How I Became a Security Consultant: AbsoluteAppsec Interview

Author: Kevin Tackett

Every so often, podcasts and similar outlets invite me to speak on a variety of topics, and this week I was very excited to join the Absolute AppSec podcast. One of the topics we discussed was how I became a security consultant. It got me thinking: how can we make sure that as many people as possible have access to the information needed to get started down this career path? Here are some ideas and topics that came to mind. These are all either free or inexpensive resources, so anyone can check them out today.

General Security

The Certified Information Systems Security Professional (CISSP) is the de facto standard certification for security professionals. This makes any CISSP prep class a great way to get started in the field even if you aren't ready for the certification exam. And if you are coming from an IT job (including entry-level ones), there is a good chance you meet the experience requirements from ISC2. If you are looking for self-study, Eric Conrad and Seth Misenar's CISSP Study Guide is excellent. Another option that I like is our own Professionally Evil CISSP Mentorship. This program is a hybrid approach between self-study and instructor-led.

Network Security

Network security is a much bigger topic, but there are some great places to get started on it. For one, I try to follow several people on Twitter continually. Some of my favorites are (in no particular order and leaving off Secure Ideas people):

Several of these security professionals are also involved in podcasts or YouTube channels.

You also need to think about understanding the basics behind the attacks and testing techniques. For me, one of the best ways to do this is to understand both the network mechanisms themselves and how organizations log and gather that network data. For the first, Chris Sanders has an excellent class available online that teaches networking by analyzing the raw packets themselves. For the second, I recommend that people try out Security Onion. Its ISO image is a great way to get started with log management and network security monitoring, with a completely open source Security Information and Event Management (SIEM) system to practice within.

Web Application Security

If you know me, then you know that web application security is a significant focus of my career. There are lots of places where you can start by figuring out how various vulnerabilities work and how you can test for the issue.

First, I have to point you to SamuraiWTF. SamuraiWTF is a virtual environment designed to provide a safe practice and learning environment. It comes with several purposefully vulnerable target applications and a variety of pre-installed tools to test with. The target applications include Mutillidae, Samurai-Dojo, Damn Vulnerable Web Application (DVWA), and OWASP Juice Shop, each with its own set of challenges that provide semi-realistic practice areas for building web testing skills. SamuraiWTF is an open source project and regularly evolves to include new targets.

Having mentioned two projects from OWASP (Mutillidae and Juice Shop), this seems like the right place to suggest the organization itself and its chapter meetings as a great source of information. There is a ton of information freely available throughout the OWASP website, and I always suggest that those who want to become involved in web application security become a member of this organization.

One person I think is great to follow regarding web security is Tim Tomes. He is the author of Recon-NG and offers a course on web penetration testing. Another wonderful person to follow is Jeremy Druin. He is the author of Mutillidae and has numerous YouTube videos explaining security topics. And you can always visit PortSwigger's Web Security Academy; PortSwigger is best known as the maintainer of Burp, the de facto commercial web application penetration testing tool.

Before I close this out, I would like to add that the above is based solely on my own experience. There are many other aspects to information security. Some professionals dig physical security and social engineering. Others are passionate about IoT or cloud. There is a wide range of security roles, from risk management, to operational security, to penetration testing, to business continuity and disaster recovery.

I hope that this article is helpful as you start or enhance your career in information security.
