[hqsolomo]

If you have the patience you can try setting up your own CI/CD pipelines.

IMO API dev isn't THAT different from what you already do, just a different mindset. Take this with a grain of salt from me though because I only dabble in API dev.

There's an O'Reilly book "Cloud Native DevOps with Kubernetes" that have me a solid grasp on Kubernetes but the biggest lesson from that section was "don't manage k8s yourself" and that was the BEST advice about K8s I've ever seen. Create a free account with the cloud service providers and play around with k8s (ideally after you've run through some guides on CI/CD). This is 100% your "real world experience".

If you're looking to try a new career field I think you'd likely excel in infosec with your background. Take a look at application security and see if that interests you.

I know your pain as I'm on the tail end of what you're going through, but as an outsider looking in it seems you're in a much stronger spot than I am! They're is light at the end of the tunnel!

EDIT: IT needs specialists AND generalists. From one generalist to another, don't be too upset about not being an expert in your domain. I'm a CISSP that struggles with security analysis but can do security management, privacy, and GRC off a fresh bong rip and a four loko+rip it cocktail. THERE IS NOTHING WRONG WITH NOT KNOWING EVERYTHING BECAUSE A GOOD TEAM WILL ALWAYS LOOK OUT FOR EACH OTHER

[readyna]

I agree API dev doesn't seem particularly special. Really boils down to async calls with a chance of never hearing back. But maybe I'm that out of touch... Even if it is trivial though, I've had a recruiter ask me for specific examples of any API experience I have, and of course proceeded to ghost me.

Skipping k8s management makes a ton of sense to me, especially since that should be considered more of a DevOps job anyway. But since you say to do CI/CD first, I assume you mean I should go through the entire flow where I submit commits and have the "CD" deploy to the cloud k8s? Seems like I'd still need to be able to bring up my own local instance to see my code changes during dev, and would need to manage the local k8s.

Security might actually be the way to go long-term! The way I see it, it has to be verifiable (not possible to depend on AI) and can't be outsourced (at least not to any adversarial country). I'll definitely look into that!

What was your playbook to get into infosec?

[hqsolomo]

When I say "do CI/CD first" I do mean "make a commit and watch it go brrrr". You could build a pipeline yourself if DevOps engineering sounds fun but my experience with it professionally is "do whatever the DO guys say to make sure your changes reach prod". I dabble in my spare time out of curiosity and because I like punishment, lol.

I took a nonstandard path into infosec- I never actually went to school for it because it just wasn't taught where I went at the time. I learned by reading a lot and testing what I read against my own (and sometimes not my own) machines and my previous employment gave me a solid foundation since all of my professional skills were transferable. I was a dev for 2 years and a security-focused business system analyst for 6 years before getting my first job in infosec, and I'm 100% sure I passed my CISSP solely on dumb luck because I just "picked what made sense to me." I never took Sec+, Net+, OSCP, etc... certification because by the time I found out those certs existed I was already a CISSP and working to shore up my blue team weaknesses (blue team = "don't hack me bro", red team = "IT'S PWNIN' TIME". There's also purple team where you do both, I see this being the future of the craft much like how development and operations has pretty much merged).

I definitely recommend reading up about cybersecurity topics- maybe even take a Udemy or Coursera course or two on the fundamentals. Even if you get an entry level role I have no doubt you'd be able to ramp up quickly. You DO need to understand networking concepts so that might be new but it's seriously not THAT in-depth and you can skirt by initially with the basics (know how networks work, and be able to both capture a packet and read a PCAP file) and pick up more as you grow into the field. You'll need to pick up soft skills to help you frame technical concepts into terms laypeople can understand for your reports, which can be a challenge at first but you get the hang of it after doing it a while. As long as you're on a decent team any weaknesses you have can be covered by an ally- DO NOT BE AFRAID TO ASK FOR HELP WHEN YOU DON'T KNOW SOMETHING!

I do need to be transparent- my skills are more on the security management side (I could talk for HOURS about security risk) and most of the roles I've seen advertised (including the one I just left) are for security operations center staff. Hopefully another security professional here more skilled than I can chime in to keep me humble and honest!

If you're interested (ISC)2 has a "Certified in Cybersecurity" certification intended for people new to the industry. I'd take a look at the exam material for that and see if it interests you. You may be tempted to jump for CISSP, CISM, a GIAC cert, etc... Save those for later in your career when you KNOW you're ready (also I dunno about CISM but CISSP requires at least 5 verified years of professional security work and the endorsement of another CISSP. I don't think the GIAC certs are as strict but they're WAY more expensive). They're NOT easy, and there's a real risk you'll end up like me if you successfully take the shortcut, a CISSP that excels at the really hard stuff but has no interest in/sucks at the grunt work.

If you can get a mentor for cybersecurity that would be a huge plus- not just for helping you find a job in the industry but it REALLY helps fight off the inevitable imposter syndrome (I have met exactly ONE security professional in my entire career that didn't deal with imposter syndrome at some point in their career. That one guy has a higher IQ than my car has horsepower).

Hope this helps!