warning icon QCon New York 2020 has been canceled. See our current virtual and in-person events.
You are viewing content from a past/completed QCon -

Presentation: From Developer to Security: How I Broke into Infosec

Track: Trust, Safety, & Security

Location: Majestic Complex, 6th fl.

Duration: 10:35am - 11:25am

Day of week: Tuesday

Slides: Download Slides

This presentation is now available to view on InfoQ.com

Watch video with transcript


I've spent roughly 18 years building sites and apps for the web and while I always did my best to apply the basics of security, I never truly understood the many ways systems could be hacked. That changed when Wannacry hit and I decided to refocus my career to help secure not only systems, but people. In this talk I'll discuss the impetus for my career change, the challenges I faced as a new person to the community, how I forged relationships that helped me pave a solid path in the right direction and how I eventually broke into this amazing & competitive field. I hope that sharing this will help newcomers better navigate the murky waters of this community.


What is the focus of your work today?


The focus of my work is Security Advocacy at Microsoft. One of the things that we want to do is make sure that we have really strong lines of communication at all levels of the security chain from the C level, CIO, CTO, all the way to the folks that are actually implementing the technologies, rolling up their sleeves and getting their hands dirty with protecting the networks their companies have. My role is to establish those lines of communication with security practitioners, bug hunters and researchers, making sure that the work that they're doing, the tools they are using, the methodologies that are there, that they're capitalizing on, all that stuff is brought back into Microsoft so that we have an understanding of the pulse of the community and that we're also engaging with them in a thoughtful way that supports them and helps them do their job more effectively.


What's the motivation for your talk?


I came from a software development background. I think I had almost 30 years of software development experience before I decided to transition over into security. One of the things that I saw was a need for knowledge and education for application developers across the board, whether you're web or desktop developer, and also just trying to help people who are interested in security and maybe even want to explore that as a career better understand how they can become involved whether it's as a hobbyist, whether it's as a professional. There's so many different routes and sometimes it feels like it's a bit overwhelming to get into the field because there's so many different areas. I hope to demystify that a little bit, offer my perspective on how I transitioned over and give some guidance to the audience so that if they do want to transition over into security they can understand where resources are to help them do that.


How would you describe the persona and level of the target audience?


The target audience for this talk would be anybody who is interested in understanding how to get into security in some fashion. It doesn't matter whether they're an application developer or an I.T. admin or somebody who is working customer support. There's so many different roles that are applicable to information security and one of the things that I'm a big advocate for is helping people who come from nontraditional backgrounds transition into security. There's a gap of three million job opportunities for cybersecurity professionals and we can't just assume that a person who is going to security will have 20 years of networking experience, hardening systems and things like that. We have to look across a broad spectrum of people and try to find unique sets of talents that can fill those gaps. I like that type of audience. Audiences that are diverse and that want to explore security. So I think it's going to be a good talk for them.


What do you want this persona to walk away with from your talk?


The main thing I want them to walk away with is that they know there is a ton of opportunities in security regardless of where you're at right now. If you're in application development then clearly you know that application security is a hot topic now. And if you wanted to explore that, there's a tremendous demand for security professionals in the application security space. But beyond that, just because you're in software development doesn't mean that you can't explore other opportunities within security. There's open source intelligence, digital forensics and incident response. You have Red teamers, Blue Teamers, Purple teamers, so many different facets of security that might attract people and so I want them to know that, yes, you can do it. Yes, it will be hard work, it's not going to be something that people are going to hand to you and to be just an easy transition. But if I was able to do it, not having a formal security background, then you and the audience can do that as well.

Speaker: Rey Bango

Senior Security Advocate @Microsoft

Rey is a security advocate at Microsoft focused on helping the community build secure systems & being a voice for researchers within MS.

Find Rey Bango at