View Show Notes and Transcript

Episode Description

What We Discuss with Alannah Guo:

  • What’s the best way to get into pentesting?
  • Do you have to be a fan of gaming/star wars/mr robot to be connect with fellow cybersecurity people?
  • Is it important to technical as a women to be respected by male colleagues in cybersecurity
  • What are the advantages of working as a pentester, if a female audience member is in cloud and wants to get into web app pentesting, it is an advantage or not?
  • Are there any communities that our audience can be part of to network or learn more about PenTesting
  • What is 0xCC?
  • What was special about the 0xCC merchandise this year?
  • Value of Women in Cyber groups / seeking Mentorship
  • And much more…

THANKS, Alannah Guo:

If you enjoyed this session with Alannah Guo, let her know by clicking on the link below and sending her a quick shout out at Twitter:

Click here to thank Alannah Guo: on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at

Resources from This Episode:

Ashish Rajan: [00:00:00] Welcome to cloud security podcast as well. for those audience who are the Cloud security podcast members, and Welcome to the Virtual Coffee with Ashish show, we are talking about pentesting. And I have Alannah who is gonna really demystifies some of these things for us. So I’m going to start with the obvious, question for people who don’t know much about Atlanta, who is Atlanta and what is your spot?

What was your path into cyber security?

Alannah Guo: [00:00:29] Okay. who am I? I really like food. I think that can basically encompass 50% of it. My path into cyber security. I did a bachelor of software network engineering. I’m in about my third year. I think. I decided to explore more about what my, what options I had after my degree, I suppose.

So. I had to look around and I went to a bunch of local, computer related [00:01:00] meetups. So I went to a scholar meetup or functional programming meetup, some software dev meetups, web application meetups. and I got to security meetup. it was originally called Mon, but now it’s called Seasides by calling Sylvia who are the same people that run besides Canberra, which is the biggest.

Cyber security conference in Australia and New Zealand. they call it a happy con. It’s very, it’s technically focused. but it’s really great. So you should go to it. but anyways, so I went there and the first, talk they had, there was by OJ who, is a very well known,, Yeah, I guess he does a bit of everything like, research and pen testing and all that red taping and stuff.

and he was seeing talk on Metis Floyd, which is a very popular, tool for new starters to use before you get into a lot of the manual stuff. and I thought that was so cool. and I met a lot of the other people who introduced me to CTF and I was a big gamer at the time. And CTS are they’re called, [00:02:00] it’s called capture the flags.

And basically it’s just a whole bunch of like, Yes, hacking challenges., and the more you solve, the more points you get and you compete against other teams. And the like, and I thought that was just so much fun. I like competition. And so that’s kind of also, and a lot of people who do pen testing or sorry, also like CTS.

And that’s how, I guess I met those people and I decided that Ken Tessie was going to be my job. but how I got my job was, so my degree had an honor, I didn’t honors and I needed an internship as part of that. and the company that took me on, I originally asked for pen testing, but, they gave me a security, deaf role.

so they can give me a,, research project, which could also double as my research project honors, which was really nice with them. And then they offered me pen testing after my internship. So, yeah, that’s my way into pen testing. I guess [00:03:00] I was really lucky. I like, I don’t want to make it sound so easy because I had a friend who had been a dev for, I think, 10 years or so, really competent guy and he got his OCP.

He studied. so for anyone who doesn’t know, OCP is like your. Benchmark certificate, like, the assert that everyone recognizes and respects, in pen testing, he got that in his own time. It’s, it’s quite hard, for anyone who’s starting out. And then he, I think he, it took him about six months to a year to actually find a job in pen testing.

so it’s, I was really lucky. there are internships in graduate positions, in pen testing, but it’s. Sort of a right place, right time kind of thing,

Ashish Rajan: [00:03:53] to your point. It’s interesting. Right. I think how you mentioned the, about the fact that, you feel lucky that you had an interesting, [00:04:00] I guess, a quicker path compared to some of the other people and for people who are hearing about offensive security, that is a badass course.

Try harder. Oh my God. Hashtag try harder is like, it has a very different meaning to life after that.

Alannah Guo: [00:04:15] Pretty rough. I think it’s good because they develop, I guess it, the, the point of OCP is to develop your problem solving skills, and your way of thinking more than anything. like the, once you learn all the skills, you need to do the OCP.

It’s like you, you look back on it and you realize, Oh, That wasn’t so complicated, but it’s about like going through that process and understanding of like going through that process of learning, how to break things and like finding ways and also developing that patience of like looking through everything to find that one thing that will get you like protest or something like that.


Ashish Rajan: [00:04:57] yeah,

a hundred percent. and I [00:05:00] think because the audience that I have is. What we saw in the cloud space as well. So they either heard of public cloud or work in the cloud space. And as bent as yourself, do you come across public cloud quite often? And in what context.

Alannah Guo: [00:05:14] I come across like a lot of like, frameworks, I guess.

Like we, we test, web apps with like a zoo and stuff like that. so having a call background is definitely helpful. like any other background in competing to get into pen testing, because you need to understand something to be able to. I guess

Ashish Rajan: [00:05:35] talking about getting into pen testing, how for people who are listening, obviously I’ve got a mixed crowd of, there are people who are students or people who are transitioning into cyber security.

So keen to know what you recommend for people who I guess are seeking a role in pen testing. How can they approach it?

Alannah Guo: [00:05:51] Right. yeah, fantasy is really fun. Get it on it. But, so I guess there’s two different ways you can [00:06:00] do it, is like, if you are a students or someone that’s fairly new to it and I guess security and computing, that kind of thing, you can kind of pick it up in your own time.

and you know, just like to do what I do. I played CTS. there’s also heaps of all my resources, like, Like, over the wire. So Natis, and the bison are, they’re like the most basic, I guess labs and they’re really good. there’s also like Pico CTF, which runs every year and they have like really basic, wasn’t good challenges to really fairly advanced ones.

And you can just work your way through it and. People often do write-ups of them. So if you get stuck on something, you can go Google a write up and see how you could’ve gone. among other things like studying your own time. And then I guess you get an internship and graduate position. and that’s cool, but I guess for anyone in that position, I would recommend that you.

Understand that you’ll probably spend all of your free time in the next [00:07:00] year, learning about everything because I guess 10 tests, like I, I did a similar thing because pen testing is like, you don’t need a deep knowledge of everything, but you do need a knowledge of a lot of things to like, so you can break them.

Cause if you don’t understand, I guess how they work, you can’t. but the another part that is very popular, and a lot of my colleagues have taken, is that they go into like software developments or like, I guess cloud security or network security, CIS admin, you know, all those jobs as they get an, a deep understanding of those roles.

And then they can bring that information into security because they’ve already worked on things like that. And they’ve already configured make configurations and stuff and seeing what works and what doesn’t. They can also come back, take that knowledge and. Good break it, I guess. and then I guess you could start out if you’re a network engineer, you could start out with like infrastructure network, pen testing, and while you build knowledge on web apps and stuff like [00:08:00] that.

so yeah, that’s another way to get into pen testing, I suppose.

Ashish Rajan: [00:08:04] Well it’s and to your point, it seems to be quite a few various ways, but do you find, and, it’s one of those things, but hanging out with people it’s circular because there’s certain. Personality type, I guess you’re going to have to be on our personality.

That’s maybe more of a fan group, as you said, because there’s a common misunderstanding that you kind of have to be in love with mr. Robot or be a star Wars fan or gaming fan to be a fan tester. Is that true?

Alannah Guo: [00:08:33] I, I think like pentesters or like any other humans, we also have other interests. I’m a big gaming fan, but I haven’t watched the first six movies of sellers.

Don’t hate me. No, I think they were made before or like around the time I was born, like,

Ashish Rajan: [00:08:54] yeah. I mean, I haven’t watched all of the meters, so I mean, I’m like totally not dealing in with any [00:09:00] cyber security vehicle clearly. And here I am pushing media for totally not jelling with anyone in cyber security, I guess.

Alannah Guo: [00:09:06] No, it’s just this. So many people are like this. So many different types of people, like in any other part of society, like, all people are welcome.

Ashish Rajan: [00:09:15] Wait, so they’re not the normal people. Is that what they are? They’re normal people. They don’t have. I don’t have to have this special interest in most men.

Cause clearly I get messages on LinkedIn people saying, Oh, do I need to be a gamer to be hanging out with these? Cause to your point about, I guess network is an important part as well. When you’re trying to become a, I guess, get into any field, they don’t really pen testing, but I guess part of the thing, so again, getting messages on LinkedIn, some people like, Oh, I’m into this game.

And I’m like, I don’t care. I don’t have, I haven’t heard of that game before, but I don’t know. What is that? The relationship you are trying to build with this, and then I get it, get you a job or something, or anyway, it’s, that’s why I find that really fascinating. Although there is a, I guess a bit of a different side to this as well, because.

I’ve had a few [00:10:00] female guests before, and they’ve kind of mentioned that it is important to be technical, to get respect from your male colleagues. And obviously the female guests that I’ve had in the past, most of them have been from overseas, like United States and stuff. So curious to know your experience in Australia, if that has been different about this, or what are your thoughts on this?

Alannah Guo: [00:10:20] Right. I think, let me see how I can word this. I think like in any job to get respect from your peers, you need to be competent at your job. And if you’re in the technical side of security, then you, I guess you do need to be technical because that makes a competent for your job. But I think a part of security, There’s kind of this culture.

I mean, it’s very, it’s not very prevalent in Australia. I’m Australian cybersecurity culture is actually really good. but there’s a little bit of a, like, you know, Leeds, or like, [00:11:00] you know, super technical or GTF kind of thing. And I guess we were almost a little bit elite. some people, few people, elitist about, I guess if you’re nontechnical, then you’re not worth talking to, and you’re not worth acknowledging.

and that kind of thing. And I think that’s really unhealthy. And I think that like, jobs are there for a reason, right? There are people who do policy and that is there for a reason. And, there are people who do like admin stuff or accounting, or like, customer facing like. Yeah, that kind of thing.

And those are all important. Right. And I think while yes, you do need to be technical to be restricted if you’re in a technical role, I think, as a woman, or just as anyone insecurity, I think, there needs to be just slight change of attitudes towards, I guess. Understanding what people’s jobs are and respecting that they have different jobs, [00:12:00] rather than just, you know, cause like people always talk about in like business cases.

Sorry, I know I’m going a little bit off topic here, but people always talk about like, I talked to a lot of managers and stuff or like, directors and they always go on about like how technical people always want like the best, most perfect solution.

Ashish Rajan: [00:12:19] Okay.

There you go you’re back. Yes. You lost, lost you again. it came back and went again.

no, don’t worry. Maybe unplug your mic and book again, just to see how it goes.

We should be paying and praying harder demo gods.

[00:13:00] Oh yeah. He came up

Alannah Guo: [00:13:04] say something again.

Ashish Rajan: [00:13:05] Yeah, you can. Yeah. You’re there.

Alannah Guo: [00:13:09] That’s all right.

Ashish Rajan: [00:13:09] No, I’m just saying we need, we should pray harder demo guards. Cause my, my sunlight and, your mic at all, all acting up. But you were saying, so you speak to a lot of managers. Talk about

Alannah Guo: [00:13:23] folks. Yeah. Like, so, I mean, we always, like, we find out art’s beautiful.

Right. We find the perfect solution. Beautiful. But like, I guess managers sometimes have complained that, you know, there, there are other constraints, like budgets or like customer requirements or other things. and so I guess what I’m trying to say is like, everyone’s, you know, right. And everyone has their perspective and I guess.

The, the concept that you need to be technical to be respected should. Isn’t great because that, dismisses a lot of other roles in security that have they placed insecurity. anyways, that’s just my answer. [00:14:00] Sorry.

Ashish Rajan: [00:14:01] Right. I think it’s, it’s definitely, it’s, it’s the, it’s actually a good related tangent as well, because she went about, and the kind of was the origin of that gaming question as well.

Cause you almost. To forget that there’s another layer of society around you as well. Right. Where it’s great to be, I guess, into a particular application or something. But if it doesn’t bring value to someone else, like for example, it, it would not make, bring value for someone. If I’m not a star Wars fan, I’m trying to.

Focus on. I’m trying to pretend to be a star Wars person. I guess they say that there’s no point it comes across quite fake as well. You probably end up breaking a relationship and sort of making one. So you’re better off just saying, yep, this is how it works. This is what I am. But to what you said earlier, you feel it’s different.

being a child. I know you had an interesting journey yourself in Japan, Justin, but. through the work that you do for the community, do you find that, like, what are the common questions you get asked from [00:15:00] people or, or is there a difference in being a female and approaching bench testing?

Alannah Guo: [00:15:06] I, the only difference I can think of with pen testing with.

Women might have a benefit. I worked talk about the ethics of that, but, would be social engineering and retaining. that is definitely an advantage. It’s I dunno, society has license, right. and also men can’t pretend to be pregnant. I think I heard, Jack hide, if anyone doesn’t know, she’s a very well known red table.

She, did a talk once where she talks about how she presents me pregnant and she like walked around and she had an RFID, Cup in her purse or her bag. And she kind of plopped down, sat next to this woman who was on her smoke break and had the bag was right next to her RFID card or the employers. [00:16:00] And she was just complaining about how she needs a seat and you know, how sore legs were.

and then like during that time and they managed to climb the RFID and then she walked away and she got into the building. Whereas a man, I guess, approaching. A woman just sitting right now, next door and starting conversation is not like it’s just examples like that as much, but a pen testing, I think benefits like in general from all kinds of views, right?

Because it takes all kinds of people to make applications in networks and that kind of stuff. There’s like all sorts of people who. Like all sorts of trains of thoughts, I guess, in those fields. So we also need all kinds of trans thoughts in pen testing, to be able to understand those people and break those applications or networks or systems or whatever you’re testing.

I suppose

Ashish Rajan: [00:16:46] I just imagined a scenario where a guy just walks up and sits next to another guy. That guy recorded stuff away from you, man. But that’s your point about the society bias? If a [00:17:00] woman comes and sits next to another woman, it’s the, it’s the safety thing. Like it’s like, Oh, you’re, you’re part, you’re part of my group.

Whereas if you do that with another strange man, you’re like, dude, just maintain this students, man. What are you doing? Like, you’re just, this is my zone. You’re in my zone right now. He’s just like, Hmm. Okay. So it’s up to the point and I didn’t realize there was a bit of a bias in policing. In Japan, it does take a certain kind of person to do this as well.

is there, I guess in terms of, cause I think networking is earlier, it’s like an important thing as well. Do you find if people are like students and stuff, suits and stuff like anyone who’s trying to transition to cyber security or is it student is networking important for them? Like are there like, communities or things that they can be part of that.

and I guess to point, maybe even before we go into this, is there because specialty and then like networking dead, or how does that, how would that work?

Alannah Guo: [00:17:58] Oh, well, pet [00:18:00] testing is I guess, a speciality. so we’ll just talk about it in the context of, pen testing, because I think it works the same for everything personally.

I think networking is, I think making friends is, a better way of seeing it. but like, Oh, sorry. What was the question?

Ashish Rajan: [00:18:25] The communities that people should be part of, and to your point, networking is a dirty word, but you feel first, is it important? And if, and if, if are they communities or stuff that you recommend that people should be part of to make friends.

Alannah Guo: [00:18:39] Oh, yeah, absolutely. and also, I think you mentioned something about students, which I will cover later, in regards to, I guess, meetups and groups and places you can meet people. if you want to learn technical things, sec talks is really good. it’s run by patron in Sydney, and, but it’s all over all [00:19:00] across Australia and New Zealand in, and like around the world, I think there’s a few in, Europe as well.

and there. Technical meetups like the camera, every city’s a little bit different, but they follow the same train of thought where you kind of, you have a community member every month, come in and give a technical talk on a technique or vulnerability or something they’ve discovered recently I’ve found interesting.

And, in Canberra, at least you bring your laptop and you can practice whatever they’ve just taught. and get hands on experience. If you have any issues, you can also ask them and people kind of just take turns learning. they. Yet from, I think camera’s around 32, like really big, I think Melbourne, every month they fill up and you have to, there’s like a waiting list.

It’s, it’s insane. Getting into like Melbourne’s told us is odd as I think Sydney is similar as well, but that’s really good. if you’re in Canberra, Seaside’s is really good. they’re run by Kalene Silvio and you get about two talks every month. and they [00:20:00] just bring in people with like, from different technical areas insecurity and you get to learn about two technical areas, a month and then go out for drinks.

and then hats is really good. So how Moshay, who has a PhD? She is super awesome. I love her. Yeah. And she has, she also runs her own consultancy. If you’re a woman, she, runs a workshop. For women, I’m on pen testing and security. And she often brings in guest speakers. like I think Kim for binary exploitation and similar stuff like that.

there’s also stuff like that running around, but also the conferences are really good. like Australia has quite a few conferences, besides camera’s is definitely the biggest. But, and also Kobe con is quite big. AppSec is quite big. but also the local community, community conferences are really good as well.

Like cranky con and stuff. They bring people from all around Australia, but, it’s a bit smaller. So you get to meet a lot more people and make close to bonds. but there are really [00:21:00] good because a lot of them have at least student tickets if not travel grants. So, I helped run the hacker chicks. hacky chicks is a group run by Kali as well.

I ha helped run the travel grant for besides, so we, paid for accommodation and flights for a bunch of women to come to the conference. Either students or people tended to work and things like that. Unfortunately, COVID stopped that from actually

Ashish Rajan: [00:21:27] happening.

Alannah Guo: [00:21:34] Oh, sorry,

Ashish Rajan: [00:21:36] I didn’t want to, I don’t want to interrupt you. I was like, that sounds like an interesting offer for anyone listening in, but the gallbladder thing is, makes it really interesting. Although you’re in Australia, you can drive it. I don’t know. I guess borders was stoned open up.

Alannah Guo: [00:21:47] You’re in Australia.

Ashish Rajan: [00:21:51] You shouldn’t be able to drive to new South Wales or Victoria.

Alannah Guo: [00:21:54] Yeah. But like people coming from Perth, we also flew in people from New Zealand as well. [00:22:00] So New Zealand, Australia, we kind of like insecurity. We kind of just. Grouped together also con they, last year I, they had a bunch of training and security training gets quite expensive, like in the thousands.

And they kept like several seats free for students. So you all like people who couldn’t afford to, but like, you know, wanted to, as they offered like a whole bunch of people, free tickets to like really expensive training, which was really awesome. yeah, I guess in general, there’s. Everywhere conferences are the biggest place.

And if you’re into pen testing, I definitely recommend just taking laptop to a conference, sitting down and working on the challenges. And if you have issues or if you don’t can’t work out something, go talk to other people. and then like almost everyone I’ve talked to when I was starting out, helps me out, and was really kind about it.

And you also get to make friends and meet people that way. I think that’s about it

Ashish Rajan: [00:22:54] to your point about making friends. Is it important to make friends and Ben testing from conferences?

[00:23:00] Alannah Guo: [00:23:01] I’m

Ashish Rajan: [00:23:02] not going to use the word networking. So like

Alannah Guo: [00:23:06] depends what your goal is, but I mean, I guess friends are always good, right?

Ashish Rajan: [00:23:12] Yes. Your friends are always good, but then you kind of have to go seek out these. Right. So to your point about, I’m trying to reframe the network.

Alannah Guo: [00:23:22] I don’t think it’s just pen testing, friends.

You want, you want like people from everywhere insecurity because I often we often end up in like group chats where we just like, we just put in like, Oh, there’s this new, Development in like, I dunno, network engineering and then there’s like a new vulnerability someone found here or like, whatever else.

Right. And like, people talk about like, yeah, like you as a fantastic, you want to know about everything, right. Because you will probably eventually test a bit of everything. but it’s also. Fun to know if you’re a technical and you just want to learn everything, I guess.

[00:24:00] Ashish Rajan: [00:23:59] Yeah. That’s probably the, the curse of being a technical minded person.

You’re going to know everything as well anymore. Sometimes when I get into the details of things as well,

Alannah Guo: [00:24:08] and then you don’t get slick, but to ask you a question about networking it, unfortunately, a lot of places, hire by word of mouth., I mean like, cause people like security has a very, I’m sure a lot of.

Well, tech places have this now, but, security has, is very focused on culture as well. like the whole note dickhead, policies. So like, if you have someone that can like recommend you, when you put your resume forward as like, you know, he’s a solid guy, he’s not a dish bag, then you are more likely to get the job.

Ashish Rajan: [00:24:47] I guess.

So started making friends as you start doing offensive security courses. And as you go through them, find graduate roles probably is a good summary for, I guess, cause they are junior [00:25:00] roles as well. They don’t come that often, but if you’re at your point, if you do hang out, meet up for conferences and meet people out your point or make friends, I guess you can always let them know that you are.

I’m looking for our opportunity and more can you, and I think, I mean, that’s how I came across the first call, but that, cause it was really interesting for me to kind of tell people to do this, but I always find it difficult to show the value of it because it would take me six months before I got the job, got the job.

It wasn’t like I went in day one, met, met a guy and they do, I go to the job at night. It didn’t, it took a while, but. I had to kind of prove myself as being consistent and being really interested in cybersecurity, where to grow something in this space. And that’s kind of where. I guess the whole thing started, obviously it’s the award since then, and now I’ve got much bigger goals for cybersecurity and that, which is a good segue into my next question.

About zero CC. Oh, sorry.

Alannah Guo: [00:25:54] I just had one more thing to the end of that with the graduate programs and the internships. [00:26:00] There are a few of those going around. I definitely recommend you applying to, but also just apply to places with my current role. I worked for TSS who got bought out by cyber CX, and we’re currently in the process of integrating to them.

But when I applied there, they didn’t advertise. Anything, I just, I wrote her a letter to the CEO or the director, and I was like, Hey, I’m really interested in, pen testing. I do, I’ve done all these CTS. I came second this and, you know, I do X, Y, Z, and I’d really like an internship to learn, and, you know, et cetera, et cetera.

and yeah, he, he gave me a job. he didn’t even. Well, the testing, my qualifications

it’s like, wait, what? But apparently a few of the guys had seen me around playing the CCS as well. So they found me, but I only found out out like a year later. But [00:27:00] yeah. so like, don’t, don’t be afraid to just ask, like, I mean, you, you will get shot down, but like, you might find an opportunity as well. so

Ashish Rajan: [00:27:08] you have LinkedIn as well.

So you can do to your point, you can reach out to people on LinkedIn and, get to. Oh, I guess let them know that you are in the role. You’re looking for the role, or this is what you have by the way, a ballsy move and congrats on making that ballsy motion with the CEO and asking you for that.

Alannah Guo: [00:27:26] I just, I, I met some of the people from that co the TSS and like, they were just so passionate about, I guess the, yeah, that was just so passionate about CTS and just.

Doing well and CTO as well. It’s just like, Oh my God, that’s dedication. but I think, another thing I just want to add one more thing before we go into the next topic, to all the students. Cause I guess this question is targeted to them. you don’t need technical skills as a student. You like, I mean, everyone’s not somewhere, no one expects you to be perfect, but you do.

[00:28:00] Cause because pen testing is something, Job that you constantly need to be learning. you should aim to show like your initiatives. So show that you’ve done all these challenges and you have write-ups or you, you’ve competed in the CTS or, you know, that kind of thing. He goes conferences, et cetera, et cetera.

Right. to, I guess, demonstrate your keen and willing to learn. yeah,

Ashish Rajan: [00:28:26] that’s an important point.

How many people don’t talk about it enough as well as the consistent learning piece. And I think it’s probably difficult. Like when you’re in uni, all you’re doing is trying to learn and I went to you and you’re like, Oh my God, I still continue to learn after uni. Like, what is this? So I,

Alannah Guo: [00:28:45] unfortunately,

Ashish Rajan: [00:28:48] I mean, unfortunately the reality is I feel like everyone’s a constant learner, no matter what field you pick, after uni, you’re still learning.

Learning every day, it just doesn’t stop. [00:29:00] And I think it’s sort of bad thing. I make it sound as if it’s bad, but it’s actually not a bad thing to John’s point earlier about if you’re technical and you want to know the details of everything, it’s probably a good and a bad thing, but it that’s what helps you.

make better decisions for the company and give them right advice to be able as well. So it’s, it’s always beneficial and always helped you progress further. So I don’t think education that was stalled, but I guess it’s just about being in that mindset. Like when you’re in uni, all you’re doing is studying and like, Oh my God, I just have to keep studying every day.

Like, it’s one of those ones and I’ve had a few conversation with a couple of guys from uni and they’re all like, We’re asked to continue you studying. I thought once you finished uni, I started getting paid and that’s it. Like, I just I’ve learned everything in my life. My parents said, but clearly it’s not, it’s not true.

Alannah Guo: [00:29:46] Yeah. But I think the difference is that in uni, your you’re studying. And if you don’t always know how. Well, where you’re going to apply that, they kind of just do arbitrary things and you’re just like, do this, do that. And it’s just whatever at work, you, [00:30:00] you’re learning as you go and you can actually see in real time the application of what you’ve learned and the like, and I think that’s really rewarding and it makes the learning actually fun.

So you start a little bit about uni students.

Ashish Rajan: [00:30:13] I think, certainly for the industry I did want to add, and I think I look for this and be blind to view. And I don’t know if you come across this as, but like, if you’ve already done some work to your point, either parts of it in CTF or have some kind of a tool, like a security tool that you’ve created or achieved, which is good to have repo somewhere.

Like those are all like massive plus points. You may not have attended any conferences, but you have like a portfolio for yourself for stuff that you’ve been learning or even blogging about. People do look out for those things these days it’s not bad, or it’s only just mr. X is saying I’m an amazing guy, but also the fact that you’ve proven over time that you’ve learned so much.

I think, I don’t know if you feel that’s an advantage, but I kind of look for those things as well.

Alannah Guo: [00:30:57] Oh, absolutely. Like, you, [00:31:00] yeah. Would say showing initiative and a willingness and a keenness to learn in pen testing and I guess security in general, any job, is really important, I think.

Ashish Rajan: [00:31:11] Yup. Yup.

Perfect. Alright. The good time to move on to our bigger things in life. Zero ACCC, what is it? And I’m not going to screw it the second time round, so they’ll let you instead use this. So, what is it and why should people know about it?

Alannah Guo: [00:31:27] zero CC is a free training or free to attend it. It’s not to the sponsors.

well, yeah, but I don’t know. Just so that was funny, but a free training conference for women in or interested in cyber security. the names Zurich CC is I know it’s a mouthful. people keep telling me to change the conference name, but, it’s. it’s an upcode four in three. and it’s useful.

It’s about debugging and I loved it when I [00:32:00] was first learning how steep off overflows. and it was just life changing. Cause, it’s like a single bite, whereas like most of our codes are two bites. so yeah, anyways it was, it was just great. And I guess I hoped Xerox, ACCC would be like that as well.

Just like, you know, technically focused, no BS, and you know, useful to the attendees. And yeah, I guess, what

Ashish Rajan: [00:32:26] I had even a free

Alannah Guo: [00:32:33] it’s completely free to, so like we get the money from sponsors, but it’s completely free to the attendees. And we also provide, travel grants as well. So last year we flew six, students or students or women are looking to get into security or just unable to attend, due to their needs and stuff.

Then yeah, across Australia this year, obviously we couldn’t cause COVID and we ran online and next year we’ll [00:33:00] be offering travel grants. Again, I think it’s important to make it as accessible as possible because, like I think if you ask most women insecurity, they say you’d be lucky to have more than like, you’d be lucky to have another woman on your team.

I haven’t and I think. Like, like any, anyone, your more likely to stick to your own group of friends and people, you know, than to venture out and meet, go join other groups, as events. And so it becomes harder to meet women, I guess, other women. And I think it’s really like a lot of women say, or a lot of people say it’s hard to be what you can’t see.

And I think it’s really important for people to see that there are. Like really awesome women who are really technical and also like women that they can meet that will like they can grow together on their journey through cybersecurity and learn well, cause, so talking about that bias earlier with, Like social bias.

Yeah., I think there is like, [00:34:00] some people feel this need to compare women for some reason. I mean like people to have a tendency to, mop minorities together and where one person’s or something like other people are like, you know, they get compared. And I think that creates an unhealthy. Balance. And it also means that the women who are seen are generally the very successful ones and who do well, but like anyone like you or me, we all started somewhere.

Right. and I think it’s important to see that there are, you know, women in all like all stages of their career. And also that, like, there are women, all niches of their career, not just pen testing, but binary, exploitation, research, cloud security, whatever else. and I think. Yeah, I guess I just want to encourage them to keep going in the technical roles if they want to.

I guess, and I think it’s also a great way to bond and make friends. and by friends, I mean, actual friends don’t now because the training is hard and [00:35:00] very technical. And what better way is there to make friends than to like, Yeah, annoyed over a really hard lab that you’re trying to just gave me.

Ashish Rajan: [00:35:09] Is it only been testing training though?

Or what kind of training can they expect from the conference and how often is it

Alannah Guo: [00:35:15] held? no, it’s, it’s not pen testing, focus at all. It’s just technical security. because I think like pen testing and security all bleeds into each other, like they all take parts though and need parts from each other or little knowledge.

so last year we did have a pen testing course that was actually run by Pam O’Shea. she was very good. Yeah., but this year we had, binary, exploitation, exploiting network, sorry, network protocols and devices by, Carly McDevitt. she’s a very good network engineer. and we have like introduction, Oh, sorry, cloud.

Secure cloud network security by Franklin Maretta or I think she, you might know her she’s in Melbourne. [00:36:00] I would basically

Ashish Rajan: [00:36:03] follow her on Twitter. I need to bring her on the show with her one day, but,

Alannah Guo: [00:36:08] now we’re analysis, invest engineering and, security for software developers. wait, have I reached five crap? I think I have. I guess it’s just to encourage, cause like you want a broader perspective, right? It’s like Elliot was talking about how like some technical people might dismiss managers and slightly less technical people, policy makers, that kind of thing.

and I think that’s wrong. You need to understand all aspects of security to have a holistic. Like a purchase security. Right. and so it’s just them to build people’s technical skills. and yeah, eventually I do want to bring in hardware security. And, also for next year, I’m thinking of bringing in smaller network, workshops.

So like, cause security, technical security, we don’t. Get to build our [00:37:00] soft skills as much. So I want to bring in like speaking, workshops and, I guess physical security workshops, just like with low boss, but it gets people thinking. And then if people want to go get talks, it helps more. If people want to approach management positions, it might help with that as well.

and kind of small things like that.

Ashish Rajan: [00:37:21] I mean, I get, I get the, I’m just curious for more divinity to start. I mean, if it’s a long line, so maybe it’s a port for another time, but I’m just curious, like, cause you, you run it. You’ve been running it for two years now. So this was his second year

Alannah Guo: [00:37:34] and

Ashish Rajan: [00:37:35] is something had more divinity to start it?

Alannah Guo: [00:37:38] The short answer is I don’t want anyone to be treated the way I was treated and I don’t want anyone to feel the way I felt there is a much longer, but I think definitely some down to that,

Ashish Rajan: [00:37:52] I will leave that for people to reach out to you and hear, hear, hear straight from you. I did want to ask as well, is it only [00:38:00] for women and is it only for women trainers as well?

Alannah Guo: [00:38:03] Yes. So, the model currently is,, anyone who identifies partially or wholly as women, our bathrooms, for 2019, where or unisex, like, you know, we, people identify as how they identify. That’s. Yeah. and, all our trainers are women as well. and anyone who helps the conference, all speakers or, and our panelists last year, they were all women.

just because like, There, there are enough men, the trainers and speakers. It pretty well promoted, and I want to promote women and they want other women to see women, you know, do the same thing, right? Because there are enough, it’s just, some people might be shy or you need to go find some people to like dip them out and be like, Hey, come on.

Talk. I have to do a bit of begging with the speakers,

[00:39:00] I guess.

Ashish Rajan: [00:39:02] To your point? I think, something else that I wanted to bring up, about the conference is,, when this was going, I think it was last weekend. And as I was forwarding it on LinkedIn and litter and Twitter was lit with all the merchandise. Can you talk a bit about that?

Alannah Guo: [00:39:19] Oh, you get me excited.

So, I like learn how to run conferences from designing the as second merchandise, you know, or second the fiscal security. Yes it’s anyways. and, so our main merchandise, our conference badge, is a 90 by 90 centimeters, silk scarf. and I chose that size because, It’s like, if you boil it down, it’s like a, it’s just a square piece of fabric.

Right. But like people have decided that this square piece of fabric is a scuff and it should only be one as an exile, but, you know, you can wear it as so much more. And especially at that size, I designed it. So it was big enough to be worn as a hijab. it can also be worn as a [00:40:00] top. I will, my scuffle last year as a top.

you can wear it as a head side, and accessory has a bag and I think, I guess it just. Like, cause there is this, there is this somewhat bias. Like if you talk to women who goes to conferences, there’ll be like, you know, people would just assume go onto them and seeing them, they’re like a recruiter.

They’re not technical and they’re there with a partner or whatever. and I just want to. That’s who represents your ACCC as like, you know, with us tell, and we can’t do all this stuff. Don’t fricking pigeonhole us as just nontechnical or whatever stereotype you came up with. Oh actually, actually let me show you, sorry.

Yeah, give me two seconds. so this was this year. Yeah, it’s a bit like cyber, so I try and not make a Gilly. I just make it like a little bit tech and then it has all the speakers and training and trainers on this stuff as well.

[00:41:00] Thank you. I they’re actually free. so I give them to everywhere.

Ashish Rajan: [00:41:10] I would feel like I should have just been part of this conference as well. cause by the way, to your point about the stereotype, cause I do a lot of men’s session work myself as well and to stand out. Cause I think there’s a point about this year.

I, for women being considered as recruiters or, I guess, or if being with their partners in the conference, the bias and men as well, the funny bite, cause I usually wear suits at meetups and I just, because I just love being suits and that I, for me, it’s men’s fashion thing and I do other things as well, but every time I’ve gone to a meet them in a suit, they just is, I’m a recruiter.

Autonomous sales guy trying to plane I’m like, but I don’t want to take, he goes, I was security but said, but I kind of have to like prove it every time it’s almost have to go to the sprint that goes, all the people who are a hoot or automatically walk [00:42:00] over, they’re like, Oh, there’s another recruiter over here.

I’m going to get banned by him. I’m like, dude, I that’s why I feel like it’s really. Interesting that you pointed out the bias, and I’m glad that you’re trying to break the, I guess, the bias that exists for it. I, and one more thing on this, especially because we’re talking about women in pen testing, is it any value?

And I think mentorship is something that a lot of field Lord on Twitter for substitute students and women as well. Is there an element of that in this, or, I guess cyber security groups for women. Like they should be seeking mentorship. Is there any thoughts on that for me, mentorship? I guess they should be good.

Your point about ZACC being focused on bringing up that image for others. There’s a lot more of, I guess, women than just what you might see in the office, which is one or two people. There’s a lot more technical people. You get to hang out with them, get to know more than it all. Is it. Do you [00:43:00] have any thoughts on mentorship from a movement to another woman?

That makes sense.

Alannah Guo: [00:43:04] Yeah, absolutely. I get it. there, there are lots of groups. If there are any women in the chat, they’re looking to join security or just interested, hack a chicks. This one run by Kylie. hacks is the workshop one that pan runs. AWS is another really big one in Australia. and they have a more holistic, Group of people like, they, they have everyone from policymakers and fiscal security to like technical women.

so yeah. and, so my company, cyber CX is actually developing a women in cyber, initiative, which includes like scholarships and grants and internships and among other things, which is really cool. But I think the importance of, I think everyone should get a helping hand when they start out just to like how things work and.

You know, you always want to make things easier for the people coming up behind you. Right. and not pull [00:44:00] up the ladder as people say. But I think like, especially as the minority, like I’ll speak for women because I am a woman and not anyone else, that like things can be hard. Like you there’s sexual harassment is definitely an issue.

and also just like, I guess how to deal with biases and like other situations that you might not. Quite understand. Cause sometimes people don’t always mean to be sexist, right. Or like just treat you differently. But they, there might be like a social conditioning that does, and then like, you might not understand why it’s wrong, but you’re like, that doesn’t feel quite right.

But if you talk to someone, then they might be able to help you understand why, because they’ve already experienced it. And then you can deal with that situation a lot better than if you dealt with it by yourself. I suppose. like I did. And, I guess it also helps to, I don’t know. I, again, it goes back to the, you can’t really, it’s hard to be what you can’t see.

and if you have like [00:45:00] someone to aspire to be, you can like. Well towards that, I guess, rather than being like, Oh, there’s no one like me around here. I will, I succeed kind of thing

Ashish Rajan: [00:45:13] to help out basically seek them out.

Alannah Guo: [00:45:16] But I just, I know we’re a bit short on time, but just. One last thing, regarding that was,, I guess a good example was when I first started my internship.

so our cohort with everyone doing honors, how to get an internship, there were only two people who ended up getting paid, internships. And I was one of them. And I consistently got told that I was, I only got paid because I was a woman that I was definitely higher, I guess. And that really, that really broke down my confidence.

Ashish Rajan: [00:45:45] and I guess.

Have I done paid internship in Australia.

Alannah Guo: [00:45:51] Oh, there were a lot of onsite internships

there’s rules around it. Like if they get more [00:46:00] benefit than they have to pay you, but if you give a benefit, then you have, they don’t have to pay you, but like it’s, that’s hard to measure. Yeah.


but, I guess I, the part of that mentorship, I think, I would have really just liked a coffee with like, eh, Women will established in the industry like Kylie McDevitt. She writes really good blog posts, just articulating perfectly like issues. It’s just, it’s insane. You guys need to read it, but, yeah, like I just, I, it would’ve been really nice to like, have.

Had some guidance and encouragement then about like, you know, that’s wrong rather than finding, like working it out in my head, like four or five years later that like, you know, I’m worth myself. Yeah. And so I guess that’s why I think mentorship is really important. that, and on top of like [00:47:00] all the technical skills, you get to learn off them, but that’s a good one.

Ashish Rajan: [00:47:03] Perfect. And I think that people should definitely be charged to you like any women listening in, who would want to know a bit more about it. They can definitely reach out to you as well. It’ll be definitely interesting conversation for based on your personal experience as well. I do want to switch gears and we’ve been talking about careers and see the things I do have a fun section, which I didn’t tell you about, which is three questions.

Don’t worry. It’s hard. It’s not too technical. It just moves a lot of kind of questions. The first one is what do you spend most time on when you’re not working on say pen testing or technology?

Alannah Guo: [00:47:35] Oh God. Oh actually, nothing, nothing, to be honest.

Ashish Rajan: [00:47:43] I know you’re like,

Alannah Guo: [00:47:46] I guess I didn’t spend a significant time.

I don’t like cooking. I, my mom always had these general things, so I refused to cook. but I spend, for the last like three or four [00:48:00] months, I spent half my time at work and then half my time doing see CC. and then I kind of have this role where I spent about. Now I spend about six or seven months on Sierra ACCC and I’ll spend about five or six months on just studying and developing my technical skills.

Cause it’s really hard to, I don’t get much spare time, while I’m developing CRX, Stacey to study. So I kind of found the study and then I kind of crammed the OCC side of things.

Ashish Rajan: [00:48:27] that’s where you spend most of your time. And then I guess.

Alannah Guo: [00:48:30] Yeah,

Ashish Rajan: [00:48:31] that’s the moment. But until I bring you again and you think this has changed, you have a big stuff and everything.

So it was talked about more about in the future episode as well. And the next question, what is something that you’re proud of, but it’s not on your social media?


Alannah Guo: [00:48:50] know it’s

Ashish Rajan: [00:48:52] fun.

Alannah Guo: [00:48:53] That is a tough one. I don’t post that much on social media and I’m not the, Oh actually [00:49:00] actually, our pen test room. they made it, they knocked down the room next to us to make it larger so we can fit more pentesters in. because that team at one point group really large in Cambra, and now we’re down to two people.

But like our Brisbane office is scrambled anyway, it doesn’t really matter. But, the, when they knocked the wall down, the next room next to us had this really ugly blue wall. And every day I like my desk, like the way I was sitting, I would be facing it. It’d be like, Seven meters that way. And I hated it.

So I ran, I went to the director and I was like, I can be my 1200. I did, like, I did the design. I brought in the design and I was like, I need $1,200 for this. Can I do this? and he was like, yeah. So I spent two weekends and five weeknights, renovating that wall and I turned this like ugly blue wall with like, Just rubbish and boxes [00:50:00] and like hardware stuff all over the ground into like cabinets.

And, I wasn’t pulling a Blackboard with like leaves around it as like bookshelves and stuff like that, which was really good. Then he realized. Yeah, but he realized that I did in my own time, he was like, why didn’t you do it in time? I’m like, I don’t think anyone wants me standing. Cause it’s toxic given time.

I’ll take it from,

Ashish Rajan: [00:50:33] I will take it from me cause I’m pretty sure we will be interested. So I’m going to put it in the blog though. I think it would be pretty amazing to put that in. last question. What’s your favorite cuisine or restaurant that you can share?

Alannah Guo: [00:50:45] Ooh. Ooh, that’s hard, but it depends on the city of Canberra.


Ashish Rajan: [00:50:53] mean, you can go about out any city. I just, I just gave you an, a suggestion for camera. Cause I don’t know that many of it’s in Canberra, but I would love to be, Oh no [00:51:00] Canberra and Melbourne, if you have any.

Alannah Guo: [00:51:02] Right. so for Melbourne, I, we already talked about Maha. I kinda love the place. It’s amazing.

and also sick. Have you been to Zeke?

Ashish Rajan: [00:51:13] Wait. No, I had

Alannah Guo: [00:51:14] said, Oh, UK, it’s like a Turkish place. They do really good brussel sprouts and they have these traditional Turkish dumplings that are like really tiny, but they’re not that big. They, I guess they kind of just like folded in about that big and cook it.

It’s so small. It’s delicious though. they have really good cocktails as well. and also, Oh, I’m not I’m kitchen. Have you been there?

Ashish Rajan: [00:51:36] Yes, I have. That’s pretty good.

Alannah Guo: [00:51:37] Yeah. It’s a funny one. He doesn’t know it’s a restaurant that just does desserts and cocktails. Absolutely phenomenal. Oh my God. and yeah, in Canberra, Raku.

I like that they did really good desserts. And the use issue is absolutely phenomenal. the food is [00:52:00] average. Don’t get the steak, they have like this, like, nine plus smoggy sake. And the time that I got it, they just completely over cooked it. And I was talking and I was like, and also a little bit of pretentious.

Like I’ve made two restaurants in Sydney because I grew up in Sydney where. They like, you know, you wouldn’t go leave the place without like painful Hunter to head. And like Roku, I guess is probably half that, if not even that, and like the ones who own those one time I walked in and it was like two thirds empty and they will, I was like, ah, do you have a table for two?

And they were like, Oh, we’ll just check if we have any tables. And they also mansplained what NMR Mae was. But other than that, Microsoft Vegas out of the world, they make it in house and it is so good. It’s like, cause a lot of macho ice games, kind of the flavors weakened because of the dairy. This is a small Bay.

The Marsha flavor is really strong, but it’s still really [00:53:00] refreshing. It’s great. and also city, it’s a gin bar, mixed with a restaurant that’s really good. It was really good, really good pork belly.

Ashish Rajan: [00:53:12] you love your food. I suffice to say that

like hashtag my belly is like, by the way, we only had time for that, but this is really good. And I’m definitely gonna take some notes. I’m going to take some notes on the important, food pieces as well. For me, this is really amazing. Thank you for that. Do want to read to you, where can they find you and you, what are your socials?

Alannah Guo: [00:53:42] I mainly, Oh, I get notifications from all my socials, but I prefer Twitter. So at a lot of grow, one word, no dashes, no underscores, no anything. LinkedIn I’m also a long ago. and, you can reach out [00:54:00] over the OCC website as well. so, the zero CC website is zero X CC dot S H HTTPS. Yeah,

Ashish Rajan: [00:54:13] for sure.

So it’s about, so people can reach out to you, but this was really amazing, Alana, but this thank you so much for spending your time on this.

Alannah Guo: [00:54:21] Thank you so much for having me. You’ve been so lovely. You

Ashish Rajan: [00:54:25] have an amazing thank you for sharing all the gem and keep doing the awesome work. So you don’t actually see.

So we definitely need a lot more of that.