
Pushing into AppSec


Here it is! My first blog post and boy is it a doozy. I promise I will try to be more concise next time. Coming from a non-developer background, I wanted to give a little insight into how my journey started in AppSec. I didn’t just happen to fall into it, and it didn’t come without its discouraging moments, but that doesn’t mean stop trying.

Where to begin?

It sucks to suck. Take gaming, for instance: I have been avoiding competitive video games because I know I do not want to invest the time right now to not suck. First, it was a full course load on top of a full-time job, and now, after graduation, I’ve dedicated that coursework time to AppSec and Python. I know that if I cave and launch that video game, I’m going to want to do better—must…avoid…temptation! So here I am, not playing Dead by Daylight nearly as much as I’d like. Sucks to suck.

When I decided to pursue a career in IT, I knew to be an expert, AKA not suck, finding a specialty was imperative. With my nature being both a bit competitive and a bit paranoid—I mean that of little trust (wait, is that better?), cyber security appeared to be the perfect fit. Thus began my pursuit of a BS in cyber security. However, it quickly became apparent I would need to further specialize. After this realization, my goal for each course, second to grasping the material, of course, was to determine if that subject was a viable specialization.

I Graduated! Now What?

Let's fast forward to graduation. What did I finally decide to specialize in? *Crickets* Okay, I still didn't know. Fortunately, there were a few topics in my courses I seemed to gravitate toward slightly more than the rest: forensic computer science (who doesn't have a healthy true crime obsession?), programming (wait, that's not security, right?—my whole degree would be for nothing!) and pentesting (but I'm not a hacker!). I started with forensic computer science as my first post-graduation effort to find my specialty.

I felt reading a book on the subject would be a reliable test to gauge initial interest. I used to feel compelled to finish any book I started, including fiction, even if I found it incredibly uninteresting. It was an unnecessary matter of principle. When there is another book out there that will capture my attention, why finish one that's not? Applying that same logic to my search for a specialty, I started reading, with every intention of finishing. I didn't. I don't even remember when I stopped reading it; it wasn't an active decision, it just happened. Forensic computer science was not “the” specialty I was looking for.

Programming was second on my list. At that point, I began to question my degree: should I have majored in Software Development instead? Spoiler alert: actually, probably. I heard from several professionals in the industry that people often “fall into” their specializations. Unfortunately, I had yet to “fall” into anything, and I much prefer to have a direction and a plan, so, needless to say, that was not the advice I was hoping for.

The Perfect Job

During this time, the department I worked in began to shift its focus more heavily toward development. After discussing the direction of these new projects with my manager, I decided, as the security professional on the team, I had some learning to do. I immediately set my focus on AppSec. I scoured the internet for advice on where to begin, landing on a Reddit post that praised a book called Alice and Bob Learn Application Security, written by Tanya Janca of WeHackPurple. I ordered the book that day. I had an overarching interest in security, but I also found I very much enjoyed the short stints at work where I was able to write a little code, so much so that I considered changing my major at one point. When I read Alice and Bob Learn Application Security, I was thrilled. This was it. Application security was a combination of my interest in security and code. Who said the perfect job doesn't exist?

Disregard the Naysayers

Despite discouraging opinions across the internet, "you cannot be an AppSec engineer without first being a software developer," or "you have to get lucky and land in a company that develops you into the role"—I pushed on. I quickly joined OWASP and completed WeHackPurple's Application Security Foundations Level 1 OWASP edition course. This was pivotal.

Having thoroughly enjoyed both the book and the course, I joined the WeHackPurple community. It was there I learned about #CyberMentoringMonday. I'm not an avid social media user, and I didn't even have a Twitter at the time, but I was told that was my best shot at finding a mentor. So I created a Twitter and shot my shot with #CyberMentoringMonday. Silence. Again, I pushed on. I continued working through TryHackMe labs until the next Monday rolled around. Time for another #CyberMentoringMonday tweet. This time, someone DM’d me! The message said something along the lines of "look, in my experience, no one is going to waste their time mentoring you." [Insert sad trombone here.]

Their claims, however, were quickly discredited. That same day, an almost-overwhelming number of amazing, helpful people in the industry reached out. I promptly created an "AppSec Roadmap" board on Monday.com (love this task management tool), started throwing all their advice into tasks, and began prioritizing. Not only did I receive an abundance of actionable advice, but I was also fortunate enough to find an incredible mentor. As I said earlier: pivotal. It was, and still is, truly invaluable to have an experienced professional in the field guide me in the right direction, offer tool recommendations, provide guidance on how and when to use said tools, walk me through any questions I might have, and make assurances, as a former software developer himself, that this is possible to accomplish despite not having that background.

Pushing into AppSec

So, I didn’t “fall into” a specialty like I was told I would, but I have found one that I’m pushing into. I can't say I know it all, and I can't even say I know a lot of it, but what I can say is that I am excited and motivated to continually learn about this ever-changing, ever-growing field—because it sucks to suck, right?