by igolden 3217 days ago
I’ve been a professional software developer for the last 4-5 years, but never took security seriously until IoT took off. Get some Raspberry Pis, install Kali Linux on a VM or spare computer, and go to work! It’s just so easy and cheap to set up a pen test lab. I’d recommend every dev have a few attack machines for fun. That’s how I got started.

It’s also a huge field. Try checking out security in your current discipline. I was a web developer in 2013, so it was natural that I was inclined to look at SQL injections, XSS, packet sniffing, etc. I already understood the domain. That is easier than jumping into reverse engineering firmware if you have no xp.

Now, after a couple of years of practice, I’m recommitted to security. Huge issue in our current tech ecosystem. I was just approved to take CEH and will be taking it next month. To make it official. If you need some structure to your learning and want to make a career move, check out getting an industry base cert like the CEH or offensive arc cert. Most security jobs prefer candidates to have at least one, and they’re not incredibly difficult.

Happy pwning!


Skip the CEH and go straight for the OSCP. It's much more valued. Many in the industry see the CEH as a joke. Good luck!

I don't disagree that CEH is inflated, and this coming from me, the guy who paid $1000 for the chance to test.

What the CEH does give people is a curriculum that they can adhere to. Not everyone can wrap their head around a complex subject like infosec alone. It's not a badge of honor, especially in a niche like infosec. But it does show you're serious about the field and willing to make a financial commitment. That's why I'd say it's worth considering if you're looking to make a career move. Of course, look at every other option and choose the best fit for you.

I wouldn't skip the CEH, at least not the material, but I wouldn't use it as a badge of honor on a resume either. It's a decent study guide as it exposes you to the nomenclature fairly well, but it's far too easy to pass the certification without actually being proficient in anything.

There is a massive difference between the CEH and OSCP. If he's ready to take CEH, I'd say do it and use that experience to begin studying for OSCP.

OSCP is no fucking joke. It's hard.

Hey man, this is really inspiring. I've been thinking about switching from web dev to security. How do you like it in comparison?

Right now I am happy as a freelance software engineer. I wasn't looking for a new job (I wanted the KNOW), but I _was_ looking for validation among business-types. I also have a few certs from AWS, and attaining those created the validation I needed in DevOps/cloud (so it can be worth it for career growth).

Honestly, I just got tired of being THAT developer who willingly shirked his security duties. I always let someone else 'handle it'. In comparison now, I'm much more confident because I know (more) about securing the network and underlying ecosystem that my applications live in.

I think most people hiring want to see a developer who is excited and puts out lots of work. I've always been pursuing this in my free time, which goes a long way to show that I am truly interested in the subject. But at the end of the day, your cert can't secure a network if you can't. Get the KNOW and you'll find an opp w/ or w/out the semantics.

Hope that helps.

That helps, thanks for the reply!

"It’s also a huge field. Try checking out security in your current discipline."

I'm actually 15 at the moment with basically no experience besides messing around with kali tools like a script kiddie.

Got any tips for programming languages to learn/where to learn?

I appreciate the post!

In terms of languages I'd echo the sibling comment: Ruby or Python are likely to be good choices.

If you're looking for things to start getting into security-type learning, you could do a lot worse than start with CTFs (https://ctftime.org/ctf-wtf/). Whilst they're not identical to what you'll face as a security tester, they cover a lot of similar skills. Also, you'll likely meet people in the industry by doing them.

There are also sites like https://pentesterlab.com/ which have free examples of pentesting challenges.

Hmm, those look very interesting. Thanks!

Take a look at either Ruby or Python - both have huge userbases in general, but are also used regularly within the business.

A lot of quick scripts are written in Python - you may have noticed this in Kali.

Ruby is what Metasploit is built upon, meaning a lot of the modules are also Ruby.

Both are great languages. In regards to where to start with learning them, take a look at https://www.codecademy.com; both are featured there and give you a nice gentle introduction to their syntax and ways of working.

Also for Python there's https://learnpythonthehardway.org which is awesome, and https://automatetheboringstuff.com which is a little more practical to begin with.

Once you feel comfortable with the language(s), go read the source code for those scripts or modules in Kali and see what else you can pick up.

Thank you!

For some interesting reading, go pick up a Kevin Mitnick book like Art of Intrusion. It's not a technical how-to but a collection of social engineering stories that are fun reads. Gives you a lot more insight into where the real vulnerabilities are.

You have a long but very interesting road before you. Infosec is huge. Lesley “hacks4pancakes” Carhart has a great series which provides an overview of what you can choose from: https://tisiphone.net/2015/10/12/starting-an-infosec-career-...

If you're serious about infosec and don't just want to run tools and call it a day, I suggest covering the basics first:

- programming: would be cool if you learn not only some language but programming “as art and mindset” in general. This includes your typical Computer Science courses, algorithms etc. Great if your school or university teaches those but you can always fall back to online education platforms.

When it comes to language, I'd recommend Python over Ruby. Granted, the latter powers Metasploit, but a lot more tools and wrappers around tools are written in Python. Once you know Python, creating Metasploit modules won't be a problem because a lot of things are handled by the Metasploit Framework.

Also, this comes from a highly subjective Python developer, but I suggest learning Python 3, despite a lot of infosec tutorials and tools still using Python 2 (e.g. socket programming). It's easy to fall back to Py2 if you need to, but you'll have the power of the latest and greatest if you go Py3, because not everything is backported. Most books contain a lot of useless material and are pretty slow-paced, and I'm not a fan of “Learn Python The Hard Way” either. I personally started with “Learning Python” by Mark Lutz; about a third into the book I ditched it and just went practicing and googling for answers. Cannot vouch for “Automate the boring stuff…”. You do you, but in the end it all comes down to practicing.

- networks: almost as important, if not more important than programming. Web pentesting, internal network pentesting, malware reversing, DFIR, even some part of exploit writing constantly interact with networks and analyze traffic.

- OS: for starters, tinkering will be enough. Familiarize yourself with Windows (console, registry) and some flavour of Linux (shell, permissions, important files etc.), preferably Debian-based because they are popular in CTFs and tutorials. Install and configure some software like web servers, databases, development environments to get the hang of it.

Where to learn:

Google, obviously.

https://pentesterlab.com/ is great for web pentesting. They have a free tier with pretty okayish explanations and exercises. They also have a “Bootcamp” section which covers some network, programming and Linux stuff.

LiveOverflow's YouTube channel has a playlist called “LiveOverflow Binary Hacking” which is a great primer into exploit development on Linux. For Windows, you should probably check the Corelan series: https://www.corelan.be/index.php/articles/

https://www.vulnhub.com/ has machines for practice. Not all of them are great but you may learn a lot by reading writeups.

When it comes to certifications, they all serve their purpose, even CISSP and CEH. I did OSCP and while I won't call it “10 out of 10”, it's decent and probably the best one when it comes to skill practice and cost. It targets internal network pentesting, though, which might not be that useful if you choose another field.

Did I mention Google?

I remember when I was 15 and asked that same question on hellboundhackers :D #nostalgia!

Jokes aside, go with Python. It was my first language and to this day I can't think of a better language for people to start out with!

Good luck to ya!

Thanks!