Suggestions on How To Become A Security Engineer: Learn the Path to Becoming a Security Engineer

Successful Security Engineers are able to identify the assumptions that need to be challenged.

Developing taste in identifying the right assumptions to challenge takes experience, knowledge & wisdom. Below is my suggested roadmap of reading material that should help anyone develop a successful career in Security.

Self test:

Below are questions you should be able to answer:

  • What do “Confidentiality”, “Integrity” and “Availability” have to do with security?
  • What properties make a discussion a “security” problem rather than a “privacy” problem?
  • What is the 7-Layer OSI model? Can you enumerate the layers from memory?
  • Can you describe the important transactions that make up a TLS handshake?
  • Describe the role of “Input Validation” in any resource accepting input from an untrusted party.
  • What technical solutions can be implemented to perform input validation?
  • What is the role of CVEs in infrastructure security? Why are they important? What practice should be implemented to reduce the risk of events?
  • What is the difference between TCP & UDP? Describe the security utility of a “UDP scan”.
  • What tools should you use to discover the entry points to a system on the Internet? How would you exploit them?

If you can go through the material above without breaking a sweat, congratulations! You’re obviously a security engineer and you probably found some useful copy-pasta. Perhaps you’d like to explore doing work with my team? https://www.amazon.jobs/en/search?base_query=digitalsecurity

But if the material above was not easy- it’s time to build some skills:

Establish your Computing Basics Foundation

For a computing foundation- simply master this file: https://github.com/alex/what-happens-when

Pay close attention to the following sections and be able to explain their function:

Learn to program in a memory managed language & a language without memory management

I’ve seen guides online that suggest you can be a good security engineer without programming knowledge. I’ve been working in this industry since 1998. There was a time where I did not consider myself a developer, despite working in security. I later developed sufficient coding skills & experience to know that you cannot succeed at security if you don’t deeply understand what developers experience. You need to learn to code. There is no way to provide significant value if you are unable to transform large amounts of data into a meaningful summary without the use of code. Until you get your hands dirty crafting the tooling to create unexpected outcomes, your opinions have limited utility. You might as well make critical commentary on a pro athlete’s form. Until you’ve walked the path, devs aren’t likely to take your advice seriously- and there’s a high degree of likelihood you are overestimating the utility of your recommendations. There is no substitute for being able to hand craft connections to a server and evaluating responses. You have to learn at least one language (I recommend python because of all of the security tutorials that are available which build upon python- but Go should be considered as a viable long term alternative). If you learn C, you’ll have an advantage in understanding & crafting exploits.

Python is a simple interpreted language that is popular and has lots of security related tutorials. You should just go through https://learnpythonthehardway.org/ if you’re starting from scratch.

C is a commonly used programming language without memory management. You’ll get the benefits of speed, but all of the security danger of managing memory. Lucky for you, the “hardway” folks have a page dedicated to C: https://learncodethehardway.org/c/

Read RFCs on how the Internet works:

  1. Requirements 101: Should, Must, Shall, etc: https://www.rfc-editor.org/rfc/rfc2119.txt
  2. IPV4 Specification: https://tools.ietf.org/html/rfc791
  3. Private IP ranges: https://tools.ietf.org/html/rfc1918
  4. UDP: https://tools.ietf.org/html/rfc768
  5. TCP: https://tools.ietf.org/html/rfc793
  6. Requirements for Internet Hosts- Communication Layers: https://tools.ietf.org/html/rfc1122 “In general, it is best to assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect.”
  7. http semantics: https://www.rfc-editor.org/rfc/rfc7231.txt
  8. TLS 1.3: https://tools.ietf.org/html/rfc8446

Go Practice:

Vulnhub.com is a wonderful practice resource. I particularly like the Mr. Robot exercise, because it gives you a good opportunity to practice discovering entry points, exploiting them and ultimately elevating privilege to solve the challenge: https://www.vulnhub.com/entry/mr-robot-1,151/ This would give you an opportunity to practice with nmap, sqlmap, dirbuster, as well as privilege escalation basics.

Pentesterlab.com is a very inexpensive subscription service that has detailed writeups for the exercises. It’s beneficial because of the breadth of exercises- you can see individual CVEs and then practice working to exploit them. Want to learn about OAuth exploitation? Lots of examples. XSS, SQL Injection, CSRF, etc. As long as you have an account and time to practice, I guarantee you’ll have a good starting foundation after going through the labs. This will give you good hands-on, per-vuln-category exploitation experience.

Protostar is one of the best memory corruption exercises I’ve been exposed to: https://exploit-exercises.lains.space/protostar/. These exercises are much harder than everything above, but if you have the desire to develop exploitation skills, these exercises will pay dividends. This will give you memory corruption experience, which seems to be the prerequisite necessary for identifying 0-days in open source software.

Get Inspiration

Videos can be helpful. The LiveOverflow channel is great and covers a lot of valuable exploitation examples: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w

George Hotz (aka Geohot) used to livestream his CTF activities. I’d be surprised if you don’t learn a few tricks from some of his demos:

https://www.youtube.com/watch?v=td1KEUhlSuk

https://www.youtube.com/watch?v=7bv_DNRpHaY

https://www.youtube.com/watch?v=Sx7JszqkL-w

The above is my guide for security neophytes. We need more security engineers! It’s a long road, but it’s a deeply satisfying career path. It’s nourishing to spend your career building solutions that people can rely on for both functionality & for safety. Do some reading and join our weird cohort.