What to study for security?

I seem to have followed the completely opposite route to infosec from most people on here. I won't be studying for a degree until the end of the year, I don't have any hardcore network admin experience, and I don't know how to pen test. My previous roles were mostly in compliance, risk management, and a lot of security consultancy (both at project, policy and incident level). So I know a lot about a bit, without being able to natively read a TCP **** or something like that, or tell you the intricacies of layer 2 vlan hypervisor switch tables (it's all magic to me).
I plan to correct that while I'm reading up on cloud security.

My first thing to learn is about general pen testing and so I'm working out how much it's going to cost to build a lab (going for an HP microserver that I can just stuff with disks and ram). In the meantime, I have a laptop and will go from there. The second thing - and this where I'm a little lost - is I think I should also learn how to program. I'm starting with python because it's mentioned like everywhere. After that, I'll start looking at learning C++. It's an old language, but I think it will be worthwhile because It'll get me up to baseline level with a lot of the other, modern languages out there.
I've taken a look at Amazon for books on Python programming but would like recommendations. My first choice is Black Hat Python, but the more I read the blurb and the reviews, the more I think this is for someone who already knows Python.

My one caveat is that the 'teach your self in 7 minutes' types of books aren't for me. I'm going to need more than 24 hours or a week, or whatever they promise.

Any advice?

Find more posts tagged with

Comments

the_Grinch

Start with networking. I always point people to this article because it will get you where you need to be:

https://web.archive.org/web/20160310060148/http://infiltrated.net/pentesting101.html

paul78

I suppose it kinda depends on what you want to do in security. And the advice you are going to receive is going to depend on the background of the person giving it

Since I come from a software engineering background - I tend to favor a foundational approach.

For someone that wants to enter the highly technical aspects of pent testing and exploit development - understanding how the software that drives the operating systems, apps, and networks imo is invaluable. I would generally not recommend C++ but C instead - but better would be Assembly - The Art of Assembly Language Programming is often the resource that most cited - Art of Assembly Language Programming and HLA by Randall Hyde

I would also suggest SecurityTube - Welcome to SecurityTube.net

leboratorical

paul78 wrote: »

I would generally not recommend C++ but C instead - but better would be Assembly - The Art of Assembly Language Programming is often the resource that most cited - Art of Assembly Language Programming and HLA by Randall Hyde

I would also suggest SecurityTube - Welcome to SecurityTube.net

Thanks for your response. Can I ask why C and Assembly Language first? What is it that will give? I most likely won't be penetration testing myself

, but I will need to know the nature of vulnerabilities and how and where they get introduced. At some point it may be that I'll be needing to learn how to work in a DevSecOps environment, so maybe you're right.

And now I think I've talked myself around to your position.

@the_Grinch - thanks! will pick that up and take a look!

paul78

leboratorical wrote: »

Can I ask why C and Assembly Language first? What is it that will give? I most likely won't be penetration testing myself , but I will need to know the nature of vulnerabilities and how and where they get introduced. At some point it may be that I'll be needing to learn how to work in a DevSecOps environment, so maybe you're right.

I may have misunderstood. I read your post to mean that you wanted to understand how exploits are developed for penetration testing and how vulnerabilities occur.

If you just need to have an overview understanding - learning a language may not really be necessary be where you may want to consider starting. Perhaps watching the videos on SecurityTube and elsewhere such as on the Offensive Security sites - https://www.offensive-security.com/metasploit-unleashed/ - may whet your appetite for the topics involved and you can then hone in on your specific interests.

For devops - you are most likely to encounter use of interpreted scripting languages like Python so learning Python could be useful. Understanding how tools like Git, Jenkins, etc. are used would also be a good place to start.

leboratorical

Thanks both of you. This has given me a firm start to go forward.