Security Testing - Where on earth do you start?

Very good question

The most important thing is to have fun, learning things goes twice as fast as long as you are having fun.

As you mentioned yourself, OWASP is a good site to get some starting information. Security evolves fast and there is a lot of information, that’s true. It can be overwhelming, but don’t get scared!

You can look into the OWASP Top 10 for API, Mobile and Web and learn about what kinds of vulnerabilities go around and what they are, so you can recognize them.

Roadmap? Euhm I don’t have a roadmap but that’s because security is sooo huge and I don’t know what you want to focus on. I only focus on Web & API security when I do bug bounty. I don’t do hardware or such. So it really depends on what your end goal is here…

If you want to learn security testing I would advise checking out some penetration testing labs and getting the hang of that. TryHackMe has some good boxes to hack, so does HackTheBox, but I believe THM has better guidance. There is also Juice Shop, which you can install locally and go nuts! :slight_smile:

You’re going to want to use Burp Suite for hacking; they also have a lovely Academy:

Following security testers is “meh”; you’re going to want to follow bug bounty hunters.
Bug bounty hunting = a platform that offers hackers money to find security holes legally.

Here you can legally search for security flaws at their clients:

Books:

  • Real World Bug Hunting: Real-World Bug Hunting | No Starch Press
    This is the most amazing book ever: real-life disclosed hacks through bug bounty. You’re going to want to read this, thank me later! :stuck_out_tongue: This is the hacker’s point of view on how they hacked a target.

Reading publicly disclosed reports is so mind-blowing for seeing how other people think; it will help you think outside the box.

Here’s HackerOne’s publicly disclosed reports Twitter bot:


Youtubers:

and so many more that I forgot… :/


Certifications

Please don’t get CEH certified XD
It’s worthless, just like ISTQB. If you want to get some real certifications you need to focus on the hands-on exams like OSCP & OSWA, but these are hard AF :smiley: (exams usually take 48 hours)


Kali Linux is nice… very nice! :slight_smile: But not mandatory if you just want to learn the basics and play around with Burp Suite. Kali is just nice because 1) it’s Linux and 2) it comes with everything pre-installed.

I hope this already helps a little bit. If you have questions or if you want to have a chat, feel free to ask! :-)


Inspirational video:

  • How I became a HackerOne MVH without writing a single line of Python (motivational talk)
  • How to get started in Bug Bounty

I forked some nice projects/lists you might want to use:

PS: Welcome back! :smiley: