Tuesday, February 6, 2018

So you want to work in security? (and for some reason ended up here rather than reading other people’s posts on the topic).


A lot of people (including my colleagues from Google, Parisa and Michal) already wrote great posts on this topic, and I fully encourage you to read them. I expect there will be a lot of overlap with things already said, but every once in a while I get a question like this, so rather than typing something every time and linking to the aforementioned posts, I decided to write my own version that includes some of my own personal observations and experiences.

Take note that I’m an application security guy and am writing this from a vulnerability research / security review / bug hunting / hacking / whatever you choose to call it perspective. There are other career paths in security, such as secure development, malware analysis, infrastructure security and others, with which I am not as intimately familiar and on which I might not be the right person to give advice.

So, who am I and why should you trust me with this topic? Well, first of all I'm not saying you should trust me because everyone’s experience and everyone’s path will be different. But just in case you are curious: I’m currently a member of Google Project Zero, I used to be a member of the Google Security team, I’m the author of several security tools and if you scroll sufficiently long down this blog (which hasn’t been updated in a while, see the GPZ blog for the most recent posts) you’ll see that I’ve been tinkering with this security stuff for over 10 years.

But my background is somewhat beside the point because the people I know in security come from a variety of different backgrounds. For example, I also have a fairly strong academic background (with a Ph.D. in computing, having worked at a university for a long time), but that is fairly atypical among my peers and certainly not a requirement to get into security. That is, of course, not to say that having a degree is not useful, and I do feel that my education gave me a solid foundation to build upon later. However, regardless of the education you choose or already have, there is one thing most of the people in security I know have in common, and here we come to the first tip:

Do stuff on your own

For the majority of people I know in the industry, security was a hobby first before it became a job. Of course, if you are just considering getting into security, telling you to do stuff on your own does not help you much without telling you how you can get started doing that. Keep on reading because we’ll get to that below. But first, one other thing you should be aware of (don’t let it discourage you, we’ll see how you can deal with it later).

Don’t look now but getting started is more difficult now than it was 10 years ago

I suspect not everyone will admit it, but security did improve rather significantly over time. Sure, if you dig enough you’re going to find pieces of software and hardware against which techniques from over 10 years ago still work. But take a look at, for example, web browsers. When I was working on my first Windows exploit (a heap overflow) I was getting frustrated because Microsoft had recently introduced Safe Unlinking, so the generic, well-known heap exploitation techniques I read about no longer worked. Fast forward 10 years, and someone just getting started wouldn’t just have to deal with Safe Unlinking and stack cookies, but also SafeSEH/SEHOP, DEP, ASLR, CFG, ACG, a sandbox around every major browser and who knows what else. And it’s not limited to web browsers. If you take a look at the commonly used web application frameworks 10 years ago and now, you’ll also see significant differences in their security posture.

Don’t be afraid if the words in the previous paragraph mean nothing to you (yet).

So, how do you combat the increasingly steep difficulty curve?

Take advantage of the learning resources

While in general, the difficulty of getting started is higher, the fact is, there are also a lot more learning resources out there now than there were before.

But another word of warning: You need to be able to go out and learn on your own. Nobody is going to hold your hand or be your mentor (there might always be a master and an apprentice with the Sith, but it rarely works that way with hackers). If you prefer to follow a pre-set curriculum (as, admittedly, I did for a large part of my education) you’re not going to get very far in security.

Before you can get to the right learning resources, you need to start asking the right questions. Googling for “how to hack” and similar is still going to result in the same bullshit now as it ever did. Instead, try asking more subtle questions like:

  1. How does this piece of software/hardware I’m interested in work? What technology is it based on? Is there source code I can read? Tutorials? Books?

  2. Did someone already manage to break this piece of software/hardware I want to break? Did they publish writeups? Exploits? Conference presentations? Do I truly understand what they did?

It follows that you yourself must be rather technically savvy to understand how a real-world piece of software or hardware made by someone else works. While writing code and reading code are not exactly the same skills, there is a significant overlap, so if you are not comfortable coding, this is something you might want to improve before digging further into security.

Don’t forget the second point. While I was reasonably good at technical stuff even before that, my understanding of security didn’t come until I started reading vulnerability research and exploits published by other people.

Yet another word of warning: Don’t give up when you encounter things you don’t understand. Especially when getting started and reading various resources, you’re going to encounter a lot of them. Skipping those parts is the easy path, but it is also the wrong path to take. Instead, think of every bit of information you don’t understand as a clue about what else you need to learn.

Although I wrote that nobody is going to hold your hand, that doesn’t mean you should not ask questions. In fact, you should feel free to. People won’t do your job for you, but they just might give you a nudge in the right direction if you get stuck.

Use Twitter

It seems strange to endorse a specific social network, but the fact of the matter is that a lot of the security community uses Twitter to share news and, more importantly, links to recent research, vulnerabilities, PoCs, conference presentations, source code and the like. I don’t really know how this came to pass; perhaps it’s the short message format that makes it more convenient for people to share links to resources without getting (too) encumbered by unnecessarily long discussions. So find people on Twitter who work on or publish stuff you are interested in and check out what they tweet.

Besides Twitter, some other places where you can find interesting resources are r/netsec and Hacker News (though it carries other stuff besides just security). Also check out presentations and recordings of talks from security conferences (there are a lot of them, but not all of them are good; focus on the more technical ones).

Playing CTFs is a good way to learn

Another strange piece of advice for me to give, as I myself almost never play them, but remember what I wrote about the difficulty curve? CTFs can make your learning experience more gradual because challenges come in various difficulties (you can usually tell by the number of points each task is worth), so you can start with the easier ones and then build up from there. For example, sometimes there are exploitation challenges with some of the mitigations turned off. There is also some comfort in knowing that there is a bug / a way to solve it.

There is a CTF somewhere almost every week, most of them can be played remotely, and you can find the schedule here. If you fail at solving a task, don’t forget to check out the writeups from the people who did solve it.

CTFs can be a pretty gratifying experience but once you get better, don’t be afraid to go out and try yourself against a real-world target. You might surprise yourself!

Oh, and when it comes to real-world targets:

Don’t be afraid to fail. A lot.

Especially these days, vulnerability research can be a very frustrating experience. Most of the things you’ll try won’t work and you need to come to accept that, but don’t let it discourage you from trying anyway. It doesn’t happen just to you; it happens to me and it happens to other experienced researchers as well. But it's easy to think it happens only to you because, after all, what you end up seeing from other people are their successes and not their failures. The important thing is, if your idea fails, learn why it failed before moving on.

You are smarter than you think (conversely: other people are not as smart as you think)

This might be a controversial point because other people gave advice along the lines of “you are not smarter than the developers”. While this is true in general and good advice for a lot of people already in the industry, it might be the wrong thing to say to a lot of people who are just getting started or are just considering getting started. The thing is, after seeing what other smart people do, without having done anything in the field yourself, it is easy to doubt one's own abilities. Let me give you a personal example:

It might sound strange to you now, but when I started doing security as a hobby I thought I was never going to be “l33t” enough to find bugs in Windows. And I might have never tried, except I found my first Windows bug by accident: I was fuzzing some crappy image library and after a while I had some samples that caused crashes. And when I accidentally clicked one of those crashing samples in Windows, Windows Explorer crashed - and that was CVE-2008-3013.

Another case in point: When doing a review of a piece of software, you might have an idea and then think “nah, that’s stupid, the developers surely thought of that”. The thing is, they often haven’t. To be fair, that’s not because they are stupid; it’s because they were thinking about other problems at the time. But if the mindset of “I’m smarter than them” helps you break through the artificial limitations you set for yourself, then use it and to hell with being humble.

When you’re talking to other people, especially developers, that is the time to drop it, though. You’re going to have a much more pleasant time interacting with people if they see you as someone who wants to work with them rather than as an adversary. This doesn’t mean trusting whatever you’re being told, though. Remember, they are the experts in their code, but you’re the expert in security.

What do I do once I’m ready to show my skills to the world?

To start with, you can do that while earning something at the same time: A lot of companies, both small and large, offer bug bounties to skilled researchers who find bugs in their products. Google has one, Facebook has one, Microsoft has one, as do lots of others.

Even if you’re looking at something that doesn’t have a bug bounty, if it’s something a lot of people use and care about, finding a bug in it can be a nice way to showcase your skills, and writing about your research can help other people get started as well as get you noticed.

While it sometimes gets a disproportionately large amount of attention, publishing vulnerabilities is not the only way to contribute to the community - creating useful tools, doing defensive research etc. are cool as well!

What else do I need to know?

The life of a security researcher might not be as glorious as you imagine it. You’re going to sit in front of a computer. A lot. So if you find that idea off-putting, this might not be the right career path for you. It is also quite intellectually challenging and pretty much the opposite of a routine job, which means it can be quite rewarding, but also quite mentally exhausting.

37 comments:

David Wong said...

Thanks for the post! I can't agree more on everything you list.

> The important thing is, if your idea fails, learn why it failed before moving on.

Indeed, stopping at things that didn't work without trying to understand why it didn't work is a bad path to take! There's often a lesson to learn here.

And as you say at the end, this is an exhausting job. Every day is always a new challenge; you always have to constantly learn new things.
