Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

  • dipbeneaththelasers@kbin.social · 5 points · 1 year ago

    I’ve always been curious if command centers are a thing in cyber security. Is there a room full of people at every major bank monitoring infrastructure health and network traffic for signs of infiltration or compromise, ready to pounce? And if so, is that as cool of a job as it sounds or am I delusional?

  • vpz@infosec.pub · 3 points · 1 year ago

    Something I don’t think is talked about enough in offensive cybersecurity training / skill development is communication skills. Too often we are seeing folks try to enter these roles without the ability to write reports and give presentations to audiences with a mix of technical and business attendees. My recommendation to folks considering these roles is to put in the time to get communication skills to a very professional level. Train it just like report writing or public speaking were a new shiny hacking certification. It will improve your chances of landing the job.

    • dipbeneaththelasers@kbin.social · 1 point · 1 year ago

      Agreed, and I think this goes for a lot of technical professions. You’re better at your job if you can walk the business walk and talk the business talk. I sit at the nexus of business and data, and working on being fluent in both makes me better at both.

    • nechered@infosec.pub · 1 point · 1 year ago

      Agree. When I have held talks for cybersecurity students I usually tell them that a lot of the work time goes into writing reports, because the customer (be that internal or external) does not care about what cool thing you did during the test; they care about the risk, and your findings have to reflect that.

  • wop@infosec.pub · 2 points · 1 year ago

    I am hosting multiple services, but my application/web security knowledge is lacking. Is there a guide or framework to check for common or risky mistakes? Is there a list of things I should check every application for, or guide on how to harden hosted applications? That is a topic that I am going to tackle in the near future, and would appreciate some tips in advance.

    • unashamedgeek@infosec.pub · 1 point · 1 year ago

      OWASP is arguably the standard for web application assessments. They cover most of the areas and testing guidance. Burp Suite web academy offers labs that cover many web application security issues. For secure coding, you’d need to look for references aligned with your language of choice.

    • ComradeKhoumrag@infosec.pub · 1 point · 1 year ago

      There’s a browser extension you can use by OWASP, I think it’s “Penetration Tool Kit” or PTK.

      I stopped using it because it was slow (being a browser extension and all), but I do like how easy it was to use while needing to be logged in or get past captchas.

      OWASP ZAP is good for reconnaissance scanning.

      I really like Burp Suite for reverse engineering a web app. You can use the proxy to intercept HTTP packets and see what every change elicits.

  • angrynomad@infosec.pub · 1 point · 1 year ago

    Having minimal professional IT experience, yet an IT degree, what should I focus on to get into the cybersecurity field?

    • shellsharks@infosec.pub [OP] [M] · 0 points · 1 year ago

      Got your 3 C’s right here --> Code, Cloud, Collection (and by collection I mean document what you learn in a blog or GitHub or something). For coding, I’d say go with Python and for cloud, get a free AWS account and learn the basics.

  • br3ad@infosec.pub · 1 point · 1 year ago

    I have around 6 years of experience in different fields like vulnerability management, web penetration testing, SAST, DAST, secure architecture reviews and threat modeling.

    What is a career path suitable for someone with this background? Security architect? Principal security engineer? I am not sure what steps I should be taking to progress. I am considering taking CISSP or CCSP as a major cert in the coming year.

  • sumikko@infosec.pub · 1 point · 1 year ago

    Looking for resources (books/blogs/videos) on how to get started with getting into cyber security. I’ve got 13 years of work experience, of which 10 as a Linux sysadmin/SRE/DevOps (it’s a culture, not a role) and 3 years as a software developer. I understand the field is wide and there are many positions I could look at getting into.

    I get along with people well and have worked as a consultant before, so I could see doing that at some point as a contractor once I’ve got more experience in the field. Generally I’m not a big fan of working at big companies, but don’t mind doing gigs for them.

    I guess familiarizing myself with pentest and other tooling would be a good start?

  • matt@infosec.pub · 0 points · 1 year ago

    General question but how do y’all actually find a mentor? I feel like there’s probably a local group nearby me or something that I could look into but are there places/people that are more likely to say “yes, I will mentor you” in y’all’s experience?

  • solidsnail@infosec.pub · 0 points · 1 year ago

    I feel like I’m a bit lacking when it comes to finding race condition vulnerabilities. Any tips on that?
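    No one answered this in the thread, so here is an added example (written for this post, not the poster's code) of the shape most race condition bugs take in application code: a check and an action that are not atomic, shown in a vulnerable form and then under a lock. The `Account` class, the `after_check` hook and the balances are constructed; the hook exists only to force the worst-case interleaving deterministically, where in real code the window would be a database round-trip or other I/O.

```python
"""Check-then-act race (time-of-check/time-of-use) on a shared balance.

Added example for this thread; not from any post. Everything here is a
constructed model: the hook that pauses between the check and the update
stands in for whatever real latency sits in that window, and is used to
make the bad interleaving happen on every run instead of occasionally.
"""
import threading
import time


class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int, after_check=None) -> bool:
        # Vulnerable: the balance check and the subtraction are two separate
        # steps. A second thread that passes the check before this one
        # subtracts will also be allowed through, overdrawing the account.
        if self.balance >= amount:
            if after_check:
                after_check()  # the race window
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount: int, after_check=None) -> bool:
        # Hardened: check and update form one critical section, so the
        # second thread only runs its check after the first has updated.
        with self._lock:
            if self.balance >= amount:
                if after_check:
                    after_check()
                self.balance -= amount
                return True
            return False


def run_concurrent(method_name: str, start_balance: int = 100, amount: int = 100):
    """Two threads each attempt one withdrawal of the full balance.
    Returns (final_balance, number_of_successful_withdrawals)."""
    acct = Account(start_balance)
    method = getattr(acct, method_name)
    results = []

    if method_name == "withdraw_racy":
        # A two-party barrier: neither thread subtracts until both have
        # passed the check, which is exactly the interleaving an attacker
        # hopes for when firing parallel requests.
        hook = threading.Barrier(2).wait
    else:
        # Inside the lock a barrier would deadlock (only one thread can be
        # in the critical section); a short sleep still widens the window
        # so the second thread demonstrably has to wait on the lock.
        hook = lambda: time.sleep(0.01)

    def worker():
        results.append(method(amount, after_check=hook))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(results)


if __name__ == "__main__":
    print("racy:", run_concurrent("withdraw_racy"))  # (-100, 2): both withdrawals succeed
    print("safe:", run_concurrent("withdraw_safe"))  # (0, 1): second one is refused
```

    When hunting for these in a code review, the pattern to look for is any read of shared state followed by a write that depends on what was read, with the two not covered by the same lock, transaction or atomic operation; when testing, the barrier trick above is the honest way to prove the window exists rather than hoping the scheduler hits it.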