Getting Into Cyber as a Junior

Recently I was fortunate enough to start a position as a junior security consultant with Galah Cyber. Galah is focused on Application Security which allows me to combine my passion for software engineering with my passion for cyber security, absolutely perfect!

If you were like me you might have found your passion in cyber security too, but getting started was always a bit of a grey area. I always wondered where cyber could take me and what I could contribute.

There isn’t a real set path to get into cyber security but hopefully sharing my journey can give an idea to those who were in my position. Here is what I did and my advice for anyone who might be interested.

Explore the field

After I knew that cybersecurity was the field I wanted to pursue, a big question arose…

Through all the incredible exploits people come up with, the amazing protocols and techniques used to protect us, as well as the models and procedures that people have researched to ensure business are secure…

Where could I contribute to cyber…?

The thing was, I wasn’t sure. I had no idea of just how large the field really was.

There are a lot of different areas in cyber security for example, pentesting, application security, training, governance and compliance just to name a few.

So I started to look into it.

Doing independent research definitely helped, things like looking at jobs, watching online tutorials and taking a general interest in cyber security. But the big factor was actually talking to real people in the field.

Going to meetups, joining online groups and just talking to people allowed me to truly learn what opportunities there are in cyber, especially locally, and the different areas I could pursue.

I went to the Newcastle Cyber Security Group’s monthly meetups and learnt from all the talented individuals there who were kind enough to share their knowledge and are always willing to help out others. It was there I found out about app sec, the ability to combine my passion for programming with my passion for cyber was a dream come true.

Knowing that I wanted to pursue that field was the next step forward, you feel much more confident knowing so.

Keep security in mind when programming

I still love software development but oversights in development is where a lot of security flaws can come from. So I try to keep security in my mind while developing software. The last thing I want is for someone to be compromised from a mistake or oversight on my part.

Learn from the plethora of information available to improve your code quality and security.

The OWASP is absolutely incredible for this purpose. They have clear information that developers can understand and put into practice.

Reading over the OWASP top 10 and taking the time to understand the vulnerabilities, will help you massively! Not only as a security professional but as a developer too.

The other thing that was incredibly useful were the OWASP cheat sheets, they provide clear concise information to developers on how to implement proper security controls.

The cheat sheet for a forgotten password reset was an incredible resource, helping me to feel confident that the method put into practice was safe.

There are many other cheat sheets to help with a lot of common dev tasks such as password storage along with cheat sheets to help prevent vulnerabilities such as XSS.

If you don’t understand some of the concepts on the page then go down the rabbit hole and learn! You will be surprised just how much information you pick up.

Learning

Take a proactive approach in learning the things you find interesting.

Read over cyber incidents but also try to understand them, what exactly happened? Why did it happen? What could the exploit be used for?

Learning from incidents that are currently happening in the world helps you understand real world mistakes so that you don’t have to make them.

Furthermore, learn from the plenty of resources out there, News, Youtube, OWASP, Udemy, etc…

I was gifted a Udemy course from a close friend who knew I was interested in security. It covered the practical methods of hackers and was a ton of fun.

The knowledge it provided me allowed me to assess security from a different perspective. Understanding the methods used by malicious users helped out a ton when trying to develop secure code.

Some of the most valuable things I picked up from talking to other professionals especially in meetups. Most of those people who go to meetup are fantastic people who genuinely want to help you out and see others succeed. You can learn a lot from others, especially the things that aren’t purely technical, that kind of knowledge is invaluable.

The other important thing to skill up is your wider knowledge of the tech world. A broad knowledge set helps greatly when looking at security because it is such a large topic. Not often will information go astray so don’t be afraid to learn something even if it is not totally security focused.

Working a year as a software developer, both through my work integrated learning taught me valuable concepts for software development which helps when considering security. For an app sec related field I found knowledge of software engineering to be super useful.

Other things that help are general knowledge of the tech world, even skills such as Linux environments, networking protocols, certain libraries / frameworks, will not go astray.

Seek out opportunities

Be active in the awesome community around Newcastle.

Help people out and learn from them where you can.

Network and build relationships with people, let them know you truly care about the field. Newcastle is a close community with some incredible talent, it is good to meet and talk to people.

If you are going to be performing something as important as security, people need to know they can trust you, show that to them.

Summing up

Thank you for reading and I hope I could help out some people who were trying to find their footing like I was.

Thank you also to Galah for allowing me to pursue my passion, I am thrilled to have this kind of opportunity in Newcastle.

Here are the key takeaways I think are important:

  • Be proactive in your learning
    • Investigate things that interest you and go down the rabbit hole
    • Read over the OWASP documentation
    • Read about cyber incidents and keep up to date
  • Network and meet people
    • Go to community events like meet ups
    • Learn from people, get to know them
  • Put what you learn into practice
    • Apply what you learn in your investigations to your personal projects
    • Reinforce the knowledge you learnt and keep it forefront in your mind
    • Aim to do the best job you can
  • Refine your goals
    • As you continue down your path set a clear goal as to what you want to achieve
  • Give back
    • Help others out where you can
    • Write blog posts
    • Contribute to open source
    • Security is a continuous effort, the more people helping the better
    • Helping others can also improve your own understanding