Security Testing - Where on earth do you start?

Hi,

I’ve been a tester for around 12 years now. I’ve got experience in API testing, UI Automation, Load Testing, Performance Testing etc. but I haven’t done any Security Testing.

I’ve bought a couple of books a while back, but I haven’t done a great deal with them.

  • Patrick Engebretson’s Basics of Hacking and Pen Testing
  • Occupy the Web’s Linux Basics for Hackers

I thought it’s about time to revisit and try to learn a little about Security Testing, but, and maybe it’s my age, the amount of information is overwhelming.

I don’t have a specific question, but more of a series of questions. Just starting with Penetration Testing, below are some general questions. Please feel free to answer as many (or few) as you wish. Just after some opinions and steer.

  • Training & Certification : Does anyone recommend any particular courses or certification?
  • Good websites : OWASP seems top of the pile, but again, it contains an incredible amount of information
  • Roadmap : Does any one have a general roadmap for getting started?
  • Kali : It’s covered a lot in one of the books above. What are your thoughts on it.

Beyond that, if you have any books, source material that you find indispensable, feel free to comment.

6 Likes

Maybe with Linux, and it’s terminal.

1 Like

Have you heard of The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws: Stuttard, Dafydd, Pinto, Marcus: 8601404288999: Amazon.com: Books

Follow Dan Billing and Santhosh Tuppad to start with. They might have a lot to share.

2 Likes

Very good question

The most important thing is to have fun, learning things goes twice as fast as long as you are having fun.

As you mentioned yourself OWASP is a good site to get some starting information. Security evolves fast and there is a lot of information, that’s true. It can be overwhelming but don’t get scared?

You can look into OWASP Top 10 API, Mobile and Web and learn about what kind of vulnerabilities go around and learn what they are so you can recognize it.

Roadmap? Euhm I don’t have a roadmap but that’s because security is sooo huge and I don’t know what you want to focus on. I only focus on Web & API security when I do bug bounty. I don’t do hardware or such. So it really depends on what your end goal is here…

If you want to learn security testing I would advice to check out some penetration testing labs and get the hang of that. TryHackMe has some good Boxes to hack, so does HackTheBox but I believe THM has some better guidance. There is also JuiceShop which you can install locally and go nuts! :slight_smile:

You’re going to want to use Burpsuite for hacking , they also have a lovely Academy:

Following security testers is “meh”, you’re going to want to follow Bug Bounty Hunters.
Bug bounty hunting = a platform which offers hackers money to find security holes legally.

Here you can legally search for security flaws at their clients:

Books:

  • Real World Bug Hunting: Real-World Bug Hunting | No Starch Press
    This is the most amazing book ever, real life disclosed hacks through bug bounty. You’re going to want to read this, thank me later! :stuck_out_tongue: This is the hackers point of view on how they hacked a target

Reading publicly disclosed reports is so mind blown on how other people think, it will help you think out of the box.

Here’s HackOne’s PD twitter bot:


Youtubers:

and so many more that I forgot… : /


Certifications

Please don’t get CEH certified XD
It’s just like ISTQB worthless, if you want to get some real certifications you need to focus on the hand on exams like OSCP & OSWA but these are hard AF :smiley: (exams usually take 48 hours)


Kali Linux is nice…very nice! :slight_smile: but not mandatory if you just want to learn the basics and just play around with burpsuite. Kali is just nice because 1 it’s linux and 2 it comes with everything pre-installed.

I hope it already helps a little bit, if you have questions or if you want to have a chat feel free to ask ! :- )


Inspirational video:

  • How i became a HackerOne MVH without writing a single line of python (Motivational talk)
  • How to get started in Bug Bounty

I forked some nice projects/lists you might want to use:

PS: Welcome back! :smiley:

8 Likes

Thank you , I’ll have a look at that book.

1 Like

Wow, just wow.

Thank you, that was just the sort of thing I was after. That gives me plenty to look into.

I really appreciate the time time you’ve taken to list all this.

2 Likes

No worries! That’s why we are here to share knowledge! :slight_smile:
If you have any more detailed questions about a specific topic, shoot!

3 Likes

@chris.adams

I forgot this one, The Advent of Cyber, it’s a very lovely challenge to do. There is always a brief explanation of what you are looking for and perfect guidance, if it doesn’t work out, there is a video tutorial available.

Very much recommended!

2 Likes

I am currently on the same journey. At my company I have access to LinkedIn Learning so I took lots of courses there. Would recommend starting with learning about common attacks and how they work and a theoretical level before diving into it. After several courses the OWASP pages suddenly make sense to me.

While I wouldn’t recommend taking the ISTQB course I think the syllabus was a good overview in under 100 pages: Security Tester - ISTQB® International Software Testing Qualifications Board

3 Likes

I have access too, and yes, finding it all very overwhelming. any courses you liked in the linkedin @sles12 ?
It’s almost like the pros can read your mind, but really they just have much much more experience and more context than the rest of us. I guess one has to start slowly.

2 Likes

Hi,
I’ve been enjoying the TryHackMe learning paths. Very beginner friendly and are organised in a way that you don’t leave you feeling overwhelmed.

I would also recommend checking out the book Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career.

4 Likes

I think you must slow down and takedown on each step of security testing, one after the other.

Before you jump on framing more technical understanding through books and technical resources, I think you must start in detail from the basic idea.

Being VP Delivery and Operations at a software testing company, we are dealing with the number of security testing projects. Here are a few links to the articles my team wrote on security testing along with some other informative third-party resources that you might want to consider.

Why Security Testing is Necessary for an Application?

What is Security Testing? Types with Example

Let me know if you find these helpful or else, we can plan a one-on-one interaction to discuss in detail how security testing works.

1 Like

Sorry, just saw this today.
I would start with the OWSAP Top 10 (learning path Master the OWASP Top 10 Learning Path | LinkedIn Learning, formerly Lynda.com). It’s about the version from 2017. There is also an update for the version from 2021 (Learning the OWASP Top 10 Online Class | LinkedIn Learning, formerly Lynda.com)
Then you could dive in deeper with the Ethical hacker learning path (Become an Ethical Hacker Learning Path | LinkedIn Learning, formerly Lynda.com). The course about SQL Injection was the first one where I understood what to do not just the concept.
I also started this more testing related learning path: Improve Your Application Security Testing Skills Learning Path | LinkedIn Learning, formerly Lynda.com

3 Likes

I pretty much echo @kristof with his set of resources. Nicely done sir!

I’m currently going through the TryHackMe learning channels as my company bought a pro license for me. For anyone who reads this and wants to add a friend I’m N0m3nP3nn4.

In addition to the many suggestions above, here are some other avenues.
The Beer Farmers on discord, twitter, and very community/n00b friendly conference. Click the link on their site.
The Cyber Mentor - check out the Youtube channel especially the Zero to Hero series.
Securityfwd on Twitch - livestream of hacks and news. Really interesting. Also on YouTube I think

Twitter -
Cybersec twitter topic
https://twitter.com/i/topics/1047123725525479425
BritFoSec curated list
My own curated list

Podcasts -
Smashing Security - weekly magazine-style podcast
Darknet Diaries - my personal favourite. Weekly podcast about various hacks “from the dark side of the internet”
Malicious Life - another podcast with stories and interviews around historic and recent hacks
Cybercrime Investigations - multi-episode “seasons” covering whatever Geoff White is working on.
Hacking Humans - another weekly magazine-style podcast
Security in Five - US-based daily security news
Cyberwire Daily - US-based daily security news
The Lazarus Heist - multi-episode series by the BBC about an attempted $1 billion bank heist
Host Unknown Podcast - a bit random but can be fun (not listened to in a while)

2 Likes

Many thanks to all who replied. I’ve been doing some reading, which is in the dry-side, but livening it up with a mix of TryHackMe, HackerOne and HackerOne’s CTF.

The push in the right direction was just what I needed.

Again, thank you.

Chris

3 Likes