How do you get started in infosec? It’s a question that gets asked a lot and there’s often a talk about it at every conference. Someone’s got advice on how they got started and how it could help someone else. Heck, I even did one myself at BSides Rhode Island (link).
I organize my local OWASP chapter in Rhode Island and I get speakers each month on the various web application security topics. In August 2012, I had a friend in the profession, Paul “pauldotcom” Asadoorian come speak at the monthly meeting. During the normal course of conversation, I mentioned to Paul how that I was trying to make a full conversion from an application developer to a web application security professional. I’d been to a couple SANS classes, I attend conferences when I can and I tinker on the side trying to learn. However, without a mentor or having someone nearby to bounce ideas off of or ask questions or push me to learn new things. How do you learn when you don’t know *what* to learn?
I had also been tinkering with an idea with my employer to create a “staff sabbatical” where professional staff could go off and do some hands-on learning for a period of time. My suggestion was the equivalent of three months, full time. That could be spread out over a longer period or just go do it, cold-turkey and then return to the job. I told Paul that if I got my employer to agree to this kind of arrangement that I’d then be looking for a company to mentor with. Paul immediately perked right up, “How about with me!” I thought the idea was perfect. I brought the idea to my employer and they agreed, but it would only be for the equivalent of two months. I would work with Paul for 2-3 days a week and keep track of the days. I’d work for 30 days as an intern to Paul but then another 10 days, I would still work with Paul but I had to work on something related to web security for my employer. Done deal.
I started with at beginning of the new year, 2013.
On day one, Paul gave me my first two assignments. One was to “learn everything about CSRF (cross-site request forgery), build a demo and create a presentation for the PaulDotCom Security Weekly podcast.”
The second was to catalog every show he had ever done, into a wiki, specifically the technical segments and the guest interviews. At that point, he had done about 315 episodes. With not really knowing what CSRF was exactly and with that much grunt work ahead, I knew I’d be busy. But I’d learn a lot.
I alternated between the tasks as I thought the cataloging would be pretty mindless. Just going through the show notes, finding the guest interviewed, finding a copy of the video, if that was available and making a new entry in the wiki. In addition for each show that had a technical segment, I’d make an entry in the wiki for the person doing the segment, the topic and link to the video and slides, if those were available. As I started going through the interviews and especially the technical segments, I was amazed at how much was there. It seemed the show had talked to every well-respected expert in the field and it also seemed every topic had a technical segment on it done as well. Instead of simply cataloging all the segments, I started watching them. And learning! That wiki is an amazing treasure trove of information.
It didn’t take long to complete the catalog and dig deep into CSRF. First figuring out how it works, then setting up and playing with a vulnerable app (I chose a 5+ year old version of Drupal, 4.7.0) and then start writing my own attack for it. I got to figure out how it worked from trial and error and got to do the happy dance when it did. I wrote it up and presented a “CSRF Primer” for the podcast.
When I was looking for my next task, I would watch Twitter for various tips and came across Adrian Crenshaw’s Irongeek web site. It contains videos from the many conferences, meetups and training sessions that he has attended. I watched a video by Jeremy Druin, on sqlmap and saw just how easy it is to use. From there, I started simply digging into the various switches/flags that can be used with it and decided to dig deep into one of those.
Rinse, lather repeat.
My interest is mainly in application security. So I use the OWASP Top 10 as my checklist. Try to become proficient at one and then move on to the next. I also have a philosophy of learning that it helps to “learn, do, teach.” Each time I learn something new and think I have a solid understanding of it, I look for an opportunity to present it to someone else or a group. A local OWASP meeting group is great for this as meeting organizers are always looking for presenters.
What I’ve tried to do here is just explain one experience toward getting started in the field of infosec. Because in the end, it worked. I did make the full conversion from a programmer to being offered a job on a major technology company’s incident response team, focusing on web application attacks. It was everything I’d been working toward for years.
If you’re looking to get started in infosec or looking for advice to give others, some of the best that I got included to do it yourself, start a blog and focus. I hear people say they want to “do security stuff” but it’s not in their job description. I tell them to do it at home, at night, in their own labs. If it’s something you really want to do, you’ll find a way to make this happen. Then as you’re learning, document it all in a blog. This helps you to really think things through and may point out holes in your understanding, and serve as a place for you to go back months later when confronting a similar situation. Even better, when you’re looking for a job you can point them to your blog to show the work you’ve done. Lastly, people think they want to simply “work in security.” That’s great but it’s also like saying you want to be a doctor. When someone says they’re a doctor, usually the next question is what they specialize in. It’s the same thing with infosec. The field is way too big to know about everything. So specialize. Figure out what you like and what you want to be an expert on. Don’t get distracted by shiny objects in other areas outside of your interest.
That’s about it. If you want to get into the field, just do it, and even better if you can find a way to do an internship with a security company. Do everything they want you to do, even if it isn’t exactly what you’re interested in, as you never know where it could lead.
760 total views