Every so often, podcasts and such will invite me to speak on a variety of topics. And this week, I was very excited to join @cktricky and @sethlaw on the Absolute AppSec podcast. I have known Ken for years, and he is one of the people that I admire. So not only was it cool that he asked me, but an honor as well.
One of the topics we discussed (and you can check out the podcast when it is published here: https://absoluteappsec.com/) was how I became a security consultant. While I won’t ruin the podcast by posting this here, it got me thinking: How can we make sure that as many people as possible have access to the information needed to get started down this career path. Here are some ideas and topics that came to mind. These are all either free or inexpensive resources, so anyone can check them out today:.
I will split this up by topics:
The Certified Information Systems Security Professional (CISSP) is the de facto standard certification for security professionals. This makes any CISSP prep class a great way to get started in the field even if you aren’t ready for the certification exam. And if you are coming from an IT job (including entry-level ones), there is a good chance you meet the requirements from (ISC)2. If you are looking for self-study, Eric Conrad and Seth Misenar’s CISSP Study Guide is excellent. Another option that I like is our own Professionally Evil CISSP Mentorship. This program is a hybrid approach between self-study and instructor-led. (Our next run is June 2, and there are some great discounts available.).
Network security is a much bigger topic, but there are some great places to get started on it. For one, I try to follow several people on Twitter continually. Some of my favorites are (in no particular order and leaving off Secure Ideas people):
- Rob Fuller
- Tom Eston
- Hal Pomeranz
- Sean Muller
- Ian Coldwater
- Amelie Koran
- Chris Sanders
- Teri Radichel
- John Strand
- Dragos Ruiu
- Katie Moussouris
Several of these security professionals are also involved in podcasts or YouTube channels.
You also need to think about understanding the basics behind the attacks and testing techniques. For me, one of the best ways to do this is to understand both network mechanisms and how organizations are able to log and gather this network data. For the first, Chris Sanders has an excellent class available online to help understand networking by analyzing the raw packets themselves. For the second, I recommend that people try out Security Onion. The ISO is a great way to get started with log management and network security monitoring with a completely open source Security Incident and Event Monitoring (SIEM) system to practice within.
Now, if you are interested in learning about being a penetration tester or would like to understand attack techniques to defend from them, our upcoming Professionally Evil Network Testing course is a relatively inexpensive training option. We are launching our live virtual class this summer, and you can register on our training site.
Web Application Security:
If you know me, then you know that web application security is a significant focus of my career. There are lots of places where you can start by figuring out how various vulnerabilities work and how you can test for the issue.
First, I have to point you to SamuraiWTF. SamuraiWTF is a virtual environment designed for providing a safe practice and learning environment. It comes with several purposefully vulnerable target applications and a variety of pre-installed tools to test with. The target applications include Mutillidae, Samurai-Dojo, Damn Vulnerable Web Application (DVWA), and OWASP Juice Shop, each with their own set of challenges to provide semi-realistic practice areas designed for increasing web testing skill sets. SamuraiWTF is an open source project and is regularly evolving to include new targets.
Having mentioned two projects from OWASP (Mutillidae and Juice Shop), it seems like the right place to suggest this organization and its chapter meetings as a great source of information. There is a ton of information, freely available, throughout the OWASP website and I always suggest to those that want to become involved in web application security, to become a member of this organization.
One of the people that I think is a great person to follow on Twitter regarding web security is Tim Tomes. He is the author of Recon-NG and offers a course on web penetration testing. Another wonderful person to follow is Jeremy Druin. He is the author of Mutillidae and has numerous YouTube videos explaining security topics. And you can always visit PortSwigger’s Web Academy, who are best known as the maintainers of Burp, the de facto commercial web application penetration testing tool.
Secure Ideas is also offering our Professionally Evil Application Security class, which will be a live class and hosted online. This three-day course is focused solely on learning web application security. Keep in mind that veterans get a discount on all of our courses. We have also open-sourced a six-day course from 2014 and is called the Professionally Evil Web App PenTesting 101 course. Unlike PEAS, this course is very tool-focused instead of technique-focused but is useful as you practice and learn, the Professionally Evil way.
Before I close this out, I would like to add that the above is solely based on my own experience. There are many other aspects to information security. Some professionals dig physical security and social engineering. Others are passionate about IoT, or cloud. There are a wide range of security roles, from risk management, to operational security, to penetration testing, to business continuity and disaster recovery experts.
I hope that this article is helpful as you start or enhance your career Information Security. If you have any other questions, feel free to reach out via email or on our Professionally Evil Slack workspace.