|
Well yes, back in the old days most of us were self thaught through articles such as Phrack, or connections on IRC, and lots and lots of experimentation. I would say today it is both easier and harder. It is harder because the body of knowledge is so much larger, it is easier because so many more materials and exercises are available. From my perspective, and I lead a team of these security researchers, it is an advanced career path, and still requires a lot of self-motivation. That said, there are more and more definitions of what "security researcher" means, in some cases it means being able to find web vulnerabilities without using Burp, so YMMV. I would suggest to focus on fundamental skills such as reverse engineering, code review, low-level languages such as C and assembly, interfacing at a low-level with binaries through debuggers and instrumentation etc etc. Those are all broadly applicable.
Playing CTF games is a good starting point too, as is auditing open source software. But make no mistake, it will be a challenge, and it will require tenacity on your part.
Good luck ! |