TL;DR: I was not some prodigy programmer; I was lucky that a company was hiring for entry-level positions. I studied web application security concepts, interviewed, and saw some friends from university at the company. I feel all this helped me get my foot in the door. There is nothing special about me, and nothing here that you yourself could not do to get your foot in the door. It is a mix of luck and some work on your part. Mine must've been mostly luck!
Disclaimer:
IT Security is a huge field. My particular start was in the web application security field, and this is just one niche among many. I have linked to a post that talks about the various jobs in infosec and recommend you find an area that suits you and work toward that. You can find that article here, as well as some study resources in the Notes section.
Information Security is not a monolith and you do not need to know everything. You can do well being a master in one niche, and you can also do well being a jack of all trades in a few niches. I do not think you can know it all, but once you master one aspect of infosec it is not hard to jump into another path and be considered knowledgeable.
My background:
I currently have a bachelor's in computer science. At the time of my graduation, and still now, I have sub-par coding skills. I would say I am code literate when it comes to basic code; however, if you showed me a full-on app at the moment I may struggle to understand the subtle nuances. I did have an IT background, but it was mostly desktop support type work and nothing related to networking or coding. I had applied to multiple jobs and interviewed but could not land a job as a programmer, just because I did not have a stellar body of work straight out of college.
Company Profile:
The company I got hired at was a start-up at this point; they were willing to hire people with minimal experience in the hope that they could teach you what you needed to do the job.
They were acquired by another company but still operate today. They are still hiring although I do not know how their interview process has changed since I left. Here is a link to their careers page: WhiteHat Security Careers
My First InfoSec Job:
While searching on Dice.com I came across a position for an ethical hacker, thought "hey, that seems cool," and applied. I heard back from the hiring manager and did an initial phone interview. I cannot remember what they asked me, but I am pretty sure it was some basic level 1 comp sci stuff, and then I moved on to the on-site interview.
The company was actually pretty cool about the interview process: they gave me a link to study material and said, "go ahead and study this stuff, understand the concepts, and we will test you on it on the day of your interview."
The link was to the Web Application Security Consortium's threat classification page. I reviewed each vulnerability class and tried my best to understand what I was looking at. I went into my interview and was quizzed on these concepts. The best approach for studying this was to read over the vulnerability class and try to correlate it to my understanding of the web at that time. Honestly, I had a bare-bones understanding of the web; I did design my own web app in university, but it was a VERY BASIC APP. Below is an example of how I studied and tried to understand the concepts presented.
Example: Cross-Site Scripting (XSS) is an attack where a malicious actor is able to execute their own code in another user's browser session. So an attacker could send out a malicious link that says "Hey everybody, YourBank.com is giving away $500 to anyone that signs up for account protection, go ahead and click this link YourBank.com/account?x=<insert a link to a keylogger program in the language of your choosing>" and anyone who clicks that link could have their credentials stolen and transmitted to an attacker. Obviously that is an oversimplified example, but I am trying to drive the point home. You needed to review each class and just make sure you understood it in the context of a web application and its implications for the security of said web application.
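The reflected XSS pattern from the example above, as an added illustration that is not part of the original post: a hypothetical account page that echoes the `?x=` parameter, shown first concatenated straight into the HTML and then with output encoding applied. The host name, page, and functions are made up for the example.

```javascript
// Added example (not from the original post): reflected XSS via a query
// parameter, vulnerable render beside the hardened render.

// Encode the five characters that matter in an HTML text or quoted
// attribute context so the browser treats input as text, not markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the value of ?x= is concatenated straight into the page,
// so whatever the crafted link carried runs in the victim's session.
function renderVulnerable(requestUrl) {
  const x = new URL(requestUrl).searchParams.get("x") || "";
  return `<p>Protecting account for: ${x}</p>`;
}

// Hardened: the same parameter is HTML-encoded before it reaches the page.
function renderHardened(requestUrl) {
  const x = new URL(requestUrl).searchParams.get("x") || "";
  return `<p>Protecting account for: ${escapeHtml(x)}</p>`;
}

// Crude verification check of the kind used when confirming a scanner
// finding: did the probe string survive into the response unencoded?
function containsActiveMarkup(html, probe) {
  return html.includes(probe);
}

// Constructed sample link (hypothetical host) carrying a harmless probe.
const PROBE = "<script>alert(1)</script>";
const SAMPLE_LINK =
  "https://yourbank.example/account?x=" + encodeURIComponent(PROBE);

console.log("vulnerable:", renderVulnerable(SAMPLE_LINK));
console.log("hardened:  ", renderHardened(SAMPLE_LINK));
```

Encoding must match the output context: the entity encoding here covers HTML text and quoted attributes, not JavaScript strings, URLs, or CSS, each of which needs its own encoder.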
I completed my interview, and as I was leaving I saw some guys I went to university with. We talked a bit and they told me more about the company and how they liked working there. I mention this part because I am not sure if they provided feedback to the manager that helped me get hired; I will assume they did and that this helped a bit.
The manager called back and presented me with an offer. I did not really have any other leads with regards to work, so I said yes, and that is how I got started in infosec. Some "hard work" and some aspect of "luck" as well.
The first couple of weeks on the job were spent learning how to hack by reading The Web Application Hacker's Handbook, then meeting with someone more senior on the team to understand how our internal tools worked and how to do our jobs.
The Role:
The role I applied for was application security specialist (ASS, yes, I think it was intentional). Your job entailed:
- Configuring our scanning tool to get complete coverage of a customer's site.
- Verifying all vulnerabilities presented through the tool.
- Performing a manual assessment of the site and uploading all found vulnerabilities to the tool for the client portal.
- If needed, meeting with the client to discuss the vulnerabilities and possible solutions.
What did I learn in role?
- Learned different testing methodologies:
  - Blackbox: the hacker knows nothing about the site and does not have any credentials; they just have a URL and go from there.
  - Whitebox: you have access to everything you need, two accounts for each level of credential, and authorization to use those accounts to test.
  - Greybox: usually you first approach it as a blackbox test and then, after you are done, you proceed with a whitebox test. This lets the client know what an attacker can accomplish without access to anything, and the whitebox test will let you know of deficiencies in your application.
- Learned how to perform a penetration test:
  - Understand the goal of the site: how does this site make money for your client?
    - When you think about the way a site makes money, you can begin attacking that aspect; clients care more about how a vulnerability impacts their ability to make money.
  - Map out the site and look at the functionality that is key for profit generation; you will focus on these parts more than other portions of the site.
    - Look for attack entry points: anywhere a user can interact with the site or cause changes to the state of the site is an entry point for you to attack.
  - Plan your attack.
    - Based on all the information you have gathered, you understand a little bit about what the key aspects of the site are and how you will attack the site.
  - Execute your attack.
    - Start fuzzing the entry points you saw. ALWAYS ATTACK LOGIN AT THE END! You never want to lock out your credentials early in your penetration test.
- I learned to think like a hacker:
  - Once I understood what it meant to hack into sites (abusing implicit trust given to you), I began to look at everything through this lens. Not just websites: physical security is an aspect of IT Security, and you can learn how to abuse the implicit trust people give one another to your advantage.
Takeaways
My information security journey started with minimal knowledge and required that I learn a lot of concepts on my own. Even when I did get an offer, I was fortunate enough to have a company at the time willing to invest in educating me and giving me access to resources and experts in the field to learn more. Below I have included some resources that could help you in your journey into information security.
Notes
Want to get into infosec? Here are some great resources. This is not an exhaustive list; however, I think it can help you start on your journey:
- The Web Application Hacker's Handbook: a great resource to sit down and read while drinking a ten-gallon mug of the blackest caffeinated coffee ever.
- Web Application Security Consortium Threat Class
- The Open Web Application Security Project (OWASP) “is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”
- Awesome Hacking: an awesome list of resources for all things hacking that can teach you about all the niches in IT Security.
- Jobs in Information Security Blog: a blog by Tanya Janca (@SheHacksPurple) about the jobs in information security. You should also follow Tanya on Twitter; she has been a great resource for me in my learning journey!