This post is part of an article originally published here.
In essence, cybersecurity is about finding non-default uses of everyday technology that cause unintended behaviour.
As a cybersecurity researcher, you take ordinary things and think of malicious ways to use them. That sounds simple, but you might object that you don't have a burning intellect or a scientific thought process, that you have no mathematical background and know nothing about discrete mathematics or other dark arts, so how could you be good at cybersecurity? This is a myth. You don't need any of those things to be good at cybersecurity. We sometimes like to think that what we are thinking is unique, but it isn't: most people have the same questions, because human psychology is more or less the same everywhere.
There is so much abstraction in technology that you don't need a mathematical background or a scientific thought process. There are people who never had a formal education and are still excellent security researchers. Let's dive into the post and look at some ways you can get ahead in web security.
It is important for you to know:
Where is web development headed?
Which frameworks are considered the best in the world today?
Which frameworks are the most widely used?
In cybersecurity, people lose their passion when they can't find bugs. You need to burn the midnight oil and nurture genuine curiosity about web security so that you don't outgrow your passion for it. You don't want to look at a website from a bird's-eye view and only pick the low-hanging fruit, i.e. security vulnerabilities without any serious impact. If you want to be an above-average web security researcher, you have to take a closer and deeper look at how the different technologies used by the website fit together.
Like I said, there is no difference between a web developer and a web security person. The only distinction is that, while learning, you push yourself to know what lies beyond the default use.
Start by building simple, small websites with PHP or HTML.
Get familiar with a database and a web server, make tiny pages that take input from a user, such as login credentials or contact details, and then learn to do some penetration testing against them. I have curated a list of helpful resources for beginners to get started with web development and penetration testing.
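The first bug most beginners find in their own tiny login page is SQL injection, so here is an added worked example (not code from the original post) that shows it end to end: a login check that concatenates user input into the query, the same check written with a parameterised query, and the two classic test inputs a penetration tester would type into the form. Everything is self-contained: the user table, the usernames and passwords, and the `login_vulnerable` / `login_safe` function names are constructed for this illustration and use an in-memory SQLite database instead of a real web server.

```python
import sqlite3

# Constructed sample data: two accounts in an in-memory database.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation (the beginner's mistake).

    Whatever the user types becomes part of the SQL text, so a quote in
    the input can rewrite the WHERE clause. Returns the matched username
    or None.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterised query.

    The SQL text is fixed and the values travel separately, so quotes,
    comment markers and OR clauses in the input are compared as plain
    text and cannot change the statement.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the two classic test inputs against both versions of the check."""
    conn = make_db()
    # Payload 1: turn the WHERE clause into "... OR '1'='1'" (always true).
    always_true = "' OR '1'='1"
    # Payload 2: close the username literal and comment out the password check.
    comment_out = "bob'--"
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "bypass_vuln": login_vulnerable(conn, "nobody", always_true),
        "target_bob_vuln": login_vulnerable(conn, comment_out, "wrong"),
        "valid_safe": login_safe(conn, "alice", "s3cret"),
        "bypass_safe": login_safe(conn, "nobody", always_true),
        "target_bob_safe": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the vulnerable version the always-true payload logs in as the first user in the table without knowing any password, and the `bob'--` payload logs in as a chosen user; against the parameterised version both are simply wrong passwords. Reproduce the same thing in your PHP page with `mysqli` or PDO prepared statements, and you have seen one OWASP Top 10 class from both the developer's and the tester's side.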
Practice common security vulnerabilities in an ethical hacking environment.
Ready-made vulnerable applications give your skills a real boost because you can learn in a safe environment. Here are a few resources where you can legally practice your hacking skills.
Most importantly, work through the free OWASP Testing Guide.
OWASP has created many resources for strengthening the relationship between security and development. The guide covers roughly 70 to 80% of the vulnerability classes found on the web and how to find them. OWASP's aim is to help web security researchers understand the what, why, when, where and how of testing web applications. If you are getting started with web application security testing, here are OWASP resources that will help you get ahead.
If you want to be an excellent web application security researcher, go after bug bounties. Sign up with HackerOne and Bugcrowd, where you will see public programs that are running bug bounties. Google, for example, runs a bug bounty program; go ahead and try to find the kinds of issues you have learned about. Don't procrastinate by telling yourself you don't have enough skill to find a bug in a big company's product. Try to find vulnerabilities in products you yourself use, and take on some real challenges to financially bootstrap your career in web application security.
You need to build patience to stay focused, because it is very easy to fall into lazy thinking habits. A common problem among bug bounty hunters is that once you find a bug, you get over-excited: you want to get paid quickly, your focus shifts to the money and you stop thinking logically at a $200 bounty. As a result, you miss that the bug sometimes has much more impact than you reported. Only if you keep thinking can you turn it into a $2,000 or even $20,000 bounty.
Here are some resources that will help you get ahead in bug hunting:
Once you have found a couple of bugs through bug bounty programs, that track record will open doors to jobs at most companies.
Always keep in mind that the devil is in the detail. When it comes to security, engaging your curiosity will create the capacity for patience while you hunt for bugs. Be curious and patient.