Hello! My name is Mike and I am an infosec engineer with 10+ years experience. I’ve worked in GRC, Vulnerability Management, PenTesting & AppSec. I have 17 SANS certs (I have a serious problem) and I’m also an infosec community enthusiast and creator/mod for /c/cybersecurity. AMA!
Hi Mike, I recently started working as programming intern for a company doing webapps. I’ve worked part-time gigs in a completely different field before, that means I got no certs, no job experience in IT to speak of, I’m not the young guy fresh out of school anymore. However, my interests have always been to break into cybersecurity and have slowly added some relevant knowledge as bare minimum… linux bash scripting, selfhosting, networking and etc. I’ve been checking out the certs usually recommended plus all the specializations out there and gotta say this is no easy commitment, but I do want to learn.
The thing is, what I’m currently seeing as intern is very different from what people in this field usually speak of online: For example, I was expecting the latest tools and whistles, but the company I’m at uses very old (10 years) frameworks for maintenance and support for corporate clients, windows only, proprietary stuff with very little documentation online. It gets… demotivating? It’s still a job and I have bills to pay, but I’m wondering how many years of experience do I need as a regular web developer (if my contract is renewed, even) to even attempt branching into infosec?
I know this gets asked a lot. Sorry for the long text. TL;DR: just started as intern programmer, company works with ancient dinosaurs instead of latest stuff, years of experience needed to become hackerman (or jumping from first one to others shown here)?
I don’t think there’s some minimum XP (in terms of YoE) bar to hit. You just need to be able to demonstrate your practical XP in some manner. Some people get this through work in IT/cyber, others through academics and others still through personal projects and doing things at home. There is a TON of self-teaching options these days through online trainings, CTFs, cons, meet-ups, etc… And lots of ways to document and market your experience and know-how (blogs, social media, podcast, etc…). Personally, I suggest learning a bit of coding, some cloud XP, start a small blog or post about what you’re learning on a micro-blogging platform and network network network.
As for your current place of employment, having a VERY legacy environment can actually be somewhat good for security as it may be “easier” in some respects to find misconfigurations and Vulns. Does your company have any security resources? If not, try to volunteer to help in that area, if they do, introduce yourself and ask to shadow/help/learn from them.
I see. I will have to document my progress and remind myself the company isn’t actually financing this. I should start by creating a blog.
Haven’t personally talked to the IT dep yet - I am in a small dev team for internal webapps and the last time we contacted them was because of printer problems, hah. Will try contacting them once I feel ready.
Thank you for the insights. Sorry I took too long to respond.
If anything that’s a great learning environment. Offensive security is a lot of reverse engineering, figuring out how stuff works based off (extremely) limited information and understanding how best to attack it.
Moreover, as these are old systems, they’re more likely to be outdated and vulnerable - not that you should try without permission or a clear understanding of what you are doing, particularly on production gear.
At any rate, no company will pay you to learn a completely different job to the one they hired you for. So you’re going to have to spend some of your own time learning about security. Where to start has been repeated ad nauseam online so I won’t attempt it.
Sorry for the late answer.
I haven’t thought of it that way - if I can convince my boss to test my skills on the legacy systems the company is running, it could be beneficial for both… assuming I get permission and enough actual skills to assess vulnerabilities.
Thank you for the perspective. I agree that intro posts are repeated ad nauseam, I will find my own way.