Exploring Information Security


Application Security resources for beginners

October 29, 2018

This is a continuation of my resource series of posts. Application security is the field I found a lot of interest in, despite coming from the operations side of IT, not development. Using the resources below I was able to get a job in application security.

Websites:

  • Troy Hunt

  • Open Web Application Security Project

I first realized I had an interest in appsec after reading a Troy Hunt post. Not only were things explained well, but I was also paying attention to every word in his blog posts. He has since branched out to more breach-related content as the creator and maintainer of Have I Been Pwned. Still, he has a lot of good appsec content. He has several courses on Pluralsight for beginners and beyond. He also does a weekly podcast that's worth checking out.

The Open Web Application Security Project (OWASP) is the go-to resource for AppSec. It's a massive non-profit organization that has tons of projects, knowledge bases, cheat sheets, and more. There might even be a local OWASP chapter near you. There are annual conferences to attend (I've never been). It's the resource I recommend for people starting out.

Podcasts:

  • DevelopSec

  • Application Security Podcast

James Jardine puts on the DevelopSec podcast. The podcast is targeted at developers, but it's also consumable by security people. This podcast doesn't release on a regular schedule. The Application Security Podcast is also targeted at developers. It releases in seasons.

Training:

  • SANS SEC542

  • PWAPT

The first bit of AppSec training I got was the SANS SEC542 Web Application Penetration Testing and Ethical Hacking course. It's a lot of AppSec information, concluding with a Capture The Flag (CTF) exercise. I'd try to get your organization to pay for this, as it's several thousand dollars.

The Practical Web Application Penetration Testing (PWAPT) course is put on by Tim Tomes. He's a former SANS instructor who runs this training several times throughout the year, both publicly and for organizations. It's a great, affordable course that Tim tries to keep up to date with relevant information.

This blog post first appeared on Exploring Information Security.

In Technology Tags appsec, Resources, infosec, training, Have I Been Pwned

Social Engineering for the Blue Team: My Story

February 22, 2018

This is an ongoing blog series, which touches on my upcoming speaking and workshops on Social Engineering for the Blue Team. My current schedule is as follows: BSides Indy, March 20, 2018; I am an alternate at BSides Nashville April 14, 2018; and I will be doing a workshop on the topic at Converge and BSides Detroit, May 10-12, 2018. I hope to see you there.

"You're a Rockstar."

These were the words uttered to me after turning in my two-week notice at a previous place of employment. I know infosec rockstars are looked down upon in social media circles. I took this as a compliment. These were words from our CIO. He followed that up with, "Everyone seems to like you," which I took as another compliment. Both compliments made me feel extremely good, because compliments are few and far between in our industry. That's a topic for another blog post. For this blog post, the compliments started me down a path of self-discovery.

I always seemed to have a knack for getting along with others. I never knew why, though, and I definitely didn't feel like I was doing anything special. My early years of life were filled with a lot of happiness and joy. I loved school up until about the fourth grade. I was good at it, but I also had a lot of fun with my classmates. It wasn't until I moved midway through fourth grade that I started to realize the mean side of kids. We moved to New Jersey.

My dad served in the Army for 20 years. I moved a lot, averaging two and a half years in each place. Thankfully, after fourth grade we moved again, this time to Kansas. I had a much better time in Kansas. Middle school was pretty good. I had friends. I also had some enemies that used to be friends. We moved back to New Jersey for eighth grade and half of high school. These are considered some of my darkest years. I had friends, but I was also picked on. A lot.

My pants were too tight. My glasses were too big. All I wanted to do was fit in. My mom bought me baggier pants and scheduled an eye appointment to get contacts. My grades slipped in an effort to be part of the in-crowd. I moved my junior year of high school to Minnesota. I was picked on there for my baggy pants (remember JNCO jeans?). I had girl friends, but in general I found talking to the opposite sex intimidating at first. While I missed out on the academic side of school, I was learning about human interaction.

I failed a lot at human interaction. That, eventually, led to me picking up David Deangelo's Double Your Dating series. This was after a six-month period in which my girlfriend dumped me, my roommate bailed on me and left me paying for a two-bedroom apartment, and I got a captain's mast for showing up an hour late to duty. Technically, I was supposed to go to captain's mast after three write-ups. Being late was my first one, and something everyone did when they only had a few weeks left at a duty station. In this case I was being made an example of by the new commanding officer. Still, I had failed, because I wasn't viewed as a good sailor. Something needed to change.

Studying Deangelo's content, I realized that I wasn't just learning about interaction with women, but with people in general. I was getting self-improvement tips and techniques. I picked up (on the recommendation of Deangelo) Feel The Fear And Do It Anyway by Dr. Susan Jeffers. This was the turning point. I started honing my soft skills. I did this for life-quality reasons. After I was told I was a rockstar and that people seemed to like me, I started to understand how. This was just a few years ago. Last year I read Social Engineering: The Art of Human Hacking by Chris Hadnagy, and it opened my eyes to the how.

I've excelled at my roles partly due to my technical prowess, but mostly due to my ability to build strong relationships with people. I see that as the key to my success in building security programs and processes and improving the security culture of an organization. My current role has me sitting with developers. I am successful there because of the relationships I've built. Leadership wants to hire me away from the security team. The developers are making good security decisions without my input.

We talk about the talent shortage quite a bit in our field. A lot of solutions start with improving security programs in school and mentoring juniors in our field. I think those are good solutions, but it will take time for them to be fully realized in our industry. I also don't have much influence there. Where I do have influence is in the relationship realm. I think if we can interact better with other departments, we can make strong improvements in security.

That's why I've put together this content. I'm really excited about the idea. I've had a lot of success with it and I think others will too. More to come.

This blog post first appeared on Exploring Information Security.

In Experiences Tags social engineering, training, Talent Shortage, BSides, Converge Detroit