Overview
Side projects can significantly differentiate you from other candidates when you pursue your first role in cybersecurity. They not only provide valuable talking points during your interviews but also showcase your genuine interest and dedication to bringing projects to fruition.
When choosing a side project, consider:
- Completing it within a practical timeframe.
- Selecting a challenge that sharpens your skills without overwhelming you.
- Creating something you can use in the future, although this isn’t strictly necessary.
Penetration Tester Projects
Project 1: SMB Share Scanner for Hard-Coded Credentials
An old colleague of mine once designed this tool when tasked with evaluating thousands of shares during a pentest. This tool scans open SMB shares, connects, and scours the files and scripts for hard-coded credentials. If you’re a penetration tester navigating a vast network and strict timelines, this project is a gem. It challenges your scripting, networking, and error-handling prowess.
Going the Extra Mile
If you want to make your tool more advanced, consider implementing features like throttling, file size checks, directory traversal limits, and logging capabilities.
Project 2: Custom C2 Server
Design a personalized Command and Control (C2) server to support your penetration testing. Ensure you fortify it, integrate robust authentication measures, and design it to either serve files or catch reverse shells.
If you’re new to programming and need a helping hand with this one, Joe Helle’s eBook is a great resource to get started.
AppSec Projects
Project 1: Burp Suite or Browser Extensions
Whether you’re enhancing existing extensions or building new ones, focus on versatility. Some innovative ideas include:
- Header analyzer – automatically test for misconfigurations saving you time.
- JavaScript event logger – capture and log JavaScript events triggered while you are browsing to help you understand client-side behavior and identify vulnerabilities like DOM XSS.
- Parameter logger – Automatically log parameters to a file while browsing to use later for fuzzing.
Project 2: Vulnerable Application Testing
Set up a vulnerable application and test different open source security scanners against it. You can compare the results of different open source tools and also review how they stand up to an increasing hardened target. For example, how well do scanners identify vulnerabilities before and after deploying a WAF? How well does the WAF prevent attacks with it’s standard configuration vs the use of extended rule sets?
This project in particular will give you a lot of insight into protecting web applications and shows that you can evaluate tools, a useful skill in the eyes of a hiring manager for any appsec team.
GRC Projects
Project 1: Open-Source GRC Dashboard
Create an open-source dashboard using tools like Kibana, or even Excel, to manage and display governance, risk, and compliance data. Doing this will give you insights into what features are required and what are nice-to-have so that when you step into a role, you’ll be able to evaluate the tools that the organization has and provide insight on what’s missing.
Project 2: GRC Playbooks
Develop flexible playbooks detailing what to do during things like a data breach the onboarding of a third-party vendor. Most people understand these processes at a high level but creating these playbooks will give you a much deeper understanding of the details and shows that you already have the ability to review, create and maintain these processes. You can also share your playbooks to the community too so that others can benefit.
Wrapping Up
Side projects are a great way to gain experience and showcase your skills to potential employers. Each project takes a step closer to landing your first role by not only enriching your resume/CV but also giving you plenty of talking points in interviews. Remember, the key is to pick projects that align with the role you’re targeting and don’t forget to enjoy it along the way.
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PJWT and PWPT certifications.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com
See How We Can Secure Your Assets
Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.