There’s something special about one’s most memorable experience with computers. My most memorable experience was, as a child, using a dial-up modem to play Starcraft II in multiplayer mode. I remember being glued to the screen for hours, sometimes days, with my brother, plotting strategies for how I planned to infiltrate an enemy’s base, disable their resource-mining capabilities and take out enemy networks. Initially, our internet connection was a dial-up modem, which severely limited our conquest for cyber world domination, but eventually we upgraded to a DSL modem. We could now play all day and night without interference; nothing held us back.

I look back on those days and feel that life was simple. The thrill of invading an enemy base and acquiring their assets was just as much fun as defending against a full-blown attack. Now it’s 2017; we might not be playing Starcraft, but we sure are playing a similar type of game. Turn on the news and I guarantee you’ll hear about recent cyber attacks like the WannaCry ransomware, the Russian hacking of the DNC email servers or the cyber attacks on the Ukrainian power infrastructure. The bad guys are real and cyber attacks happen. They happen a lot more frequently now than ever before. Cyber war is upon us and we need skilled security engineers to protect critical technology infrastructure.

Check out this article on 2017’s most recent cyber attacks:

How does one get into the field of cyber security, specifically as a web app pen tester? What skills do I need to acquire for an entry level job?

This article addresses two of the many routes you can take to break into the cyber security industry without previous experience. Below is a template I’ve created to help you transition into web application security without prior technical experience in developing web applications.

Disclaimer: This is my analysis of how to break into the industry by choosing the web application penetration testing route. I do not have any experience as a software security professional. Take my recommendations at face value. Do your own research and come up with a plan. Use my resources as a guide, not as definitive. If you have additional recommendations on the web application penetration testing route, please be kind and add them in the comments below.

Self-Study Route:

Below is a list of projects, books and labs that will help you acquire the necessary skills for an entry level web application penetration tester.

Projects:

1. Build web applications using these programming languages: Ruby (Ruby on Rails), Python, Java, C, C++, SQL, HTML/CSS, JavaScript

2. Exploit your web application.

3. Patch your security flaws.

4. Write a report of your exploits.

5. Repeat.
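To make the build / exploit / patch / report loop concrete, here is an added example that is not part of the original post or of any course named here. It uses only Python’s standard library: a login lookup written two ways against a constructed in-memory SQLite table (the usernames and passwords are made up). The first version is the kind of flaw you would plant and find in step 2, the second is the step-3 patch, and the hypothetical `run_lab` helper exercises both and returns what a step-4 finding would record.

```python
import sqlite3

# Constructed sample data for the practice database; not real accounts.
SAMPLE_USERS = [
    ("alice", "correct-horse"),
    ("bob", "battery-staple"),
]


def make_db():
    """Create an in-memory SQLite database with a users table.

    A real application must never store plaintext passwords; this is only
    the minimal schema needed to show the query-construction flaw.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Step 2 target: the statement is built by string interpolation, so the
    user-supplied values become part of the SQL grammar (OWASP Top 10:
    Injection). Deliberately left flawed for the lab."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_patched(conn, username, password):
    """Step 3 fix: a parameterised query. The driver sends the values
    separately from the statement, so they can only ever be compared as
    data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_lab():
    """Hypothetical helper for steps 2-4: run both versions with a legitimate
    login and with the textbook tautology input, and return the result as a
    dict that can be pasted into the write-up."""
    conn = make_db()
    tautology = "' OR '1'='1"  # the classic WebGoat-style injection string
    results = {
        "vulnerable_valid_login": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "alice", tautology),
        "patched_valid_login": login_patched(conn, "alice", "correct-horse"),
        "patched_injected": login_patched(conn, "alice", tautology),
    }
    if results["vulnerable_injected"] and not results["patched_injected"]:
        results["finding"] = (
            "Authentication bypass via SQL injection in login_vulnerable; "
            "fixed by parameterised query in login_patched"
        )
    else:
        results["finding"] = "No finding"
    return results


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key}: {value}")
```

Reading the interpolated statement aloud is the whole lesson: `WHERE username = 'alice' AND password = '' OR '1'='1'` is true for every row, so the first user comes back without a password. The patched version hands the same string to SQLite as a bound value and gets no row, which is exactly the before/after pair a report should show.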

Books:

1. The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

2. Penetration Testing from No Starch Press (chapter 14)

Labs:

1. OWASP WebGoat project (summarize the OWASP Top 10)

2. Pentesters for Web Apps (Finish the course)

Boot Camp Route:

I’ve been watching the progression of boot camps in SF from 2012 to now and it has been a rollercoaster. I’ve watched the massive growth, acquisition and consolidation of the industry over the past years. While I couldn’t find any boot camps specifically designed for web application penetration testing in San Francisco, I do think a few of them stand out and will prepare you for the job. If you live outside of San Francisco, you can find a list of cyber security boot camps here.

After researching the technical skills needed for a web app pentester and having conversations with a current web app pentester, Kristin Parke, I was quickly convinced to find a boot camp that taught multiple languages, frameworks, soft skills and a deeper understanding of computer science.

If there is one school in SF that would be most applicable for the web app pentesting route, it would be the Holberton School. Here’s why:

  1. Diversity amongst students.
  2. Breadth and length of technical curriculum vs. other boot camps. When did we start believing we can become professional software developers with no previous experience in 16 weeks? Come on, people.
  3. The technical curriculum is more geared towards web application pentesting vs. other boot camp curriculums.
  4. A network of other highly motivated and diverse students.
  5. A highly technical mentor group.

Regardless of whether you go to a boot camp or not, if you are interested in web app pentesting, you should go through the materials in the self-study route above.

Closing Remarks

I’ve been asked a few times, “Why do I want to become a software engineer?”

I want to become a software engineer because I enjoy building technical products, while protecting people’s information and giving people peace of mind. Plus, who doesn’t like a good Red team vs. Blue team skirmish?

If you are in San Francisco and want to connect with me, you can find me at one of the security meetup groups or hopefully at the Holberton School in 2018.