10 Steps To Kickstart Your Web Application Security Career

For all who is getting started into the career with web application security, I consider these learning points which I have mentioned below will be exceedingly helpful for you to kickstart your career and become a web application security testing practitioner in no time.
Apparently, it needs the commitment from both sides i.e o time and effort, but trust me, if you have a plan set out in front of you of what you are going to learn and how you are going to learn, you are already a step ahead compared to the rest.
As the famous quote says, 'Its not only about the hard work you put in, its the smart hard work that matters.'

With that, here are the 10 Steps to kickstart your web application security career:

1. Get Familiar and Comfortable With Linux:

I cant emphasize this enough. If you are starting out in web application security testing, its highly suggested that you make yourself comfortable with Linux. This might mean dumping your Windows instance (if you want) and moving completely to Linux behaviour.
This is because, at the time of pen testing , you will frequently combat environments built on top of Linux. Yes, there are several Windows servers out there, but the popularity of Linux cannot be ignored.
As I also made switch from windows to Linux 2 years back as my fulltime environment, and it helped me both while using several tools & scripts, as well as when I have prospect a web application and I would need some additional exploitation to gain more control of the target
2. Find Mentors, Ask Questions, and Use the Online Resources:
I can perfectly realize the feeling and the rush that comes when you jump into security - you want to learn everything and then there are 100s and 1000s of blog posts mentioning how a particular security researchercompromised a given target.
Yes, you will want to learn all of that, but it needs to be in a program and not all at once, particularly when starting out.
Try to start from the basic principle of web application security testing centering on hunting for common security issues, applying that knowledge on insecure targets, and then move to taking on real world web applications as your target.
It is also suggested that you look for a mentor who has gone through the full journey themselves and can guide you on what type of things you concentrate to focus on.
There are several Youtube channels, blog posts and articles, & online educational resources to help you with this. You must also engage in online discussions and several forums in order to get comfy with the community and sharing what youve learned and learning from other people's experiences firsthand.
Remember, if you ask for help from a person at each and every time you get stuck, it will slow you down. Take things into your own hands and go out online to learn.
3. Learn Programming Languages:
If you want to become expert in web application security testing then you must have a good proficiency in programming languages. Even if you're not writing full-blown applications, you need to have enough knowledge of the languages that are used to build these apps to at least figure out what a particular code block is intended to do.
In pen testing, you might encounter situations where you have the source code of the application (a white box pen test) or you want to bypass the application whitelisting or break regex. All of this needs hands-on experience with the programming languages and a decent familiarity with them.
Programming experience can also come in handy later on once you want to write your own tools or scripts.
4. OWASP Top 10 and PTES:
As someone interested in learning about web application security, you might have come across the term OWASP Top 10 a number of times.
Based on my experience while starting out, I would highly suggest you go through both the OWASP top 10 and Penetration Testing Execution Standard (PTES) to give you a much clearer and more in-depth image of the what and how of web application security works in an effective manner.
Ill also recommend that you join a local meetup group of OWASP or any similar and relevant security community and SHOW UP for the meetups. Once you feel that you have an interesting topic and experience to share, ask the meetup organizers to give you a speaking slot for the next event. You will receive tons of honest feedback, criticism and learning points, which will push you toward becoming a better web application security researcher.
5. Learn Security Tools but Don't Be Tool Dependent
As you might recall, I mentioned, in my very first point, that you could start your journey in web application security using Ubuntu and not necessarily Kali Linux.
The reason for this is that once you are on Ubuntu, you will get a better understanding of how various tools work and how you could fix bugs by yourself in case something doesnt work on the first go.
You might later make a switch to Kali Linux once you feel youre confident enough, but always keep in mind that its not about the tools, rather how you use the tools.
In the many pen tests I have conducted over the past couple of years, I never trust solely on tools. I use an approach where tools are just an aid of what I am working on.
6. Vulnerable Targets:
As someone who is just starting out in testing web application security, try out your skills with various web application security and exploitation techniques on vulnerable targets.
These days there are a number of vulnerable web applications which you can exploit in order to get familiar with web application security concepts. DVWA and bWAPP are good examples of what I would recommend to you for your early days as a web application security researcher.
Move from one vulnerable target to the other with tougher exercises.
7. Read, Read, Read:
Make sure you read a new piece of content every single day.
Subscribe to the various newsletters from security websites, follow all relevant blogs, follow Twitter accounts which tweet about web application security and refer to recently disclosed bugs, and most importantly, try to understand the thinking process which would have gone into finding those bugs.
8. Build Something of Your Own:
By the time you get to this step, you should have decent exposure to performing web application security assessments and penetration tests.
Here comes the next part, based on your experience, build something which you think would be useful for you. Just focus on what can you build in the next 10 or 20 days, which could help you in the bug discovery or exploitation process.
Once you're done, you could release your project as an open-source tool, or use it internally within your organization - its up to you.

Comments

Post a Comment

Popular posts from this blog

What's the Advantage of Test Automation & Why Should We Rely on Software Testing Companies?

Image
Software testing companies test products, which is yet to be delivered to its intended audience. Web applications or mobile applications always have flaws. Test engineers strive to grab them before they are released; however they still creep into, and they frequently reappear, in spite of the very best manual testing processes. Test Automation software is the perfect way to raise the effectiveness, efficiency and coverage of an application's testing. Manual software testing is done manually going through program screens, trying various input and usage mixtures, comparing the results to the expected behaviour and recording their observations. An automated testing tool may playback pre-recorded and predefined actions, compare the results to the expected behaviour and report the failure or success of these manual tests to a test engineer. Once automatic evaluations are created, they can readily be replicated, and they can be extended to do jobs impossible with manual testi
Read more

Web Performance Testing Tips – How to Test Web Applications

Image
Web Performance Testing is diverse to work area application testing. In Web Application Testing, we are commonly utilizing a program (the customer) to ask for a site from a web server by speaking with the server over HTTP or HTTPS. It is vital that, as analyzers, when we are associated with Web Testing, we ought to be comfortable with the fundamentals of HTTP to get a decent comprehension of how web applications work. In Web Testing, aside from practical testing of individual and incorporated parts, a portion of the testing types, for example, Performance, Security, Cross-program and Responsiveness which are not really required in work area application testing, happen to high significance in Web Application Testing. This is on the grounds that Web Applications are available to a great deal of crowd so execution must be represented. Likewise, Web Applications are increasingly defenseless to security assaults, for example, DDos and SQL Injection, and if a site is focuse
Read more

A Beginner's Guide to Web Application Testing Using Selenium

Image
Manual web application testing has become old these days because it leads to more number of resources per task and increases the cost per project. Automating regression and functional suites and tests with the help of Selenium and the WebDriver API is an excellent option to reduce manual intervention and the cost associated. Selenium supports multiple programming languages like Java, Python, and Ruby and C # Selenium has the backing of probably the biggest program handlers like Google Chrome, Internet Explorer and Safari. In this way, Selenium is considered as a standout amongst the most favored open source apparatuses for mechanization testing. Presently, let us dive into more detail how the site and web applications can be robotized utilizing Selenium.  The most effective method to start web application testing with Selenium  To begin with, you have to break down the application you need to mechanize. Next, you should know whether you need to do it with the record and
Read more