Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

1 point

Looking for resources (books/blogs/videos) on how to get started with getting into cyber security. I’ve got 13 years of work experience of which 10 as a Linux sysadmin/SRE/DevOps (it’s a culture, not a role) and 3 years as a software developer. I understand the field is wide and there are many positions I could look at getting into.

I get along with people well and have worked as a consultant before, so I could see doing that at some point as a contractor once I’ve got more experience in the field. Generally I’m not a big fan of working at big companies, but don’t mind doing gigs for them.

I guess familiarizing myself with pentest and other tooling would be a good start?

2 points

I wrote this up a few years ago on the topic of breaking into the field. Maybe it could be useful to you! https://shellsharks.com/getting-into-information-security

2 points

Thank you! It’s definitely a useful resource and I can get started from here :)

0 points

I feel like I’m a bit lacking when it comes to finding race condition vulnerabilities. Any tips on that?

3 points

Honestly would have to Google resources myself haha

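Since the race-condition question above got no concrete pointer, here is an added example (not code from any poster) of the bug class most race-condition findings in web apps reduce to: a check followed by a state change that is not atomic. A single-use coupon is redeemed by twenty concurrent threads; without a lock every thread passes the "unused" check before any of them marks the coupon used. The `CouponStore`, the `window` hook and the `Barrier` are constructed test instrumentation assumed here so the race is deterministic; a real target has whatever the backend does between its SELECT and its UPDATE as the window.

```python
import threading
import time


class CouponStore:
    """Single-use coupon store with an optional lock around check-then-act.

    Constructed for illustration: an in-memory dict stands in for the
    database table a real application would query and then update.
    """

    def __init__(self, codes, use_lock):
        self.used = {code: False for code in codes}
        self._lock = threading.Lock() if use_lock else None
        # Hook called between the check and the act so a test can park every
        # thread inside the race window; a no-op by default.
        self.window = lambda: None

    def redeem(self, code):
        if self._lock is None:
            return self._check_then_act(code)   # vulnerable: nothing serialises callers
        with self._lock:                        # hardened: check and act are one atomic step
            return self._check_then_act(code)

    def _check_then_act(self, code):
        if self.used.get(code, True):           # unknown or already-used code -> reject
            return False
        self.window()                           # the race window lives here
        self.used[code] = True
        return True


def hammer(store, code, n):
    """Fire n concurrent redemptions of the same code; return how many succeeded."""
    results = []                                # list.append is atomic under the GIL
    threads = [
        threading.Thread(target=lambda: results.append(store.redeem(code)))
        for _ in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo(n=20):
    """Return (redemptions without lock, redemptions with lock) for one coupon."""
    vulnerable = CouponStore(["SAVE10"], use_lock=False)
    barrier = threading.Barrier(n, timeout=5)
    vulnerable.window = barrier.wait            # hold all n threads after the check passes
    unsafe_count = hammer(vulnerable, "SAVE10", n)

    hardened = CouponStore(["SAVE10"], use_lock=True)
    hardened.window = lambda: time.sleep(0.001)  # same window, now inside the lock
    safe_count = hammer(hardened, "SAVE10", n)
    return unsafe_count, safe_count


if __name__ == "__main__":
    print(demo())   # (20, 1)
```

When hunting for this in a running application, list every place a check precedes a state change (coupon or gift-card redemption, balance withdrawal, vote or like counting, username registration, one-time password or reset-token use, rate-limit counters), fire a batch of identical requests as close to simultaneously as possible, and compare what the server accepted against what a single request should have been allowed. The fix is always the same shape as the locked path above: make the check and the write one atomic operation (a transaction with row locking, a conditional UPDATE, or a unique constraint) rather than trying to shrink the window.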
0 points

General question but how do y’all actually find a mentor? I feel like there’s probably a local group nearby me or something that I could look into but are there places/people that are more likely to say “yes, I will mentor you” in y’all’s experience?

2 points

Tanya Janca (https://infosec.exchange/@SheHacksPurple) has a thread for mentoring on her Mastodon weekly (https://infosec.exchange/@SheHacksPurple/110690887324427507). There’s a ton of communities (https://shellsharks.com/getting-into-information-security#online-communities) to ask around too. What type of mentorship are you looking for?

1 point

@shellsharks@infosec.pub Sorry, was offline for a few days! Not really sure what I’m looking for, honestly? Mostly someone to kind of push me for doing more/exploring more? I’d like to focus in on AI security as well as container security and I know I can start that work on my own – I just know it’s easier/more likely for me to do things if I have someone filling in the blanks on things I don’t know that I don’t know. I’ll start with those there (been following She Hacks Purple and InfoSec Sherpa for a bit) and see if any low-hanging fruit shakes loose from the tree, thanks again!

3 points

I’ve seen some good AI-related security things out of OWASP lately and some container security stuff from DataDog if you want to do a little googling.

0 points

For free? You’re probably best finding help on forums like this. Hacker News is decent also

If you’re willing to pay, well then obviously there’s a market for it

0 points

That makes sense, thanks! Have you ever hired a mentor before? I imagine it’d be a lot like hiring a coach but how would you know that they’re not just being kind of a “yes man” or at the very least kind of reputable?

0 points

Yeah, check out David Bombal on YouTube. He interviews hackers. I recommend looking at those and the channels of people he interviews

I pay @three_cubed AKA master OTW [occupy the web]. It’s good information, but what’s your academic background like? I came in with an advanced degree and felt the tier that was right for me was the most expensive (subscriber pro)

My day job isn’t infosec related, but when I do find time to better those skills I’ve found this loop pretty fun:

1. Vulnerability scan websites (like with OWASP ZAP).
2. Find the most severe vulnerability I haven’t done before (XSS for example).
3. Play capture the flag targeting that vulnerability.

Similar process works with nmap or Shodan to get information about what services are running on an IP’s ports. Then using Metasploit to try and run scans/fuzz inputs, deliver payload, run exploit, and perform post-exploitation activities (typically data infiltration/exfiltration).

Eventually I’m gonna try and get into reverse engineering malware

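For the XSS case named in that loop, here is an added example (not code from any poster, and not ZAP’s own implementation) of what an active scanner’s reflected-XSS check boils down to: send a unique canary wrapped in HTML metacharacters, fetch the page, and see whether the metacharacters come back intact. The two page functions are constructed stand-ins for a search results page, one reflecting the `q` parameter raw and one encoding it with `html.escape`; the `fetch` callable and the `https://app.example/search` URL are assumptions so the probe runs offline against the in-process pages.

```python
import html
import secrets
from urllib.parse import parse_qs, quote, urlparse


def vulnerable_search_page(url):
    """Constructed stand-in for a results page that reflects ?q= into HTML unescaped."""
    query = parse_qs(urlparse(url).query).get("q", [""])[0]
    return f"<h1>Results for {query}</h1>"


def hardened_search_page(url):
    """Same page with output encoding: attacker input can no longer close the tag."""
    query = parse_qs(urlparse(url).query).get("q", [""])[0]
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def probe_reflected_xss(fetch, base_url, param="q"):
    """Inject a canary and classify how the page reflects it.

    fetch(url) -> response body as str (an HTTP client in real use; here the
    page functions above).  Returns a dict with the payload sent, whether the
    canary was reflected at all, and whether it came back with its HTML
    metacharacters unescaped, which is the signal an active scanner flags.
    """
    canary = secrets.token_hex(4)               # random so it cannot already be on the page
    payload = f'"><x{canary}>'                  # closes an attribute and a tag, opens a new one
    body = fetch(f"{base_url}?{param}={quote(payload, safe='')}")
    return {
        "payload": payload,
        "reflected": canary in body,
        "unescaped": f"<x{canary}>" in body,
    }


if __name__ == "__main__":
    for page in (vulnerable_search_page, hardened_search_page):
        print(page.__name__, probe_reflected_xss(page, "https://app.example/search"))
```

The random canary is what keeps the check honest: a fixed string like `<script>alert(1)</script>` can already appear in the page or be blocked by a naive filter, whereas the question the probe actually asks is "does my input reach the HTML context with `<`, `>` and `"` unencoded". A scanner repeats the same idea per parameter and per context (attribute, JavaScript string, URL), and that per-context encoding is also exactly what the fix in `hardened_search_page` has to get right.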
1 point

Having minimal professional IT experience, yet an IT degree, what should I focus on to get into the cybersecurity field?

0 points

Got your 3 C’s right here --> Code, Cloud, Collection (and by collection I mean document what you learn in a blog or GitHub or something). For coding, I’d say go with Python and for cloud, get a free AWS account and learn the basics.

2 points

Familiar with the 2, just need to create now I guess

1 point

I am hosting multiple services, but my application/web security knowledge is lacking. Is there a guide or framework to check for common or risky mistakes? Is there a list of things I should check every application for, or guide on how to harden hosted applications? That is a topic that I am going to tackle in the near future, and would appreciate some tips in advance.

1 point

There’s a browser extension you can use by OWASP, I think it’s “Penetration Tool Kit” or PTK

I stopped using it because it was slow (being a browser extension and all) but I do like how easy it was to use while needing to be logged in or get past captchas

OWASP ZAP is good for reconnaissance scanning

I really like Burp Suite for reverse engineering a web app. You can use the proxy to intercept HTTP packets and see what every change elicits

2 points

Thank you!

1 point

OWASP is arguably the standard for web application assessments. They cover most of the areas and testing guidance. Burp Suite web academy offers labs that cover many web application security issues. For secure coding, you’d need to look for references aligned with your language of choice.

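As an added example of the sort of per-application checklist asked about above (not OWASP’s code; the checks are a small subset of what the OWASP Testing Guide covers, and both header sets are constructed), here is an audit of one HTTPS response’s headers for the hardening controls that are cheap to verify on every hosted app: HSTS with a max-age of at least a year, a Content-Security-Policy that does not allow inline scripts, `X-Content-Type-Options: nosniff`, some clickjacking defence, and `Secure`/`HttpOnly`/`SameSite` on every cookie. The `headers` argument is assumed to be a dict of header name to list of values, the shape you get after reading a response with any HTTP client.

```python
def _parse_csp(value):
    """"default-src 'self'; script-src 'self' cdn" -> {"default-src": [...], ...}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_response_headers(headers):
    """Return a list of hardening findings for one HTTPS response; empty means clean."""
    h = {name.lower(): values for name, values in headers.items()}
    findings = []

    def first(name):
        values = h.get(name)
        return values[0] if values else None

    hsts = first("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = None
        for part in hsts.split(";"):
            key, _, val = part.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val)
        if max_age is None or max_age < 31536000:       # one year in seconds
            findings.append("Strict-Transport-Security max-age missing or below one year")

    csp = first("content-security-policy")
    policy = _parse_csp(csp) if csp else {}
    if not policy:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent, as the CSP spec says
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")

    if (first("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if first("x-frame-options") is None and "frame-ancestors" not in policy:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    for cookie in h.get("set-cookie", []):
        segments = [s.strip() for s in cookie.split(";")]
        name = segments[0].partition("=")[0]
        attrs = {s.partition("=")[0].lower() for s in segments[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings


# Constructed sample responses: a typical default deployment and a hardened one.
WEAK_HEADERS = {
    "Content-Type": ["text/html"],
    "Content-Security-Policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly"],
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": ["max-age=63072000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'; frame-ancestors 'none'"],
    "X-Content-Type-Options": ["nosniff"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(hdrs))
```

Run this against every hostname you serve, including the ones behind a reverse proxy, since a proxy that sets HSTS on one virtual host is easily forgotten on the next; headers are the cheap half of a hardening checklist, and the authentication, authorisation and input-handling items in the OWASP guidance still need a manual pass.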
1 point

Thank you!


cybersecurity

!cybersecurity@infosec.pub


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

  • Be kind
  • Limit promotional activities
  • Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!
