How I Got My First Cyber Security Internship
Hello all! This is the beginning of a short blog series about my journey from college student to Offensive Security Engineer.
After experiencing the year that was 2020, I truly and passionately believe that it is important for EVERYONE to share their experiences, whether that is to look back on and see how far you’ve come, to be someone others can relate to, or to inspire others.
I must admit I have been reluctant to share my story and that is probably because I am at the very beginning of it. I am just starting my career in security but everyone has their own journey and their own starting point. Oftentimes it can be challenging enough to find a place to start. I decided to share my experiences for anyone thinking about embarking on a similar journey.
My hope is that I can use this platform to share what I learn, to reinforce concepts for myself, and for anyone interested in learning along with me.
Application Season
During the fall semester of my third year of college, I found myself struggling to figure out what I truly wanted to do with my CS degree or with my life, once I finished school. I began applying for as many summer internships as I could. I wanted to gain any experience to help me find some sort of direction.
First gigs are a numbers game. The more applications you fill out, the more callbacks you will receive. I was willing to give anything a try!
During this application season, I attended a seminar on campus where a few cybersecurity professionals came to share their experiences with students. I was fascinated by the things that were shared. I was particularly interested in the way that the term “hackers” was used in the room. No negative connotation, but instead, it seemed to describe someone with a curious mind, a mind everyone in the room could appreciate.
I wanted to learn more about cybersecurity roles. I found one of the speakers later during the event and asked them about their job and their previous experience that led them into security. After the event, we connected on LinkedIn and emailed back and forth for a couple of months.
This LinkedIn connection turned into a kind of mentorship situation, where they gave me suggestions and feedback on one of my projects. I wrote a “banking” web application, and I was encouraged to create a threat model for this application.
As a college student with zero security experience, I googled threat modeling. I stumbled upon frameworks like “STRIDE” and took my first stab at a simple banking application threat model. It wasn’t a perfect threat model, but it was the start of a new way of thinking for me.
Eventually, my mentor mentioned the security internship program at their workplace and recommended I apply.
*Silly Aside:* I would like to call attention to how much of a noob I was around this time (I still am, but a bit more of a self-aware noob now). I was base64 encoding the passwords in my database for my application because I believed that I was securely encrypting these passwords. Luckily no real data existed in there…
The Interview
Throughout that year, I had a few interview experiences, all of which varied in style. Some interviews followed screening assessments that could be anything from logic-based examinations to programming assignments; some led with behavioral reviews or behavioral interviews via video call. In many of these, I failed miserably and attempted to learn as quickly as possible from those failures to apply those lessons to my next interview.
Prior to my interview for the security internship, I spent a day or two googling what kind of questions the interviewers might ask. I also spent some time going through some Golang programming challenges that I found online. I had heard that the team I hoped to work with mostly wrote their services in Go.
My interview was about 3.5 hours long, with a new person interviewing at each half-hour. Each interviewer had different questions or things to discuss, and none of the questions were even close to what I googled.
I assumed there would be questions about my attempted threat model or Golang. Instead, the first interviewer went through my resume, questioning my past experience. I felt as if they were making sure there was a reason for everything I put on my resume. It was nerve-wracking.
Not a single line of code was written during this interview -- not so surprising, though, considering it was not necessarily a developer internship I was applying for. But every interview I had up until this point required me to solve at least one programming challenge.
In the beginning, I could not tell how I was doing with my first interviewer. I found myself overthinking simple questions like “Why do I enjoy teaching others?” But this question sparked a fun conversation, and I felt that the interviewer and I got along well by the end of it. As they left, they assured me that my next interviewer was “very nice”.
They were.
The next interviewer asked questions about networking (I had not taken networking at school yet), but this interviewer was quick to reassure me that I did well on most of the questions asked. We discussed their internship program, and they shared their experience mentoring interns from the previous summers.
My last interviewer was an engineer I had met once before. They walked in with a backward baseball cap and a T-Shirt. We did not discuss a single thing related to security or anything technical.
We mostly shared experiences of college jobs we had unrelated to the industry. (At the time I was juggling three jobs.) We chatted about college and essays that we hated writing.
Towards the end of the time with this interviewer, I asked if they were going to ask me any technical questions. They replied, “I already know you, I am already a yes to you joining the team.”
The final part of the interview was a team lunch off-campus, where I had the opportunity to learn more about the interviewers and potential future teammates. I felt fairly confident about the interview at this point. I had not expected such a behavioral-based interview.
Two weeks later, I was informed over the phone that I got the job. A little over a month after that, I received the offer. I was asked to start early part-time in March rather than in June.
After I was hired, I learned that college students are not expected to have too much security experience. What was truly important to them was that I was passionate about learning and I would be a good fit for the team.
My First Internship, Their First Intern…
Upon onboarding, I learned that the company I was interning at had never had security interns before! That year, I was one of the two first-ever security interns. While there was a well-established internship program at the company, the security internship did not operate the same way as the other programs.
Other interns received a single project which they would work on and present at the end of the summer. Instead, the security interns were given sprint items that correlated to many projects that were ongoing in the security program.
As an intern on the Application Security team, I was responsible for delivering automated solutions to scale product security across the organization. I was introduced to threat modeling and learned that my first one for my bank project was terrible. You live, and you learn.
I was introduced to the magic of the terminal. I learned how to use Golang. I learned about continuous integration and continuous deployment/delivery (CI/CD) solutions, and I developed a passion for pushing security to the left.
Each day I walked into my internship, I felt like I was looking at a journey up Mount Everest. I knew nothing but it excited me. I loved the feeling of “There is so much to learn.” I learned about test-driven development and was introduced to agile methodology. I got to contribute to a codebase that people will use. It was so exciting!
Though I was not on a development team, I learned to appreciate clean code. I was not in school anymore. Just because something worked did not mean it was an acceptable solution. My first Pull Request (PR) review had 27 comments requesting changes.
Despite this, I never really felt bad about receiving critical feedback; I learned from it, and I was excited to have so much opportunity to grow.
Growing and learning as an intern
In my very first week, I asked my mentor, “How can I measure my success in my current role?” I wanted to know how my performance was measured and what their expectations were. How could I do my very best?
His reply was probably some of the best advice I could’ve received at the time.
He replied, “I would measure your success by how much you learn. An internship is an opportunity to learn as much as you can. Look at this situation and those around you, and keep in mind what YOU can take away from this situation. Don’t worry so much about performing in this particular role. Worry about how it can help you grow outside of this position.”
This internship experience allowed me to go to conferences like Defcon and AppSec Cali. I learned so much, and I met many really awesome people during my internship, some of whom I hope to keep as friends for a lifetime.
If you would like to read more about my journey from Comp Sci Student to Offensive Security Engineer, check out my next post where I share how I got my first Offensive Security Job.
Some Key Takeaways and Stuff I Learned:
Approach every situation in life as an opportunity to learn and grow.
If you are looking for some direction, it may help to just try something that interests you and go from there. It’s okay if you don’t know what exactly you want to do. (:
If you are a college student reading this, even if it’s your first year of college, apply to as many and do as many internships as possible! Don’t wait until you feel like you are qualified.
A little networking can go a long way.
A lot of the time, interviewers care more about team fit for entry-level positions. You don’t have to know everything. No one expects you to.