We all got our start in security at some point. How did you get started? What originally piqued your interest or got you started on the path toward information security?
Bonus Question - Do you have any advice for others that are getting started? What’s the best path to take in the early days?
I got started in security out of curiosity, and necessity. I’ve been a developer for quite a number of years now, and as such have seen my skill set grow. In the past few years, I’ve been focusing on administrative duties, including server maintenance / monitoring, incident response, all the way to analysis of code bases for clients. This widened perspective has given me the opportunity to not only observe attacks, but also learn about how they are performed, and the possible methods of mitigation.
Over the past year, I decided to take a more active role in pursuing knowledge and skills relating to the field of security, with a focus primarily on Web Applications and Server Hardening. This has led me to become rather active in releasing WordPress vulnerability reports for plugins (ok - not the most challenging field, but we all start somewhere), as well as taking part in CTFs, and writing the occasional blog post.
I still see myself as a hobbyist, but I feel like I’ve learnt a hell of a lot over the past few years, and look forward to continuing to grow my knowledge base.
Advice for others
- Don’t be intimidated
- Read as much as you can from valuable resources, such as OWASP
- Take part in CTFs and intentionally vulnerable VM images (check out VulnHub), and read write-ups if you get really stuck
- Build up a list of people to follow on Twitter - there are so many great people on there that post useful information. They’re an invaluable resource
- Test platforms known to you, either through black-box or white-box testing
- Perform code reviews and static analysis
- Take courses on sites like Coursera and Cybrary. Read!
- Don’t give up, but don’t be afraid to ask. A lot of people are happy to help, or give advice
JaysonStreet just started a video blog and he answered this same question. Watch Jayson and ioCassie talk about how they got into InfoSec: