Breaking into the Industry
Information Security is hiring. It’s not only major security companies looking for talented and experienced people but large organizations are starting to build out their own internal security teams. This is causing a major talent gap in the industry, everybody is competing for the same small group of people and the demand is much higher than the supply. If you are somebody who has always been a tinkerer and breaker of things, Information Security might be a great career path for you. Many security companies and even the U.S. Government have been resorting to training up people to help fill that gap.
Here at Security Compass we have been in full hiring mode for the last few months and we have been interviewing a lot of people looking to break into the industry. The question of “How do I get started in Information Security?” comes up often.
The first thing to know is that security is a massive topic, if you try to dive into it all at once it can be pretty overwhelming. There are countless different security domains that you can specialize in; prominent examples of these include web application security, infrastructure security, mobile application security, etc.
If you are a developer who has worked on web or mobile applications before those domains would be a natural area to start. Having a good understanding on how things are built is very important when you are trying to break them and being able to leverage previous work experiences will make understanding the security concepts much easier. Similarly, if you are from a systems administration background then you may be able to leverage your understanding of networking, firewalls, and configuration/patch management very quickly in a security setting. One of the best things about information security is the plethora of free resources out there for people use. It’s not just books and documents, there are plenty of interactive activities you can use to learn and test your skills. We’ve put together a list of resources you can look at and some activities you can do to help prepare you for your first job in Information Security. It is roughly split up into two major learning paths, application security for developers and infrastructure security for system administrators. While you should not limit yourselves to any of these, focusing on a learning path can help you get the most value out of your time early on.
Application Security Learning Path:
- OWASP Top 10 — OWASP is a community driven open source project that is focused on web application security. OWASP’s flagship project is the Top 10, which outlines the top categories for web application vulnerabilities and provides information both for people who are building applications and people who are testing them. Understanding what these categories are, and how to test for them is fundamental if you are interested in getting stared in security.
- You can check out our free OWASP Top 10 CBT which provides detailed explanations for all of the top issues:
- OWASP also provides guides on testing methodology and testing tools.
- Most cities have a local OWASP chapter which holds meetings that you can attend and connect with people in the industry.
- Vulnerable Applications — Once you understand high level vulnerability classes you can try exploiting these issues on actual applications. Testing on applications which you do not have permission to test is illegal, thankfully there are plenty of free vulnerable applications which are hosted specifically for the purpose of allowing people to test tools or learn testing techniques.
- Vulnerable Code — If you are coming into InfoSec from a development background then a natural progression for you may be looking at secure coding practices and code review.
- A lot of the vulnerable applications noted above have public source code, try working your way back from the runtime vulnerability to its location in the source code. Some projects such as WebGoat comment their source to outline where vulnerable code is located.
- Perform some research on the language you work with and its history with security vulnerabilities. For example if you are a ruby developer, check out the major YAML vulnerability from a few years ago. If you follow an open source project that had a vulnerability disclosed, check out the diffs in code to see where the issue was and how it was fixed.
- Look into secure coding guidelines for the languages you work with, review your old projects to see if there are any improvements you can make.
Infrastructure Security Learning Path:
- Infrastructure Security — On the other hand if you are coming in from a non-developer but IT background network pentesting and infrastructure security may be a better place to start.
- Download and install Kali — a linux distributed dedicated to network pentesting.
- Read the nmap book. Knowing how to run a port scanning using nmap is fundamental, understanding how nmap works under the hood beyond what the flags do is a great skill to have.
- Check out some vulnerability scanners — OpenVAS is an open source project which is free to use, it is not nearly as in-depth as professional scanners however it can still be used to get a feel for what types of issues scanners find, and what types they don’t.
- Learn how to use Metasploit, which is the industry standard for exploitation.
- Vulnerable Servers — Similar to above, there are plenty of sample vulnerable systems from a network and configuration level which you can test your skills against.
- Metasploitable2 is a purpose built VM with multiple services which can be exploited.
- Do some of the activities on VulnHub. The Kioptrix exercises in particular are excellent.
- Offensive Security offers the industry standard for network pen testing certification and practical labs. If you are willing to make the investment the labs provide an unbeatable experience.
- Capture the Flag’s and other hacking games — One of the coolest things about InfoSec are the constant capture the flag events that are going on. These are games where teams of people compete to be the first to exploit vulnerability and score points. Most of these challenges are fairly difficult and require a lot of out-of-the box thinking but that feeling when you finally get a flag makes it all worth it. Most CTF’s have at least a couple of challenges aimed at beginners.
- CTFTime is a website which tracks when CTF’s are going on and maintains scores for teams.
- Captf is an excellent site which hosts previous information about previous CTF’s as well as information regarding practice CTFs.
- If you can get a team together and travel there are a bunch of amazing onsite CTF’s as well, a personal favorite of ours is Hackfest which takes place in Quebec City. These types of events are great ways to learn about security and meet people in this industry.
- This github repo contains write-ups for past challenges — which are a great read.
- Microcorruption is an excellent online game which teaches you can use to learn about exploit development.
- Community — Keeping up to date in information security is a difficult task, even people with years of industry experience have to keep reading, experimenting and researching to keep up their game.
- Twitter is the main social media network where Information Security people hang out. Most of the big names in the industry are very active and often that is the first place you will hear about new bugs and research.
- /r/netsec is one of many interesting subreddits which collect interesting posts. The sidebar also has links to other more specific domains (such as Reverse Engineering).
- SecurityTube.net offers a great selection of videos on various security topics.
- Videos of talks from major conferences (Defcon, Derbycon, etc) are normally listed on their sites.
This list is by no means exhaustive, information security is a massive topic and it’s always changing. If you were looking to get into different domains such as malware analysis or incident response the types of resources you would look at might be completely different. However these can provide you with a good starting point which will help you stand out in an interview. It’s at this point I should mention that we are hiring, if this kind of stuff interests you please head over to our careers page.
Originally published at labs.securitycompass.com.