Overview
Starting an Application Security (AppSec) testing career in 2024 can seem daunting given the vast landscape of content and resources. In this blog post we will demystify the journey, offering wisdom, practical advice, and resourceful tips to help you out.
This isn’t a guide you need to follow in a particular order. It’s about building a foundation of knowledge and skills you can use and improve upon; don’t worry about skipping ahead.
Avoiding Content Overload
With a plethora of great content creators like Rana Khalil, NahamSec, InsiderPhD, and LiveOverflow (to name just a few), the AppSec field is rich with information. It’s crucial not to get overwhelmed. Don’t feel like you need to watch every video or read every blog post.
What we recommend is keeping a single document where you organise useful content, links, and specific vulnerability techniques. Programs like Obsidian or Sphinx are handy for this, and over time the document becomes your go-to reference during engagements. Obsidian uses Markdown, which is simple to learn. Sphinx uses reStructuredText, a similar lightweight markup language, and can also compile your notes into an HTML site or a PDF.
Writing your own notes not only helps you retain a general understanding of concepts; it also means you have reference material on hand so you don’t need to search the Internet every time.
Mastering the Fundamentals of Application Security
Understanding the nuts and bolts of web applications is a must if you are serious about a career in AppSec. We cannot stress enough the importance of grasping protocols like HTTP, HTTPS, and WebSockets. You should also get acquainted with both client-side (browsers, HTML, JavaScript) and server-side technologies (web servers, databases).
The Traversy Media YouTube channel has a great crash course on HTTP and other topics. Similarly, WebDevSimplified has several short 5-10 min videos covering the basics. Besides videos, platforms like Wikipedia can be invaluable resources for beginners and seasoned learners alike.
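To make the "nuts and bolts" concrete, here is a small added example (not code from the original post) that builds a raw HTTP/1.1 request by hand and parses a raw response, which is exactly what the browser and an intercepting proxy are doing underneath. The sample response bytes are constructed for the demo, and the Host example.com is a placeholder:

```python
"""Build a raw HTTP/1.1 request and parse a raw response by hand.
Added example for this post; the sample response below is constructed,
not captured from any real site."""

from typing import Dict, Optional, Tuple

CRLF = "\r\n"


def build_request(method: str, path: str, host: str,
                  headers: Optional[Dict[str, str]] = None,
                  body: bytes = b"") -> bytes:
    """Serialise a request exactly as it goes on the wire.

    HTTP/1.1 requires a Host header, and a body needs a Content-Length so
    the server knows where the message ends (that boundary is what
    request-smuggling attacks abuse)."""
    hdrs = {"Host": host, "Connection": "close"}
    if headers:
        hdrs.update(headers)
    if body:
        hdrs["Content-Length"] = str(len(body))
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in hdrs.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode() + body


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status_code, headers, body).

    Header names are case-insensitive, so they are lower-cased for lookup.
    The body is cut at Content-Length when present; anything after that
    would belong to the next message on a keep-alive connection."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("iso-8859-1").split(CRLF)
    parts = lines[0].split(" ", 2)          # "HTTP/1.1 302 Found"
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = rest[: int(headers["content-length"])]
    else:
        body = rest
    return status, headers, body


# Constructed sample: what a login endpoint might send back. The trailing
# bytes are deliberately outside Content-Length to show the cut-off.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: nginx\r\n"
    b"Set-Cookie: session=abc123; HttpOnly; Secure\r\n"
    b"Location: /dashboard\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
    b"TRAILING-GARBAGE"
)

if __name__ == "__main__":
    req = build_request("POST", "/login", "example.com",
                        {"Content-Type": "application/x-www-form-urlencoded"},
                        b"user=alice&pass=hunter2")
    print(req.decode())
    code, hdrs, body = parse_response(SAMPLE_RESPONSE)
    print(code, hdrs["location"], body)
```

Paste the printed request into Burp Repeater or `nc` against a lab target and you will see the same bytes; once you can read a message at this level, request smuggling, header injection and CRLF bugs stop looking like magic.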
The Importance of Learning Programming
While proficiency in programming isn’t required for AppSec testing or bug bounty hunting, it is a significant boost to your career. Being able to read HTML and JavaScript lets you work out what an application actually does on the client side, and it lets you craft client-side payloads for XSS vulnerabilities.
Becoming proficient in at least one programming language lets you automate boring tasks and gives you an understanding of how insecure code gets fixed. We recommend learning some Python, as it is both versatile and easy to pick up, and many Linux distributions, including Kali, ship it by default. We also recommend learning Java, since Burp Suite, the main testing tool web app pentesters use, is extended with Java extensions.
There are many places where you can learn to code for free. TCM Security Academy offers a FREE Programming 100: Fundamentals course that is designed for beginners.
Delving into Security Concepts
AppSec isn’t just about understanding applications; it’s equally about mastering security concepts. Learning about vulnerabilities, and how to detect, exploit, and mitigate them, is crucial. You also need to know how to enumerate an application, identify interesting parameters, and use different fuzzing and scanning techniques.
We highly recommend the PortSwigger Web Security Academy, which contains learning paths and individual topics covering the most common vulnerabilities, plus over 200 labs at different difficulty levels, all available for free.
OWASP (the Open Worldwide Application Security Project) publishes a free Cheat Sheet Series and the Web Security Testing Guide (WSTG). The guide covers the full testing process and provides useful tips and techniques for finding vulnerabilities.
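The "automate boring tasks" benefit from the programming section and the "identify interesting parameters" step above meet in a script like the following. It is an added example, not code from the original post: it takes a list of URLs (the kind you export from a site map or crawler), collects every query parameter and the endpoints it appears on, and buckets the names by the bug class they usually hint at. The URL list and the name patterns are constructed for the demo; the categories are a starting shortlist, not a standard.

```python
"""Triage query parameters from a URL list and flag the ones worth manual
testing first. Added example for this post; URLs and patterns are
constructed and the categories are a personal shortlist, not a standard."""

import re
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

# Ordered so the first matching bucket wins; these regexes are this
# example's own heuristics, not taken from any tool or specification.
PATTERNS = [
    ("open redirect / SSRF", re.compile(r"redirect|return|next|url|dest|callback|target", re.I)),
    ("path / file access",   re.compile(r"file|path|page|include|template|doc|folder", re.I)),
    ("command / eval",       re.compile(r"cmd|exec|command|run|ping|host", re.I)),
    ("sql / idor",           re.compile(r"^id$|_id$|user|order|account|invoice|num", re.I)),
    ("reflected input",      re.compile(r"^q$|search|query|term|keyword|msg|message|comment|name", re.I)),
]


def collect_params(urls: List[str]) -> Dict[str, Set[str]]:
    """Map each parameter name to the set of endpoints (host + path) it appears on."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for u in urls:
        parts = urlsplit(u)
        endpoint = f"{parts.netloc}{parts.path}"
        for name in parse_qs(parts.query, keep_blank_values=True):
            seen[name].add(endpoint)
    return dict(seen)


def triage(urls: List[str]) -> Dict[str, List[str]]:
    """Group parameter names by the bug class their name hints at."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for name in sorted(collect_params(urls)):
        for label, rx in PATTERNS:
            if rx.search(name):
                buckets[label].append(name)
                break
        else:
            buckets["other"].append(name)
    return dict(buckets)


# Constructed sample: the shape of a site map export from a proxy.
SAMPLE_URLS = [
    "https://app.example.com/login?next=/dashboard",
    "https://app.example.com/download?file=report.pdf&id=42",
    "https://app.example.com/api/users?user_id=7",
    "https://app.example.com/search?q=shoes&page=2",
    "https://app.example.com/tools/ping?host=10.0.0.1",
    "https://app.example.com/api/users?user_id=8&debug=1",
]

if __name__ == "__main__":
    for label, names in triage(SAMPLE_URLS).items():
        print(f"{label:22} {', '.join(names)}")
    for name, endpoints in sorted(collect_params(SAMPLE_URLS).items()):
        print(f"{name:10} -> {', '.join(sorted(endpoints))}")
```

The point is not the regexes (tune them to the application in front of you) but the habit: a ten-minute script turns a few thousand proxied requests into a short list of parameters to hit first, and the same scaffolding can be reused on every engagement.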
If you are prepared to spend a little money, then both HackTheBox Academy and TryHackMe have educational courses and learning paths with live practice web apps to try your skills against.
Of course, at TCM Academy we also have several application security courses such as Practical API Hacking and Practical Bug Bounty, plus the Practical Web Pentest Associate (PWPA) certification.
Mastering Tools of the Trade
Although it is a paid product, Burp Suite Professional is the go-to tool for web app penetration testers, with comprehensive features for identifying and exploiting vulnerabilities. PortSwigger has well-written documentation for Burp Suite, as well as video walkthroughs explaining various features and testing techniques. The PortSwigger YouTube channel is worth subscribing to, as they release short videos explaining new features.
TryHackMe has a Burp Suite module available which teaches you how to use Burp against live examples. There are two rooms available for free users, and 3 extra rooms only for subscribers.
Note that purchasing Burp Suite Pro is not necessary to start your AppSec career: the free Burp Suite Community Edition includes the proxy, Repeater and a rate-limited Intruder, which is enough to learn the workflow, and most web app penetration testers are supplied a Pro license by their employer.
For beginners, ZAP offers a free alternative, and tools like feroxbuster, gobuster and ffuf will help with the enumeration stage of web application hacking, identifying hidden files and functionality which are easy to miss.
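To show what feroxbuster, gobuster and ffuf are doing under the hood, here is an added example (not from the original post or from any of those projects) of a minimal directory fuzzer. It spins up a throwaway HTTP server on localhost whose paths and status codes are constructed for the demo, requests each wordlist entry, keeps the status codes that indicate something is there, and reports the hits. Nothing leaves your machine.

```python
"""A minimal ffuf-style directory fuzzer run against a throwaway local
server. Added example for this post; the fake site, its status codes and
the wordlist are constructed for the demo."""

import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Iterable, Tuple
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Paths the fake target "has". 403 is included on purpose: a forbidden
# directory is still a finding worth noting.
FAKE_SITE = {"/admin": 403, "/backup.zip": 200, "/api": 200, "/robots.txt": 200}


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = FAKE_SITE.get(self.path, 404)
        body = b"<html>ok</html>" if code == 200 else b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target() -> Tuple[ThreadingHTTPServer, str]:
    """Start the fake site on a free port and return (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fuzz(base_url: str, words: Iterable[str],
         keep: Iterable[int] = (200, 204, 301, 302, 307, 401, 403)) -> Dict[str, int]:
    """Request base_url/WORD for each word; return {path: status} for hits."""
    opener = build_opener(ProxyHandler({}))  # ignore any system proxy settings
    hits: Dict[str, int] = {}
    for w in words:
        path = "/" + w.lstrip("/")
        req = Request(base_url + path, headers={"User-Agent": "mini-ffuf"})
        try:
            with opener.open(req, timeout=5) as r:
                code = r.status
        except HTTPError as e:  # urllib raises on 4xx/5xx; the code is still the answer
            code = e.code
        if code in keep:
            hits[path] = code
    return hits


WORDLIST = ["admin", "api", "backup.zip", "config.php", "login", "robots.txt", "uploads"]


def run_demo() -> Dict[str, int]:
    """Start the fake site, fuzz it, shut it down, return the hits."""
    srv, base = start_target()
    try:
        return fuzz(base, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, code in sorted(run_demo().items()):
        print(f"{code}  {path}")
```

The real tools add concurrency, recursion into discovered directories, file extensions, and filtering by response size or word count so that "soft 404" pages (a 200 with a friendly error) do not flood the results; those filters are the first thing to reach for when every word in the list comes back as a hit.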
Several vulnerability classes have inspired highly specialised tools that make discovery, and often exploitation, far easier. For example, sqlmap is the standard tool for confirming SQL injection and extracting data through it, turning an often slow manual process into something almost entirely automated. Be aware that it is noisy, and that options such as --dump or --os-shell can do real damage to a target, so confirm the injection manually first and stay within the program’s rules.
Gaining Real-World AppSec Experience
A great way to gain real-world experience when starting out in AppSec is to join a bug bounty platform like HackerOne, Bugcrowd, or Intigriti. Most platforms are open to newcomers, and if you follow the rules of both the platform and (more importantly) the individual bug bounty program, including its scope, you can try your hand at hacking live sites without legal repercussions. In addition, these platforms are great places to hone your report-writing skills, which is key if you want to transition to pentesting at some point.
A useful site I’ve been using recently, on the recommendation of InsiderPhD, is Bug Bounty Radar. It updates every 5 minutes with the latest public bug bounty programs added to 10 different platforms. Since you only get credit if you find the bug before anyone else, being among the first to test a program gives you a significant advantage.
There are a few AppSec certs out there, including the Practical Web Pentest Associate (PWPA) from TCM Security Academy mentioned earlier, as well as eLearnSecurity’s eWPT and the more advanced eWPTX. HackTheBox Academy has its Certified Bug Bounty Hunter (CBBH) cert, which is aimed at entry-level bug bounty hunters and web app pentesters.
Finally, CTFs (Capture the Flag events) offer opportunities to solve security puzzles and learn from the community. Web challenges are common and range in difficulty. They are rarely 100% realistic, but they still feature standard vulnerabilities, usually with a twist you need to figure out. The best place to find upcoming CTFs is CTFtime.
Conclusion
Embarking on an Application Security (AppSec) testing career in 2024 may initially appear overwhelming, given the vast array of content and resources available. However, by following the insights, practical advice, and tips in this blog post, you can demystify the journey and build a solid foundation of knowledge and skills. Remember to avoid content overload by organising useful materials with tools like Obsidian or Sphinx. Mastering the fundamentals of web applications, learning programming languages like Python and Java, and delving into security concepts are essential steps. Leverage valuable resources such as Traversy Media, WebDevSimplified, the PortSwigger Web Security Academy, and OWASP. Familiarise yourself with industry-standard tools like Burp Suite and explore free alternatives like ZAP, feroxbuster, gobuster, and ffuf.
Gain real-world experience through bug bounty platforms like HackerOne and Bugcrowd, and consider pursuing certifications such as the Practical Web Pentest Associate or Certified Bug Bounty Hunter. Additionally, participating in Capture the Flag events (CTFs) provides opportunities for skill development and community engagement. Stay focused, organised, and committed to continuous learning to thrive in the dynamic field of AppSec.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com