5 answers
D.’s Answer
Information Security is a massive field, with a lot of opportunity. The first step is deciding where you want to focus. From your question, it sounds like you're looking for the application security side of things.
Learning about writing web applications is a great first step, but the specific language or framework isn't too important. I recommend starting with the Rails Tutorial, a free book that covers writing a web application from start to finish.
Once you've got an understanding of how data flows through an application, you'll be in a great place to start identifying security issues.
A great overview is the OWASP Top 10. This describes what they consider to be the top classes of security vulnerabilities in the wild today, along with examples of each. They also offer the OWASP Juice Shop, a vulnerable web application you can run on your own computer at home to learn about security vulnerabilities. It even has a companion book to help you work your way through the challenges.
Finally, there are ways that you can safely and legally practice on real life applications whenever you feel like you're ready to give it a shot. Companies like HackerOne and Bugcrowd help pair security testers with companies who will pay for security vulnerabilities you discover. HackerOne also offers Hacker101, a video series and set of example applications to get you started.
Yogesh’s Answer
Information Security is a very broad field of work and the resources would depend on what you are specifically aiming to learn and what you already know. You mentioned Programming/Scripting and also pen-testing and hence I will recommend the following books:
- The Tangled Web: A Guide to Securing Modern Web Applications - By Michal Zalewski
- The Web Application Hacker's Handbook - By Dafydd Stuttard
Getting the fundamentals correct is crucial to have a successful career in product security and the above two books would give you a good head start. If you are already familiar with most of the content/knowledge in these books, it is time to get some real-world hands-on experience. There are multiple ways to get such an experience, a few of which are:
- Using OWASP WebGoat / OWASP Juice Shop to test your learnings
- Participation in a BugBounty Program (BugCrowd or HackerOne)
If you are interested more in code and coding patterns around security, resources for understanding security-specific principles of each programming/scripting language would depend on the language of your choice. To get you started, take a look at the two below:
- Secure Coding in C and C++ (SEI Series in Software Engineering) - By Robert C. Seacord
- The CERT Oracle Secure Coding Standard for Java (SEI Series in Software Engineering) - Robert C. Seacord
If you are interested in learning more about Cryptography, I would recommend signing up for Coursera and going through the following course by Dan Boneh. Dan is a professor at Stanford and renowned worldwide for his knowledge and expertise in this subject matter. If this is your area of interest, start with the course before reading a book.
- Cryptography I and Cryptography II - Coursera by Dan Boneh.
Hope this helps!
-Yogesh
Jen’s Answer
Information Security is a great field to be in right now. There are so many opportunities.
Some great resources I have leveraged to grow my skills were sans.org training classes and participating in local security association chapters such as ISSA or ISACA. The chapters I have participated in have provided resources like annual training events or capture the flag events.
CodeAcademy is also an online training resource with courses in just about any subject that are available at no cost.
Jordan’s Answer
This actually depends on what part of Information Security you prefer. I'm an Application Security Engineer, and can only speak to Application Security:
One of my favorite books is The Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto. It's out of date (by about 10 years), but it will teach you the basics.
If you want practical experience, Capture the Flags (CTFs) are the best. A great starter CTF is OWASP's Juice Shop. It has a cheat sheet if you find yourself needing help. When you are ready to move on to the hard CTFs, I suggest looking up PICO and BSides CTFs.
A neat little thing I found recently: a common prefix for GitHub repos of resource lists is "awesome-". For instance, here are quite a few I have saved in the last few days:
- Hacking Resources: https://github.com/jekil/awesome-hacking
- Security: https://github.com/sbilly/awesome-security
- Payloads: https://github.com/swisskyrepo/PayloadsAllTheThings
Hope that helps give you a guide to next steps!
Stephy’s Answer
Hi Omar,
There are like tons of places to read and interactively learn the info sec technologies you have mentioned. I would like to throw out a few of my favorites.
Python - A Byte of Python (by SwaroopCH) https://python.swaroopch.com/
Information Security - Cybrary course https://www.cybrary.it/course/ethical-hacking/ Please feel free to explore all the free info sec courses from Cybrary
Reads: Try to read all the security architectures online
Software real life architecture - http://highscalability.com/blog/category/example
Google security architecture[cryptography and much more] - https://cloud.google.com/security/infrastructure/design/