In my post From developer to pentester, I described how I switched from a job as a software developer to a job as a security tester. Since I wrote that post, I’ve been asked a lot about how to learn pentesting as a developer and how to make the switch to pentester. This article describes how I learned enough security to get a job, and then even more.
How to become a hacker
My interest in application security gradually increased along with my career as a developer, up until the point that I got a job as an application security tester. Here is what helped me to become a pentester.
Create a web application
When I switched to pentesting I already had more than 15 years of experience in developing web applications, and that knowledge still helps a great deal when hacking web applications. Programming gives me insight into how a web application works and why it works the way it does, because I have programmed something like that before. This is a huge advantage as a pentester. I try to exploit things that I think are in the application, based on my experience as a developer.
It also gives you more empathy for the software developers to whom you report vulnerabilities. Experience in programming helps with giving recommendations to developers about how to fix security vulnerabilities, because you have seen their side of the story. This helps you explain the issues and weigh risk against reward correctly. Some issues are hard to solve and yield little security improvement, but you only know that once you have tried to solve them yourself.
To learn web application hacking, create a simple web application yourself. This process teaches you how web applications work and helps you hack them.
I started out by developing applications in PHP. PHP doesn’t require a framework and makes it easy to introduce vulnerabilities into your code. I wouldn’t advise starting a new web application in PHP today, even though PHP has greatly improved in the meantime.
Focus on security in your current job
If you currently have a job, for example as a developer or system administrator, you can already integrate information security into your job. I learned the most about security by paying attention to it while I was developing web applications. I just read a lot of articles on the internet and tried to improve my programming. Applying what you learn makes sure you really understand it well, and it broadens the knowledge relevant to your current work. And you can start with this immediately.
In my previous job, I once found a security issue during a presentation meeting. We had the normal password reset functionality, where users can input a validation code sent by text message to reset their password. First I demonstrated that the correct code worked as it should. Then I wanted to show that an incorrect code, such as “123”, didn’t work. Except that it did. The code that looks up the validation code in the database works with either a code or a numeric primary key, and it tries to guess which is which. This means that using a short simple number worked instead of the long random validation code.
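The lookup bug described above, reconstructed as an added example (not the original application's code, and in Python rather than the PHP the author used): an in-memory dictionary stands in for the database table, `lookup_vulnerable` reproduces the ambiguous code-or-primary-key lookup, and `lookup_strict` shows the defensive version, which only ever treats the input as a code, binds it to the requesting user, checks expiry and compares in constant time.

```python
import hmac
import time

# Constructed sample table standing in for the database:
# primary key -> (username, validation code, expiry timestamp)
RESET_CODES = {
    123: ("alice", "K7Q2M9XT", time.time() + 900),
    124: ("bob",   "ZP4H8WN3", time.time() + 900),
    125: ("carol", "EXPIRED1", time.time() - 1),   # already expired
}


def lookup_vulnerable(value):
    """Ambiguous lookup, as in the bug described in the post.

    A purely numeric input is guessed to be a primary key, so the short
    number "123" matches row 123 and resets alice's password without the
    long random code ever being checked. Returns the matched username.
    """
    if value.isdigit():                       # "must be an id" guess
        row = RESET_CODES.get(int(value))
        return row[0] if row else None
    for user, code, _expires_at in RESET_CODES.values():
        if code == value:
            return user
    return None


def lookup_strict(username, value):
    """Hardened lookup: returns True only if `value` is the unexpired
    validation code issued to `username`.

    The input is never interpreted as a primary key, the code is bound to
    the user who requested the reset, and the comparison is constant-time
    so response timing does not leak how many characters matched.
    """
    for user, code, expires_at in RESET_CODES.values():
        if user == username and time.time() < expires_at:
            return hmac.compare_digest(code.encode(), value.encode())
    return False


if __name__ == "__main__":
    print("vulnerable, input '123':", lookup_vulnerable("123"))       # alice
    print("strict, alice + '123':  ", lookup_strict("alice", "123"))  # False
    print("strict, alice + code:   ", lookup_strict("alice", "K7Q2M9XT"))  # True
```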
I often get asked about certifications. I didn’t do any hacking courses or certifications. A certification makes you stand out to employers, but it is possible to get a security job without any certification.
One good certification that really tests if you are capable of pentesting is OSCP. That certification involves hands-on hacking and can be trusted to indicate competence. However, it is not really targeted at beginners.
On the other hand, the CEH certification is not a good indication of somebody’s knowledge. It looks good on your resume, but it doesn’t indicate actual competence in anything; it is just something to impress HR people with.
Other certifications that may be interesting are the eWPT and eWPTX. These are focused on web applications only. However, they are not as well known as the OSCP, so they don’t reflect as well on your resume.
Instead of getting a certification, it is also possible to find vulnerabilities in open source software or bug bounties and put that on your resume to show you are a capable hacker. However, I don’t really understand the job market, so I am not the best person to give you advice on this.
Read about hacks
I read a lot of blog posts about hacks, especially those posted on /r/netsec. I found the blog posts containing code or other technical details particularly interesting. I have listed a few here. If you don’t like reading, you can watch videos of presentations, although it’s pretty hard to filter out the good ones.
I also learned a lot by answering questions on Information Security StackExchange. Answering other people’s questions keeps you thinking about security problems and makes it apparent where you are missing knowledge.
A lot of infosec people also have Twitter accounts. However, the useful infosec knowledge on Twitter is interspersed with clickbait, politics and hate.
To learn pentesting you need to practice a lot, both on hacking exercises and on real web applications. You need to get a feeling for which vulnerabilities occur where and how to find them. There are a lot of practice sites, and I practice on real web applications that I run on my own computer. I think this experience of figuring out how real web applications work is very important for hacking them. I don’t really do bug bounties.
I think a good starting point is to learn about the vulnerabilities in the OWASP Top 10 and start with simple hacking exercises such as the XSS game. Another good resource is PortSwigger’s Web Security Academy, which mixes explanation with hands-on exercises.
However, practice sites are no substitute for real applications. You need to find vulnerabilities in applications that are not games and don’t have a clear solution in order to get proficient at hacking.
As a programmer, you typically work with one or two frameworks on a job. As a hacker, you may encounter many different programming languages and frameworks across several applications. Some platforms that I had never heard of are used pretty often, and my fellow hackers already had experience with them. Most Mendix applications have the same authorization issues. I had never heard of it, but I have already tested three or four Mendix applications since I started working as a web app hacker.
When I hack web applications I typically use a browser with a clean profile and an intercepting proxy such as Burp Suite. When I started out I ran this on a Kali virtual machine, but now I just run it directly on my MacBook. I use the active scanner from Burp a lot, but I still find the most vulnerabilities by manually modifying requests. I use dirsearch to find files on the web server. I used to use nikto, but this rarely turned up vulnerabilities not found otherwise, so I no longer use it.
I feel that in the infosec field there is a great deal to learn, even more so than in developing software. Sometimes between projects there is a little time to research or learn something, and I occasionally research things at home. Especially when I had just started, I was learning a lot in my own time. For me, this was mostly because I was very interested and keen on learning new things, but I can understand that it is hard when you don’t have as much time. When I started I tried to write a blog post every week, which is pretty demanding but also made me learn at a quick pace.
Get a job
I learned a great deal on the job. I am doing a different project every week, and I learn something from every project. I am eager to learn and I think this is rewarding, but it takes effort and it is not for everyone.
Getting a job in security helps you learn more easily and faster. It doesn’t have to be a pentesting job right away. You can first get a job that is similar to your current job but with more focus on security. Maybe you can switch to a security-oriented position inside your current company.
Eventually you may want to apply for a job as pentester. Don’t wait too long before doing this. You don’t have to be a perfect pentester before you start working as one. The most important thing is to show your employer that you are capable of learning it fairly quickly.
As a pentester, it’s your job to point out technical errors that developers made. Developers will make errors that are very obvious to you. The pitfall of this is that you become arrogant and start to think you know a lot about security and that developers are idiots. You don’t, and they aren’t. Pointing out errors is much easier than fixing them. People outside of the security bubble have other priorities that you don’t understand. Stay humble and nice.
My experience doesn’t give a straight path from developer to pentester. However, I hope that my experiences are useful in helping you find your dream job.