Who can get into security testing?

I’d like to get answers to the following things:

1 - What kinds of security testing are there?
2 - What are the prerequisites that one needs in order to get started in security testing?
3 - Does it matter how you learn the basics i.e. by getting a CS degree or self learning?

I get the feeling that there are people and courses out there which make it seem (intentionally or not), that anyone can become a security tester by just taking a few random courses, by getting some certifications or by mastering a few security testing tools. I am skeptical about this.

I am sure that most testers could do some kind of security testing. But, I don’t know if they can become experts. Are there some kinds of security testing jobs for which a CS degree and/or certifications should be mandatory? Are there any kinds which don’t really need degrees/certs? What are the career prospects for someone who does jobs which don’t really need degrees/certs?

PS - Related post How to get started in Security Testing?


I’ll try and answer these as best I can.

1 - What kinds of security testing are there?

Well, that answer entirely depends on context. You can test UI for security, API, Databases, networking, infrastructure. Pretty much any component of a system or service can be subject to security risks and testing as a result. Examine your context from the perspective of Security, to see where your risks are. Perhaps do some threat modelling to develop the types of testing you might need to do.

2 - What are the prerequisites that one needs in order to get started in security testing?

Are you working with HTTP, mobile, web, or other protocols? What is your technical stack?

I would ensure that you have a safe environment to do your testing, and that you have the support of your team and leadership. It might not be the priority for your team, but ultimately be good for your organisation. You don’t want to cause any damage to your organisation internally, but also you might want to highlight where there are gaps in your understanding and knowledge of the security of your stack. Also, it’s worth talking to your developers and architects to discuss their perspectives and opinions. Be cautious though, as some might not take kindly to having security be questioned on their application code.

3 - Does it matter how you learn the basics i.e. by getting a CS degree or self learning?

None. I had no security qualifications, and I don’t have a CS degree. I’m self taught, and have learned from other professionals. I later did a CREST certificate in web application security testing. There are plenty of training opportunities for security, but it’s worth deciding how far down the rabbit hole you want to go. Depending on your context, you might want to explore what training opportunities might be good for you.

I hope this helps. Drop me a line if you need any more assistance. There are some great resources, books, online learning and other material out there. Best of luck! :slight_smile:


Daniel mentions a few of the types of security testing but there are so many more. There is software, hardware, social engineering, network, IoT, …

The key is to pick 1 of these and start a deepdive, don’t try to do them all together or you’ll get lost.

I mean it helps if you have an IT background but what really matters is motivation and the willingness to learn. People often say you need to code to be a good hacker but that’s not true. You don’t create your own word or OneNote to write something down right? To become a superhacker yea then you’ll need it to create your own “stuff”. But yea it does help to know a bit to understand what’s going on at some point, depending on the field of choice.

I think you’ll like this video from Stök:
How i became a HackerOne MVH without writing a single line of python (Motivational talk)

The video below: HOW TO GET STARTED IN BUG BOUNTY by Stök - Why do I link this? It’s about security testing explaining his journey. Also very motivational.

Anyone who is willing to learn can do it.
Certifications are just tests so that you can prove that you sort of know what you are talking about. So focus more on the Hands On part.

Elon Musk once said

“I hate when people confuse education with intelligence, you can have a bachelor’s degree and still be an idiot”

Also: Google is your friend in security testing :wink:

If you want to get started, you’re going to have to learn about vulnerabilities and there is no better way to do it then hands on or reading reports from bug bounties.

That way you can see how others think and what others do to get the job done.

Hope it helps a bit, if you have more questions, shoot!

Kind regards