It’s not early in my career but security is the opportunity of the decade. That’s why I’m willing to pay the price to respec into security.

My professional background

I’m not starting from 0. Here’s some important context about my career journey:

  • tech industry for ~10 years

  • worked at: startups, high-growths, large institutions

  • worked as: Front-end, “Fullstack”, DevOps

  • mostly working with: JavaScript and Ruby

  • Engineering management: I’ve done a 2-year stint at a high-growth startup

Approach to security

Security is an extremely broad field. From physical to digital. From hardware to software. And countless specialties.

My goal is not to learn all of security.

My goal is:

  1. Learn enough security to navigate to the right initial niche

  2. Find the right initial employment engagement

  3. Land where I can continue to explore longer term options in security.

🗡️ The (wild stab) plan

Faced with infinite paths, I followed my gut and chose a batch of things to get started. Here was the first month.

Defcon— Hacking mecca. I attended in 2021.

Packet analysis training— After Defcon, I had a taste for conferences. That led me to https://wildwesthackinfest.com/, which led me to Getting Started with Packet Analysis w/ Chris Benton. 4 days of immersive training.

ITPro.tv— I started watching Network Chuck and he recommended ITPro.tv to learn more. So I did.

Books— I ordered at least 30 of the most popular information security books. The two most helpful for understanding the topology were Pentester Blueprint by Phillip Wylie and Kim Crawley and [Breaking into information security](https://leanpub.com/ltr101-breaking-into-infosec) by Andy Gil.

🤺 The (more informed) plan

After a month of trying wildly, a more methodical plan formed.

  1. Study the fundamentals in a way I can validate.

  2. Seek certification for external validation.

  3. Connect my existing skillset to security via the shortest route, and get paid to prove it works.

  4. Participate in the community


1. Study the fundamentals in a way I can validate

Study the fundamentals daily. I’m starting with TryHackMe for ~30 minutes a day. Sources like TryHackMe have both study and lab sessions, so I can try out what I’m learning.

Other online learning source options: TryHackMe, HackThisBox, Pentest Academy + Labs, TCM training.

Books I plan on studying: Basic Security Testing with Kali Linux, Third Edition by Daniel Dieterle, Learning by practicing Hack & Detect by Nik Alleyne, Hands on Hacking by Hickey Arcuri.

Goals:

  • Rapidly reduce unknown unknowns in my journey in security research

Action Items:

  • Daily habit of studying fundamental security material (i.e. a broad scope of basics) for 30 minutes daily

2. Seek certification for external validation

Certs will not turn me into a security guru. But as an outsider they will give me a shred of credibility and help me understand where my gaps are.

Network+ followed by Security+ will be the two I pursue. More info about certs and how I came to this conclusion.

After that, there are more basic certs I could get if I wanted to fill in other fundamental gaps (Linux+, Server+, Cloud+) or I could do the CISSP path (SSCP then CISSP). The only cert that sounds FUN to get is OSCP. Maybe that next? Will re-evaluate after I have the first two under my belt.

I will use ITPro.tv, ProfessorMeser and IT & Security Prep CompTIA daily to study.

Goals:

  • first exam in 2 months (Network+)

  • second exam in 4 months (Security+)

Action Items:

  • Study flashcards for Network+ daily (as a consequence of screentime limits I put on Twitter & Instagram)

  • Sign up for Network+ exam for 2 months

  • Use ITPro.tv + ProfessorMeser to develop a weekly syllabus of curriculum that I study. At the end of each week, to reinforce my learnings, I’ll publish a blog post or a series of tweets based on what I learn.


3. Connect my existing skillset to security via the shortest route, and get paid to prove it works.

Bug hunting is the quickest way for me to be professionally productive with security. I have received these types of bug reports as a developer, so I’m familiar with the process and understand how to report them efficiently. (The runner-up idea is to contribute to open source security tools.)

There will be an aggressive learning / research phase. Followed by an aggressive practice phase. Also, this is where I will spend most of my security study time.

Here are my current best sources of study:

Goals:

Action Items:

  • Dedicate 1-2 hours a day to become effective in bounty hunting

4. Become active in the community

I want to be involved in the community. Seeing the change that people like [Jim Browning](https://www.patreon.com/JimBrowning) are able to harness for doing meaningful good in the world by being in the security community has inspired me to try to embrace this. I’m historically more to myself. But I’m going to try to do it differently this time.

Goals:

  • Make infosec friends

Action Items:

  • Post daily what I’m learning to Twitter (3 tweets)

  • Write about what I’m learning and share where appropriate

  • Follow the folks I’m learning from on Twitter


Ok folks! That’s it for my first post. Any questions or comments, feel free to reach out to me on any of my normal channels.