Episode 103: Enterprise Security with Kyle Tobener | Salesforce Developers Podcast

Kyle Tobener is the VP of IT and Enterprise Security over at Copado. Today we talk about his experience in getting into enterprise security, how Salesforce and cloud computing play into security, and some general advice on security.

On top of fulfilling his role at Copado, Kyle runs a very popular TikTok account where he delivers some interesting facts on security. Tune in to hear it all.

Show Highlights:

  • How Kyle became an IT professional.
  • What his transition from a support role to an engineering role was like.
  • The unique challenges of managing the security of cloud companies.
  • How Kyle paved roads at Salesforce for people to do things flexibly but also safely.
  • What Copado does.
  • Why early developers should learn and integrate security as soon as possible.
  • Why it’s cheaper to prevent security vulnerabilities early on.
  • What can happen if we ignore SOQL injections.
  • What the static code analyzer PMD does.
  • How Kyle got into TikTok and what he does on his channel.
  • What bug bounties are.
  • How “Capture the Flag” prepares people for cybersecurity careers.

Links:

Episode Transcript

Kyle Tobener:
What happened was I came over to Salesforce on the security side, and was able to make a great impact because of my knowledge of the Salesforce platform.

Josh Birk:
That is Kyle Tobener, Head of IT and Security over at Copado. I’m Josh Birk, your host of the Salesforce Developer Podcast. And here on the podcast, you’ll hear stories and insights from developers for developers.

Josh Birk:
Today, we sit down and talk with Kyle about all things enterprise security, especially his experiences with Salesforce around that. We’ll also go through some of the interesting things to learn if you follow his very popular TikTok. But we’re going to start with how he became an IT professional by escaping the jungle.

Kyle Tobener:
Yes, that is a fun little story. So when I was in college, I kind of had two ideas. I like computers. I like computer games. So I either go into computer science, or I have a big love of animals, and I’ll go into animal science. And I thought, “Well, I play a ton of video games in my free time. So maybe for work, we’ll do the animals. For free time, we’ll do the gaming. And then that’ll work out great.” So my first job out of college was a research assistant in Thailand, studying monkeys in, it was called a cloud forest, but it’s kind of like a rainforest. And I hated it. I hated it so much.

Josh Birk:
Really?

Kyle Tobener:
Yes. My job was essentially data collection. So I was monitoring these squads of monkeys, noting down their behaviors. And it was just so manual. And I was such a technology person that I just couldn’t stand it. So I ended up spending all my time repairing the computer equipment, and doing all the data entry that they needed. But came out of that job like, “No, this is not for me.”

Josh Birk:
So you didn’t really get to play with a lot of the monkeys.

Kyle Tobener:
No. No, not so much.

Josh Birk:
Yeah. No. I can see where that’d be less of a job benefit. And was there something about a hallucinogenic state?

Kyle Tobener:
What finally caused me to quit that job is I ended up with a water illness that had me go to a hospital. But rushing to the hospital from a Thai jungle is like a three hour drive in the back of a truck to the local hospital, which is very small. And so, yeah, I had sort of a hallucinogenic fever trip. I don’t even really remember it. I just woke up in the hospital. It was very exciting. And I was like, “You know what? I need to get out of here. I need to go back to San Francisco.”

Josh Birk:
Nice. So you get to play with computers, and they’re unlikely to put you in a hallucinogenic state.

Kyle Tobener:
Exactly.

Josh Birk:
Very wise, very wise. But now if I’m reading your CV right, you went from wanting to be in the jungle, to not wanting to be in the jungle, to going right into Salesforce development, which is kind of unique. How did you squarely land on that?

Kyle Tobener:
Yes. I have my wife who is also a Salesforce employee to thank for that. Shout out to Jennifer Sacks, who owns the Idea Exchange. We were dating, and she was a Salesforce consultant for an ISV at the time. And we were having brunch with her cousin who was also part of that ISV. And he was like, “We really are struggling to find developers to work on Salesforce. It’s this new thing. None of the developers I talked to want to work on it. Jenny told me that you used to do computer programming. Do you have any interest in learning?” And I was an idiot. I did not see opportunities when they were smacking me in the face. And I was like, “Oh, I have a friend who I think is really into computer science. Maybe I should connect you with him.” And then after that brunch, my wife hit me across the head and was like, “He’s trying to offer you a job.” I was like, “Oh. That sounds fantastic.”

Josh Birk:
Nice. I feel like you owe your wife a lot of things.

Kyle Tobener:
Oh, I owe her so much. That’s not the only time that happened, actually.

Josh Birk:
Nice, nice. Now how was it going from a computer science background to jumping into Salesforce? Because you’re probably talking about the Visualforce years, right?

Kyle Tobener:
Yes. The Visualforce years. Actually, I came out of that period with a really great opinion of learning technology, learning how to code on Salesforce. Because Apex is not the friendliest language. There’s a lot of weird things about governor limits. But what is really great is you want to set up an environment to start coding, you put in your email, and they send you a dev organization, and you’re off. You can go. Versus Java or something. You have a lot of complicated hoops to get started and really see something visually in front of you.

Josh Birk:
Right. Yeah. I’ve had Java projects where I think I’ve spent more time setting up the server than actually coding.

Kyle Tobener:
Exactly. So I really enjoyed learning on Salesforce. And that’s kind of colored my view of development, and Salesforce, and SaaS platforms generally since.

Josh Birk:
Gotcha. And then how did you end up joining Salesforce itself?

Kyle Tobener:
This is again where my wife smacked me across the head. So she joined Salesforce. I was still consulting. And she’s like, “You know what? Salesforce is a pretty great company to work for. You might want to consider applying. There’s some jobs you’d be great at.” And I was like, “Oh, I’m having fun consulting. It’s really great. I think I want to stick to this.” And then like a month later, she’s like, “You’re really being an idiot. You should apply.” So I did, and it was the best decision I ever made.

Josh Birk:
Gotcha.

Kyle Tobener:
Second best, I guess.

Josh Birk:
There you go. Now, what was that early role like?

Kyle Tobener:
So my first job at Salesforce was doing what we call tier three dev support, specifically focusing on managed packages. So I was doing support of all the partners, building managed packages, debugging, all the crazy stuff that was happening with packaging at the time.

Josh Birk:
Now you’re one of the people, well there’s several guests I’ve had, where you transitioned out of more of a support role into a more specific engineering role. What was that transition like?

Kyle Tobener:
I think when you work in a support function, you have this sense that it’s kind of a fun job. You solve really great problems. It’s interesting and exciting. But I didn’t have the sense in that moment where I was like, “This is a career that I want to invest in, growing myself as a support engineer for the rest of my life.” And I’d always been fascinated by information security, cybersecurity, whatever you want to call it. I’ve always been fascinated reading about the big data breaches that were happening. And I saw this as an opportunity within Salesforce. Salesforce provides a healthy training budget for all of its employees. And I thought this is an opportunity to train myself in something, and potentially move into a role that I really could see as a career.

Josh Birk:
Gotcha. Nice. Nice. And what was it like going from being that frontline coder to a director, and a people manager?

Kyle Tobener:
It took me a few years to get there. But I think what happened was I came over to Salesforce on the security side, and was able to make a great impact because of my knowledge of the Salesforce platform. And that gave me a lot of context on the security problems we were trying to solve at Salesforce, that a lot of my colleagues who came either from other organizations’ security teams into Salesforce, they didn’t have that same context. So it helped me see a lot of the bigger picture, and a lot of the problems Salesforce was trying to solve.

Kyle Tobener:
And what I kept bumping my head into was having a boss that maybe didn’t necessarily understand everything the way that I thought I understood things, and me wanting to solve problems a specific way. I eventually got to the point where my boss at the time left the company, and I went to his boss and was like, “You should make me the manager. I can do this better.” Because I was just fed up with how things have been going. And I was like, “I’m going to do a better job.” And my staff from then to now can be the judges of that. But I think I did pretty decently.

Josh Birk:
Well, congratulations on that success, because I know those conversations don’t always end up going the way that you want them to. But that makes some sense. There’s development management, which is just you can be an okay people person, and if your engineers are really, really good, you’re probably okay. I’m thinking maybe security isn’t that [inaudible 00:08:35]

Kyle Tobener:
There are a lot of different kinds of security leaders, and some of them are less technical than others. And I think there are different ways for those people to be successful. The kinds of security jobs that I like are the very technical, hands-on security jobs. I like getting stuck in with the big challenges. And so my technical background really does help me a lot.

Josh Birk:
Got it, got it. I’m going to just walk out there and assume that cloud, and SaaS, and that kind of structure, does that have very specific requirements when it comes to security? Are there unique challenges there?

Kyle Tobener:
Yes. I think they’re becoming more common. So when I started with the Salesforce security team, they were less common, but now they’re much more common. There’s this traditional security mindset, which is you have a firewall. And then inside that firewall everything’s safe, and everything outside of that firewall is dangerous. And I think what a lot of cloud companies like Google, and Salesforce, and the other big ones are pushing is this kind of zero trust mindset. Which is a buzzword that you’re going to hear a lot from security vendors, but essentially means we live in this world where everything we use is a cloud app. If you’re just authenticating the cloud apps all day, and that’s all that you use, there really is no concept of this trusted, secure center. You just trust everything equally, which is you don’t trust them at all. You just authenticate to each service separately. And that’s what composes your enterprise lands.

Josh Birk:
Got it. Got it. And you were around during the acquisition of Heroku, right?

Kyle Tobener:
That had happened before I joined security, but was a big part of what happened once I joined security.

Josh Birk:
Okay. I was following up on a presentation that you did. And it sounds like giving people the ability just to spin up basically applications, and then offer them up as plugins, and things like that. What’s some challenges there in making sure that that’s a sustainable kind of ecosystem?

Kyle Tobener:
The presentation that you’re referring to goes back to a philosophy of mine, which is you want people to use the safe path whenever they’re doing something. And for engineers, we don’t always know what path we’re going to go down. We have to be flexible and use a lot of tools. And so that can be a headache for the security team. Because if you do something the security team has never seen, there’s a potential for you to do something dangerous. So what I was really focused on in my time with Salesforce security was paved roads, or ways people could do things flexibly, but also safely.

Kyle Tobener:
And one of the ways that I did that was by working with a colleague of mine, his name was [Alessandra Lipucci 00:11:21]. We set up an internal portal within Salesforce where you could go and get access to Heroku resources very easily. And we gave you some guidelines. We gave you some default configurations to make your deployment a little safer, like an SSL certificate. And then we said, “Follow these guidelines and you never need to talk to us. You don’t need to interact with the security team at all. And if you are going to edge outside of these guidelines and do something that may be a little bit stranger, then please come talk to us. But otherwise go forth and be productive.” And that was super, super successful for us because it centralized what people were trying to do into a single place, which was this Heroku portal.

Kyle Tobener:
And so we built a Heroku app on our end that could monitor all the deployments of Heroku that all these people were using. And we had centralized visibility into what was going on. And it scaled really well because we didn’t need to get involved very often in what people were doing. And so the marketing team loved it. The engineering team loved it. IT loved it. We had very broad adoption of that.

Josh Birk:
Very, very nice. How’s Copado treating you these days?

Kyle Tobener:
I’m very happy to join Copado. I love it here.

Josh Birk:
Gotcha. Quick shout out. What does Copado do?

Kyle Tobener:
So Copado does DevOps for the Salesforce platform. And we’re also moving into some other really cool areas, like robotic testing. We recently acquired a robotic testing company to help people scale their testing efforts as their code base grows.

Josh Birk:
So define robotic for me in that context.

Kyle Tobener:
So if you’re a long-time Salesforce developer, you have in mind you build your Salesforce code, you deploy it. And then you need to have unit tests. Then you may also have functional tests to make sure that you don’t break everything when the new release comes out, you deploy some new functionality. The idea behind robotic testing is that it uses AI to build your test suite for you, so that as your code base grows, as your custom software stack grows, you aren’t growing your testing debt along with it. Your test cases, you constantly have to maintain them, keep them updated. And that can drag down the productivity of the engineering team. With robotic testing you have an AI assistant to help build those test cases out for you.

Josh Birk:
Got it. Got it. Okay. So sticking with the Salesforce platform for a little bit, if I am a day one Apex developer, totally green field, fresh off my certificate, maybe I’m still getting my certificate, what are some things as a security expert you would want for me to have top of mind?

Kyle Tobener:
So there’s a very fundamental philosophy that’s taken root in the security world, which is this idea of shifting left. And I need to explain a little bit what the axis is to explain the left. Several years ago, maybe 15 years ago, NIST, which is the National Institute of Standards and Technology, they released this report about the cost of fixing software flaws, or the cost of fixing vulnerabilities. And what they showed was that if you’re fixing vulnerabilities in production, it’s significantly more expensive in terms of time and resources than if you’re fixing those problems early on, like in the development cycle, or even in the requirements gathering, architecture phase. And so a lot of security people like myself have taken this to heart, and said, “The earlier we can get security resolved, the earlier we can prevent vulnerabilities, the cheaper it is, and the more scalable security and software engineering securely can be done.”

Josh Birk:
Now tell me some specifics there. It makes sense. But what are some of the realities on the ground that make it much more expensive in production, as opposed to say, pulling out a beta?

Kyle Tobener:
So I think there’s two key phases where security issues are often found. In production, if someone outside of your organization finds them, well that’s going to cost you a lot. Because that’s potentially a data breach. It’s potentially lawsuits. It’s lost customers. That can be very problematic. But even if it’s just someone reports an issue to you, and you go and fix it, it can involve refactoring architectures that you’ve gone down, directions you’ve taken your code for years even. That can be very expensive to redo.

Kyle Tobener:
And then the other area where we often find issues is you’re doing development. And then your company has some process where before you deploy, the security team has to review it. And even in that phase where it’s not released yet, oftentimes that process of working with the security team could take a week or two weeks of time to get on their calendars, get them to the code, have them review the code, they give you the feedback, you have to fix the issue. And those delays add up, and cost you time, and money, and resources. Because all of the development work that you’ve done to make your software better is not getting released to production and providing value to the company.

Josh Birk:
Gotcha. Gotcha. So what I’m hearing here is if you had one thing to say to a day one Apex developer, it’s not like, “Here’s a few things to know about security,” but simply blanket learn security as early as possible, and integrate it into your development cycle.

Kyle Tobener:
Yeah. Because if you are a developer who is security conscious, and knows the things that you could do to introduce vulnerabilities in your system, and you avoid them, you’re going to save yourself so much effort down the road. You’re not going to have to deal with all that tech debt that comes back to bite you.

Josh Birk:
And you either wrote or helped write courses up on Trailhead for this, right? What kind of content is up there?

Kyle Tobener:
So when I was at Salesforce, myself and a colleague of mine, her name was [Asta 00:17:28], she’s now the leader of a security team at Netflix. We envisioned a secure coding course on Trailhead. Because Trailhead was just coming out, and we loved how interactive it was, that it gave feedback on, “Here’s what you did wrong. Here’s what you could do better.” And we envisioned what if we could take the idea of Trailhead and apply it to security vulnerabilities. And build a sandbox where we give you code with vulnerabilities, and you learn how to fix it, and Trailhead gives you feedback about your fixes. And so that was the first iteration of the Develop Secure Web Applications Trail. Which if you’ve ever met me, it was probably at Dreamforce on the floor there talking about it to you. That’s where I met a lot of the developer community. And I loved that course. It was so fun.

Josh Birk:
Nice, awesome. And we will point to that in the show notes. I always like a good, scary story. And I think Salesforce has a tendency to lull people into a little bit of a false sense of security, because there’s so much being done behind the gated wall of the cloud application. But can you tell me a nightmare tale of something that occurred in a Salesforce application because somebody just totally ignored what [inaudible 00:18:44] injection was?

Kyle Tobener:
I won’t name any names.

Josh Birk:
Don’t name any names. Yes. Thank you.

Kyle Tobener:
When I was at Salesforce there was always this concept of VTO, or volunteer time off. And one of the ways that me and my team tried to use our time off was could we volunteer with non-profits from a security perspective to lend them our expertise. And every once in a while I would get pulled in to say, “Hey, this non-profit has a Salesforce implementation. Can you come take a look at it, and see how it is from a security perspective?” And I loved doing that because it was super fun. And I could give feedback to people who’d never had that kind of feedback. And unfortunately every once in a while I would find very, very vulnerable deployments.

Kyle Tobener:
And so the thing with Salesforce is it’s a framework, but what you do with it is up to you. And there are guidelines and security settings within Salesforce that are often enabled by default, but you can disable them. And these people had disabled some of the critical security settings to make their customer portal work the way they thought they wanted it to. But in doing so had exposed quite a few records. And I had to show it to them. And once they realized, they were horrified, and we had to work together to clean it up. That’s how it goes with Salesforce. There’s this shared responsibility model in the cloud that people don’t always understand, which is we build the cloud for you, and we do it to the best of our ability, and as secure as we can possibly make it. But some of the responsibility is yours too.

Josh Birk:
And I want to just put an asterisk on there that by asking for a nightmarish tale I am in no way denigrating the great work of the security team for keeping insecure apps from going out the door. And it sounds like a tip I’m hearing there is don’t touch the CSRF settings unless an expert tells you you can.

Kyle Tobener:
Exactly. There were a lot of those security settings that are toggled on by default for a very specific reason. We knew what we were doing. We want you to use those.

Josh Birk:
Exactly. Exactly. All right. So shifting topics a little bit, I always love to give an ability to PMD, one of my favorite static code analyzers, if not my favorite static code analyzer. What kind of work have you been doing on that project?

Kyle Tobener:
So I haven’t touched PMD for a while. But what I love about PMD, it ties back to what I was saying about shifting left. PMD, if you’re not familiar with it, is a tool that you as a developer can use for free in your IDE that can give you feedback on the code that you’re writing. And it was primarily designed for formatting things, and common mistakes that you would make with your code. What we looked at when we saw PMD was an opportunity to get security feedback into the hands of developers very early on, and for free. So members of my team, [Sergei 00:21:37], and [Murat 00:21:38], who are both at Salesforce, I think Murat’s still there, and Sergei is now at Fastly. We put rules into PMD for security issues, common security issues, things like cross-site scripting. So that when you’re developing, PMD will say, “Hey, by the way you turned off encoding, or, you turned off output encoding, and that’s going to bite you in the butt, because you might have a cross-site scripting issue.”

Josh Birk:
Got it. Got it. And have you seen the code analyzer project?

Kyle Tobener:
Code analyzer project? I am not familiar-

Josh Birk:
Yeah. So they have a project now that you can put PMD right into VS Code, and basically run it on your computer as you go.

Kyle Tobener:
That’s awesome.

Josh Birk:
It’s really, really cool. So highly recommended. And also, all of this stuff will save you time and money when you’re trying to get your security review done, right?

Kyle Tobener:
Yes. There are also ESLint rules for working with Lightning that I think do a very similar thing. And I would totally suggest any developers working on Lightning use those ESLint rules from Salesforce as well.

Josh Birk:
Got it. Now you have a TikTok channel.

Kyle Tobener:
Segue.

Josh Birk:
Is that right? Is it a channel in TikTok? I don’t even know what that noun’s supposed to be.

Kyle Tobener:
I just tell people I have a TikTok. I don’t consider it a channel. It’s just a place where I dump my stupid ideas.

Josh Birk:
Why TikTok?

Kyle Tobener:
So I had an unfortunate health experience last year, where I was diagnosed with cancer right around the start of the pandemic. And so I spent a good portion of last year going through chemotherapy and surgery. And I’m all clear now. So the cancer is gone. But the amount of time I spent in bed was significant. And TikTok was a hilarious little thing that I could enjoy during the pandemic where, you know, bring some cheer into my life. And there were a couple of things I resolved to do when I was cancer-free and got my strength back. And one of them was, I’m going to make some TikTok content. I’m going to contribute back. Because this seems fun.

Josh Birk:
Nice. Well, first of all, congratulations on your health.

Kyle Tobener:
Thank you.

Josh Birk:
Second of all, I feel like you have a tendency to be modest about this. How many followers exactly do you have, sir?

Kyle Tobener:
Yes. I just refer to it as my little TikTok account, but I have broken 200,000.

Josh Birk:
I believe you’ve broken 225,000. See, even when I’m asking you not to be modest, you’re modest about it. No, it’s really, really good stuff. It was fun to dig into that. And you talk a lot about bug bounties, and some of them are really fascinating. And one of the things you talk about, and I think this goes back to this philosophy of shifting left and things like that. Why is one bounty from Google worth $500, and another bounty from Instagram worth… And I’m making up these names, by the way. I’m not saying these people have had security problems. But from Instagram, that’s like $50,000.

Kyle Tobener:
So if you’re not familiar with bug bounties… I think a lot of people are, but you may not be. So bug bounties are a place where security researchers can report security vulnerabilities that they find, and be rewarded by the company that they report them to. It’s an incentive to do the right thing, and report to companies issues that you’re finding, rather than selling them on to some malicious actor or something, doing something a little bit shady. So it’s a marketplace for security issues. Every company gets to set their rate of what they will pay. And oftentimes the bigger the company, the more they’ll pay. But one of the key factors that decides the payout, even at the smallest of companies, is impact. So if your vulnerability that you have is very impactful, could harm a lot of customers, the security team tends to recognize that impact and reward you more handsomely.

Josh Birk:
Got it, got it. And what’s the craziest security breach that you think you’ve seen?

Kyle Tobener:
So I talk a lot about different bugs. And there are really crazy ones out there. I tend not to think that the craziest ones are the most complicated, multi-vulnerability kill chains. The things that I love are the vulnerabilities that are just super simple, just straightforward. There was one mistake made, and the impact was massive. So I was just talking about a Snapchat bug the other day. And this is a perfect example of this, where the mistake that they made was not adding an authorization check to an authentication function. So that if you just swapped a user ID… Which is a publicly available value in Snapchat. You just swapped it to somebody else’s, you would get the authentication token for that user. It’s just so simple, and yet so horrible. Those are my favorite bugs. Because you get into the mind of the developer, and you’re like, “What were they doing where they just missed this?” But every one of us who’s developed code has been in that place where you’re like, “How did I make that stupid mistake?”

Josh Birk:
Right. Right, exactly. And for the record, I was a Data Security Engineer for a few years at a large insurance company which I won’t name. But people could probably figure it out if they would look at my resume. Anyway, I left because I was afraid of turning into that person. That was my contribution to the security world. Josh is going to go back to normal web development, and just think about security, and not try to actually practice it. And there’s another one in there that I think is actually interesting and good information for just people in general. And I’ve seen this. I’ve heard this before. I’m trying to get through my accounts and fix this. If I’m doing two factor authentication, I feel like I’m safe. But a lot of people set up SMS based 2FA. What’s the vulnerability there?

Kyle Tobener:
So there is something out in the world called SIM swapping, where you can bribe someone at a telco to essentially swap your SIM card for the SIM card of someone very famous, let’s say. And then you can go to that famous person’s Instagram account, or their Twitter, or whatever, and kick off an authentication attempt. And the 2FA token will get sent to your SIM card instead of theirs. And so this approach to compromising 2FA has actually been used against Brazilian politicians, or something. Bolsonaro fell victim to this. It has had very major impact out in the world. And so most companies are moving towards 2FA models that are either little tokens, little hardware things that you touch, or authenticator apps where it’s got that rotating code that you have to put in. Because these can’t be swapped away from you against your will.

Josh Birk:
Right. And to clarify, when you say SIM card swap, there’s no physical thing there. My phone just gets a new phone number and somebody gets mine.

Kyle Tobener:
Exactly.

Josh Birk:
Yeah. Yeah.

Kyle Tobener:
Basically there’s a process at these phone companies where you can say, “Oh, I lost my SIM card. I need to port my number over.” And they’ll do it for you as long as you can prove who you are. Sometimes they don’t always prove who you are.

Josh Birk:
Got it. So let’s talk a little bit about learning security in general. And you talked about this on your TikTok channel as well. And I ran into this from an old friend of mine, but I’ve never actually seen one in action. But when people are learning InfoSec, they have a tendency to get involved in CTF or capture the flag. Walk me through that. What is capture the flag when I say that to an InfoSec person?

Kyle Tobener:
So capture the flag is something that’s ever present to InfoSec people. We have security conferences, and basically every security conference has a capture the flag. You can think of it like a security game where there’s a vulnerable web application of some kind, or vulnerable something. And then there’ll be various flags about that web application that you can find through security means either… A common one would be compromising someone’s account. And then if you’re able to compromise that account, their user ID is actually the flag, for example. So you get into their account, you get the flag. That’s one of them. And so it’s usually a repository of a bunch of different security techniques, and it’s a great way to practice your practical skills.

Kyle Tobener:
And what I saw with my time at Salesforce, the reason why I talk about capture the flag so much is college programs tend to be very broad, and aren’t always super applicable when you get to the interview phase for a company like Salesforce. Let’s say you wanted to get an internship at Salesforce. You have a master’s program in cybersecurity from wherever. You may not be prepared with the right technical skills. But everyone that I interviewed for Salesforce who had been on their capture the flag team at their college, or done a bunch of them through conferences were super prepared for those interviews, and had fantastic skills. And so that kind of hands-on experience really is important when you’re coming, trying to transition into the cybersecurity field.

Josh Birk:
So that’s fascinating to me as a long-term web developer who’s been on both sides of the recruiting fence. Because it solves that chicken and egg problem for junior level devs. Because junior level devs are like, “How can I show you experience on building websites if you won’t hire me and build a website?” But here you’ve got a real sharpening the knives exercise that you can jump into at any time.

Kyle Tobener:
Exactly. When I started in security these didn’t really exist. Now there are quite a few more of them. Vulnerable application services where you pay them a monthly fee. They give you a bunch of vulnerable applications, and you can test your skills. It’s kind of a sandbox for training. And I think those are really great.

Josh Birk:
Got it. And are there other resources, websites, other stuff you’ve talked about on your TikTok channel that you’d want to point people to, if they want to ditch zoology and become an InfoSec expert?

Kyle Tobener:
So here’s a free plug. I am not sponsored by this company, but tryhackme.com is one that I tell people about a lot. Because they do have a free offering that you can transition into a monthly subscription. And they have a bunch of really cool challenges there, and a leaderboard where you can see how you’re stacking up against other people. And I’ve heard a lot of great things about people who have used TryHackMe as a way to leverage themselves into a cybersecurity job.

Josh Birk:
And that’s our show. Now, before we go, I did ask after Kyle’s favorite non-technical hobby. And I have to say it’s one of the most specific ones I think I’ve ever gotten on the show.

Kyle Tobener:
My favorite non-technical hobby is collecting cyberpunk art from the ’90s, which is a very weird, specific thing to do. But yes, I was deeply inspired to move into the cybersecurity field as well by these ’90s cyberpunk movies, like Johnny Mnemonic. William Gibson books of the ’80s. There was a card game in the ’90s called Netrunner. And so I go around trying to track down art from these card games, and role-playing games, and books. And I have a massive collection. Yeah.

Josh Birk:
I want to thank Kyle for the great conversation and information. And as always, I want to thank you for listening. Now if you want to learn more about the show, head on over to developer.salesforce.com/podcast, where you can hear old episodes, see the show notes, and find links to your favorite podcast service. Thanks everybody. I’ll talk to you next week.