Security Testing - Options for Lateral Entry

by Andrea Hauser

Keypoints

  • Security testing falls under the "attack" side
  • Making a lateral entry into security testing is possible
  • Sound basic IT knowledge is a must
  • Pathways to security testing differ greatly, with options including IT training, study or self-teaching

For anyone who lacks experience in information security or IT, getting into security testing may seem nearly impossible. But my own experience proves that successful lateral entry is possible.

Here I detail a number of options and tips for a successful entry into the field.

What is Security Testing?

The field of security testing involves working from the “attack” perspective of the IT security industry. For security testers, this means carrying out penetration tests, social engineering campaigns and many other types of tests. How these tests are actually carried out can vary enormously. Because there are many different fields, and because they’re constantly developing, it’s vital that you keep acquiring new knowledge.

Prerequisites

Setting your Expectations

The first thing you need to do is find out whether this field is right for you, because the path will be far too difficult unless you are sure about it and have the drive to reach the goal of working in IT security. Taking this long path only to discover that the work isn’t what you had hoped or imagined is something to be avoided. The work is certainly not what you see in movies, and a great deal of preparation and thought usually goes into an attack. It’s also worth noting that the work doesn’t end once the attack itself is finished. Afterwards, you will have to prepare a report for the customer outlining what was tested, where the vulnerabilities were found and how they should be handled.

Enthusiastic and Eager to Learn

Having an open mind is a must, as is a willingness to keep learning new things. After all, in a rapidly changing environment, you can’t just rely on old knowledge. For instance, a technique for exploiting a vulnerability that worked two years ago probably won’t work in the same way today. The basic idea behind such a technique may well be the same, but the technology can develop enormously in that time.

Broad-based Knowledge

In my view, entry into this field requires sound basic training in IT. You will need to possess basic knowledge of the following areas:

That doesn’t mean you need to be an expert in each of these areas. But it’s important to have at least a basic understanding of all of them, as well as a more thorough grounding in at least one of them. Next, I’ll look at some of the ways you can acquire this knowledge.

Pathways to Security Testing

IT Training

If it is still an option and if you have the time and energy, the best approach is to complete an IT training program that will provide you with much of the groundwork you will need in your day-to-day work.

Degree Programs

If a training program is no longer feasible or desirable, another option is to study at a technical college or university of applied sciences, for instance. This is the path that I chose. Looking back, I can say that there were times during my studies and in my work when I wished I already had experience in IT. If I could choose again, I would complete an IT training program right off. Remember, of course, that an IT degree requires a lot of work.

Self-teaching

If you have sufficient interest and time, it is entirely possible to teach yourself. After all, many of the best-known figures in IT security didn’t take the direct route to get there. Unfortunately, the general climate in the field increasingly indicates that having the right diploma is key. For this reason, I would not recommend this route.

Tips and Tricks

Community

It’s possible to prepare for an entry into security testing, even while you’re still training or studying.

Start contributing to the community from the outset. For example:

Building up your network of contacts

It’s a good idea to start building up your network early on. You might start by searching for people from the industry on Twitter. Twitter is particularly worth mentioning, as a lot of information in the IT security field is shared there and spreads quickly. So if you don’t have a Twitter account already, make sure to sign up for one so you don’t miss out on the latest, most exciting information in the field. Once you have your account, start by following users, ideally people you have met at conferences. If you don’t know anyone in the industry yet, you can start by following your local OWASP and keeping an eye out for IT security events on Twitter. This gives you an idea of who is active in the field so that you can start building up your network. Twitter can also be useful for finding jobs, because jobs are sometimes even posted on the platform.

Image: a position advertised on Twitter

Try it for yourself

To gain initial experience in exploiting vulnerabilities, you can use projects set up for the purpose. These include WebGoat and the Hacking Lab, both projects of the OWASP. There are also many other projects set up in similar ways.

Conclusion

A basic knowledge of IT is vital for entry into the IT security field. There are various pathways that can take you to this goal. Whatever approach you take, IT security is constantly evolving, so a passion and willingness to learn are essential.

About the Author

Andrea Hauser

Andrea Hauser graduated with a Bachelor of Science FHO in information technology at the University of Applied Sciences Rapperswil. She is focusing her offensive work on web application security testing and the realization of social engineering campaigns. Her research focus is creating and analyzing deepfakes. (ORCID 0000-0002-5161-8658)
