TL;DR: I’m utterly overwhelmed. The security field is huge, learning resources are abundant, and the community is surprisingly welcoming.
As soon as I decided I wanted to familiarize myself more with the security world, I focused on three things: searching for learning resources, better understanding career opportunities in security, and surrounding myself with field experts.
By searching around, I quickly realized that the amount of resources out there is overwhelming. I decided to stick with the following three resources for now:
PentesterLab is a hands-on platform that focuses on web hacking. Topics are split into a number of small activities that you have to complete in order to earn the corresponding badge for that topic. There are three things that I really like about this platform:
- Activities are short and focused on a particular way of exploiting a vulnerability
- Instructions clearly explain the expected outcome of an activity, but are vague enough that you will find yourself having to search for extra info. If you can’t solve an activity, they provide a step-by-step video on how to solve it. Use only in case of emergency!
- The way the activities and topics are organized makes it very seamless to transition from basic stuff to more advanced content
Real-World Bug Hunting
I started reading Real-World Bug Hunting, by Peter Yaworski. The book focuses on web security, and goes over a number of potential vulnerabilities, along with corresponding ways to exploit them. It has proven to be a great resource thanks to the friendly tone of the author, and the way the content is structured.
Coming from a web development background, I’ve had fun moments of retrospection where I end up thinking “uhm…maybe I shouldn’t have done that”.
Cybrary is a very complete learning platform that includes video content, hands-on labs, and practice tests for industry-recognized certifications. The content catalog is pretty impressive, and the format ranges from short videos and labs to full-on career paths. By getting their Insider Pro subscription, you also get access to their Slack community, and mentorship from different subject matter experts.
Even if you don’t intend to start a career in security, it’s useful to understand the different paths one could take. This also helps you understand the dynamics between the different actors and teams that take part in the security space.
SANS’ training roadmap can be really useful to get a high-level overview of the options. In general, these are: defensive security (blue team), offensive security (red team), forensics, and management. Depending on your role, you can end up combining a number of those disciplines, or focusing deeply on a particular one. Due to the increased need for security professionals, there are diverse opportunities that can adapt to what you like and are best suited to do.
One advantage of pursuing a career in security, compared to other fields in the technology world, is that there are a number of well-known certifications that provide a good foundation of knowledge, and a way to prove how much you know of a particular domain. Examples are:
- EC-Council’s Certified Ethical Hacker
- CompTIA Security+
- SANS’ GIAC certifications
- ELearnSecurity’s certifications
Surprisingly, there’s a bunch of security experts hanging out on Twitter. Check Rey Bango’s thread and Twitter list to get a sample of people worth following. Additionally, I’ve been stalking /r/netsec to get my daily dose of security-related news.
Here’s a more comprehensive list of forums, magazines, and communities related to security.
Overall, it’s been very fun to dive deeper into security. There’s still so much more to learn, and I’m very thrilled about it!