What is required to work in web penetration tesing jobs ?
Wondering how to get a job as a Web Application penetration tester?
That was the topic of our forth webinar series “What is required to work in cybersecurity jobs”. This time we invited Ebrahim Hegazy, a senior security consultant at deloitte to discuss with us what is required to work in web applications cyber security jobs ? and to discuss his personal experience in the field.
How to start?
1) Understand the technology
In order to get started in the web pentesting field, you need to get familiar with the web technologies and how they are related to each others like how the servers operate, how the internet work and what are the technologies used to create and deploy a website. Also a basic knowledge in networks would be great. Ebrahim also mentioned that in order to be a good web pentester you need to understand how developers make mistakes that lead to security holes and learn how to exploit those bugs.
2) Learn a programming language
Ebrahim added, In order to be a good web application security researcher, you must have a good proficiency in programming languages. He suggested to start with PHP as it has a great documentation, awesome community and used by many companies including Facebook. Also he suggested to learn Python to be able to write your own tools and automate the process of the pentesting because while doing sometimes you might encounter situations where you have to to write a script or a tool to help you with your task.
As for the web technologies, you first need to start with the language of the web which are: Html, Css and Javascript. HTML provides the basic structure of sites. CSS is used to control presentation, formatting, and layout. JavaScript is used to control the behavior of different elements.
3) Build something of your own
Using the programming languages you learned, try building a simple website that has a login form, signup form, about page and home for example.
4) Read web security books
If you have no experience don’t worry. Start reading The Web Application Hacker's Handbook which starts from the very basic concepts till the most advanced attacks.
5) Participate in CTF competitions
By now, you would have a decent exposure to web technologies which means that you are ready to get your hands dirty. Start solving web security challenges and competing in capture the flag competitions to get practical experience in the field. Also if you got stuck when solving a CTF challenge, have a look at the solution (writeup) and try to understand the approach and learn from it.
CTF challenges:
6) Bug Bounty programs
Finding bugs in real companies through the bug bounty programs are the real deal. CTF’s are great but you need to start hacking real targets and finding security holes in real companies and this can be done through the bug bounty programs.
Bug Bounty Platforms:
Where can I find jobs in web security?
Ebrahim said that there are many websites to start searching for web security positions like: linkedin, irishjobs.ie, monster.com.
What is the future of Web Security?
He also indicated that the future of web security will be Automation. Automating the process of searching for bugs and security holes is now a critical topic that could be important in the near future ebrahim said.
Courses
Today, Ibrahim is developing a free online course for Web Application Pentesting which will begin from scratch and will go through advanced attacks and demos. You can access the course materials by clicking here.