A friend and fellow geek recently reached out for some career advice. He’s currently working as an app developer, and he was wondering what steps he could take to steer his career more toward application security.
Since I’m a geek with a degree in music education now working as an information security consultant who also teaches infosec classes all over the world, he thought I might have a tip or two I could share.
Turns out, he was right. 😉
I’ll tell you the first thing I told him: Check out my blog post on how to land a job in information security. While the post isn’t specific to app developers, it does contain some foundational knowledge for anyone debating a move. (Considering how starved the industry is for full-time infosec professionals, I’d appreciate it if you could share that post with anyone you might know who might be interested.)
The next thing I told him was that he should start attending the local OWASP chapter meeting. If you want a career in application security, you need to talk to other security-minded developers, find out what they’re doing in their day-to-day work. Side note: if your city doesn’t have a local OWASP chapter, start one.
I also told him to download some free appsec tools like Burp Suite or Samurai WTF and just start playing around. Another tool I use frequently is OWASP Mantra, a tricked-out version of Firefox that gives you an incredible amount of control over (and ability to interact with) web applications and the infrastructure they reside on.
There are also a TON of hackable practice apps available for you to practice on, including:
If you’re interested in the appsec tool space, NIST’s SAMATE site has an extensive list of tools, broken down by a taxonomy designed to help you find the right tool(s) for your organization. I dig this list because it includes source code security analysis tools as well as web application vulnerability scanners.
Running tools is one thing, but developers who are familiar with the OWASP Testing Guide can dive so much deeper than those who react to only the vulnerabilities that an automated scanner identifies. If you want to test your application security skills, pick a site (that you’ve been authorized to test) and walk through the entire testing guide. Eye-opening…
I also sent him a copy of a presentation I’ve been working on for integrating application security into the software development lifecycle (SDLC). As of this writing, I haven’t posted the presentation to my SlideShare account, but feel free to drop me a line if you want a copy.
If you’re hungry for more application security knowledge, you can also hit up your local library for a few excellent books, including:
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
- Web Application Defender’s Cookbook: Battling Hackers and Protecting Users
- The Tangled Web: A Guide to Securing Modern Web Applications
- Hacking Exposed – Web Applications, 3rd Edition
- Web Application Security, A Beginner’s Guide
Finally, I told him he should ultimately apply that book and lab knowledge toward some real world work. Growing security companies (like the one I work for) are always on the lookout for security talent, and the sooner he (and you) can join in the fight to help these companies secure their web apps, the better.
Your planet needs you. Would you like to know more?