Ask HN: Best route from developer to pentester
6 points by careershift 3569 days ago
I have a lot of experience with web (rails, angular, ember, react), android and backend (nodejs, go), but got laid off a while back and am thinking of branching off a bit and looking into pentesting. It's an area I have always had an interest in, so now that I have time I wanted to delve a little deeper. There are some costly courses available, but seeing as I am getting short on money it is quite the risk without having some solid testimonials backing it up.

If anyone can offer me some advice on a good starting point I would greatly appreciate it.

2 comments

I think https://www.cybrary.it/ is pretty good for free lessons. You can combine it with VMs like https://www.offensive-security.com/metasploit-unleashed/requ... and those from https://www.vulnhub.com/ for a bit of hands-on. Also, you can get a lot of information specific to your language, like http://guides.rubyonrails.org/security.html and https://github.com/presidentbeef/brakeman to look at real apps, to see what can go wrong.
Oh, and there are some good podcasts, too. Like Risky Business, 7 minute security, Liquidmatrix, Security now... 7 minute security just had a decent series on how to set up a DIY $500 pentesting lab, for example (https://vimeo.com/179271256).

Finding some famous pentesters to follow on Twitter can't hurt, either.

That seems like an awesome resource! I can't believe all those courses are free.
Really interested in this as well. Currently working as a web dev but really get excited when it comes to web app security.

Can we also discuss paid courses that might be of value as well?

I think https://www.offensive-security.com/information-security-trai... is probably currently the best bang for the training buck...