Wondering how to get a job as a Web Application penetration tester?
That was the topic of our fourth webinar in the series “What is required to work in cybersecurity jobs”. This time we invited Ebrahim Hegazy, a senior security consultant at Deloitte, to discuss with us what is required to work in web application security jobs and to share his personal experience in the field.
How to start?
1) Understand the technology
In order to get started in the web pentesting field, you need to get familiar with web technologies and how they relate to each other: how servers operate, how the internet works, and which technologies are used to create and deploy a website. A basic knowledge of networking also helps. Ebrahim also mentioned that to be a good web pentester you need to understand how developers make the mistakes that lead to security holes, and learn how to exploit those bugs.
2) Learn a programming language
Ebrahim added that to be a good web application security researcher you must be proficient in programming languages. He suggested starting with PHP, as it has great documentation, an awesome community, and is used by many companies including Facebook. He also suggested learning Python so you can write your own tools and automate parts of the pentesting process, because during an engagement you will sometimes run into situations where you have to write a script or a tool to help with your task.
3) Build something of your own
Using the programming languages you learned, try building a simple website that has, for example, a login form, a signup form, an about page and a home page.
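As an added example (not from the webinar or its speaker), here is the login backend of such a practice site written two ways: the way developers commonly get it wrong, and the fixed version. It uses an in-memory SQLite database and a constructed user account, and keeps a fixed salt only to stay short; a real site stores a random salt per user.

```python
import hashlib
import sqlite3

# Constructed example: the login backend of a self-built practice site.
# login_vulnerable builds SQL text from user input; login_hardened sends the
# values separately as query parameters. Runs offline on in-memory SQLite.

SALT = b"fixed-toy-salt"  # assumption for brevity; use a random per-user salt

def hash_pw(password: str) -> str:
    """Slow salted hash so the table never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    db.commit()
    return db

def login_vulnerable(db: sqlite3.Connection, name: str, password: str):
    """The mistake: the username is pasted into the SQL text, so quote and
    comment characters in it change what the query means."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND pw_hash = '{hash_pw(password)}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(db: sqlite3.Connection, name: str, password: str):
    """The fix: placeholders keep the SQL text fixed, so the username is
    only ever compared as data, whatever characters it contains."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
        (name, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    probe = "alice' --"  # the trailing -- turns the password check into a comment
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))  # alice
    print("hardened:  ", login_hardened(db, probe, "wrong"))    # None
```

Run it and compare the two results: the same input logs in without the password through the first function and is rejected by the second.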
4) Read web security books
If you have no experience, don’t worry. Start by reading The Web Application Hacker’s Handbook, which starts from the most basic concepts and goes up to the most advanced attacks.
5) Participate in CTF competitions
By now you will have decent exposure to web technologies, which means you are ready to get your hands dirty. Start solving web security challenges and competing in capture the flag competitions to get practical experience in the field. If you get stuck on a CTF challenge, take a look at the solution (writeup), try to understand the approach, and learn from it.
6) Bug Bounty programs
Finding bugs in real companies through bug bounty programs is the real deal. CTFs are great, but you need to start testing real targets and finding security holes in real companies, and bug bounty programs are the way to do that.
Bug Bounty Platforms:
Where can I find jobs in web security?
What is the future of Web Security?
Ebrahim also indicated that the future of web security will be automation: automating the search for bugs and security holes is already a critical topic and will become even more important in the near future.
Today, Ebrahim is developing a free online course on Web Application Pentesting, which starts from scratch and goes through advanced attacks and demos. You can access the course materials by clicking here.