You created the “Smartphone Pentest Framework” – how’s that project going? Do the attack vectors increase each year or are you finding that mobile OS are beginning to become more secure over time?

Georgia Weidman
In Spring 2015 I joined the Mach37 cyber security product startup accelerator in Northern Virginia to productize my security research work around smartphone security testing. The resulting company, Shevirah, will provide testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. Shevirah allows security teams to integrate mobility into their risk management and penetration testing programs. I have brought on an experienced CEO and we are currently conducting a number of pre-release pilots with the first version of the tool releasing at Black Hat USA 2016 Arsenal.

Since I first started doing mobile security research, the baseline has greatly improved. Mobile ecosystem providers Apple and Google have made strides in further securing the device operating systems. However, the user is still at the center of the security equation. Unlike corporate-owned desktops, companies cannot fully lock-down mobile phones without the users’ consent. Anything that requires the user can be undone by the user, and therefore, the user can be tricked into undoing. Security on mobile has become more complex making it more and more difficult for the user to keep up with what they should and shouldn’t do. This leaves open plenty of opportunities for compromise.

Henry, Concise
You are very active in the Conference circuit. I’m sure you’d agree that speaking at events (perhaps starting at a BSides event) is a great way to get your name out there, but is there anything else you’d recommend to a young person to enhance their ‘employability’? Perhaps mastering certain hacking tools like Metasploit etc – but is there anything else you can think of?

Georgia Weidman
Certainly doing research and giving talks is a great way to differentiate yourself in the field. A lot of people I talk to fear that doing security research requires superhero-like technical skills, but that is often not the case. There are plenty of worthwhile target projects that are appropriate for getting your feet wet in security research. In the same vein as you mentioned, mastering tools and techniques is quite helpful, though the latest and greatest in hacker tools and techniques as well as the attack surface is constantly changing, so more important than mastering a particular tool is gaining the hacker mentality to solve problems and pick up new skills. I find that the best way for me to master a subject is to prepare to teach it. Teaching at a local hackerspace or providing a workshop at a conference is another good way to differentiate yourself.

Henry, Concise
And lastly, where do you see the greatest demand for cyber professionals? Perhaps in SCADA, healthcare – or in compliance?

Georgia Weidman
As much as professionals like us want to make security complicated, most companies just need to get better at the fundamentals. The hottest “attack” this year is ransomware, which is nothing but a failure of security awareness training, mail filtering, and a lack of good backups. Cyber professionals don’t need to be experts in ICS and have a bundle of 0-days under their belt to help organizations overcome basic risk management issues. My expertise in mobile security matters because I’m trying to get CXXs to add mobile to their risk considerations. ICS/SCADA experts are trying to do the same, as are Health Informatics experts. What is really needed is not more of these specialities, but cyber professionals who can talk to their business counterparts and fuse cyber and business risks to the CXXs to make informed decisions.
