Application Security

I have been working as a developer for almost 5 years now, and I want to move into security-related work. Specifically, I would like to focus on application security (code reviews, pen testing, IIS & DB hardening, etc.), but I don't know where to begin.
I am considering getting a cert as a signal of serious intent, but I haven't found much information on application-security-specific certs (aside from GIAC, which are prohibitively expensive). As a result, I have been considering getting my SSCP, but I don't know if it will be very applicable. My employer most likely won't pay for the certs, so I will have to foot the bill myself and be very careful with my selections. Any advice that you can offer would be appreciated.
Comments
And I had to pay for it all myself too. Invest in yourself; no dollar you spend on advancing your career, or personal development, ever is wasted.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
Which certs did you start with? I have considered getting my master's (online, since no universities in my area offer Info Sec at all, let alone at the master's level), but $30k is more than I can afford, even broken out over 5 years. I can handle the certs (if not always the associated training) without putting my family in the poor-house, but I see your point about investing in yourself.
The Security+ is the first cert to start with. It's a good intro to the knowledge base used in InfoSec, and is recognized by many organizations (e.g., Microsoft, HIPAA, (ISC)2, DoD) and hiring managers. From there you can go to CEH for pen testing, CCNA Security for network security, CWSP for wireless security, or SSCP for a general, mid-level technical InfoSec cert. The SSCP is good prep for the CISSP exam, so I recommend not going for it until you are close to needing to study for the CISSP.
As you look at certs for InfoSec, you will notice that there aren't many specifically for application security. There are a few certs for secure coding and development practices (GSSP, CSSLP), testing software for vulnerabilities (CEH, OSCP, CNOP, GPN, GWAPT), and one for reverse engineering (GREM). There are also Java and .NET programming certs that have little to do with security. You'll choose based on what your interests in AppSec are and how much you're willing to pay (in future, try to favor employers that pay for training
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray