Curious, creative problem-solvers required – and ‘the 10,000-hour rule does not skip security’

Offensive Security's Ning Wang on nurturing the next generation of infosec pros

“We train people with things they will see in the real world,” says Ning Wang, CEO of infosec and pen test training firm Offensive Security (‘Offsec’).

Almost a year on since we spoke to Wang about her first year at the helm, The Daily Swig caught up with the former Hacker One COO/CFO again to discuss Offsec’s recent revamp of much of its course library in response to community feedback and technological changes.

In this wide-ranging interview, she also discusses creating viable career paths for security novices, the acquisition of VulnHub, and ramping up the development of Kali Linux, the popular Debian-based Linux distribution designed for digital forensics and pen testers.

How has your second year as CEO gone, and how has the pandemic affected your modus operandi?

The first year was just getting some basic things in place, and the second year was about really building the muscle to scale, whether on the people, processes or system side.

The pandemic did not hurt us from a demand perspective, especially on the consumer side. And most of our training is self-paced, so we’re already a perfect fit for remote learning.

We can’t obviously do our in-person training, so we introduced a new product called Offsec Academy, a 13-week, instructor-led, synchronous training course with self-learning in between lectures, demos, and one-on-one time.

It’s had tremendous feedback and is here to stay post-pandemic.

And [our workforce was] already more than half ‘distributed’ before the pandemic, so it was almost business as usual, and we had toolkits ready to deploy to help employees with the additional mental stress, the lack of normalcy.

Why do you think your training and certification programs have become so widely adopted – now buy up to more than 4,000 companies worldwide, including more than 90% of the Fortune 100?

The support from the community, the fact we listen to the community, and the fact the quality is optimized for learning things you need to do your day-to-day job is paying off.

We are not just building CTF machines; we train people with things they will see in the real world.

I think more companies recognize it’s really hard to find, train, and retain good security professionals. Those skills you can’t get easily just by reading a book; you really have to do it hands-on and [the fact that] our certification is increasingly required for jobs is a testament to that.

It’s not about how to use this tool or that scanner. It’s about being able to think creatively and critically, about solving problems – and in security, every time the problem is different.

We recently launched an ETBD advanced pen test course and Windows exploit [and reverse engineering] course.

We completely rewrote our flagship course, penetration testing with Kali Linux [PWK], which hadn’t been upgraded for several years. We added an Active Directory and our PWK labs grew from around 40 machines to more than 70.

Read more interviews with leading security pros

The overwhelming community feedback was: “you guys actually addressed all my complaints”.

[Our approach] is very much bottom-up: we came from the community, the community really loves us, and they tell each other that the best way [to get trained] is go get an OSCP [Offensive Security Certified Professional].

We launched the AWAE [Advanced Web Attacks and Exploitation] based on community demand.

A user recently posted a YouTube video about getting his ETBD certification – you could not pay for such a good testimonial.

We want our training to evolve with the technology. We came out with a pretty major refresh of AWE in 2020, and [replaced the] CTP course with three courses because defense has gotten so much better.

And when I joined, Offsec didn’t even have a dedicated sales and marketing team, so we really stepped up our sales and marketing effort.

Have you made any progress in providing viable career paths for aspiring infosec professionals with little to no technical knowledge?

When Offsec first started, it was targeted at people who were already doing the job and had quite a bit of prerequisite needed to do the PWK.

As OSCP became more famous, we saw more people who were still in school [who wanted to do the course]. But you need sufficient prerequisites – whether on Linux, networking or scripting – to take PWK sufficiently well to earn your OSCP.

So last year we launched a lab-only product called ‘Proving Grounds [PG] Play and Practice’, which makes it easier for people to get into security, [but is also] another way [experienced] people can keep their skills sharp and current.

Offensive Security funds and maintains the Kali Linux project

Have you noticed any recent progress on shrinking the cybersecurity skills gap globally?

All the numbers I see, it [the skills gap] is roughly the same. Depending on which source you look at, it may even be bigger.

The demand for security talent is increasing and training people takes time. Many [organizations] want somebody who is already very skilled with lots of experience – but there’s a very limited number of people like that.

So last year I took on two speaking opportunities and tried to promote a different approach: if we don’t have people already in security with everything we need, we should look in adjacent spaces, whether it’s a software developer, network engineer or system admin.

To be a successful cybersecurity professional you need curiosity, creativity, and to be a problem solver, and you have to put in the time – the 10,000-hour rule does not skip security.

RECOMMENDED ‘Train the basics’ – Bug bounty hunter ‘Xel’ on forging a lucrative career in ethical hacking

We have talent at Offsec who studied philosophy, or worked in the mail room, or were system admins, and after going through the OSCP journey they are [among the] best security talent [around].

My own journey is where I realized that there is another way to fill the talent gap.

I did a PhD in physics and transitioned to doing business at McKinsey. They put me through a mini-MBA. So I tell people not to be too narrow-minded.

Anything to say on the latest Kali Linux developments?

We formed a dedicated Kali team when I joined, and we are investing more in that team in 2021.

We have had quarterly releases since 2019. We are partnering with some open source tool developers who will release their latest tools exclusively on Kali for a period of time.

Whether it’s the Python 2 [end-of-life] or ZSH [becoming the default shell], not everything is very popular. People are used to how Kali had been before, but it’s necessary to position Kali into the future.

We’re not slowing down [Kali’s development]; if anything, we’re going to accelerate.

Last summer you acquired VulnHub, a provider of offline, open source, virtual machines for sharpening hacking skills. How do you plan to develop and, alongside your Exploit Database, leverage this?

One of the first things we did was leverage the VulnHub submissions and made some of them free machines on our ‘PG Play’ tier.

To practice with those machines, you had to download it onto your hardware. To make it easier, we hosted them on our servers, so all you need is a browser to practice. We also supplied hints and walkthroughs.

VulnHub and Exploit Database, another open source project that has the most publicly disclosed exploits, are great resources and we'll continue to invest in both.

What's on the agenda for the rest of 2021?

You’re going to see new content in a variety of different ways. We will continue to scale and reach more students, [with a wider range of] backgrounds and learning preferences.

And we continue to innovate on how to work well as a 100% distributed company during a tough time – just last week we had a sleep expert talk to us about the importance of sleep [for instance].

You really have to trust your employees and give them the flexibility to allow life and work to commingle. When they are happy with their life, everything else takes care of itself.

READ MORE Censys: How a university project became a major commercial security platform