CyberNews Interview: “skilful ethical hackers don’t have to hold college degrees”
With the digital transformation and the shift to remote work, the attack surface available to cybercriminals has grown. For this reason, the need for ethical hackers has only increased.
The very first association with the word “hacker” that comes to mind for most people is probably a cybercriminal. However, not all hackers have bad intentions. Ethical hackers, for instance, are people who legally help companies find vulnerabilities and protect themselves from cyber threats.
And according to Zaid Sabih, “more and more companies believe that skillful hackers don’t necessarily have to hold college degrees” if they have a passion for hacking. There are many learning resources, including hacking courses, that can pave the way to success.
That’s why Cybernews invited Zaid Sabih, the CEO of zSecurity – a company that provides various courses, pentesting, training, code review, consulting, and other services. Our guest shared his knowledge about hacking training, career paths, and cybersecurity topics.
How did the idea of zSecurity come about? What has your journey been like?
Hacking has been my passion since I was 12. Ever since I learned that I could earn money legally working as an ethical hacker, I knew that’s what I wanted to do for the rest of my life.
I never had the intention of starting my own cybersecurity company. During college, I worked part-time in iSecur1ty (a middle-eastern cyber security company) as a pentester and instructor. The CEO of iSecur1ty advised me to make a recorded course (as we only taught courses live in iSecur1ty), so in my second year of college, I decided to make my first ethical hacking course. Fast forward two years later, I already had a really good job offer at graduation!
Coming out of college I had two options: A – Accept a dream job as a pentester in Fidelity or B – Employ what I learned so far in college and iSecur1ty and start my own cybersecurity company.
This was a very tough decision as option A is what I always wanted. But I thought if I was going to take a risk, then this was the best time to do so, especially since my expenses were still very low as I was still living like a college student, and the course that I published during college was enough to help with the bills.
Can you introduce us to what you do? What makes your courses stand out?
When I first started zSecurity, initially we provided very basic cybersecurity services. All we did was pentesting and online courses. As time went by, we worked gradually on expanding our services and course catalog. Currently, we provide a wide range of cybersecurity services, such as pentesting, code review, consulting, teaching, a VPN service, and managed bug bounty programs through bug-bounty.com.
I think my courses stand out because of the hands-on approach. Everything that is covered in my courses is relevant. I don’t neglect the theory, but at the same time, I don’t teach any useless theory that tends to be boring and just confuses learners instead of helping them.
Hacking is not easy. A lot of the time, a number of things have to be configured exactly right; one small change and everything would fail silently or without informative errors. This could be extremely frustrating to some new learners, therefore we provide 24/7 support with all of our courses and direct access to all of our team through the VIP membership.
Besides hacking training, you also specialize in penetration testing. Why is this practice so important?
We never did a pentest without discovering any threats or weaknesses! Imagine creating or launching an application without testing its security. Even if it was developed by the best developers in the world, we all know humans make mistakes, and even average applications these days rely on a number of sources and contain a lot of code, allowing for more attack surface which will eventually be exploited by malicious hackers, especially if the application handles user data.
When you get a pentest, the team will approach the application like black-hat hackers, try to discover security weaknesses, and see how far they can exploit them. In the end, you get a report of all of their findings so you can fix the issues they found and protect the application and your users from hackers.
Have you noticed an increased interest in hacking courses as a result of the recent global events?
Yes, especially because of Covid-19, lots of businesses switched to cyberspace, which increased the need for ethical hackers to help pentest these new features that are being pushed so quickly. This actually was the motivation for bug-bounty.com, the platform that we launched last year. Bug-bounty.com is a managed crowdsourced vulnerability disclosure platform in which we act as the middleman between hackers and people that want to improve the security of their platforms, helping ethical hackers earn money by discovering and reporting bugs to the platform owners, and helping the platform owners secure their platforms from blackhat hackers.
What career paths are available for a person who is interested in hacking?
There are many exciting career paths for ethical hackers. The most obvious is pentesting, where you get hired to test the security of systems. You can also work as a consultant, trainer, or security researcher. There are also lots of freelance opportunities for ethical hackers, from pentesting to consulting or everyone’s favorite these days – bug hunting. Bug hunting has become very popular because of the freedom it offers, as hackers are not tied to specific working hours or companies while being quite lucrative if you are skilled.
What tips would you give to someone looking to break into the cybersecurity industry?
These days there are so many ways to break into the industry, especially because more and more companies believe that skillful hackers don’t necessarily have to hold college degrees. Becoming a hacker boils down to three main steps:
- Obtain the skills – you can’t work as a hacker if you don’t know how to hack. Luckily, this has become very easy and obtainable to everybody, from online courses or free resources to full college courses.
- Practice the skills – this used to be very difficult but thanks to all the online labs and bug bounty platforms, you can legally practice hacking and even possibly earn money if you discover bugs in bug bounty programs.
- Prove that you have the skills – this is only needed to pass the HR barrier. These days, showing your abilities is much easier as you can build a good reputation and experience through bug bounty programs and/or by completing cybersecurity certifications.
Unfortunately, many organizations take action only after an incident occurs. Why do you think people are reluctant to keep up with cybersecurity?
Simple: the goal of most businesses is to increase revenue. Cybersecurity is expensive and unfortunately, if it’s done right, the benefits are invisible! You simply won’t get hacked, which is misinterpreted a lot of the time as “we probably didn’t need this, should have spent that money on marketing which would have resulted in more profits!”
Another issue is that, a lot of the time, businesses think they are secure because they haven’t been breached, which is false. In many cases, they haven’t been breached because they have not been targeted yet.
In your opinion, what cybersecurity practices are a must these days, both for individuals and for businesses?
Education is vital for both individuals and businesses, especially since lots of breaches involve an element of human interaction or social engineering.
Businesses should also at least get a pentest done whenever new features or major updates are done. Ideally, they should get a pentest, get the code reviewed and have an ongoing bug-bounty program. This way, even if anything is missed after the pentest or the code review, the bug hunters around the world will find it and report it.
Having a bug bounty program is extra useful because, unlike pentesting and code review where the work is only done once or periodically, in a bug bounty program the system will always be tested by ethical hackers around the world, helping you stay on top of new discoveries or vulnerabilities that might not have existed at the time of the pentest or the code review.
Would you like to share what’s next for zSecurity?
The plan is to continue to grow all the platforms and services that we offer. I’m really excited to grow our latest platform bug-bounty.com to help bridge the gap between hackers and business owners, ultimately making the Internet a safer place.