The One Where We Geek Out on Security with Michael Levan


Dec 16 2024, 49 mins

About our guest:

Michael Levan is a seasoned engineer and consultant in the Kubernetes and Platform Engineering space who spends his time working with startups and enterprises around the globe on Kubernetes consulting, training, and content creation. He is a trainer, 4x published author, podcast host, international public speaker, CNCF Ambassador, and was part of the Kubernetes v1.28 and v1.31 Release Team.

Transcript:
ADRIANA: Hey, fellow geeks. Welcome to Geeking Out, the podcast about all geeky aspects of software delivery, DevOps, Observability, reliability, and everything in between. I'm your host, Adriana Villela, coming to you from Toronto, Canada. And geeking out with me today, I have Michael Levan. Welcome, Michael.

MICHAEL: Thank you so much for having me. Appreciate it.

ADRIANA: Yeah, really excited to have you on. Where are you calling from today?

MICHAEL: I am in New Jersey.

ADRIANA: Ooh, fellow east coaster. Yay.

MICHAEL: I know. Yeah, I'm. I'm actually. I'm in the process of thinking about getting out of here.

ADRIANA: Oh. Yeah.

MICHAEL: So, yeah, maybe Tampa or Austin. Those have been.

ADRIANA: Oh, so somewhere warm.

MICHAEL: Yeah, yeah, those have been the two spots that I've been really thinking about lately.

ADRIANA: Cool. I've never been to Austin, but I always hear good things about Austin, especially the food scene.

MICHAEL: Yes. Yeah, I feel like I hear that a lot, especially like podcasts and stuff. Like, I'll be listening to just random podcasts. People will talk. Be talking about how great the food is out there. A lot of barbecue, obviously. 'Murca, and. And all that good stuff. So there's. There's a lot of barbecue and that type of food.

ADRIANA: I am down for the barbecue.

MICHAEL: Exactly.

ADRIANA: Cool. Well, we will be starting off with our lightning round questions. Are you ready?

MICHAEL: I'm ready.

ADRIANA: Hey, first question. Are you a lefty or a righty?

MICHAEL: Righty.

ADRIANA: Okay. Do you prefer iPhone or Android?

MICHAEL: I think iPhone, because I've just been using it for so long. But I would argue, though, that will argue with myself that about twice a year I think about switching to Android.

ADRIANA: Oh, yeah.

MICHAEL: But it's just. I feel like I'm just so used to the ecosystem at this point, and despite being an engineer, I'm not, like, super interested in consumer technology. I just want stuff that just works. And I feel like, at least back in the day with Android, it was like you had to kind of play around with things to make it work in a particular way. Whereas with iPhone, it's just I open it up and I can use the stuff that I need to use and that's it. So.

ADRIANA: So, yeah, I'm. I'm with you on that as well. I. I do like the. Everything works, Everything's nicely integrated, it plays well. Nice. And, you know, the. The folks who love Android, I think one of the reasons they love it is, oh, you can configure everything. And my. My thought is like, but I don't want to.

MICHAEL: Like, no, yeah, I'm doing that 90% of my day. I just don't want to do it in my personal time either.

ADRIANA: Yeah, it's not fun to me. It was fun, like, I don't know...

MICHAEL: Years ago.

ADRIANA: Yeah, exactly. When I was younger.

MICHAEL: Exactly. Yeah. Like, I remember, like, I had Android phones and I was jailbreaking them, and then I had like the Windows phones when they were popular for three minutes and then, you know. Yeah. And then it was like, eventually I just had to switch back and just. I just wanted something that just worked, you know?

ADRIANA: Yes, I am with you on that. Okay. Similar vein, do you prefer Mac, Linux, or Windows?

MICHAEL: Mac. But there are certain things that are irritating me that I'm thinking about going back to Windows. Like, you know, like, for example, I can't tell you how many times I build a Docker image, then I try to deploy it to a particular place, and I'm like, why isn't this working? And then I'm like, oh, that's right, because I'm building on ARM. Yeah, and then there's. Yeah, and then there's even, like. So I'm really into the security realm and stuff, and there are certain things that I can't do. So for example, there's this website called VulnHub, which is awesome. It's literally just a whole bunch of AMIs that are built with vulnerability.

So let's say you want to test or practice something from a pen testing perspective. You can download these AMIs and then you can spin them up in VMware Player, VirtualBox or whatever you're using for your Type 1 hypervisor. But they're not ARM based.

ADRIANA: Yes.

MICHAEL: Like, I can't use them on my Mac and I have like my Windows box back there, which I can do it on, but I'm like, it's just a pain, you know? Or like, let's say like I'm speaking at a conference or something. It's like, I want to demo something, but I can't because of this. I just. Yeah. So I've been thinking about going back to Mac, which would be the first. Er. Mac Windows, which will be the first time in like six, seven years.

ADRIANA: Oh, damn. Yeah, you make a very good point with the, with the Docker images and ARM. Like, that has caused me so much grief recently.

MICHAEL: It's a pain.

ADRIANA: Like, I can't even tell you. And. And then also, like, I don't know if this is still true. I haven't checked for a while, but I think, like, you can run VirtualBox on M1 Macs.

MICHAEL: Yeah, yeah. No, you totally can. Yeah. Like, even, like, I have. Yeah. I have VMware Fusion even on it right now because I'll like, I have a Kali VM, but Kali is like a pen testing distro that I'll run locally and stuff because it's not my daily driver. But like I can run those VMs. But if anything is built with AMD base 64 or whatever, it's all about the architecture.

So even whatever the extension is for VMs, right, that AMI. You can exist, you could download it and stuff, but then it'll say, oh, you can't run it because your architecture. And you're like, yeah. Apple should have given an option like go Intel or go ARM. But yeah, so.

ADRIANA: I definitely feel your frustration on that one. Okay, next question. What's your favorite programming language?

MICHAEL: I'm comfortable in Go, but it depends on the use case. Right. So like programming languages to me are, are really nothing more than a tool to get a job done. Yeah. So like I'll use Go just because I, I enjoy it and I'm comfy in it. But from like a security perspective, a lot of Python and PowerShell, because those are like the two primary like scripting based languages. And from a security perspective, the majority, whether you're doing blue teaming, red teaming, purple AppSec, cloud sec, whatever, the majority of the time writing automation with your code. So it kind of makes sense to go the Python or the PowerShell route. I could do it in Go, but it's like nobody else is really doing it. So then it won't work in certain scenarios or people won't be comfortable with it in certain scenarios, so.

ADRIANA: Oh, cool. That's. That's really interesting.

MICHAEL: Yeah, Yeah, I love Go. I, I started out PowerShell, Python. I moved to Go years ago. I teach like Go training. So like I'll, I'll teach live trainings, teaching people Go. So I'm, I'm super comfy in that realm.

ADRIANA: Yeah.

MICHAEL: Yeah. Python or PowerShell, it's pretty much the way to go from a security standpoint.

ADRIANA: Good to know. All right, next question. Do you prefer Dev or Ops?

MICHAEL: Which one? I don't know. I, I'm, I think because of the way that my brain works, if I had to choose to just do one, it would be development because I'm very logistical, left side of the brain. Like, I like, I like research and I like logistical based jobs. So I think programming gives me more of that and I've done both. Like, I started out my career in systems administration and help desk and all that. Around the middle of my career I moved to software development. And then I just found myself somewhere in the middle. Right. Yeah, whatever you want to call it. Platform, SRE, DevOps, whatever. Whatever title is catchy nowadays. So, like, I've done kind of a little bit of everything and I've played with all different pieces of technology. But what I will say is, like, I don't think I can do one without the other anymore. Like, I wouldn't be a good developer if I didn't understand infrastructure. And I wouldn't be good at infrastructure and systems and networks and containerization and Kubernetes if I didn't understand development. So I. There's. I feel like the, the lines are so blurred in today's world that you really need both. But yeah, if I had to choose, like, what I was going to do, probably, like, writing code.

ADRIANA: Awesome. And, you know, I love what you said there about, like, really the lines blurring and having to understand both. Because I so agree with you. And I've had, I've had arguments with people over this because in the past, like, when I was managing teams and I was hiring folks for my team, like, I was hiring developers for my team, but I needed them to, like, have an understanding also of, like, the infrastructure side of things, like how to containerize your applications. And I was really surprised by the number of, like, resumes that I got or even like, you know, if they made it to the interview process of people who had no experience containerizing their, their own applications. And I'm like. But aren't you, like, remotely curious as to how that works? I don't know.

MICHAEL: That's the problem.

ADRIANA: Yeah, it's just so surprising because for me it's like, of course you're going to learn how to do that.

MICHAEL: Yeah. Yeah. And it's. That curiosity is drastically important, especially in today's world. So, like, we've. Tech is weird. Like, it has gone from being this, like, really particular career for, for nerdy people. Right.

And then it kind of went mainstream. Like, tech now is very much like, tech is buzzy and it's trendy and it's like, people like it because it's cool and like, I don't know when tech became cool, but it's. It's cool now. But what ended up happening was so many people, so many people got into it because it was cool and because it was trendy and all this stuff. Right. Which is okay. But the problem is, is that those people very rarely are putting in the same amount of work and effort that like, engineers were putting in before it was cool. And trendy and, and the interest isn't there.

And that's why, you know, and hot, hot take. You know, people may be irritated about how to. People may get irritated because I'm saying this, but like, I think that's also a big problem with like why people are having such hard time finding and getting jobs. And look, I'm not, I, I understand there's been like over 300, 000 layoffs between, you know, the large tech companies. I'm not dismissing that. But what I also do know is like, I have friends recently that have gotten laid off and within three to four weeks they had four job offers because they're very, very good at what they do. And, and it's not because they're geniuses, but it's because they are very interested and like, they want to know the way things work and how they work and how they come together. And if you don't have that, it's very difficult to find a job.

ADRIANA: Yeah, I so agree with you because I honestly think that's like the heart and soul of tech is being curious. And curious enough to learn new things because tech moves so fast that if you don't learn new things then you're, you're like outdated.

MICHAEL: One hundred percent. Yeah, yeah. And it, it makes things really weird when you're self employed. Like I'm self employed and you kind of have to like pick a direction. I think at this point where it's like, are you going to be trendy or are you going to be more educational based? Like, my content is very educational based. It's very like, I'm gonna show you how to do a thing. Yeah, I'm it. This is just not my personality. I'm just not the guy that's like putting on the YouTube voice and like doing the camera angles and this. It's not me. It's never been me. If I did it, it would be disingenuous.

ADRIANA: Yeah, yeah.

MICHAEL: But in that realm, if you take that route, you know, and you're doing like vendor content and stuff, which I do vendor content. I just don't do that type of vendor content. You could pull in 5, 400, 500,000 a year USD. Like it's very manageable and reasonable to do that. But then you got to take a certain. But then if you do the educational route, like I, I backed off from that and I went the educational route. And you're not making that in the educational route, but that education. The reason why I'm saying all this is because that educational route if you keep that level of engineering mindset, it will make your life easier to get jobs because you'll be curious and because you'll be interested in what you're kind of doing, you know, versus the people that if you're just turning on the camera and just talking about stuff, it's fine and there's a place for that. But it's also going to be very, very difficult to find a job in tech now because of that.

ADRIANA: Yeah. Yeah, absolutely. Okay, next question. Do you prefer JSON or YAML?

MICHAEL: Oh, neither. Is that an option?

ADRIANA: I mean, it's an option.

MICHAEL: So I guess.

ADRIANA: Tell me why you like neither.

MICHAEL: Yeah, so I, I guess I would, you know, go with YAML because so in the Kubernetes realm, when I'm like, just so invested in. Embedded in the Kubernetes realm at this point out of the box, you can use JSON and YAML natively with Kubernetes, but you just 1000% of the time you're always going to see examples in YAML. You're never going to see them in JSON, but natively you can use both. I think in, in all seriousness, I think I would choose probably YAML. I think JSON is like, the more you add to it, the more convoluted it is. Hence why, you know, Microsoft switched from ARM templates to Bicep. Because it was just. People were looking at ARM templates and it was like, this is a. There's a lot happening here. And this is, it's really easy to misconfigure. I think that's why I would choose YAML. I think with JSON it's just far easier to misconfigure your environment with JSON as it gets longer than with YAML.

ADRIANA: Yeah, I agree. I find YAML a lot more legible. I know, like, people get really, like annoyed by the spaces thing. I mean, me too. But I. It's so much more legible compared to JSON. It's like just a blob of characters when I look at.

MICHAEL: Yeah.

ADRIANA: JSON and I, I, yeah.

MICHAEL: Yeah, 100%. It's always funny to like the tabs and spaces thing. I don't know if, like, if you ever, if you watch the show Silicon Valley.

ADRIANA: Oh, yes. Actually, that's my next question.

MICHAEL: Yeah, I love when Richard, like, I forget, I forget the chick that he was dating, but like using space and he's freaks out and has to leave. Oh, so freaking funny.

ADRIANA: Oh yeah, yeah, I love that. Like, that one little, like, you know, scene is Just like, just magic. Magic.

MICHAEL: So funny. So funny.

ADRIANA: And that's perfect because my next question is, do you prefer tabs or spaces?

MICHAEL: You know what I prefer? I prefer clicking option shift F in VS code because it just does it for me. I don't have to like worry about like the tabs and spaces with like the auto formatting and VS code anymore. Um, but yeah, I think spaces. Cause sometimes with YAML it's like. So a tab is four spaces, I think. Right. But with YAML, like, sometimes you. You can only do two, like two spaces. So like, then it like screws up the formatting and. But even if the formatting is messed up anyways, it's just like command shift after or option shift F, whatever it is. And then it like formats everything. So. So it's less of a hassle nowadays. But I think spaces.

ADRIANA: There you go. Hot tip on formatting. Yeah, I actually switched from spaces. Sorry, from tabs to spaces because of that, with the formatting in YAML where I think it defaulted to the tab, as you said, being four spaces. And then I open YAML documents. That was two. I'm like.

MICHAEL: The nice thing too with VS code and pretty much any IDE at this point is when if I'm on a line and if I hit enter, like it will put me where I should be going.

ADRIANA: Yeah.

MICHAEL: And so. So it's kind of like you really don't have to think about it anymore at this point. Which is nice. Yeah. Because that's. And, and. But it was more important like years ago, like there were languages, like whether you were using garbage collection or not, that it was like spaces would take up more memory once you were compiled. So. Yeah, I mean, I don't think that really. I don't know if it matters anymore. I haven't ran a benchmark against that in like 10 years, so I wouldn't know if it still matter. Yeah. So fun to talk about though.

ADRIANA: Yeah, totally. It always, it always provides for some like, very interesting conversation every time.

MICHAEL: 100%.

ADRIANA: Okay, next question. Do you prefer to consume content through video or text?

MICHAEL: If I'm trying to do something quick video. But I like reading. So one of one of my, you know, mental health things is 30 minutes a day. I. At least 30 minutes a day I carve out to read. And it's always a technical base book. Like I'm always reading something about a new practice or a new something in a language or a certification thing or whatever. Like I'm always reading stuff.

ADRIANA: So what are you currently reading then?

MICHAEL: What am I currently. Let me, Let me. Let me pull up my Kindle app because I'm reading like, four different things at the moment and I want to make sure I have the titles correct. So one thing that I'm reading, because for like, security based contracts, like government based contracts and DoD based contracts, I need certain CompTIA certifications. So Pentest plus by CompTIA, currently going through that. Again, it's needed for, like, DOD contracts and stuff. This is a really awesome book. Tanya Janca, if you're familiar with her, SheHacksPurple. She. She has, like, some really awesome content. She wrote a book called Alice and Bob Learn Application Security. Oh, yeah, It's a really cool one. Yeah. Yeah. And then Black Hat Python is another really good one. But I'm always bouncing back and forth, honestly.

So one thing that I do as well, and I. I do this because I apparently enjoy pain, where I'll read like three to five books at a time and then I'll forget like 70% of it. So then I just keep going back and reading the same thing over and over again. So, yeah, it's fun. So that's a good. Yeah.

ADRIANA: Okay, final question. What is your superpower?

MICHAEL: Oh, God. Getting annoyed? No, I think that I am really. I'm. I'm open to more and more information, and I think that's. That's what I've always been really good at. Like, even, like in the beginning and in the middle of my career, like, I have gone. I've walked into job interviews where I didn't know 90% of what they were talking about, but I let them know, like, I'll figure it out. And they're like, all right, can you figure it out in two weeks before the job starts? And I'm like, yep. And I'll just. I'll sit there and like, throw myself into things for weeks and weeks and weeks to figure out how stuff works again. Maybe it goes back to the enjoyment of pain or just the enjoyment of learning. I don't really know exactly what it is, but, yeah, I'm just. I'm. I'm. I'm not, like, out of the box smart, right? Like, I wasn't, like, an A student in school and stuff. And, you know, I don't have a fancy degree or anything, but I'm just really good at, like, taking a problem and figuring it out. It may take me longer than. Than other times. It may throw me down, you know, a bottle of bourbon. But at some point, I will figure it out because I'll just keep kind of hammering it out until I fully understand what's happening.

ADRIANA: That is such a great superpower, and I think it's such an important one for working in tech is just like the perseverance and, and as you said, like the openness. Because I think one thing that I, I've experienced in the workplace in the past is being on a team and, and folks being asked to, like, do something and they're like, but I don't know how to do that. And, you know, passing the buck to someone else because they didn't want to be bothered rather than, oh, this is like a really cool learning experience and you might get something out of it.

MICHAEL: One hundred percent. Yeah. I mean, there's, there's this curiosity aspect of it as well, but then there's also like, the life aspect. Like, I, I'm a firm believer that, like, what you've gone through in life will kind of dictate how much pain you're able to take. Right. And that's, and that's why people don't, like, want to go out and learn this and that and this and that. Because they, people like to be comfortable, right? Yeah, they don't like to not be, you know, they don't like to be comfortable being uncomfortable. And that's always been something that I've been able to be decent enough at where, like, I'm okay with being uncomfortable.

ADRIANA: Yeah. Yeah, that's, that's definitely a really good, good skill to have. And it, you know, it makes me think too, to like, especially like in so many organizations when they're doing, you know, digital transformations, agile transformations, DevOps transformations, where you're basically asking your employees to, like, change the way that they work. And you see so much resistance. Like, I, I worked at a bank for many years and I was part of a massive, like, DevOps transformation. And it was funny that we had, I feel like we had the dev part figured out. Like, we had the really good CI/CD pipelines, but the hardest part was actually getting the delivery to really embrace those DevOps principles. So it was more like we got the CI. It was the CD that was really holding us back because the folks who worked in ops were, eh, I don't want to learn this new thing.

MICHAEL: Yeah.

ADRIANA: And it was a detriment to them, but also to the organization because they couldn't move forward.

MICHAEL: And that's still how it is. I mean, that's why if you're a good engineer, you can pretty much go and name your price at an organization, you know, like, depending on where you're. Well, I would argue that this shouldn't even matter, but it does. For whatever reason, like depending on where you are in the world, like you should be able to name your price, right?

ADRIANA: Yeah.

MICHAEL: Like, if you're like, hey, I should be making 220 a year and you know, you're that good. Yeah, you could go and you can name that price.

ADRIANA: Yeah.

MICHAEL: You know, but yeah, I mean I think that's the big. Again going back to what we were talking about before, like, that's the differentiator right between like, are you going to get a job or are you going to be laid off for three, four years?

ADRIANA: Yeah, yeah, yeah, absolutely. Well, that brings us to the conclusion of our lightning round question. So thank you for playing. And I wanted to get now into, you know, the, the meaty bits and before we, we started recording, we were talking about how you do a bunch of security work, which you alluded to also in the, in the lightning round questions. So first question is, what got you interested in security in the first place?

MICHAEL: Yeah. So I've been really. And for any, anybody that like takes a look at my content or sees what I've been doing over the years, I've been always really focused in the Kubernetes realm. I have written books on Kubernetes, I've spoken at conferences on Kubernetes, hundreds of blogs, hundreds of videos, podcasts, everything. And I kind of reached a point where so the way that my, for better or worse, the way that my brain works is if I feel like I don't have a purpose. And my purpose is always career related. It always has been. Just because the way I was raised and my life and all these different things, if I'm not doing something that's really hard, I'm like drastically depressed.

Like I've had, you know, mental health issues and all these different things and it usually comes back to because I'm not challenged.

ADRIANA: Mm.

MICHAEL: So I chose security because after I like stayed in Kubernetes for years and the thing was in the Kubernetes realm now, like you could give me any topic to talk about to go speak at a conference to write a book on and like I don't really have to do any research. Like I don't really have to do any prep. Like I've walked into conference talks with zero prep. Like, because I just know it. Like I just. Because I was focused in it for so long. So I wanted to. My next challenge I wanted to think about what can I do that's incredibly hard. That not a lot of people can do really well, and that is a constant, growing pain. And I came across security.

ADRIANA: Ah.

MICHAEL: Yeah. So I just. I just. I was like, what's the most painful thing I can work on right now? And that's what I came up with, yeah. Yep, yep. Yeah. And then for me, it wasn't even like, let me go blue team or red team. It was like, let me go application security. Because application security is arguably the one that, like, it seems like nobody can get right. So I was like, all right, let's do the thing that nobody can figure out. I'll go down that route. So, yeah.

ADRIANA: There you are.

MICHAEL: Here I am.

ADRIANA: I actually wanted to go back to something that you mentioned because I can so relate to it, where you said not feeling challenged led to you having, like, mental health issues. Because it was. And I can so relate because I have found that. So I've gone between manager and IC roles in. In the past, and I realize that every time I'm in a management role, I'm depressed because I feel like I'm not doing something, like, cool and engaging.

MICHAEL: Right.

ADRIANA: And it's so interesting to meet someone else who has experienced something like that and that. It, like, you know, it. It. It's. It's validating in a way. You know, like, it's. Yeah.

MICHAEL: So. It's so I can, you know, I don't know how. How deep you want. You want me to go here with it with these answers, but I've seen a lot of mental health issues, like, throughout my life. Like, I grew up incredibly poor. Both of my parents were drug addicts and alcoholics. You know, we were in apartments with bedbugs. We were in apartments where there were no bedrooms. It was a studio. Like, I. I went through a good, nice chunk of my life where, like, I didn't have my own bedroom. I've. I've. I've been, like, through, like, really bad times. And then I've been to the point where I own my home and I drive the car that I want to drive. And, you know, I'm. I'm. You know, the. The money that I can make is more than I ever even thought possible. Right. I didn't go to college. None of it. Like, I could. College wasn't even an option because I just needed to start working. So, like, I've seen. And I've seen everything that comes with growing up like that.

ADRIANA: Yeah.

MICHAEL: You know, I've had a lot of mental health issues where I had a stroke due to depression. Like, a lot of big things. Yeah. So, like, I've seen, like, I've gone down the. Down the, the deepest, darkest mental health issues that you could possibly imagine. And the one thing that I found. And I. I did the yoga and the meditation and the medication and the several. Talking to several therapists and psychiatrists, and it's always fun to talk to psychiatrists and therapists when they're like, we don't know what's wrong. And you're like, oh, I. I guess I. I won the game of therapy when you, when you have to. When you stump the therapist. Right.

ADRIANA: Yeah.

MICHAEL: So I've done all of this and what I found that brings me out of it. And this is. Again, this is just my personal opinion. This is going through again, everything that I went through in my life, being in such a dark place where my body literally tried to shut itself down.

ADRIANA: Yeah.

MICHAEL: Medication, therapy, all this stuff. It is. It's great to sprinkle on top.

ADRIANA: Yeah.

MICHAEL: But the only thing that's going to actually bring you out of it is figuring out what the underlying issue is. And the majority of the time, the underlying issue is purpose. It's finding purpose in life.

ADRIANA: Yeah.

MICHAEL: And driving that purpose. That's why you look at people like Bill Gates and Jeff Bezos and, And Elon Musk and Joe Rogan and whoever, all these people. And look, I'm not. I don't want, you know, that there's the conversation of, well, what about these people's personalities? They suck. I don't care about that. What I'm. What I more care about is, like, how people are and how they move through life and how they navigate. And all these people, you know, and tons of others.

ADRIANA: Yeah.

MICHAEL: They're multimillionaires and multi billionaires.

ADRIANA: Yeah.

MICHAEL: They don't have to work anymore, nor do the 20 generations after them. What keeps them going is not financial. What keeps them going is purpose. They have a particular purpose in life, and that's what drives them. So I'm a firm believer that purpose in life is what takes you out of dark places. And for me, it's always been career, you know, So I totally understand and agree with you. Where it's like, you can't be in something that you're bored because then you're going to be depressed and you're going to be drinking and you're not going to be working out and you're going to be eating crappy food all the time just because you need some type of escape and it just. It brings you down this, like.

ADRIANA: Yeah, yeah.

MICHAEL: Really bad hole.

ADRIANA: Yeah, I agree it's like, you. You need to give yourself a mission, a meaningful mission. Like, whenever I feel like I've got, like, okay, I have a goal, I'm like, I'm all in. Even if it sounds, like, ridiculous and, like, I have no idea how I'm gonna achieve it, but I'm like, I think it's achievable. And. And I think that's the other thing. Like, if you think it's achievable, even if it's hard, I think on the most part, it gets achieved.

MICHAEL: One hundred percent. One hundred percent. And I mean that. I think that's the same for anybody. Right?

ADRIANA: Yeah.

MICHAEL: So to your point, it's like, if you have a purpose, if you have a dri-...if you have drive, if you have any of these things, you could sleep three hours a night and get up and go. Right. Your life could be however it is. But if you have this thing that you're driving towards, it will be exceptionally better for you than anything else. Any medication, any therapy, any. Anything. And I'm not telling everybody, stop doing all that stuff. What I'm saying is you're not going to find the underlying cause of your. Your issues with that. Right? I didn't. Right. Nobody that I know that's gone through it has. Everybody's got to find purpose. That's. It's such a. It's. It's the most important. And your purpose could be your kids. Your purpose could be making sure you have a clean home. Your purpose could be being a digital nomad. Right. And living in different places every year, every six months. Whatever your per. I don't care what it is. Find it. That's going to be the thing that's going to help you in life the most.

ADRIANA: Yeah. It's the thing that gets you out of bed, basically.

MICHAEL: Yeah.

ADRIANA: You're, like, excited to tackle the day. Like, I. I find, like, especially when I'm in the midst of solving a gnarly problem, if, like, the previous day I made some sort of breakthrough and, you know, the. The next day I wake up all excited because I'm like, I get to work on this some more. And I'll even, like, wake up before my alarm because, like, I can't stop thinking about it. And it so excites me and it so drives me.

MICHAEL: Yeah, 100%. Yeah. Yeah. And usually it. No, not usually. I mean, 100% of the time, it really. It's no financial gain. It's no. It's nothing external. Right. It's all intrinsic factors that make you get out of bed in the morning and go do what you want to do. And again, it goes back to, you know, that's why all of these millionaires and billionaires, like, they don't have to do anything.

ADRIANA: Yep, yep, anything.

MICHAEL: They could sit there in front of their TV and drink bourbon and eat pizza for the rest of their lives and do it incredibly comfortably.

ADRIANA: Oh, yeah.

MICHAEL: In a, in, in a smooth 70 degree house like this, life could be freaking awesome.

ADRIANA: Cushy.

MICHAEL: Yeah. And, but they don't do it like that because, like, they have to have some type of purpose because that's, that's what drives you in life.

ADRIANA: Yeah, totally agree. Now, I wanted to switch gears back to the security topic because there's a couple of things that I want to ask. First of all, you know, you know, you mentioned that you got into application security because as you said, seldom, like, people get it right. What do you like specifically? What is, what is it that you think that people don't usually get right when it comes to application security?

MICHAEL: The number one thing is you don't fully understand the underlying system. So, and I always say this security is pretty easy. Like the act of securing something is relatively straightforward. Right. The hard part is understanding where you're securing. It's the same thing with writing code. I can teach any. I can, I can take anybody off the street and teach them how to write a function and a method and a class. What I can't do is take anybody and teach them how to properly architect an application stack and get it done right and get it deployed right. Same thing with security. I can teach anybody how to go use Burp Suite and how to spin up a Kali Linux box and play around with Metasploit and use code scanning and SAST tools and DAST tools and SCAP tools, and I can teach anybody how to do any of this stuff. But what I can't teach them is, okay, I'm going to go and I'm going to run these tools and I'm going to use these tools. Now what? Oh, I found a vulnerability. Now what? Oh, there's an issue in a library. Now what? What's the fix? How do I implement change? You can't, you can't teach everybody that. And I think that's why.

And even if you go, you, you know, you look on Reddit or you look on other forums, the number one question I would say in, like, the cyber security arena right now is, hey, I just graduated college and I want to go and do cyber security. No, you don't. You need to know what you're securing; you can't, literally, by definition you cannot secure what you do not know. And I think that's the hardest part. The hardest part is not security. The hardest part is understanding the underlying system, network, application, container, whatever. So well, yeah, that you know what it, how it works inside and out. That's the really hard part of security.

ADRIANA: Do you think that's one of those things that would come with experience?

MICHAEL: 100%. Yeah. That's why you know, you have like SOC style roles, security operations center. Right. Where pretty much their job is just like, oh, vulnerability come in, came in, let me triage it and send it to where it needs to go. Yeah, you could do stuff like that.

ADRIANA: Yeah.

MICHAEL: But anything more defending systems, pen testing, red teaming, application security, like you cannot do this unless you understand what you are securing. So if you have experience like anybody that has 10, 20 years of infrastructure experience can go do system security. Anybody that's been a software engineer for 10, 20 years can go do AppSec. You just need to like learn the tools and the terminology and there's a lot of terminology in security space. I don't know why it's worse than cloud native. There's so much terminology and I'm like, oh, why are we called like, can we just name these five things the way that they are and leave it at that? Yeah, it's so strange to me, but yeah, it's. Yeah. So yeah, like if you, if you know something very, very well, like if you know the underlying platform very, very well, security is, is relatively straightforward.

ADRIANA: Right, right. Yeah, that makes a lot of sense. Now another question I want to ask. I remember when the DevOps movement started gaining traction and everyone's like, shift left, shift left and then shift left on security. Do you think that organizations are truly shifting left on security? And if not, why like, why do you suspect that they might not be?

MICHAEL: No, I mean there are so many breaches all the time that like they're clearly not. Even like, you know, like the, the like people only. So it, security is very comparable to life. Right. You only make a change in life if things go wrong.

ADRIANA: Oh my God.

MICHAEL: Nobody, like very rarely do people do like preventative maintenance in life.

ADRIANA: Yeah, yeah, right, like, absolutely.

MICHAEL: If you go to the gym five days a week and you eat decently healthy, where let's say you eat, you know, three meals a day and you know, two to three of those meals per week are just whatever you want, it's pretty good preventative maintenance. Yeah. But the majority of people don't do preventative maintenance in life and they, nor do they in security until something goes wrong. That's why like Microsoft now, like Microsoft has been releasing all this stuff where their, their engineers now supposedly, who knows if this is true, but they're not going to be judged just based on like code quality and stuff. Like they're going to be judged based on security posture.

ADRIANA: Oh good.

MICHAEL: That's interesting stuff. Yeah, yeah, really interesting stuff. So I think the shift left. So the shift left thing, right, like if we break this down and because it's so buzzy, but if we, if we break it down, what's application security? What's AppSec? AppSec is securing the entire SDLC process.

ADRIANA: Yeah.

MICHAEL: From the thought of this is going to be a thing to the idea, to the libraries we're using, to the language we're using, to the deployment process. Shift left is around this whole DevSecOps thing, right?

ADRIANA: Yeah, yeah.

MICHAEL: So if you ask somebody what's DevSecOps securing the entire SDLC process. Why do we have three names for this? I have no idea. We have three names for the same exact thing. It's the same. There's no difference. If you take shift left, SDL-, AppSec and DevSecOps, it's literally all the same thing. There's no differentiation between these three things. So we unfortunately like have a lot of buzz because, you know, look, look, I'm. Vendors got to make money, right. They got to make it somehow. Right? And so they got to make stuff up that sounds cool. So they can sell their products. I get it. Yeah, we all, we all got to make money, but it just causes a lot of confusion, I think, unfortunately.

ADRIANA: Yeah, I agree. I, I gotta say I always found the term DevSecOps a little cringe. Only because my thought is like, isn't security supposed to be baked into DevOps in the first place? So yeah, every time I hear that I'm like, yeah.

MICHAEL: And it's, it's, it's tough too. Right. So it's like you could go and look at my LinkedIn posts and, and, and I always like, I don't, I, I don't know why. This is just society, I suppose. But like I'll create LinkedIn posts that are like really, like have a lot of really good stuff in there. Yeah, yeah, but I'll use terminology that people don't know maybe like perfect timing and pen testing and AppSec and stuff. And they don't, they don't get what I'm saying. So it doesn't it doesn't really go anywhere.

ADRIANA: Yeah.

MICHAEL: But then if I throw something and I've, I've, I've, I've tested this out and unfortunately proven it to be true. If I put DevSecOps in.

ADRIANA: Yeah.

MICHAEL: Gets a lot of traction. So it's the unfortunate reality of, you know, what the, the world that we live in right now because that's just what people know. And, and these aren't people that are just marketing people. Like I talked to really, really solid engineers and they say DevSecOps. And the reason why they say it is because they're hearing it. The reason that they're hearing is because marketing is incredible. In, in today's tech world, it's really good. Like some of these vendors are really solid with their marketing.

ADRIANA: Yeah.

MICHAEL: And that's just what people know now. So it's like, you know, you gotta, you gotta do it. It's weird, but is what it is.

ADRIANA: I, I agree.

MICHAEL: Yeah.

ADRIANA: Yeah, it is funny. The, the LinkedIn algorithm is always, always an interesting one to wrangle.

MICHAEL: Yeah, it's, and you know what's so funny about it too? Like getting solid content out in the world, it sucks. But it's not about how good you are at something. No, it's really just about how good you are at phrasing things. Um, and, and luckily I've just been a writer for so long now that it's like I've just kind of hit the nail on the head with it. Yeah. But like, I remember when I first became self-employed, I was like, I'm a good engineer, everybody's gonna hire me. Yeah. I, I, I found out the, the quick and hard way that that's not the way things work. So yeah, it's, it's really all about, you know, that verbiage for people.

ADRIANA: Yeah, it's true. And, and seeming approachable and, and whatnot to folks. The, the other thing, it's funny, I've had a couple conversations with folks, especially around LinkedIn posts. And actually my, so my friend Hazel Weekly and I were talking about like, why is it that when I just, you know, I have these nice thought-out LinkedIn posts, like, they get like, so-so traction and then when I post something out of like, you know, emotional rage or shitpost, it gets traction. And then Hazel, like, I think later that day wrote a shitpost about shitposting and, and she's like, I got so much traction on this, more so than the other stuff. And it's like, oh my God. It just like proved what we were discussing.

MICHAEL: I, I so I'll give you an example right as we're, I'll, I'll, I'll take a look at this live. So I'm looking at my LinkedIn post as we speak now. I put something together two hours ago. It literally did not get any likes and any comments. 379 impressions. That is awful. But it was, it was a carousel explaining certain AppSec tools, why you would use them and where to find them. Right. It got no traction. None. But then if I scroll down to where is this one? Oh, here we go. I wrote, "Networking is ridiculously important in Kubernetes. It's one of the core skills that all engineers need. There are a ton of different components. Pod IPs, container IPs, DNS, firewalls, and a lot more. I highly recommend learning these things."

MICHAEL: This is pretty much nothing, right? Like I pretty much just said nothing in my post. 111 likes, 10,000 impressions. It doesn't make any sense.

ADRIANA: Holy crap.

MICHAEL: Yeah, so it's, it's a really like weird world that we live in where it's like you pretty much just say nothing and people are like, "Sick!" and then you say stuff that's important and people are like, don't like that at all.

ADRIANA: Yeah, yeah, it's so bizarre. And then especially like when you have like this lovely, well-crafted post and there's like, you know, hardly any impressions, hardly any likes and it's like nobody loves me. Now another question that I wanted to ask you around security is, you know, there's, there's the age-old battle between InfoSec and developers. What kind of, what kinds of things are you seeing out in the wild with regards to this? Like do you think it's getting any better or what do you, what do you think is kind of the main cause of this?

MICHAEL: You know what's so ironic about this question too. I'm so happy that you brought this up because I so oftentimes I argue with myself, right? For better or for worse. I just. Multiple personalities in here and I have a lot of arguments and disagreements with everybody that's in here. And a lot of the developer security issues, right, are really all about this. It's everything that we know. This security person told me I have to change this and it's going to break this and it doesn't work with this. Right? This is the security thing that we all know.

Why does this happen? Well, very straightforward. The security person is running a vulnerability assessment. These vulnerability assessments say this thingy over here is broken. Go fix that thingy and then they throw it over the wall. The reason why the security person is doing that is because, and I'm not trying to sound rude or anything, this is just open honesty. They don't know what they're talking about. If you have any security measure that you are recommending and it is going to break something, that means you do not understand the underlying application, the understand. The underlying libraries, understanding packages, and how this application stack is created. There is no security issue that should ever break a system when it's integrated.

The only time that you may have an issue is when you're doing a vulnerability assessment that has a third, that's scanning a third party package or library that has a security vulnerability inside of it. Because you essentially have three options. You become an open source maintainer for that library package and you fix it. You accept what it is, or you take it out and you find another way to write that piece of your code. That's really the only time that something could break your application stack. But what ends up happening is a lot of security folks, they'll say, this thingy is broken over here, go take out that thingy. Because we have something, something compliance and something something need and something something management and something something something something. But they don't really know the why.

And that really just goes back to what we were talking about before, where it's like you need to understand what you are securing. If you do not understand the way these things work underneath the hood, you will piss everybody off. That's what it comes down to. And again, this isn't like me trying to. I'm just really passionate about this and I'm like this right now because it gets me kind of going. And I'm like, this is why we have so many. And this is why we have problems in tech in general thinking about security. This is, this is why we have so many problems.

ADRIANA: Yeah, yeah, yeah, that makes a lot of sense. Yeah, thanks for shedding some light on that. We are coming up on time and I'm sad because I could just keep asking you so many questions around this. But before we go, do you have any either hot takes or words of wisdom that you want to share with folks?

MICHAEL: Yeah, I mean if I could give anybody in tech regard, regardless of what direction you go in, engineering, help desk, systems administration, virtualization, cloud, DevOps, software, whatever it is, just get really good at what you're trying to do. And this is something that's going to take years, but if you're really good at it, if you're really good at one thing, what you'll learn is two things. Number one, you'll be able to name your price at any job. Number two, you're going to begin to understand that a lot of this stuff overlaps. And then you'll realize, oh, because I got really good at this one thing, I think I actually understand a little bit of everything, and it's going to help you tremendously throughout your career.

ADRIANA: Yeah. That is such great advice. Well, that's awesome. Well, thank you so much, Michael, for geeking out with me today. And y'all, don't forget to subscribe and be sure to check the show notes for additional resources and to connect with us and our guests on social media. Until next time...

MICHAEL: Peace out and geek out.

ADRIANA: Geeking Out is hosted and produced by me, Adriana Villela. I also compose and perform the theme music on my trusty clarinet. Geeking Out is also produced by my daughter, Hannah Maxwell, who incidentally designed all of the cool graphics. Be sure to follow us on all the socials by going to bento.me/geekingout.