InfoSec Career Paths vs Programming Skills – The Basics

On Peerlyst, in my Q&A session, Eric Geek‍ asked:

Is being a great developer vital when choosing information security as a professional career?

My answer below:

Beneficial? Yes.
Necessary? By no means. Demand for development skills in infosec is raising, but the demand for general infosec specialists is growing even higher.

I know many fantastic security professionals, who just hate programming. They’ll code a bit to help themselves, to build some simple automation for their tasks, but they’d never write any serious application.

The market for infosec professionals is so wild, that it’ll eat almost anyone with any interest in security and some technical acumen.

Software engineers can easily become information security specialists

… and they bring a lot to the table, for organisations that need that kind of skill set.

The work required for software engineer/programmer to become security specialist will vary a lot depending on the person and their existing skills, aspirations and predispositions.

If you are a software engineer, then I would recommend to learn more about application security and then move into secure software engineering roles. While in that position, your goal should be to gain exposure to technologies and security processes. This will make it easier for you to switch between other professions within the cybersecurity industry.

If for example you’re a software QA engineer and you know how to test software, it doesn’t take much to start including security tests in your day to day work. It will allow you to realize after a couple of months that you’ve gotten the grasp of quite a few security issues!

If you’re a network engineer, then it makes sense to learn more about infrastructure and network security in order to move into positions such as network security engineer, incident response engineer, or a network penetration tester.

This approach should help you if you want to transition into cyber security at low cost and low anxiety. It makes it easier to make that transition, because if you have a solid background in building something it will come easier to you to figure out how to break it and secure it.

If you’re comfortable in a given specialisation, you won’t feel scared of the amounts of new knowledge you’ll need to possess and this will lower stress to ease you into the learning process.

So a software engineer who wants to transition into security role, should try applying security principles to whatever they’re currently doing — try to learn how to break the things they’ve built, and then how to make them more secure and impenetrable as possible. If you reiterate enough, you can become a security-savvy engineer who can easily add ‘security’ in front of their existing job title and becoming a security specialist in any given field.

I would suggest adding some good eye opening resources to your knowledge base. One that holds value for all types of security operations is learning about basic Security Architecture Principles. And then learning more depending on which fields of cybersecurity you want to explore.

Here are some great materials for Web and Mobile Applications:

  • OWASP Application Security Verification Standard(ASVS)
  • OWASP Security Code Review Guide
  • OWASP Web Applications Testing Guide
  • OWASP Mobile Testing Guide

Network and Infrastructure Security:

But the most foolproof and effective methods of learning security skills to me is doing the following: google stuff out. Start doing some fundamental research in your craft and google is your best friend here, and always will be. Sooner you learn the art of googling, is better because we use it a ton in our day to day work.

If you’re writing code in C++, then google “C++ security vulnerabilities”, or “writing secure code in C++”. If you’re deploying apps in cloud, such as AWS, then google “how to secure AWS applications”, “secure deployments in AWS” and so on. Learn as much as you can from search results and from the latest news, this will expand your security expertise as time goes by.

This way you’ll learn security skills relevant to what you’re currently doing and keep up with the latest cybersecurity trends, which will allow you to live and breath that knowledge and put it to practice in your projects.

You can become valued security professional from any IT specialization

I often get a question on how to become a security professional. And my answer is – by becoming a professional in any other field, or by working your way up from anything you’re currently doing. Reverse engineer requirements from job offers in your area and learn what they want you to know. Then strike at them as soon as you feel comfortable with your skills. Research & reverse engineer job offers & learn & practice & go on interviews & understand what you were missing and why they haven’t accepted you & learn the missing pieces & rinse & repeat until you get a job.

Appreciate the journey and don’t underestimate the value of having a varied background, do it all at the beginning because you’ve got time.

I started my adventure in IT from the very bottom, working as a computer technician, network admin, web programmer, and system administrator. After many years, I got involved in security. I do not regret the time I spent in previous positions because taking an indirect path provided many valuable experiences, all of which gave me perspective. My range of experience allows me to understand the problems many employees face, enabling me to make better decisions for the companies and teams I work with. I believe the security industry could benefit greatly from more diversity

However, if we’re considering a position where you have zero experience in security whatsoever, but have experience in other fields of IT, then I recommend becoming an expert in a different field. Start applying security concepts to your field of specialization. This has worked for so many talented professionals I know. Too many people want to get into security without prior experience in anything IT related. This doesn’t make most of them very valuable professionals because they tend to make myopic decisions without considering business context. Security is merely an addition to business operations, designed to support its longevity. It doesn’t exist on its own.

You can read pentesting and bug bounties blogs, but pasting random payloads without deep understanding will prevent you from contributing much to your organization. Dive deep into anything you learn, stay curious, and enjoy ‘expert’ status in a few years.

Here are a few viable and popular career options:

Web App Security TesterSome skill in coding is good. It’s not necessary, but it is beneficial and it’s usually what separates wannabe experts from true experts. Learn how software stacks work and get a handle on web programming languages like Java, PHP and their respective frameworks. To break something and improve its resiliency afterward, you should understand how it all works. Once you review all the OWASP resources, you’ll know what to do next

Network SecuritySimple bash/perl/python/ruby coding if any. Create a local lab network consisting of various components. Deploy services like LAMP (Linux, Apache, MySQL, PHP) stack and research how to secure each element. While building, study what issues can arise during configuration and maintenance so you know what to avoid and how to test them when sysadmins hadn’t the time, interest or knowledge to do so. Then, focus on PTES (Penetration Testing Execution Standard) Technical Guidelines to discover ways in which penetration testers and hackers can attack your network. Reverse engineer their methods to build proper defenses against future attacks.

Compliance and AuditingZero programming skill required for most roles. Learn about underlying technology and business models. You want to understand how businesses operate so you can protect them and ensure new regulations don’t hinder company innovation. Grab some good business books and gain business exposure by learning from executives and managers with real-world experience. Study industry best practices, like those from the Center for Internet Security, as well as regulated standards like HIPAA, PCI-DSS, DISA STIG, ISO 27001, SOC2 to understand how to make your organization compliant without negatively impacting productivity.

Cryptographer/CryptoanalystDepending on a chosen niche, coding may be just an addition for tests of implementations, protocols and algorithms cracking. If you want to become an expert in this field, I recommend attending a university with strong mathematical and cryptography programs. This is a fascinating field that requires prior and substantial mathematical knowledge, so if you go through heavy math, learning to code will be your least worry 🙂

Security ConsultantDepending on the context, most roles require zero coding, some require some. This position will help you gain experience working in IT or IT security, so you can understand the business and broaden your horizons. If you decide that you want to stay in consulting, research what big companies are doing, technology they use, and regulations they’re subject to, then learn how to manage these for them.

Vulnerability ResearcherAll-in or ZERO. This narrow specialization requires focus in at least one field. Become proficient in at least one programming language, framework, and operating system. Then focus on a narrow set of functions in a given product or service. Examples include studying assembly, C programming language, learning how video transcoding works, and identifying weak spots in a library such as FFmpeg. Zero coding is required if you want to be a bug bounty hunter, who keep calling themselves “vulnerability researchers”

Software Security Expert – Software engineers often become security experts. Be proficient in at least one technology stack, then apply all relevant security knowledge to making products safer. Strengthen security across your organization, responding to the demands of your colleagues and customers.

If you want to speed up the process of becoming values security professional, pick technology that truly interests you and learn as much as you can about it. So instead of being Web App pentester, become a Node.JS security expert. Be a specialist, not a generalist. Go for a narrow niche. Find something that sparks your curiosity and become passionate about it. Know things only 0.01% of people using the technology knows and your pockets won’t be able to hold amounts of money companies will pour into it 🙂

The most important advice here is to look for employment as soon as possible because nothing can beat the quality of learning you get on the real job. It’s the actual job and job market that shows you what is required and what is not.

Almost ZERO programming experience required for Penetration Testers

Don’t get me wrong, pentester who knows how to program and code is invaluable, but some pentesters are such great manual testers that they will find a great employment no matter what. Despite the current state of pentesting in US where actually cool stuff is happening, you still have 95% of countries who’re a decade behind in terms of their cybersecurity posture, and in there all you need is to study OWASP Testing Guide to fill your pockets big time.

Let’s consider a few scenarios and then jump to job specific recommendations.

If you already have some security experience, then check out a few renowned books that are highly rated on Amazon with the title containing word “Pentesting” to build your foundation. Then go for an Offensive Security’s lab and certification – OSCP, which as of now is the most respected entry-level certification for penetration testers. Consume as much content as you can, but don’t allow yourself to get lost in the universe of theory. The best pentesters are those who put their knowledge into practice and get their hands dirty.

If don’t have security experience but work in other IT fields, then the recommendation is for you to become an expert in a different field and then start applying security concepts to your field of specialization. That route worked for many great people working in the industry that I know. If you’re a Java programmer, study how you can test applications written in Java. If you’re an IT OPS engineer deploying services in the cloud(AWS/GCP/Azure) then learn about potential security issues and learn how to pentest those services. Learning will come much easier if you have the proper background.

If you haven’t ever worked in IT, but want to work in security, well this one is tricky and hard because general security isn’t an entry-level role. Too many people want to get into security without prior experience with anything IT-related, which doesn’t make them very valuable professionals because lots of decision they make are myopic and don’t consider business context. You can get easily get excited reading pentesting and bug bounties blogs, but as long if you’re just pasting random payloads without deep understanding of a matter, then you’re not contributing much to your organization. Same way you won’t get a sixpack by reading about pushups, you won’t become a great penetration tester without going into the field and testing stuff.
So go deep in anything you learn about, and enjoy ‘expert’ status in just a few years.

And now let’s take a look at some of your options when you’re completely fresh to the field.

Web/Mobile App Pentester  – Learn how to code. It’s not necessary, but beneficial and that’s what usually differentiates expert wannabes and true experts. Learn how software stacks work to get a grasp of web programming languages such as Java, PHP and their respective frameworks. To break something and improve, then it’s the resiliency afterwards you should understand how it all works. It doesn’t mean you must be a guru software engineer, but you can’t go wrong knowing the basics.
Once you’ve completed all the resources from OWASP you’ll know what to do next.

Network/Desktop Apps Pentester – Create a local lab of a network with various components in it. Deploy some services such as LAMP(Linux, Apache, MySQL, PHP) stack and then google out how to secure each of those elements. While building, study what issues can arise during the configuration and further maintenance, so you know what issues to avoid and how to test them in the future in other environments where sysadmins hadn’t had time, the interest or knowledge to secure their instances the way you could. Navigate to PTES (Penetration Testing Execution Standard) Technical Guidelines and see what are the ways penetration testers and hackers could potentially attack your network, then reverse engineer their attack methods and build defenses so they attacks no longer work.

Specialized Pentester – Pick one technology and go as deep as you can. So instead of being a Web App Pentester, become Node.JS Security Expert. Become a specialist instead of being a generalist and cut the learning process in half or even more. Find something you’re curious about, learn more about it, and become passionate about the field, put in a few solid years of dedication, and you’ll get whatever you want to have. (Well, not precisely everything you want, but you get the point)

Red Teamer – All of the above recommendations apply including social engineering and physical security attacks. You may not have the technical predispositions to be a great web pentester, but if you have been gifted with empathy and social skills then you can still achieve a lot!

There are hundreds of blogs of people who documented their journey, and I recommend you to look into real world examples of people who’ve moved into a pentesting career. Learning from the successes and mistakes of others is very cost-effective. Also, I’ll recommend you a bulletproof method of finding a job as a pentester. An importance most people don’t realize:

  • Find a few dozens of pentesting job offers in your area
  • Extract the most common requirements, both high level and detailed technical skills
  • Know what to study and what employers really need
  • Don’t waste time on learning everything. Learn the minimum possible to get the job and be a valuable team member. From there your career is highly malleable, you can adapt to what your organization needs you to do.

So yeah, you can flourish in the infosec field without having more than one week of study in programming. The market is the ultimate judge. Some companies require programming skills as a must-have, and some don’t care. Find what suits you best and keep on rockin’!

2 thoughts on “InfoSec Career Paths vs Programming Skills – The Basics

  1. Hi Dawid,
    First of all, you are doing great job. I have 1 question, it may be hard because I know that a lot of factors impact on it. What is the average salary for the first job in security in Poland (Krakow/Wroclaw/Warszawa)? Let’s say for a person with 2-3 years experience in QA area, with some programming skills and knowledge of security that is enough for the first job. I guess that web/mobile pentester would be accurate according to your descriptions, so let’s assume for this position. Thank you very much in advance.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.