Security Career Jan 17, 2022

How can I transition to being an AppSec or security engineer?

I'm currently working for an application security tool company, and my day-to-day job is to deploy our solutions (and perform architectural design) for my customers. I was a C/C++ dev, but then I realized that I'm not good at design, which is why I no longer want to be a dev. The job gives me a lot of visibility into my customers' code and lets me review a variety of security risks in many different programming languages. However, I've never taken any "cybersecurity" or other security-related course in school, and all of the security knowledge I have learned comes mostly from the documentation of our tools and from my daily tasks, which I think is not thorough or systematic. I'm eager to transition to AppSec and would like to hear your advice. I believe many of you have talked with someone like me from a security tool company. What skills do I need so that you will hire me as your peer? #security #cybersecurity

Goldman Sachs gMPv24 Jan 17, 2022

It’s actually pretty easy if you’re self-motivated, given you have a developer background. We’ve hired many developers-turned-AppSec, and all you need to do is start thinking like an offensive security person and get some hands-on practice. You can start with YouTube, and then do some AppSec upskilling via platforms like PortSwigger’s website or Hack The Box etc. These sites are super comprehensive as far as I’m concerned, and if you’re interested in learning, you can progress on your own through the content.

Discover Financial Services royal🍔 Jan 18, 2022

Absolutely. And this is the best way to get into AppSec, from development. And you can benefit from working at a security company and being able to learn from real-world examples. Start with the OWASP Top 10; learn how to spot vulnerabilities in the code and how to fix them (generic advice). Read about threat modeling and practice a little bit so you can provide some input later during the interview. It’s a common question. Learn some tools. The standard for web app pentesting is Burp Suite. You can play with the free version and do the labs from PortSwigger. An adversarial mindset is important, but if you are switching, no one expects you to have hands-on experience in pentesting. Though it would be a great idea to do some basic hands-on training in pentesting. The one I’d recommend is Pentesting Student from INE. It’s free and has labs. And you could add all this to your resume. It would be beneficial to try some CTFs in parallel, but for jumping into AppSec that’s not urgent or necessary. Your SWE experience, security mindset and ability to communicate security-related issues to developers are what’s most valuable. The rest can be easily picked up.
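As an added illustration of the "spot the vulnerability in the code and fix it" skill the reply above recommends (this is example code added here, not part of the original post or anyone's reply): an OWASP Top 10 injection flaw (A03:2021, Injection) in a user-lookup function, shown beside its parameterized fix, run against an in-memory SQLite database seeded with constructed sample rows. The table layout, user names and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example (assumption, not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 0),
    ("root", "root@example.com", 1),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw to spot in review: untrusted input is concatenated into the SQL
    text. An input such as  ' OR '1'='1  closes the quoted literal and changes
    the WHERE clause, so the query returns every row (classic SQL injection)."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterized query. The input is bound as a value by the
    driver, so it can never become part of the statement, whatever quotes or
    keywords it contains. The same payload now matches no user at all."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> dict:
    """Run both versions with an honest input and an injection payload and
    return the four result sets so they can be compared side by side."""
    conn = make_db()
    honest = "alice"
    malicious = "' OR '1'='1"  # tautology payload aimed at a quoted string literal
    return {
        "vuln_honest": find_user_vulnerable(conn, honest),
        "vuln_malicious": find_user_vulnerable(conn, malicious),
        "fixed_honest": find_user_fixed(conn, honest),
        "fixed_malicious": find_user_fixed(conn, malicious),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

When reviewing customer code, the pattern to search for is exactly the first function: query text built with string concatenation, f-strings or `%` formatting from anything that originated outside the process. One caveat worth knowing for interviews: parameter binding protects values only. Table or column names supplied by the user cannot be bound and must instead be checked against an allowlist of known identifiers.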

Amazon wannahack Jan 18, 2022

What do you mean by AppSec? C/C++ OS and JavaScript engine exploits, or web app security? I think if you're a C++ dev the first will be more interesting.

🥸top dawg🥸 Jan 19, 2022

Peer? Except for a cofounder, one doesn’t usually hire peers. DM for a referral though.