How to become a Web Security Researcher?

sinxLoud
Sep 6, 2018 · 6 min read

In essence, cybersecurity is all about discovering non-default uses of everyday technology to cause unintended behavior.

We live in an era where online safety is never guaranteed: every little blip of information sent across the internet is a potential target. Security professionals have long observed that a large share of security vulnerabilities stem from poor coding practice.

This article is aimed at people beginning a career in web application security, which has been emerging as one of the most financially rewarding professions in information technology.

I would like to start with an example. A torch is used by people to find their way through dark areas, and by police investigating a house with no lights. Same object, different use case. As a security researcher you need to look at this torch as an unknown object, as if you don't know what it is, and ask:

  • What does it do? Turns on a light.
  • What do people use it for? To navigate through dark places.
  • What is the most common use of it? Police or consumers use it when the lights go off or when they need to navigate through dark areas.

Then you think: if this is the regular use of the torch, what could be a use of it that is not intended? A thief can use it to navigate a dark area exactly as the cop does, but with the wrong intentions.

Same goes for a kitchen knife. You see this as an unknown sharp object and ask:

  • What is this sharp object? It's a kitchen knife.
  • What do you do with it? Chop vegetables.
  • What is the most common use of this knife? Chopping vegetables.

Then ask what happens if this knife gets into the wrong hands. The answer is quite simple: someone with bad intentions could do some very different chopping with it.

As a cybersecurity researcher, you take regular everyday things and think of malicious ways of using them. Sounds simple, but you might say that you don't have a burning intellect or a scientific thought process. You may not have a mathematical background; you may know nothing about discrete mathematics or the dark sciences. So how can you be good at cybersecurity? This is a myth. You don't need any of those things to be good at cybersecurity. Sometimes we like to think that what we are thinking is unique, but it isn't. In fact, most people have the same questions, because human psychology is more or less the same everywhere.

What is truly required to become a Web Security Researcher?

There is so much abstraction in technology that you don't need a mathematical background or a scientific thought process. There are people who never had a formal education and are still excellent security researchers. Let's dive in and look at some ways you can get ahead in web security.

1. Insatiable Curiosity. 🤔

One thing required of you to survive in security for years is being genuinely curious about it. In terms of what you need to know, there is no difference between a web developer and a web security person. If you want to be an excellent web security professional, you need to know everything that is happening in the web development world. You will have to understand what JavaScript, PHP, HTML and CSS are, and learn them as a passionate developer would, but question everything as you learn and imagine other uses for it. You don't want to feel intimidated by words like JavaScript, PHP or Node.js.

It's important for you to know:

  • Where is web development headed?
  • Which framework is regarded as the best in use today?
  • Which framework is the most widely used?
When solving problems, dig at the roots instead of just hacking at the leaves. — Anthony J. D’Angelo

In cybersecurity, people lose their passion when they are not able to find bugs. You need to burn the midnight oil and nurture genuine curiosity about web security so that you don't outgrow your passion for it. You don't want to look at a website from a bird's-eye view and only pick the low-hanging fruit, i.e. security vulnerabilities without any serious impact. If you want to be an above-average web security researcher, you have to take a closer and deeper look at how the different technologies used by the website come together.

2. Learn by doing it. 🧐

Like I said, there is no difference between a web developer and a web security person. You only make a distinction by pushing yourself to know more than the default use while learning.

Start building simple and small websites with PHP or HTML.

Get familiar with a database and a web server, try making tiny pages that take input from a user, such as login credentials or contact details, and learn to do some penetration testing against them. I have curated a list of helpful resources for beginners to get started with web development and penetration testing.
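To make the "tiny login page" exercise concrete, here is an added example that is not part of the original post. It is written in Python against an in-memory SQLite database (rather than the PHP and MySQL the post suggests) so that it runs offline without a web server; the table layout, the function names and the two sample accounts are constructed for this illustration. It shows the login check the way a beginner usually writes it first, with the user's input pasted into the SQL string and passwords stored in plaintext, next to a hardened version that uses a parameterised query, salted PBKDF2 hashes and a constant-time comparison. Running it shows the classic injection inputs succeeding against the first and failing against the second.

```python
"""A login check written two ways: the beginner's version and a hardened one.

Everything runs against an in-memory SQLite database, so there is nothing to
install or deploy. All names and accounts here are constructed for the example.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("admin", "hunter2"),
]

# Typical injection payloads a tester tries against a login form.
ATTACK_PROBES = [
    ("admin' --", "anything"),        # comment out the password check
    ("alice", "' OR '1'='1"),         # make the WHERE clause always true
]


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: deliberately slow so leaked hashes are hard to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Create both schemas in one in-memory DB and seed them with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    # Beginner schema: plaintext passwords, compared inside the SQL query.
    # It exists here only to reproduce the mistake the hardened version fixes.
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    # Hardened schema: a per-user random salt and a PBKDF2 hash, compared in code.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The beginner's version: user input is formatted straight into the SQL text.

    Whatever the user typed becomes part of the statement, so quotes and SQL
    comment markers in the input rewrite the query itself.
    """
    query = (
        "SELECT username FROM users_plain WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()  # executes whatever the attacker wrote
    return row is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus a constant-time comparison of the password hash.

    The '?' placeholder makes SQLite treat the username purely as data, so no
    input can change the shape of the statement; the password never touches SQL.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)


def run_probes(conn: sqlite3.Connection) -> dict:
    """Try every ATTACK_PROBES payload against both versions.

    Returns {payload: (vulnerable_result, hardened_result)} so the two can be
    compared side by side; True means the login was accepted.
    """
    return {
        probe: (login_vulnerable(conn, *probe), login_hardened(conn, *probe))
        for probe in ATTACK_PROBES
    }


if __name__ == "__main__":
    db = make_db()
    for (user, pw), (vuln, hard) in run_probes(db).items():
        print(f"user={user!r:14} password={pw!r:14} vulnerable={vuln}  hardened={hard}")
    print("valid alice login, hardened:", login_hardened(db, "alice", "correct horse battery staple"))
```

Both injection probes are accepted by `login_vulnerable` and rejected by `login_hardened`, while a correct username and password still succeed against the hardened version. When you build your own practice page, write the naive version first, break it with these inputs, then fix it; seeing the broken query you constructed is what makes the parameterised form stick.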

Practice common security vulnerabilities in an ethical hacking environment.

With the help of ready-made vulnerable applications you can really sharpen your skills, because you learn in a safe environment where you are allowed to attack the target. Here are a few resources to legally practice your hacking skills.

Most importantly, work through the free OWASP Testing Guide to practice security testing.

OWASP has created lots of resources for strengthening the relationship between security and development. In them you can read about the large majority of common web vulnerability classes and how to find them. OWASP aims to help web security researchers understand the what, why, when, where and how of testing web applications. If you are getting started with web application security testing, here are OWASP resources that will help you get ahead.

3. Go after Bug Bounties 💰

If you want to be an excellent web application security researcher, go after bug bounties. You can sign up with HackerOne and Bugcrowd. There you will see public programs run by companies that have active bug bounty programs. For example, Google runs a bug bounty program; you can go ahead and try to find the classes of issues you have learned about. Don't procrastinate by thinking that you don't have enough skill to find a bug in a big company's product. You should try to find vulnerabilities in products you yourself use, and take on some real challenges to financially bootstrap your career in web application security. Always read a program's scope and rules first: only the assets the program lists are in bounds, and testing anything else is not authorized.

A common problem among bug bounty hunters is that once you find a bug, you get over-excited. You want to get paid for it quickly, your focus shifts to the money, and you stop thinking logically at a $200 bounty. As a result you miss that your bug sometimes has much more impact than you first saw. Only by thinking further, for instance by asking what the bug lets you reach or chain into next, can you turn it into a $2,000 or even $20,000 bounty.

Here are some resources that will help you get ahead in Bug hunting;

Bug Bounty Platforms

Recommended Reads

Once you have found a couple of bugs through bug bounty programs, you will have a track record that most companies take seriously when hiring.

Before you go…

Always keep in mind that the devil is in the detail. When it comes to security, engaging your curiosity creates the capacity for patience while trying to find bugs. Be curious and patient.

I hope this article puts you in the fast lane and wish you the best with your career in Web Application Security. Cheers!

📜 If you enjoyed this post, do share it with your friends. Please leave a comment below, and let me know what you think!

Tags: Web Application Security Beginners, How to start a career in Web Security, Web Security for Beginners, Web Application Security for Beginner, Learn Web Application Security, Web Application Security for Beginners, Web Security Beginner, Beginner Web Security, Beginner Web Application Security, How to learn Web Security, How to become web security researcher

Originally published at sinxloud.com on September 6, 2018.

Data Driven Investor

from confusion to clarity, not insanity

Written by sinxLoud

💻 https://sinxloud.com // managed by @sakimjan