From Pentester to AppSec Engineer
The only thing worse than a pentester is a bug hunter. This blog post is to help pentesters elevate their skills to those worthy enough of the title of Application Security Engineer. There is no hope for most bug hunters, sorry.
Disclaimer: I have never been a pentester, this blog post is mostly to help provide some insights on skills that I use on a daily basis working in AppSec. This blog post was requested by one of my Twitter followers.
The happy Pentester
The first phase of your journey will be that of the “happy pentester.” You are happy-go-lucky wanting to hack the world and nothing can stop you... except all those damn ethics sections from trainings and books that were shoved down your throat against your will. Finding and exploiting vulnerabilities is super fun and getting root is always most satisfying. Hopefully you know all the major classes of vulnerabilities, as well as how HTTP and TLS works.
In the grim darkness of the far future, there are only vulnerabilities
One day you will realize that everything is vulnerable and all is hopeless and futile. The internet looks dim and dark. All of your favorite websites are vulnerable as all hell. You lose all hope in humanity because nobody can fix their damn vulnerabilities.
Everything is meaningless, so learn to Dev
You look and see a light out in the distance, is it… no it is not DevSecOps, it is Development. I am not talking about learning to code. You should be decent at coding, but no need to be super amazing or anything. Being able to write applications, read code, and speak to developers without sounding like a dumbass is actually super important. But that last point is the most important. Finding a vulnerability, telling them how to fix it, providing code to fix it will get you a lot farther than just saying “fix this vulnerability.” You should know the tools the Devs use and how to use them! Being a developer isn’t just coding, as a matter of fact, for some reason, all Devs want to code more than they actually do.
There is a lot of pointless process in the Dev cycle, whether they are doing waterfall, agile, kanban, or whatever stupid shit they decide to do. Documentation, diagrams, and all the other shit that you will never want to actually do, but you will have to, not because someone will read it (they probably won’t), but because someone might accidentally stumble across it and read it.
The world has meaning again
You are now coding like a champ, or at least reading code. You understand the developers processes and tools. The developers are fixing the vulnerabilities in their code and less vulnerabilities are being created because you are teaching them how to design and write secure applications. Your security program is maturing and you can show your bosses actual meaningful metrics. You are finally able to reach out to the business and not just the developers, and there is support from most places in your org. All is well in the world.
- Learn code and read code (reading code is probably more important)
- Learn how to write good documentation (lots of practice is needed)
- Understand and write company security policies
- Understanding of web application security issues
- Learn how to read and create design and architecture diagrams (UML, Dataflow, Sequence)
- Learn how to learn things quickly and filter out the shit that you don’t need (there will be new tools, libraries, etc. that Devs will want to use, and you will need to advise them how not to shoot themselves in the foot with their new toy)
- Know how to threat model
- Understand risk and why the business shouldn’t fix everything and how to prioritize what to fix
- Understand the business and why they make the decisions that make no sense to you
- Communication (good communication skills are hard)
- Learn Dev tools and processes
- Follow smart people on Twitter, watch conference talks on YouTube, read all the blog posts, and steal all the ideas
- Be a team player (the Devs don’t work for you, you will need them on your side)
Note: This blog wasn’t written to tell you how to do all this stuff but skills you should work on to become a more well rounded application security engineer.
“No one can construct for you the bridge upon which precisely you must cross the stream of life, no one but you yourself alone.”
― Friedrich Nietzsche
Resources to help you level up