Re: [WEB SECURITY] Getting into the security industry
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Getting into the security industry
- Date: Tue, 4 Mar 2008 13:54:05 -0800
1. Get a job as a web programmer and work your way over to the
security team from within the company.
2. Get a degree and go work for a big consulting firm (Andersen, D&T,
KPMG, etc.) and they can put you on a team to do this sort of thing.
3. Find a small security product reseller that does low-end
penetration testing (or, more likely, what we call Scanner-Jockey
work) and start at the bottom, but don't *stay* there.
4. Similar to #1 -- Find a progressive employer that realizes that a
good programmer can easily be turned into a good hacker (where not all
network security & network pen testing folks will ever make good
software hackers). If you are a good web programmer that groks
hacking, you will get hired.
5. Go to security conferences and network yourself. This is incredibly
valuable if you want to build your career, and/or find out how much or
little you really know.
OWASP and WASC events are good things to attend. Even an ISACA or ISSA
event might have a CSO or similar type looking for an internal web
application security resource.
Good luck. It is very possible.
I did this very thing from Kansas back before there were ANY books or
whitepapers written on the subject, but I got very lucky in that I had
the help, encouragement, and inspiration of some very smart people
from the hacker community that noticed a paper I wrote.
For learning resources today, sheesh, you have a rich world to learn
from both online and in books.
All I had was Rain Forest Puppy rambling about SQL injection and
ranting about all our IIS servers
http://archives.neohapsis.com/archives/win2ksecadvice/1999-q4/0051.html.
(For the record -- I had already gutted the data factory stuff from my
IIS servers, though we were still grossly vulnerable to SQL
Injection.)
I will also add that my time in ecommerce and working with web
software development was essential. I actually got to see attacks
against our software assets developing in real-time, and see poorly
written code get broken, and understand how and why it got to be that
way, and learn how and why it is sometimes damn near impossible to fix
bad code, etc. etc. etc.
That experience made everything else in webappsec easier to grok.
I assure you that a year or two in web software development will make
you a much better security professional in the long run, on multiple
levels. At a bare minimum, you'll understand your clients' pains more
intimately, and by proxy, empathetically.
Cheers,
-ae
On Tue, Mar 4, 2008 at 1:01 PM, Tassi <Tassi@xxxxxxxxxxxxx> wrote:
> Hi
>
> I am trying to get into the security industry and have been reading web
> application security books and using any resources I can find to get
> some hands-on experience by using resources such as Foundstone's HackMe
> Bank/Books/Casino, WebGoat and BuggyBank, but am finding it difficult to
> get any real-world commercial experience, hence am unable to get any
> junior penetration testing roles because of this. What is the best way
> to go about trying to get into the security arena or is it just a lucky
> break I have to try and get?
>
> Any assistance would be appreciated.
>
> Thanks
>
> T
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
--
Arian Evans
software security stuff