Java based Web/Enterprise App Developer - Move into the InfoSec field

Hello Everyone!!

I need some career advice from all the security gurus here. I am a Java based Web and Enterprise Application Developer with 5+ years of experience now looking to get into the field of Information Security. Will my previous experience as an Application Developer have any value add in the field of InfoSec?

Please advise where to start with the certifications related to the InfoSec and the best certification path that i need to take with regards to my previous experience as an Application Developer.

Thank You.

Regards,
emzee

Find more posts tagged with

Comments

the_hutch

That's an excellent background to come into security from... Insecure web apps are the number one biggest problem in enterprise information security. I assume if you've done web-apps, you've worked with front end HTML and backend SQL? Any server-side scripting experience with PHP?

The real question is...what in security are you wanting to do? Or are you just looking for any suggestions that would leverage your previous experience?

JDMurray

First, you must discover what you find interesting in InfoSec and would like to learn for a career. With your background, it looks like Web application vulnerability testing and remediation would be your forte, but you might find that you want to do some other type off application security, or maybe not AppSec at all. You need to look over the objective for a broad InfoSec certification, like the SSCP or CISSP, and find what interests you for a career change.

emzee

the_hutch wrote: »

That's an excellent background to come into security from... Insecure web apps are the number one biggest problem in enterprise information security. I assume if you've done web-apps, you've worked with front end HTML and backend SQL? Any server-side scripting experience with PHP?

The real question is...what in security are you wanting to do? Or are you just looking for any suggestions that would leverage your previous experience?

Yes, I have good amount of experience in working with front end HTML and back end SQL. No experience in server-side scripting with PHP but have some nice experience in client side scripting with JavaScript and ExtJS. if PHP knowledge is really required then i can learn quickly.

And Yes, I am just looking for suggestions that would leverage my previous experience. And I would like to know where to start or which certification should I do to step into the InfoSec field.

JDMurray wrote: »

First, you must discover what you find interesting in InfoSec and would like to learn for a career. With your background, it looks like Web application vulnerability testing and remediation would be your forte, but you might find that you want to do some other type off application security, or maybe not AppSec at all. You need to look over the objective for a broad InfoSec certification, like the SSCP or CISSP, and find what interests you for a career change.

Basically, the thought that provoked me to think upon a career change at this stage is that my current job is not offering me any growth with regards to building a career as a specialist in that field. As you said that Web application vulnerability testing and remediation should be what I should aim for, I totally agree with you. The reason me posting this thread is that because a lot of people who were offering some courses on InfoSec such as Ethical Hacking made be believe otherwise. For them, Ethical Hacking was all about network penetration testing only. I am reaffirming that it is otherwise and includes Application Security as well.

So the big question!! Which is the right certification to step into the field of InfoSec? C|EH? Security+? Any other suggesstions would be most helpful.
Further advice from the Security Gurus here would be most helpful and appreciated.

Regards,
emzee

JDMurray

The first InfoSec cert I recommend is the Security+. It is a good and basic introduction to InfoSec for people that are not sure if InfoSec is something they want to get in to. It's also a widely recognized cert worth having on a CV or resume. There's also a lot of information and advice here at TE on the Sec+, CASP, SSCP, and CISSP.

Pentesting information systems and communications network is mostly about finding flaws in design, implementation, and configuration of software. Occasionally, you find a hardware problem to exploit (cable plugged into wrong port/VLAN, modem not behind a firewall, etc.), but software problems are far more common. Just knowing how to perform thorough, rigorous, security-minded (misuse cases) Software Quality Assurance procedures on Web services, and understand why the problem (vulnerabilities) exist, will make you very valuable in the Web pentest world.

emzee

Thanks a lot for your valuable suggestions!! I'll start off with the Security+ certification.

Regards,
emzee

the_hutch

Sounds like you have a very solid background for getting started. Best of luck.