Safeguarding Fundamentals: Jasmin Landry’s Journey of Sheer Dedication 

Jasmin Landry, Senior Director of Information Security, Nasdaq

Shining in the spotlight with a reputation for consistent dedication and a proven track record of enabling advancements in safeguarding digital fortresses, Jasmin Landry has risen through the ranks to become a prominent figure in the information security niche. His journey is a demonstration of his commitment to safeguarding financial markets.

Landry’s leadership in the field is nothing short of extraordinary. In his role as Senior Director of Information Security, Jasmin’s sheer determination to stay one step ahead of malicious actors has transformed Nasdaq into a fortress of trust for investors and listed companies alike. From his early foray into the world of cybersecurity to his current role as Senior Director, he has faced new challenges and striven to solve them with firm commitment.

Jasmin Landry’s story is not just about safeguarding digital fortresses but about inspiring a new generation of cybersecurity professionals, fostering a culture of resilience and redefining the future of protecting critical data in an advancing business arena.

The Days and The Dreams

When Jasmin started doing bug bounty, he knew he’d love it; it quickly developed into his passion. What he didn’t know back then was that he was doing it to perfection. After about a year of doing bug bounty, he got invited to his first live hacking event in Las Vegas. That’s when he thought, “Woah, this is really cool; I want to do this forever!”

It was originally more of a hobby or a side gig, but it eventually became Jasmin’s primary source of income, and he even did it around the clock for a few months. But now that Jasmin has a family and is getting older, he has decided to do it again as more of a hobby in his free time. At that hacking event, Jasmin had so much fun. He met a ton of people who loved hacking along with people who were Jasmin’s target audience for the event.

It was nice collaborating with other hackers and learning from each other, as well as getting to know how it works from the company side, receiving all these reports from bug bounty hunters. That first event definitely increased his passion for hacking, as he wanted to get invited to all future live hacking events!

The biggest lesson that he learned while participating in these live hacking events is that collaborating and working as a team is usually more beneficial learning-wise. He shares, “You get to brainstorm on ideas, learn new techniques from others, learn new technologies and how to approach them in order to find vulnerabilities, and so on and so forth.”

He adds, “This allows me to share knowledge with colleagues, of course, while respecting the NDAs that we have at those events and also to better protect and secure the products that I work with at Nasdaq.”

Putting Your Skills to the Test

Understanding the technical details of a vulnerability is normally easy for an experienced penetration tester. What is harder to grasp is the impact and risk that the vulnerability has on the business. Early in his penetration testing career, Jasmin reported a critical vulnerability to a client; he knew it was bad.

What Jasmin learned later that day is that it was extremely bad, since it affected approximately 80M of the client’s customers. He ended up having to stay on calls all night until the early hours of the morning to help the incident response team check whether this had been exploited in the past, help the developers fix the vulnerability, and help the other teams involved make sure everything was sorted properly.

Jasmin realized that if he had just gone a step further and explained the impact in his report, shown how to fix it permanently, or explained how to temporarily block it on the WAF, it probably would’ve been easier for everybody involved, and it might have avoided those late-night meetings. After this incident, he added many more details to his reports!

Wisdom of the Professional

Jasmin shares, “Doing bug bounty often pushes your skills to the limit; it’s quite common. You’ll often stumble on a new technology or framework that you’re not familiar with, a theoretical vulnerability or even an easily exploitable vulnerability. The challenge with that is we often need to spend a lot of time researching a different subject, putting pieces together like a puzzle in order to exploit what we thought was a theoretical vulnerability or show a high impact to the target company on the easily exploitable vulnerability.”

One case in particular that Jasmin remembers is where he found a simple vulnerability with a medium severity. He typically tries to increase the impact on those with hopes of getting a larger bounty.

He spent roughly two more days on it and chained that vulnerability with three more lower-severity vulnerabilities or misconfigurations. Combined, they resulted in a critical-severity report.

Jasmin learned a lot about the technology the company was using, and the company came to understand that, starting from the original vulnerability, a skilled attacker could exploit them badly by using other low-severity vulnerabilities they originally didn’t really care about.

Shaping Success Perpetually

Public speaking has definitely enhanced Jasmin’s ability to convey complex concepts to non-technical stakeholders. It’s still not easy, but it becomes easier with time and practice. When he speaks at infosec conferences, he normally assumes that the audience is technical, so he can dive deep into diverse topics. However, a presentation at a university, or simply communicating a vulnerability or a risk at work, is totally different.

People don’t have the same skills and experience as Jasmin in cybersecurity, so he tries to communicate with them in a way they can understand, depending on their expertise, area of work, etc.

As a professional, he says, “I think that people leading a team of cybersecurity professionals should be passionate about their work and in the field they work in. When you’re passionate, and you show that you care about your team and the work they do, your team will also care and do great work!

“On top of that, when you’re passionate about your job, you tend also to be a great leader even if you don’t have management experience or are not a natural leader. You’ll more likely lead by example and the team will follow you, and, in the end, everyone benefits from it.”

Stepping Up Towards New Horizons

In Jasmin’s opinion, one of the best ways to build a good culture of cybersecurity awareness is to show real-life examples. We all have gone through cybersecurity awareness and phishing training. We all know we have to be cautious before opening an email and clicking on the link; we all know it’s a bad idea to leave our passwords on these websites or links.

However, we still get caught in phishing campaigns, and some still do things against best practices. People learn but quickly forget if it’s not a topic they’re normally interested in. If we instead approach it with a real-life example to show how it can affect not just their job but their life in general, they’ll think about it a lot more and be extra cautious before clicking a link in an email.

For example, suppose we show that with a phishing email, the attacker can steal their Facebook credentials and use those same credentials to access their email account, which can result in accessing their PII and, in the end, stealing their identity. In that case, they’ll realize that this is no joke. People will eventually develop the awareness not to do things that are not recommended and not to click on the link in the email, all without really thinking about it.

Upgrading the Fundamentals

Jasmin mainly uses social networks such as X, formerly Twitter, and LinkedIn to stay up to date with changes that are happening in the industry. He has also subscribed to a few RSS feeds and newsletters to receive updates on emerging threats, important news in the industry, new 0-days or N-days, etc.

He schedules time on his calendar every week to read up on what’s happening in infosec and cybersecurity. It allows Jasmin to better prepare for upcoming changes, develop expertise in new areas, and so on.

“Learning how to hack is not easy; you need to have the basics covered. You need to first learn networking and the internals of how an operating system works; a bit of coding helps as well, and so on and so forth.

“You need to understand how things work before being able to break into them. One expression that we say to aspiring cybersecurity professionals who are interested in penetration testing or bug bounty is ‘learn to build it, then break it.’ For example, if you know how a web application is built and how all of its components work, you’ll have an easier time finding flaws in it,” concludes Jasmin.