10 Steps To Kickstart Your Web Application Security Career
For anyone getting started in a career in web application security, I consider the learning points mentioned below to be exceedingly helpful in kickstarting your career and becoming a web application security testing practitioner in no time.
Obviously, it needs commitment on both fronts, i.e. time and effort, but trust me, if you have a plan set out in front of you of what you are going to learn and how you are going to learn it, you are already a step ahead of the rest.
As the famous quote says, 'It’s not only about the hard work you put in, it’s the smart hard work that matters.'
With that, here are the 10 Steps to kickstart your web application security career:
1. Get Familiar and Comfortable With Linux:
I can’t emphasize this enough. If you are starting out in web application security testing, it’s highly suggested that you make yourself comfortable with Linux. This might mean dumping your Windows instance (if you want) and moving completely to Linux.
This is because, during pen testing, you will frequently encounter environments built on top of Linux. Yes, there are plenty of Windows servers out there, but the popularity of Linux cannot be ignored.
I also made the switch from Windows to Linux 2 years back as my full-time environment, and it has helped me both when using various tools and scripts, and when I have compromised a web application and need some additional exploitation to gain more control of the target.
2. Find Mentors, Ask Questions, and Use the Online Resources:
I can perfectly understand the feeling and the rush that comes when you jump into security: you want to learn everything, and there are hundreds and thousands of blog posts describing how a particular “security researcher” compromised a given target.
Yes, you will want to learn all of that, but it needs to follow a programme and not happen all at once, particularly when you’re starting out.
Start from the basic principles of web application security testing, centring on hunting for common security issues, apply that knowledge on insecure targets, and then move on to taking on real-world web applications as your targets.
It is also suggested that you look for a mentor who has gone through the full journey themselves and can guide you on what to concentrate on.
There are several YouTube channels, blog posts and articles, and online educational resources to help you with this. You should also engage in online discussions and forums in order to get comfortable with the community, share what you’ve learned, and learn from other people’s experiences firsthand.
Remember, if you ask someone for help every single time you get stuck, it will slow you down. Take things into your own hands and go online to learn.
3. Learn Programming Languages:
If you want to become an expert in web application security testing, you must have good proficiency in programming languages. Even if you’re not writing full-blown applications, you need enough knowledge of the languages used to build these apps to at least figure out what a particular code block is intended to do.
In pen testing, you might encounter situations where you have the source code of the application (a white-box pen test), or where you want to bypass the application’s whitelisting or break a regex. All of this needs hands-on experience with programming languages and a decent familiarity with them.
Programming experience will also come in handy later on, once you want to write your own tools or scripts.
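As an added illustration of why reading code closely matters (this example is not from the original post), here are three versions of a file-name whitelist check in Python. The intent behind all three is the same, but the unanchored pattern and the `$`-anchored pattern both accept input the author never meant to allow; only `fullmatch` enforces the whole string. The function names and the sample inputs are constructed for this example.

```python
import re

# Intent: a file name may contain only lowercase letters, digits, dots and hyphens.
# Same character class in all three checks; only the anchoring differs.
CHAR_CLASS = r"[a-z0-9.-]+"

LOOSE = re.compile(CHAR_CLASS)              # no anchors at all
DOLLAR = re.compile(r"^" + CHAR_CLASS + r"$")  # "$" still matches before a trailing "\n"
STRICT = re.compile(CHAR_CLASS)             # used with fullmatch() below


def allowed_loose(name: str) -> bool:
    # re.match() anchors only at the start: a bad suffix after a good prefix passes.
    return LOOSE.match(name) is not None


def allowed_dollar(name: str) -> bool:
    # "^...$" looks complete, but in Python "$" also matches just before a final newline.
    return DOLLAR.match(name) is not None


def allowed_strict(name: str) -> bool:
    # fullmatch() requires the entire string to match the pattern; nothing slips past it.
    return STRICT.fullmatch(name) is not None


def review(name: str) -> dict:
    """Return the verdict of each check so the differences are visible side by side."""
    return {
        "loose": allowed_loose(name),
        "dollar": allowed_dollar(name),
        "strict": allowed_strict(name),
    }


# Constructed sample inputs: one benign name, one with a traversal suffix,
# and one that is benign except for a trailing newline.
SAMPLES = [
    "report.pdf",
    "report.pdf/../../etc/passwd",
    "report.pdf\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), review(sample))
```

Running the block prints a verdict per input: the benign name passes all three checks, the traversal suffix passes only the unanchored check, and the trailing-newline name passes both the unanchored and the `$`-anchored checks. When reviewing code during a white-box assessment, this is the kind of gap you are looking for, and when writing your own tools it is the reason to prefer `fullmatch` (or explicit `\A...\Z`) over `match` with `$`.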
4. OWASP Top 10 and PTES:
As someone interested in learning about web application security, you might have come across the term OWASP Top 10 a number of times.
Based on my experience when starting out, I would highly suggest you go through both the OWASP Top 10 and the Penetration Testing Execution Standard (PTES) to get a much clearer and more in-depth picture of the what and how of web application security.
I’d also recommend that you join a local OWASP meetup group, or any similar and relevant security community, and SHOW UP for the meetups. Once you feel that you have an interesting topic and experience to share, ask the meetup organizers to give you a speaking slot at the next event. You will receive tons of honest feedback, criticism and learning points, which will push you toward becoming a better web application security researcher.
5. Learn Security Tools but Don't Be Tool Dependent:
As you might recall, I mentioned in my very first point that you could start your journey in web application security using Ubuntu, and not necessarily Kali Linux.
The reason for this is that on Ubuntu you will get a better understanding of how the various tools work, and how to fix bugs yourself in case something doesn’t work on the first go.
You might later switch to Kali Linux once you feel confident enough, but always keep in mind that it’s not about the tools, but how you use them.
In the many pen tests I have conducted over the past couple of years, I have never relied solely on tools. I use an approach where tools are just an aid to what I am working on.
6. Vulnerable Targets:
As someone just starting out in web application security testing, try out your skills with various web application security and exploitation techniques on deliberately vulnerable targets.
These days there are a number of deliberately vulnerable web applications you can exploit in order to get familiar with web application security concepts. DVWA and bWAPP are good examples I would recommend for your early days as a web application security researcher.
Move from one vulnerable target to the next, taking on tougher exercises as you go.
7. Read, Read, Read:
Make sure you read a new piece of content every single day.
Subscribe to newsletters from security websites, follow all relevant blogs, follow Twitter accounts that tweet about web application security, refer to recently disclosed bugs and, most importantly, try to understand the thought process that went into finding those bugs.
8. Build Something of Your Own:
By the time you get to this step, you should have decent exposure to performing web application security assessments and penetration tests.
Here comes the next part: based on your experience, build something which you think would be useful for you. Focus on what you can build in the next 10 or 20 days that could help you in the bug discovery or exploitation process.
Once you’re done, you could release your project as an open-source tool, or use it internally within your organization; it’s up to you.