🎙 Develpreneur Podcast Episode

Audio + transcript

Christian Espinosa on Security and Penetration Testing

Christian Espinosa, author of The Smartest Person in the Room, joins the show to discuss security and penetration testing. He shares his background in security and his experiences with his company Alpine Security. Christian emphasizes the importance of people skills in the tech industry and introduces his secure methodology for developing people skills.

2024-02-16 • Season 20 • Episode 743 • Security and Penetration Testing • Podcast


Detailed Notes

The conversation begins with Christian Espinosa's background in security and his experiences with his company Alpine Security. He shares his insights on the importance of people skills in the tech industry and introduces his secure methodology for developing people skills. Christian emphasizes the need for secure software development and discusses the challenges of cybersecurity. He also touches on the importance of security testing and static code analysis.

Highlights

  • Christian Espinosa's background in security and his company Alpine Security
  • The importance of people skills in the tech industry
  • The secure methodology for developing people skills
  • The challenges of cybersecurity and the need for secure software development
  • The importance of security testing and static code analysis

Key Takeaways

  • Developing people skills is crucial in the tech industry
  • Christian Espinosa's secure methodology provides a framework for developing people skills
  • Secure software development is essential for cybersecurity
  • Security testing and static code analysis are crucial for identifying vulnerabilities
  • People skills have an infinite shelf life, whereas tech skills have a finite shelf life

Practical Lessons

  • Implement Christian Espinosa's secure methodology for developing people skills
  • Prioritize secure software development in your organization
  • Conduct regular security testing and static code analysis to identify vulnerabilities

Strong Lines

  • People skills have an infinite shelf life, whereas tech skills have a finite shelf life
  • Developing people skills is crucial in the tech industry
  • Secure software development is essential for cybersecurity

Blog Post Angles

  • Why people skills are crucial in the tech industry
  • How to develop people skills using Christian Espinosa's secure methodology
  • The importance of secure software development for cybersecurity
  • Examples of security testing and static code analysis in action

Keywords

  • Cybersecurity
  • Penetration testing
  • People skills
  • Secure software development
  • Security testing

Transcript Text

Welcome to Building Better Developers, the Develpreneur podcast, where we work on getting better step by step professionally and personally. Let's get started. Well hello and welcome back. We are into our final interview of this season. We've been going for a long time. We're over a hundred episodes of straight interviews and then, you know, a few of those special topics to sprinkle in along the way. But we are wrapping this up. This episode, next episode will be our last two in season 20 and then we'll come back in season 21 and we're going to change some things up a little bit. We're adjusting some things. Check out our newsletter, check out a few other things there. Check out developer.com to see what we're doing and where we're going. That being said, this, maybe we saved the best for last. We'll find out. We're speaking with Christian Espinosa and we're speaking with him on, we're going to talk about security. Particularly one of the things we're going to get into is a little bit more of a niche or side of security and then we're talking about penetration testing. Pen tests as they're often called. But first, we're going to get a little bit of his background and figure out how he got to where he is within his organization, how he started his company. And there's going to be a lot of entrepreneurial type things that we're going to hit on as well as the technical side. So you almost may want to have like a two column notebook that you're keeping track of to keep the notes that are more on that security and penetration testing side and a little bit different one that's like, hey, here's some cool ideas for building and advancing my organization. That being said, I probably said too much already. Let's get right into our conversation with Christian. Okay, welcome back. And today we're speaking with Christian Espinosa. This is going to be a fun one because he is a bestselling author of The Smartest Person in the Room. 
And I know that most of the people in the audience think you're the smartest person in the room. And I guess if you're alone in your office like I am, you do happen to be that person. If you have more than one person in the room, you may not be. But Chris is going to talk about that and we're going to just dive right into it. I think there's a lot of cool stuff here. Once again, it's one of those areas where it's like, hey, grab a pencil and paper or your favorite note taking device because I think you're going to get a lot of good little value bombs come out of this. So I want to welcome you, Christian, to the show. And why don't you give us, because it'll be much better than one I just did, why don't you give us a little bit of your background and tell us about yourself. So I grew up in Arkansas, extreme poverty, like on government welfare and cheese and powdered milk and with a drug addicted mother in a trailer. So it was pretty chaotic and I worked super hard. I decided that I wanted to get out of my environment. So I worked super hard to get scholarships. So I applied to all the military academies. I got accepted to all of them, but I chose to go to the Air Force Academy. So I went to the Air Force Academy. I escaped Arkansas in my childhood and I spent about six years in the military doing communications. And after that, I was a DOD contractor for a while where I did defense contracting and traveled the world, securing military installations from cyber criminals and nation states and optimizing their environments as well. Then I worked for a commercial company and that's where I had a kind of a defining moment. I had a run in with the CEO where we didn't see eye to eye and it was causing me a lot of stress and anxiety. And I decided that my mental health and my emotional state were more important than any amount of money my CEO or that company could provide me. So I just quit without having another job lined up. 
And that started me on my freelance or solopreneur career. I did that for about five years doing ethical hacking, traveling the world, teaching ethical hacking courses or hacking courses. And then I got bored with that. So I started my company Alpine Security in 2014. I sold that in 2020 to a publicly traded company and exited that company and started a new cybersecurity company, which is now Blue Goat Cyber. And while I was at Alpine Security, I wrote the book, you mentioned The Smartest Person in the Room, because 99% of my problems in my entrepreneurial journey with my company were not because someone lacked technical skills. They were because someone lacked people skills. So my book is really about infusing some people skills into already super highly rationally intelligent individuals. Well, and that's when you have an audience that's got a lot of developers, and I think that's probably a common trait of IT people, particularly those on the outside would say that you're, you know, techno geeks, as you want to call them, are the people that are usually pretty smart, but don't have a lot of people skills. And I do think that's something that limits us sometimes, is that we can be very technically skilled, but then there are positions that we can't take, or we can't move into, or we struggle with because of those people skills. So what are maybe some of the guidelines, or even some of the hints or something like that, that you picked up, that somebody could look at in your book, that will help them have those soft skills and improve their people skills? Yeah, I've got seven steps in the book and I'll just cover a couple things I think stand out. The first one is from an awareness perspective. We're very programmatic. We're like a computer program and there's a trigger or stimulus and we automatically execute this program. 
And what we have to realize is that program may not be serving us and our brains are malleable and we can stop that program from running, like a Control-C, if we're aware enough to catch it, and then run a different program. As an example, one of my engineers at my first company, whenever someone started asking him questions, he started getting defensive. So his program was I'm getting challenged about something, that was his perception. So he started getting defensive. He started getting frustrated and the communication just kind of went south after that. So a better program for him to run would have been one out of curiosity. So someone's asking me a question. I'm curious. Like what is it about what I'm stating that they're not understanding, for instance, because at the end of the day, if the program is not serving us, we need to install a new behavior. The other thing I want to mention is communication. I believe that the meaning or the purpose of communication is the response you get. So if you're not getting the response you want, you're not getting the budget you need, the users aren't understanding you, your boss isn't giving you the raise. It's up to you. The ownership is on you to change how you communicate. What we often do though, is just blame the other person and say, well, they don't get it. They don't understand. Nobody understands me versus taking ownership of how we show up and how we communicate. Yeah, that's the old saw of like, you know, there's more than one way to skin a cat or something along those lines is that I think sometimes we do get a little bit too caught up in that where it's, hey, this is the point I want to make and this is how I'm going to make it. And just sort of bull in a china shop. You just go running through it with that point as opposed to just stepping back. And maybe I'm wondering if you've looked at this in your book at all. 
When you think of IT people, particularly programmers are a good example, computers aren't squishy and wiggly and stuff like that. It's basically, it's like you need to talk to them in the direct way and that's going to get you the computer to do the thing you want it to do. Why do you think it's difficult for people whose life is changing the approach essentially and changing the code and tweaking the code and altering it to get the computer or the device or the system to do what they want it to do? Why is it so hard to do that with the rest of their life with people when it's in a conversation? I think there's a couple aspects to that. One of them is choice. I think a lot of people, I think the majority of people choose to decide to be good with computers or good with tech, but not good with people because in some fashion, as you mentioned, computers are more black and white. You do this input, you get this output. You do this input, you get this output. People are quite a bit more gray. You do this input, sometimes you get this output, sometimes you get a different output. So it's a lot more involved with dealing with people. I think some people are on a scale that we talk about neurodivergent people and they have a little bit of a challenge with reading the nuances from an interpersonal perspective. I think there's that aspect as well because I think a lot of neurodivergent people are attracted to IT or programming or cybersecurity. But I think that's a small population because I believe a lot of people think they're super smart programmers, developers. And I think if you're super smart, how come it only applies to one aspect of your life? If you're super smart, I think you should be able to apply it to other aspects of your life. And just like you had to learn Java or C# or some language, that is a skill you had to learn. There are things you can learn that will improve your interactions with people. 
And what I always like to say is tech skills have a finite shelf life because later on there's going to be a new technology. But people skills have an infinite shelf life because no matter where you go or what industry you're in, if you have better people skills, it's going to help you in your career because most of us have parents, most of us have a spouse, most of us have children. So it's not just going to help us at work. It's going to help us throughout our entire life. Yeah, that is a very good investment from that point of view. And I don't think that gets brought out enough. I say that, I know there are some companies that do and some programs that do, but it seems generally it's more about learning that next language, learning that next technology and not the people skill side, which honestly is not the never-ending treadmill that the tech skills are. Because like you said, those things, you'll learn it and it fades and you learn it and it fades. You learn it and it fades. The people skills, not only do you have them, but that also means that you can always build on them. So there's a certain point where you pick some dead tech, COBOL. You can be as good as you want, but it's sort of dead so it doesn't serve you any purpose. And there's no reason, and you don't have like a continuing improvement of that. It's like, okay, you're done with it versus the people skills. You can keep building on those and keep building on those and get better and better as you go through it. So you have this value that you're going to have one level at five years in of your professional career and your people skills. But if you keep growing those in 20 years from now, the technology may still only be five years or whatever your technologies are. But then you've got this 20 years of people skills that allow you to get the job done. 
Actually, I guess I don't want to prompt this too much, but really for this question, you see that that is something that applies even if they stay in the technical career path. Because you can always go and be management, stuff like that, but then you can also stay technical these days. So do you think that that's something where if somebody says, Hey, I'm an architect, I don't need people skills, what would be your answer to that versus somebody who says, Oh, okay, yes, I need that because I'm going to go be a manager? I usually try to turn the question around and say, well, what would your life be like if you developed people skills? You know, would your life improve or would it get worse? And typically they say, well, my life is going to improve. I mean, rarely is there a job where you sit in the closet and don't have to talk to anybody. Rarely does someone just live at home without a spouse, without children. You know, they have parents, as I mentioned. So if you choose to get good with people skills, I think it's largely a choice. And I think we sort of just in programming, in tech industries, we've accepted this thing that it's like, it's okay to not have people skills. We've just tolerated it. I'm a believer that you get what you tolerate. So we've sort of like created this culture that has made it acceptable to not have people skills. But I think if people actually step back that are considering developing people skills, just look at the benefit it's going to give them. I think one of the challenges though is like, where do you start? And that's probably the reason I wrote a book and tried to like simplify it to seven steps. I mean, it's a massive topic, people skills, but I just try to like give a framework of where to start. Cause I think a lot of people are like, where do I start? Do I start with empathy, do I start with emotional intelligence, or do I start with communication? 
Do I look at body language? You know, there's a whole bunch of stuff to consider. It can be overwhelming, like anything else. Yeah. I think that, I think you really hit the nail on the head with that is I think it's one of those areas where you look at it and you say, I think it's such a big topic. I don't know where to start. And I think that's, and is that your, is that your, the seven steps, is that your secure methodology? Is that, can you tell us a little more about that and your sort of how those, those fit into, and I guess it is to give them a starting point and to grow? The seven steps I distilled from all the things I did in my company to try to infuse the people skills or emotional intelligence into my staff. The things that worked, I thought, okay, what is the common denominator for all these things? And what are like the high, like high level steps? And that's what I wrote about in the book. That's the secure methodology. I call it the secure methodology because I feel like a lot of challenges we have in life stem from insecurity internally, cause I believe that our outer world reflects our inner world. So I think if we become more secure with ourselves and a lot of that comes with confidence and some confidence can be developed interacting with people that will help those highly rationally intelligent people have a more fulfilling life because they'll no longer wonder why this person with less technical skills got promoted above them. They'll no longer wonder like why they're sort of stagnant in a specific job or all these other people around them are flourishing, you know, cause they'll have the awareness and the skills to navigate that better. That's excellent. And I think that's, again, you bring up a couple of those points that I think people get, at least wake people up to it or it frustrates them is when it's like, Hey, I'm sitting here and I'm great. 
I'm doing my job and getting stuff done and people get promoted and moved into places that I would rather be. And so I think if somebody's listening and they have that or they're running into that, then this may be a great place to start is check out the book, check out the methodology and see if that's something you can do to, cause again, it's like everything, yes, it's a big problem, but if you start somewhere, then at least you're stepping forward into that. No, go ahead. The last step in my book is Kaizen, which is a Japanese word for continuous and never-ending improvement. And I think you have to, or you should adopt the philosophy of Kaizen, which gives you the courage to start because when we're learning anything new, you're not going to be instantly great at it. It's not like a light switch and you know, it's off and it's on, it's a journey. And sometimes you may have to unlearn things you already learned through that journey. So you may get worse at something for a little while. And I think it's important to adopt that mindset of just as long as I'm making incremental improvements, that's what matters. Cause we tend to overestimate what we could do in one year and underestimate what we could do in three. So if we're continuing to make any small steps after like three years, we will have massively improved our people skills or anything we try to improve on. Yeah, that's a good point. We talk about that a lot is that idea of almost like a momentum and continuous improvement is if you just take a step each day, the next thing you know, you've taken a lot of steps and you've gone a long way from where you started. And I love that analogy, where people do tend to think you do so much more in a year, but then it's amazing if you do something on a regular basis, how far you can get in a three year period. Now, were you, I mean, you're talking about, you did this in your company. 
Did you do it in both your companies, the one that you just sold and then you carried into this new one, or is it where sort of the first company you learned a lot of this and you've really sort of mastered it and implemented it into this new company as you've built out your team? Yeah. In the first company, it was pretty challenging. Cause I had several people on my team that didn't want to change. They didn't want to develop people skills. They wanted to cling onto their identity. And one person in particular I wrote about in the book, he was super smart, but that's how he felt significant. We all want to feel significant. And he felt significant by being smarter than everybody else and making people feel stupid. And that, in my opinion, is not a good business model because if you're talking to a client and you're talking down to them, they're not going to feel understood or appreciated. They're probably going to go elsewhere for the next service they're going to buy. So I tried to get him, for instance, to embrace the secure methodology and these steps, and he just flat out refused. So he left the company. And what I realized is you have to enforce the culture as an owner of a company or leader of a company. And I started hiring people after that based on their core value alignment, their people skills, and if they fit that in our culture, only then would I look at their technical skills. Before that, though, I would hire people purely based on their technical skills. But it took me a while to realize that a lot of the problems were stemming from the lack of emotional intelligence. My new company, fortunately, a lot of people from my old company, my staff that already went through all this, have migrated over with me to my new company. 
And I'm much more cognizant if I bring somebody on, like I hired someone, I assess their people skills, their communication skills, and all that first, even though this person is a highly technical penetration tester or hacker, he still has to interface with clients. He has to explain the report to them. So it's important that he can do that and doesn't do it in a way that makes the client feel stupid. That's a good segue into the other thing. Cybersecurity is, again, one of those huge areas of knowledge, and there's so many things. And you've talked about ethical hackers and black hat hackers and all those kinds of things that, like, what is, just to sort of, to start this off, what do you think is the biggest challenge for cybersecurity, particularly, has it changed from several years ago when you started your first company to now what you're seeing, particularly after the 21, 22, everybody's at home and that kind of stuff? How have you seen that evolve? And is it the same, really the same challenge that you had years ago, just maybe in a different suit? I think with cybersecurity, we like to make it sound like the attack vectors are always changing. They're really not. It's poorly written code, and the time it takes to patch that code, and then it's some sort of social engineering component, like phishing. That's how people get in. So if they can get you to click on something and there's a vulnerability to your system because the code was not written securely, then they can get in. So it's still the same things, but I think the biggest challenge we have in cybersecurity, because I used to run a software development organization, is a lot of developers, they don't understand how to securely develop code. So that's one aspect. And then, like, even when I understood this, when I ran a software development organization, the CEO of my company, who was my boss, told us, we had, let's say it was an eight month timeline to get the new release done. 
After five months, he's like, we sold this. So whatever you got done, just stop developing it, package it up, and get it out the door. And I'm like, we haven't done all of our security testing. And that's not just a problem unique to me. I think that's a problem common, where there's this rush to market, where we often don't have time to thoroughly test stuff from a security standpoint. That, in conjunction with most of the developers, don't understand cybersecurity. They understand how to write code that functions and operates properly and is optimized, but they don't understand how somebody can break into it. One of my best penetration testers on my team, he used to be a software developer. And when he learned cybersecurity and how to hack into all the code, he realized that most of the stuff he wrote was horribly written from a security standpoint. And he was a super awesome developer, but he just didn't look at it from that lens of someone trying to break into the code and how to do a buffer overflow attack, or the things that someone could do really. Now, do you think that's something that... This actually goes back to the QA versus development roles as well. Do you think this is something where developers are going to always need, or it's very helpful to have that extra set of eyes of sort of a security person on the team? Or is it something that developers can be taught, sort of like they're now being taught to test-driven development, some of these other things that are trying to get a higher quality of software? Do you think that's something that we can... Or are there tools out there that developers can use that are going to help them get those habits or at least build more secure, just sort of as they're going through stuff, build more secure code? I think we're headed in that direction, albeit slowly. We've got the software development lifecycle and there's a push to make it the secure software development lifecycle. 
We got DevOps, but we've also got DevSecOps. We're trying to add security to it. And I think if you have the right flow or process set up for software development, the right stages or gates, or however you want to do it, where you have things in there like static code analysis and dynamic code analysis, if you have those closer to the beginning and you've also got security requirements designed into the software, I think the product that comes out will be much more secure. What I generally see is people develop software and they're like, kind of like at the very end, they're like, oh crap, we forgot about security. So they try to bolt on some stuff, but of course, that's not going to be as good as if it were developed into it and it was tested further upstream in the development process. And we will pause right there. Don't worry, we've got one more episode. We're going to wrap this one up, wrap up this season. Everything's coming together. We're going to continue our conversation with Christian. We're going to talk about pen tests and we're going to talk about what sorts of things you need to think about in doing that and what are the things that are going to show up because it is a little bit different, I think, from what a lot of people think it is when they go into a security audit or security assessment of any sort. But I will save that for the next episode. So as always, go out there and have yourself a great day, a great week, and we will talk to you next time. Amazon, anywhere that you can find podcasts, we are there. And remember, just a little bit of effort every day ends up adding into great momentum and great success. Please check out school.develpreneur.com. That is where we are starting to pour a lot of our content. We've taken the lessons, the things that we've learned, all of the things that make you a better developer, and we're putting it there. We have a range of courses from free short courses up to full paid boot camps. 
All of these include a number of things to help you get better, including templates, quick references, and other things that make us all better developers.