Justin Taft - Home / Posts

How To Break Into Application Security

So you want to be a white hat hacker? Computer Security is a fascinating field and can be quite rewarding. The work you do will protect people’s privacy, prevent fraud , and can even save people’s lives when working on critical systems.

Having a college degree isn’t necessary. What’s more important is training yourself to think like an attacker, and understand how to prevent attacks from happening.

Study Web Application Security

For application security, it’s important to understand how underlying bugs work A lot of applications these days are web apps, so it’s a great target to learn how to hack.

The Web Application Hacker's Handbook: Finding and Exploiting Security FlawsThe Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws 2nd Edition  is a great introduction to web application security.  If you understand the material in the book, it’s likely you will be prepared to find high severity bugs during security assessments. 

 

 Portswigger’s website also has a great introduction to web vulnerabilities at https://portswigger.net/web-security. They are creators of the hacking tool Burp, which is use by security professionals around the world.

 Visiting local security meetups, such as OWASP , are a great way to network and discuss security with others.  I’ve only ran into friendly people at these meetings who are passionate about helping others. OWASP’s site also has writeups about common webapp vulnerabilities, and a very vulnerable web application to try and hack.

For tooling, check out the Kali linux distro. It comes with a free trial of Burp which is a highly popular proxy to pen test web applications.  Kali is packed with additional tooling used for network penetration tests.

Find Some Bugs (Optional, but highly recommended)

Review some open source software, or participate in bug bounties. Having real world bugs mentioned on a resume helps a ton. I would recommend starting with programs that are unlikely to have been reviewed a ton. Generally they have a lot more bugs in them. Look for XSS vulnerabilities, as these are highly impactful.

Starting Your Career

Look for junior positions at companies. Getting into larger companies may be a bit easier, as they have resources to train employees. Many companies also have intern positions which are great to gain on-the-job experience.

During interviews, don’t be afraid to say “I don’t know the answer, but I would try XYZ to figure it out”. You always can ask additional questions to help clarify questions. It’s better to be honest than lie.

Growing Your Skillsets

Continue expanding your knowledge and challenging yourself. Learn different programming languages and the cavets of them. Java, Python, PHP, and C are pretty popular during application assessments. Learn security on different platforms (windows, linux, android, iOS). Learning a bit of network principals will be helpful.

Some additional resources to learn more advanced concepts are:

Hacking: The Art of Exploitation, 2nd Edition: Highly recommended book for being introduced to  memory corruption vulnerabilities (c/c++). This one is a bit more advanced.

The Mobile Application Hacker’s Handbook is a good book on mobile application hacking. Focus on the iOS and Android chapters. Blackberry and Windows Phone aren’t that popular anymore.

Wargames/CTFs such as overthewire.org can be helpful. Be mindful some CTFs sometimes focus on arcane problems that you don’t run into during real security assessments.

Subscribe to high-quality news feeds and forums. Reddit’s r/netsec forum is a great example. New attack types are often shared and can be great to keep up to date on current events.

Learn a bit of cryptography! During assessments it’s good to just have teams use audited libraries. However there are may ways to recover/forge messages if you don’t know the encryption keys, if weak algorithms are used. Check out https://cryptopals.com for a lessons on implementing and breaking common crypto patterns.

Leave a Reply

Your email address will not be published. Required fields are marked *