Career Advice for Developer wanting to transition to security

Hi Folks - not sure this is the right location to ask for security career advice. If not please help me transfer to appropriate section.
Background:
I have a B.S in Mathematics and Minor in CompSci (also took unix admin, cisco training at tech college)
2 years as an operations manager running at technical call center
3.5 years developing winform and wpf engineering applications
6.5 years developing large enterprise web apps (c# mvc, webforms, vb.net winforms, minimal java, some php)
Contracting on side for about 12 years developing web apps, wordpress, drupal, doing office365 administration, office network setups, and other various activities.

My work does not want to invest in security training but my boss has given me the go ahead to build security training for all the developers and he is pretty open about letting me pen test all our apps etc.
I have pluralsight and studied all about web security and completed all the apps in the web security dojo. I then took that knowledge and audited all our programs fixing the issues I found.
I have now begun studying the exploits of years past, running VMs like metasploitable, vulnhub vms etc. I am learning how to do many of the older style attacks like buffer overflows and write my own programs to exploit them. I know I have more to go like ROP chaining, etc.

However I am getting to a point where I don't know where to go from here. As a developer, most of our certifications are crap or at least thats what we all preceive (usual caveat of it matters what you put in etc). To move more into a security developer role or to be a security researcher, I am not sure if I should earn some certs or what. In my world we all pretty much look for experience as the #1 factor. Education and certs are secondary. I am positive it's the same way in security.

1) The ISC^2 CSSLP looks awesome but seems to be more for management
2) OffSec courses seem to be a good fit for me and seem to be quite worthwhile.
3) Do I need to prove I have the knowledge of net+, sec+ by getting those certs or can I just say I self studied, which I have..
4) What suggestions do you guys have for my current position to gain more experience?
5) The EC Council CASE certification looks good but is expensive and do I really want to pay 800 when I can do the OSCP (something people actually respect?).

Any advice would be so much appreciated as I really want to persure my dream as a security researcher, security developer, and pen tester.

Thank you for reading this.
J

Find more posts tagged with

Comments

JDMurray

Jerrod said:

My work does not want to invest in security training but my boss has given me the go ahead to build security training for all the developers and he is pretty open about letting me pen test all our apps etc.

Is your boss the sole owner of the company? Security testing (and education) requires a buy-in from the very top of the business organization. For security testing to be worthwhile, it's not something you do on-the-cheap or teach yourself on-the-job. If you do not currently perform security testing as part of your software quality assurance process, you need to invite in a professional consulting firm to get a proper security testing program started in your organization. By doing so you will save your organization much money and grief in the years to come.

paul78

I'll agree with @JDMurray but it's probably a bias because that's what my company does.

But that said - I do believe that pent testers with a development background tend to have an edge. What I would suggest that may make more sense is for you to get a decent commercial static code analyzer and focus on the appsec portion. As a developer, I think would be more valuable then doing external app pent testing. Plus from a development cycle cost perspective, it would be a better ROI given your interest.

Meggo

I interviewed one of our (InfoSec's) alum on a really similar topic. He's a CIO at a finance company and has some really good advice for those looking to get into the industry. Here's an excerpt from our interview you might find interesting:

As CIO & Hiring Manager, What Value Do You Place on Certifications?

Julian: We look for a combination of experience and certifications, and always prefer candidates with certifications. This is especially true for our systems, networking and security positions. Again, it’s a combination of both. But if all other qualifications are equal, I prefer the candidate with certifications.

Do You Need a Computer Science Degree for a Security Role?

Julian: In the past, it hasn’t necessarily been a need. We weren’t always looking for someone who could code their own exploit fixes or automate testing. In today’s time, however, it’s really changing. Security is a really mature market — having someone with a developer background helps you customize the tools you’ll use to defend your enterprise. I would love to see more developers getting into the security side of things. Being able to code your own remediation is a huge asset.

Full interview is here if you're interested: https://www.infosecinstitute.com/client-stories/julian-tang-on-infosec-institutes-cissp-boot-camp-compressed-engaging-effective/

LionelTeo

Sharing what i did to get better at it

1) download daily malware and pcap fromhttp://malware-traffic-analysis.net and analyse in VM

2) Buy books from amazon and read.

Jerrod

JDMurray said:

Jerrod said:

My work does not want to invest in security training but my boss has given me the go ahead to build security training for all the developers and he is pretty open about letting me pen test all our apps etc.

Is your boss the sole owner of the company? Security testing (and education) requires a buy-in from the very top of the business organization. For security testing to be worthwhile, it's not something you do on-the-cheap or teach yourself on-the-job. If you do not currently perform security testing as part of your software quality assurance process, you need to invite in a professional consulting firm to get a proper security testing program started in your organization. By doing so you will save your organization much money and grief in the years to come.

No he is not the sole proprieter. I totally agree that security needs to be pushed to the left and up. However I have no control over that. As I am sure is the case of most here, nothing will be done until a big incident occurs. Agree on all fronts, but my questions are what can I do to maximize my learning in my current situation and where do I go from here to move laterially.

Jerrod

paul78 said:

I'll agree with @JDMurray but it's probably a bias because that's what my company does.

But that said - I do believe that pent testers with a development background tend to have an edge. What I would suggest that may make more sense is for you to get a decent commercial static code analyzer and focus on the appsec portion. As a developer, I think would be more valuable then doing external app pent testing. Plus from a development cycle cost perspective, it would be a better ROI given your interest.

This is what I have done. I have moved us to static and dynamic analysis. Manual code audits. Finally pen testing our particular apps. This is where I have learned the most. Finding the problems, fixing them and learning and much as I can about each error. I would suggest all developers to do this, it has been a major eye opener.
Thanks

Jerrod

Meggo said:

I interviewed one of our (InfoSec's) alum on a really similar topic. He's a CIO at a finance company and has some really good advice for those looking to get into the industry. Here's an excerpt from our interview you might find interesting:

As CIO & Hiring Manager, What Value Do You Place on Certifications?
Julian: We look for a combination of experience and certifications, and always prefer candidates with certifications. This is especially true for our systems, networking and security positions. Again, it’s a combination of both. But if all other qualifications are equal, I prefer the candidate with certifications.

Do You Need a Computer Science Degree for a Security Role?
Julian: In the past, it hasn’t necessarily been a need. We weren’t always looking for someone who could code their own exploit fixes or automate testing. In today’s time, however, it’s really changing. Security is a really mature market — having someone with a developer background helps you customize the tools you’ll use to defend your enterprise. I would love to see more developers getting into the security side of things. Being able to code your own remediation is a huge asset.

Insightful. I may have just lucked into full training for OSCP and OSCE from a side contract I am about to sign.I feel more comfortable with these certs

Jerrod

LionelTeo said:

Sharing what i did to get better at it

1) download daily malware and pcap t and analyse in VM

2) Buy books from amazon and read.

Excellent advice. In fact I didn't go the malware traffic site, but I have used some recent startups I worked for to get maleware.
From there I have been using IDA Pro to disassemble the malware.

I haven't been reading many books, but I have been following a bunch of tutorials online for the basic exploits in the windows environment. I really think I need to start fuzzing and finding vulnerabilities on my own. This would give me some more credability to jump into a security developer role or possibly security developer role.

Any other suggestions on what I can do to show I have basic knowledge that I don't need net+ or sec+ or some of the beginner certs? With my background, is OSCP or CSSLP the more wiser choice? If, as I am hoping, this side gig pans out, I will have 5-10k to spend on some training and maybe can even get in some sans training. I sure hope that training is worth it because those courses are outragous.

Thanks for all the responses.

paul78

@Jerrod - Would you mind elaborating on what you mean by transition to security from development? If you are already doing work with static code analyzers and evaluating those results - are you saying you want to get out of software engineering as a primary role?

Jerrod

paul78 said:

@Jerrod - Would you mind elaborating on what you mean by transition to security from development? If you are already doing work with static code analyzers and evaluating those results - are you saying you want to get out of software engineering as a primary role?

Paul,

Good question and the short answer is I don't know. I am seeing jobs for software security developer, where the emphesis is heavy on secure software development. That's why I mentioned the CSSLP (of which I meet the criteria to sit for). To be honest I am getting tired of making enterprise apps, even though I do get to work with many new technologies and my job is wonderful.

I think my idea job would be to audit code for companies, do pentesting of web applications, work with some data analysis, and oversee large software projects from the technical angle. I have home physical labs with many configurations, cisco routers and switches, adtran equipment, servers running all types OS and software and I do try to practice breaking in and moving laterally through a network.

As I mentioned above, I have IDA pro and been using it to disassemble malware.

All of that is great to say, but I don't know if people would believe me when I go to apply for a secure development job without these official title before, even though I am doing some of the correct things at my job. I now have everyone doing threat modeling. I took the OWASP top 10 and run 20 page tutorials for each vuln and created videos for my team. That has gone over well. My boss would attest to those things if I jumped.

Thanks.

LionelTeo

Jerrod said:

LionelTeo said:

Sharing what i did to get better at it

1) download daily malware and pcap t and analyse in VM

2) Buy books from amazon and read.

Excellent advice. In fact I didn't go the malware traffic site, but I have used some recent startups I worked for to get maleware.
From there I have been using IDA Pro to disassemble the malware.

I haven't been reading many books, but I have been following a bunch of tutorials online for the basic exploits in the windows environment. I really think I need to start fuzzing and finding vulnerabilities on my own. This would give me some more credability to jump into a security developer role or possibly security developer role.

Any other suggestions on what I can do to show I have basic knowledge that I don't need net+ or sec+ or some of the beginner certs? With my background, is OSCP or CSSLP the more wiser choice? If, as I am hoping, this side gig pans out, I will have 5-10k to spend on some training and maybe can even get in some sans training. I sure hope that training is worth it because those courses are outragous.

Thanks for all the responses.

If u have some budget for training then getting the SANS GREM/GXPN cert should be a great way to indicate your interest.

Constantly working on Cybersecurity stuff and being curious about it is the way to break into CyberSecurity. If you have been using ida pro to disassemble malware/code, then ur on the right track of being a good cyber security professional one day.

Python is a highly sought after skill in Cyber Security industry. Since your a developer, listing ur proficiency in Python should grant you an edge over candidates that don't.

Continue working on ur skills and one day you should have no problem breaking into such an opportunity.

paul78

@Jerrod - from your description, it sounds like you are gravitating towards offensive security roles. And it sounds like you are doing all the right things already. I read Julian's interview with @Meggo and it was very interesting. But my own belief about why I prefer to see offsec people come from software engineering background is entirely different. It's because I do expect that they understand how to develop or modify exploit code. But that's my own personal bias since I came from a software engineering background. I also don't feel the need to have someone hold any particular certification other than for marketing purposes.

Since you are mostly exploring - by all means, do one or two certifications. If anything, it let's you become accustomed to the nomenclature that is used. Certifications can offer a structured approached which is nice. As for OSCP vs CSSLP - take whichever you find the most interesting or both. When certifications got my interest, I started with the CISSP because I couldn't decide where to start.

As for your comment about people believing that you are qualified or passionate about this subject - that's easily remedied if you have a portfolio of work to include with your resume. We always check out a candidates public github repos for the type of security research that they do or any talks or papers that they have published. You mentioned you have been doing some malware work - publish something about the work.

Jerrod

paul78 said:

@Jerrod - from your description, it sounds like you are gravitating towards offensive security roles. And it sounds like you are doing all the right things already. I read Julian's interview with @Meggo and it was very interesting. But my own belief about why I prefer to see offsec people come from software engineering background is entirely different. It's because I do expect that they understand how to develop or modify exploit code. But that's my own personal bias since I came from a software engineering background. I also don't feel the need to have someone hold any particular certification other than for marketing purposes.

Since you are mostly exploring - by all means, do one or two certifications. If anything, it let's you become accustomed to the nomenclature that is used. Certifications can offer a structured approached which is nice. As for OSCP vs CSSLP - take whichever you find the most interesting or both. When certifications got my interest, I started with the CISSP because I couldn't decide where to start.

As for your comment about people believing that you are qualified or passionate about this subject - that's easily remedied if you have a portfolio of work to include with your resume. We always check out a candidates public github repos for the type of security research that they do or any talks or papers that they have published. You mentioned you have been doing some malware work - publish something about the work.

Paul,

Thanks. So if I am understanding correctly, if I publish my articles and tutorials etc on my website, that demostrates comprehsive knowledge of foundational material, that the basic certifications like net+ and sec+ are not necessary? Also what exactly are hiring managers looking for in articles and at what people have on their githubs?

For example, for the OWASP top 10 I have written comprehensive tutorials on how to exploit and secure each area. So for injection attacks, I have created a mini ebook (I say mini but it's at about 250 pages lol). The first portion deals with sqli and is titled A comprehensive tutorial on RDMSs and their Exploitations, or that's my working title. It is about 70 pages which does not include the multiple software solutions it comes with. I want to make videos for the material and was thinking about creating a metasploitable type VM that one could download and build. It would have the source code and require the person to fully exploit it and then code the fixes. The rest of the book deals with other injection attacks. I plan to write out fully a mini book (from my notes, smaller articles) on each area of the top 10.

This is the material I would like to be releasing. I code all day, so creating another open source tool just to have a git hub with material on it is something I want to avoid. Do you think once my material above is complete that this would look favorable?

I know Python but mainly use that for data science projects. I could easily automate with it. I know a ton of languages. Maybe if people want some code examples, I could post some things for arduino or rasberry pi programming. I haven't found a niche devsec area where I could make a custom tool that wouldn't be yet another tool of the same things out there.

What would one publish in regardless to maleware work? I am not discovering brand new maleware (yet). What are your thoughts on this versus the above I mentioned I am working on?

Thanks folks!
Jerrod

I do think I am doing the two OffSec certs and then CSSLP just not sure when yet.

UrbanBob

This might sounds like a dumb idea but why not start by applying for jobs

paul78

UrbanBob said:

This might sounds like a dumb idea but why not start by applying for jobs

Sometimes the obvious approach could be the best approach - lol

@Jerrod - it sounds like you may actually like where you are and you are being given the opportunity to add value to your employer while doing the things you enjoy. Perhaps one approach is to have a conversation with your supervisor and simple ask for a title change and one that's more closely aligned with what you do.

As for some of your comments/questions -

basic certifications like net+ and sec+ are not necessary?

I actually don't think that there is career value for you to have a Net+ or Sec+. It's probably only useful to you if there are topics in those certifications which you don't already know and you are interested in those topics.

.. what exactly are hiring managers looking for in articles and at what people have on their githubs?

I can't speak for others. But for me - depending on the role, seniority, and experience - it's things like thought leadership, creativity, and to see if someone had any type of demonstrable passion for their craft. I also look because it can help correlate if someone's resume really lives up to the "marketing" in a resume.

... I want to make videos for the material and was thinking about creating a metasploitable type VM that one could download and build. .... Do you think once my material above is complete that this would look favorable?

Yes. Absolutely. For me, someone that contributes back to the community in this way is usually viewed favorably.

What would one publish in regardless to maleware work? I am not discovering brand new maleware (yet).

Malware research isn't really related to penetration testing but if you enjoy it, you could always blog about what you learned. If you are researching malware used in botnets, you would write about the DGA's that you discover or how to discover them and publish the seeds. Maybe you will discover new variants since the seeds change with new variants.

What are your thoughts on this versus the above I mentioned I am working on?

I think you are doing all the right things. One other thing since you mentioned an interest in web appsec pent testing - you could join a bug bounty platform like HackerOne, Bugcrowd, etc and use that to build some credibility as well.

Jerrod

Thanks guys for all the comments. I actually have a great job and as I mentioned my boss even wants to give me the title but higher ups don’t see the value yet. Typical stuff we all have seen in our careers. I am getting to do quite a few things I can claim legit that I am doing security wise.
So luckily I’m now entering a partnership for a startup and they are going to pay up to 3k for security certs! Also I don’t have to claim it for taxes as they are directly paying for it. At least I hope it will turn out that way.

I know all about net/sec+ and took a few online exams I aced so I am not doing that. I just wasn’t sure if someone would want to see that. I am going straight for oscp within the next month. I want to finish up my training on the owasp. I’m glad that will look favorable. I even have advanced and beginner tutorials on it (for example with databases I wrote a guide to relational algebra and calculus and set theory).

Funny you mention DGAs as I just wrote a walk through on different algorithms. I was thinking about about actually showing how to create one in a lab that reads data from a picture to control, like from a twitter page (but a fake quick site I wrote).

This has been some great advice. I’ll try to log my oscp experience here in the appropriate forum.

thanks
j

gulatisneha56

paul78 said:

I'll agree with @JDMurray but it's probably a bias because that's what my company does.

But that said - I do believe that pent testers with a development background tend to have an edge. What I would suggest that may make more sense is for you to get a decent commercial static code analyzer and focus on the appsec portion. As a developer, I think would be more valuable then doing external app pent testing. Plus from a development cycle cost perspective, it would be a better ROI given your interest.

I agree with you.