Hello! My name is Mike and I am an infosec engineer with 10+ years experience. I’ve worked in GRC, Vulnerability Management, PenTesting & AppSec. I have 17 SANS certs (I have a serious problem) and I’m also an infosec community enthusiast and creator/mod for /c/cybersecurity. AMA!
Hi Mike, I’m a big fan of your blog and know you’re a SCA (SANS Cert Addict) haha. Thanks for doing this AMA!
For someone who’s been on the offensive security side of the house for a few years and now getting into more Application Security Engineer focused roles, what would be some recommendations in terms of a skills roadmap? (certs/study/training etc.). Thanks!
Roadmaps are such a double-edged sword imo. I’m as guilty of trying to come up with roadmaps as anyone but have often round it get’s me too focused on future activities when I really need to focus on the task at hand. It’s of course important to have a destination in mind, and often that destination involves having multiple steps to get there (hence the roadmap), but you have to be cautious in biting off more than you can chew (as I have done a lot).
AppSec is, imo, the most interesting security discipline to be in right now. It’s sort of all-encompassing and exposes you to a lot of things, coding, cloud, devops, modern frameworks, etc… Given your proximity to devs, learning as much as you can about coding is/will always be super valuable. Plus, if you can code you can automate which is a skill many in infosec don’t have which can set you apart. There’s so many specific directions to go in in terms of languages to learn, frameworks to master or sub-disciplines to focus on that it’s hard to recommend any specific next step or path though. With coding chops, you have a lot of translatable and easily applicable skills for any job though.
Where do your interests lie? Building, breaking or defending?
Thank you! Yeah, I see myself in that deathtrap of trying to build out roadmaps and taking on way too many things a little too often haha. I definitely agree with you that AppSec is one of the most interesting security disciplines out there atm.
Given my background, I tend to gravitate towards breaking and a fair bit of defending but I’m fairly green when it comes to building. That said, I’m trying to improve my dev skills to be able to understand a developers mindset and be able to design and build an AppSec program from that PoV. On the same note, I’ve been looking into the CSSLP cert as a reference to help me along this journey, any thoughts on the cert or the material?
Appreciate the response and I look forward to your new content.
Haven’t taken the CSSLP nor have I seen it asked for very much on job reqs. It wouldn’t hurt to have but ISC^2 doesn’t exactly have the reputation for practical learning.