cybersecurity

3155 readers

1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 1 year ago

MODERATORS

[email protected]

Mentorship Monday - Discussions for career and learning! (infosec.pub)

submitted 8 months ago by [email protected] to c/[email protected]

5 comments fedilink hide all child comments

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

top 5 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 8 months ago (1 children)

Any advice on requirements to have a shot at appsec jobs?

I have my sec+ and my job is devops. We do everything in AWS (no on prem at all). However I have no actual cyber experience. Our team is pretty small, so I do as much dev as anyone else and as much ops as anyone else (deploying/managing cloud infrastructure), including standard security stuff like IAM and network configuration. It's also a small unknown company.

Is this enough to try and directly break into appsec, or do I need to start with another "cyber" role like SOC analyst or security engineer or something like that? I also plan on getting my OSCP at some point soon if that's relevant.

[–] [email protected] 1 points 8 months ago (1 children)

Hard to give you a definitive answer on this one. I'd say you'd be hard-pressed right now to pull that off without a direct referral or other networked way-in. Job market is condensing, lots of (experienced) out-of-work folks looking for new roles, etc... If you aren't already in infosec, or you're not a full-time dev with some security knowledge, it will be tough. Your best bet (roughly) on things to add to your skills/portfolio would be...

Proficiency with one or more languages that your target role company uses (and evidence of this XP)
In-depth knowledge of OWASP "stuff" (Top 10, ASVS, etc...)
Practical XP with attacks/exploits (via experience, CTFs, trainings, Web Security Academy, etc...)
Some applicable certs

Some other stuff you might find useful....

[–] [email protected] 1 points 8 months ago (1 children)

Thanks!

Do you happen to know what certs would be most "applicable" in this case? Something like OSWE?

[–] [email protected] 1 points 8 months ago

Pure appsec certs off the top of my head… OSWE, GIAC GWAPT (and others from SANS), Portswiggers Burp Suite cert, OffSec also has a 200-level appsec cert. I’m sure there are other popular ones too.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

Wondering how I can best spend my time in a vast universe of infosec knowledge.

I feel like a lot of learning websites are geared towards pentesting, because it is a very active / immediate skillset - if you do things right, you'll get a flag.txt or something. I guess I'm just looking for something that isn't just watching videos or plugging away at Jeopardy style learning (HtB, Try Hack Me). But I'm also a bit directionless at the moment - there's so much to learn and I don't know which way to go.

Edit: decided to peruse some of the older topics for immediate gratification, came across your great guide here - https://shellsharks.com/getting-into-information-security - problem is I do a lot of this stuff already. I think I need to figure out my own direction.