Infosec researcher | writes @ https://shellsharks.com
Mastodon: @shellsharks@infosec.exchange
There’s no one path in to be sure. But there’s lots of ways to educate yourself and build a “hireable” portfolio from home and without getting a typical 4-year degree. Learn to code, get some applicable certifications, start a website (as your digital portfolio), contribute to open source or spin up your own project(s), etc… The IT/software/cyber market is not at its peak (in terms of opportunity), but we’re definitely still here and there are openings. It’s still a great field with a lot of perks if you can weather the challenges of “breaking in”. It’s also not going anywhere, despite what some may lead you to believe given the advent of “AI”. For those of us in tech, we’ll be the first to tell you that our jobs are pretty safe.
If it’s infosec you might be interested in, you may find this guide I put together and typically share interesting - https://shellsharks.com/getting-into-information-security.
Good luck!
I’ve tried a bit. But not really day-to-day just yet
nope 😕
Overall, yes. Day to day y’know it varies. Pure “security work” is, for me, genuinely interesting and I spend legit personal time learning and working on projects, for no other reason than they are kinda fun. What I do as a security engineer for a corporation day-to-day and week-to-week doesn’t always translate to the “fun stuff”. So my answer is somewhat nuanced. Yes, I do like cybersecurity. But no, I don’t always like the work in terms of how it manifests in corporate life.
Got a bunch of house projects coming up myself… What kinda renos you up to?
Yeah $400 is too rich for me at this point in my life. But maybe one day 🤷♂️
I just use an Osprey Comet daypack (https://www.amazon.com/gp/product/B072N2WY6S/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1), though if I had just random money to burn I might go for the “Technonaut” https://www.tombihn.com/products/techonaut-30?variant=40265614753981
I wouldn’t worry about certs to start, especially not OSCP. Since you are in the software/dev space, I would consider security roles in the AppSec or CloudSec space as places to jump first. For that, consider going through PortSwigger’s web security academy (free) training online to learn more about web vulns, their impact, how to mitigate, etc… If you want a cert, consider one from a cloud vendor and apply to jobs that use that vendor. If you can do even basic scripting, understand app-related vulns and use a few appsec tools then you should be an easy hire for a lot of places. (That said, I’ve been hearing the market for infosec is atrocious right now).
Never been in the QA world myself, but as someone who has spent a fair bit of time in AppSec, I’ve encountered Selenium the most. 🤷♂️
When you say “transferrable in QA” do you mean, languages useful for QA folks that transfer out? I’d argue any/all of them would be for appsec folks.
Not a bug bounty hunter myself, but it seems like one of those things that you just have to jump into and start trying to do. So many bounties seem to be pretty low-hanging fruit type of stuff. The payouts might be either LOW or non-paid, just recognition type stuff, but seeing an accepted bounty submission come back does a lot for your confidence. It’s like CTFs in a way. Getting into CTFs seems intimidating at first, but then when you go actually do one and you have some level of success, it starts to feel a bit more approachable, you get more XP and you do better the next time.
You could also check this out https://www.bugbountyhunter.com/zseano/ and anything/everything from https://portswigger.net as that team is the best I know in terms of cutting-edge web app research.
That’s a loaded question 😅. One that can be answered in a few different ways… From a technical perspective, “infosec” is a relatively vast field comprised of a lot of sub-disciplines, so from a tooling and procedural perspective, it varies from job to job. Some would argue a lot of what we do is just theater, and for many orgs and many “pros”, this may very well be true. At the root of it all though, you could say our job is to ensure the Confidentiality, Integrity and Availability (classic CIA triad) of data/systems, keeping in mind the balance/tradeoffs between security needs and business requirements. To do so, we employ a variety of tactics, techniques, tools, methodologies, frameworks, etc… Another way to boil down what security folks do is in the lens of “risk”. Most business and IT decisions in general come down to risk-based decision making and security is no different. Security teams should understand the risk introduced by the threat landscape coupled with the respective data, attack surface, business assets, etc… to help inform the business how to reduce security risk to acceptable levels.
Hopefully this answer isn’t too vague and non-answer-ey!
Titles in the security world are kinda a mess. Generally I just look for “-security engineer” titles. So in this case you would probably find “Cloud Security Engineer” or something. Look for security engineer roles that have anything cloud-related in the job req and you are probably on to something.
Hard to say, especially in this market. But, if you have some coding chops (from DevOps experience) or you have some knowledge of native cloud security tooling (from a Cloud role), then you would definitely have a leg up in getting a security engineer or netsec role (consider that a lot of modern “networks” are largely cloud networks).
I’d wager most people do. But you certainly hear about all the people who spend their free time doin more cyberz. I am definitely guilty of this a lot of the time. But I’ve been working harder to disconnect more. Being a parent helps with this as it’s pretty mandatory.
I wrote a bit about the pitfall(s) of “Certification Paths” - https://shellsharks.com/notes/2023/11/14/stop-worrying-about-certification-paths.
This is coming from someone who has A LOT of certs, and I’ve learned over this time that it’s just not the right way to think about progressing career-wise. You can read more though about certs and some thoughts on what you could take here too https://shellsharks.com/training-retrospective#what-certification-or-training-should-i-take.
I’ve seen a lot of Cybersecurity salary surveys on Reddit (sorry to linking to the other place - https://www.reddit.com/r/cybersecurity/comments/15fo0e6/how_much_are_you_making_in_cybersecurity/). Levels.fyi is also pretty accurate for cyber/software engineer data across the various levels, especially at your typical “tech” companies (https://www.levels.fyi/)