item 28979231

Ask HN: Switch from development to security?

62 points| eftel | 4 years ago

Hi HN,

I’ve been working as a software developer for the last 10 years. Fullstack with a strong tendency to Python in the backend.

I’ve never really worked for a company as an employee. All I have done is working as a contractor/freelancer or for my own startups (with one semi-successful exit). Currently I’m working for a multi-billion-dollar company as a contractor, leading a small team of four people.

I love programming but I was always interested in the security kind of things (the startup was security related). Is there a good way to transition from software development to security? What are my chances of getting employment in a large-ish organisation without real job experience in security?

As a contractor, I’m currently making 120k EUR/year from Europe (100% remote). Is it realistic to find a remote position paying equally?

My current contract will probably run out in around 6 months. I’m currently trying to get a CompTIA Security+ certificate. Does that make sense or can I spend my time better doing something else?

62 comments


jpgvm|4 years ago

Unless you want to recite the OWASP top 10 to people and generally be useless, don't listen to anyone telling you that certs (especially CISSP) are useful for breaking into (hah) the security field.

Generally security has 2 major schools, offensive (red team) and defensive (blue team). To be good at the latter you first need to understand the former. This means what you should instead be doing is learning the basics of exploitation. OSCP, which was mentioned here, is excellent, but it's also not easy to complete right out of the box; you will want to start with easier stuff and work your way up to it.

One thing worth noting though is that it can be hard to transition from a build to a break mindset. Which might mean that even after you learn some decent exploitation techniques, binary analysis etc., you might be better off batting for the blue team. Blue team mostly revolves around mitigations and defense in depth, which is why it's crucial you know red team to start... you can't put walls in the right place if you don't know where the enemy is coming from.

Of course this really depends on if you want to be a real security expert and be damn good at what you do or if you just want to get paid for being in "security". If the latter you can ignore everything I said and just get the certs and tell people they need to tick X checkboxes.

amerkhalid|4 years ago

> just get the certs and tell people they need to tick X checkboxes.

Sadly, this is the most common variety of security expert. Some of the security experts I have dealt with only know how to run a few tools to generate a PDF and would not even be able to explain the things that their reports show.

Seems like it is a low bar to become a security expert, but true security experts should be able to get really high salaries.

MattPalmer1086|4 years ago

I've heard good things about OSCP, although I haven't done it myself.

strictnein|4 years ago

There are some development jobs in security, which would obviously be an ideal position as you could leverage 100% of your skills. That's how I got my role. Some larger companies will have development teams that create tools for their security org.

Also, every security company out there - Mandiant, CrowdStrike, Kaspersky, etc hires developers all over the place. That would be a good spot to get a start.

Past that, there are a couple of possible options.

Larger companies will also have Threat Intel teams and those teams may work on custom solutions and require developers to help them with it. But it may be sort of tough to find a role without any security knowledge.

If you have a good amount of system admin knowledge, you could also look at an Analyst role, and work as someone who responds to security alerts for an org. The problem is that you will likely take a pay cut for this type of role. The more senior-level roles would probably pay you similar to what you're making now (I think), but that'll be 3-7 years of work.

MattPalmer1086|4 years ago

I made the transition from software to security over a decade ago.

I took the academic route, and did a Master's degree in Information Security. I tried to get more security experience in my work.

Wasn't a fast transition for me, but I was fascinated by the subject, and wanted to really study it.

There's other and probably faster routes, but it really depends what interests you. It's a broad subject.

Offensive security can be good to learn, maybe look at doing something like OSCP.

pyuser583|4 years ago

Are there any academic programs you recommend?

gaspard234|4 years ago

A bunch of great answers.

I've been in offensive security for ~10 years now and am a staff at one of these billion dollar SV tech companies now.

If you want to do pentesting (though I prefer the term offensive security) my advice is to learn the basics of web app security with something like PortSwigger's course https://portswigger.net/web-security.

Since most tech is really APIs and web apps, this course would be able to get you productive and probably a jr-level skillset. OSCP is also good but I find network hacks are not as applicable today thanks to the cloud, though the thinking process and creative puzzle solving could be worth it.

I would participate in as many CTF-type challenges as possible (http://www.xssgame.com) then apply to jobs. Make it clear you are a junior but good at Burp and web testing.

Good luck!

weitzj|4 years ago

I would say that your mindset as a developer is a plus. You could start focusing on how to apply security knowledge to CI/CD pipelines, which should be your daily business right now anyway (from a developer’s perspective). So how to make containers safe, dependencies always up to date. These are already hard problems to solve and your developer's mindset and skill will help you: how to implement this stuff for yourself and also keeping a developer’s perspective in the CI/CD process.

Shift left on security. Make it a win-win situation for everybody
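Two of the pipeline checks weitzj points at, keeping dependencies pinned and keeping container base images pinned, as an added Python example that is not part of this thread or of any project mentioned in it. The requirements file and Dockerfile it scans are constructed samples, the sha256 digests in them are placeholders, and the thresholds for what counts as "pinned" (an exact `==` plus a `--hash=`, a `@sha256:` digest on the image) are this example's own choices.

```python
import re

# Added example (not from the thread): a small "shift left" check that a developer can
# drop into a CI job. It flags two things that make a build non-reproducible and hard to
# audit: Python requirements that are not exact, hash-verified pins, and Dockerfile FROM
# lines that can resolve to different bytes on the next build. Both inputs below are
# constructed samples, not taken from any real project; the digests are placeholders.

REQUIREMENTS = """\
flask
requests>=2.28
pyyaml==6.0.1
cryptography==42.0.5 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

DOCKERFILE = """\
FROM python:3.12-slim AS builder
RUN pip install -r requirements.txt
FROM python@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /app /app
FROM ubuntu
FROM nginx:latest
"""

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-\[\],]*)\s*(==|>=|<=|~=|!=|>|<)?")
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def logical_lines(text):
    """Join pip-style backslash continuations so '--hash=' lands on the same line as its package."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()


def check_requirements(text):
    """Return (package, problem) for every requirement that is not an exact, hash-verified pin."""
    findings = []
    for line in logical_lines(text):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or a pip option such as -r / --index-url
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op = m.group(1), m.group(2)
        if op != "==":
            findings.append((name, "not pinned with ==, so a new upstream release silently changes the build"))
        elif "--hash=" not in line:
            findings.append((name, "pinned but no --hash=, so a replaced artifact of the same version goes unnoticed"))
    return findings


def check_dockerfile(text):
    """Return (image, problem) for every FROM that is not immutable."""
    findings, stage_aliases = [], set()
    for line in text.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stage_aliases.add(alias)
        if image.lower() == "scratch" or image in stage_aliases or "@sha256:" in image:
            continue   # empty image, an earlier build stage, or digest-pinned (immutable)
        last = image.rsplit("/", 1)[-1]   # drop registry/namespace, whose host part may carry a port
        if ":" not in last or last.endswith(":latest"):
            findings.append((image, "no tag or :latest, every build pulls whatever is current"))
        else:
            findings.append((image, "tag only; tags are mutable, pin the @sha256 digest as well"))
    return findings


if __name__ == "__main__":
    for name, problem in check_requirements(REQUIREMENTS) + check_dockerfile(DOCKERFILE):
        print(f"{name}: {problem}")
```

Run it as a CI step that fails the job when either list is non-empty; the point of flagging the tag-only image separately from the untagged one is that a tag like `3.12-slim` feels pinned to developers but can be re-pointed by the publisher, which is exactly the supply-chain case weitzj's "keep containers safe" covers.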

jonnycomputer|4 years ago

Answers might be more helpful if OP was a bit more specific on what they had in mind with "security", which is awfully broad.

marcinzm|4 years ago

Yeah. There's a very big difference between pen testing and coming up with SOC compliant processes.

raesene9|4 years ago

So it is possible to make the switch (IMO) but, in Europe, I think you may struggle to find a matching salary when starting out in security.

To give you some idea https://twitter.com/tazwake/status/1451702586348818435?s=20 is actually (IME) pretty close to UK Infosec salary ranges.

Past that, if you're still interested, I'd say you want to focus a bit on what sort of security work you want to do, there's a massive range, and the qualifications and experience vary.

With a dev. background, something like Appsec work is likely to be the closest, or maybe DevSecOps. The advantage of both those paths is that they kind of sit between development and security, so you can leverage your existing development experience, when looking at roles.

ferdowsi|4 years ago

Are there any possibilities for you to first work at a company doing full stack dev in a way that allows you to interact with security teams? Stuff like implementing the OWASP top ten? That was how I built up a skill set and knowledge base in security.

As with any lateral change you should consider if you'd really enjoy the change. Security is a very interesting landscape but it turned out I really enjoy having a more direct impact on product development so I haven't totally made the switch. But security experience has definitely made job searches easier; recruiters specifically target folks with product/security experience and there are a lot of opportunities in the space.

eftel|4 years ago

That’s a good idea! Did you actively plan to change your path or was that something that just happened because it was interesting to you?

mettamage|4 years ago

Handy cert for pentesters is OSCP.

Train via hackthebox.eu

WelcomeShorty|4 years ago

Most comments seem to focus on active security testing. My experience is that this is just 20% of what companies call Security.

80% of the effort is compliance, regulations and getting "holes plugged".

For one to be successful in corporate security, you better be good at PowerPoint and selling ideas / wishes.

Currently my role is managing a bug bounty program for a largish company. Getting a service on-boarded (explaining the benefits and expectations) is 40% of the work, agreeing with the service owner on the CVSS scoring 10%, getting a service to fix a finding about 20%, and the rest of the work is the cool stuff (validating findings, communicating with the hackers & setting a bounty).

So my "advice" to you would be, figure out what exactly you want to do "in Security". If you like to get your feet wet in the technical space, sign up to a Bug Bounty program and start searching. If you want to be administratively involved, by all means apply for any of the "looking for security officer / manager" job offerings.

mooreds|4 years ago

My suggestion would be to move to something security adjacent that still uses your software skills.

Options:

* devops (mentioned in other comments)
* auth (lots of needs for crypto and other security knowledge)
* cloud security (gobs and gobs of need for this)

You could do this by trying to transition internally, but that will be difficult because of your position as a contractor. You could try to get hired as a FTE by your current company.

Another option would be to seek out a security company that has dev needs. You could do this with a smaller company (like r2c), a medium size company (like snyk) or a large company with security needs (like github). At each of these companies, they'll probably want you full time.

I don't know about certs as a means for getting hired, but they certainly have helped me dive deeper into a topic (a forcing function, if you will). If you were into the cloud security option, for example, I'd probably get the AWS arch cert and then the security specialization.

HTH.

keeeeeeeem|4 years ago

I moved from fullstack development to pen testing. I don't have any certs, but I'm working towards one purely because clients prefer it.

Previously I had worked for a startup in the finance space and had increasingly been more involved in the security aspects of our development process. I was impelled to make the jump to security because I wanted to dive deep into the topic and I knew I wouldn't get the depth of knowledge from my SWE job.

The majority of people in security I come across have a surface level knowledge of many topics and depth in perhaps one topic, which will give you an advantage in your previous domain (i.e. web applications).

In my country, the pay for pentesters is lower than for developers by 10-15%. In my experience day rates for testers range from 800-1400 EUR.

bawolff|4 years ago

The easiest way to transition is to transfer internally in a company you already work for. However that doesn't seem like something available to you.

Try maybe looking for roles labelled "software security engineer" - those might be more likely to take a pure software background.

> I’m currently trying to get a CompTIA Security+ certificate.

Certs are not respected in the security industry, especially the easier ones like Security+, to the point where it's almost considered a negative signal on a resume. Some of the harder ones like CISSP are controversial in that it depends where you're applying whether or not it's worth anything.

As a general rule, I would not bother with certs, but they can be useful as a general study guide sometimes, if you're not sure where to start.

CodeGlitch|4 years ago

> Certs are not respected in the security industry, especially the easier ones like Security+

I'm a software engineer and have no certs myself; however, I'm familiar with the security-related certs. I find it bizarre that an industry would find the certs useless, as certs at least give a baseline. You can give someone a bunch of tests at interview, but there's no way you can check someone's knowledge in just a few hours - unless your tests look something like the questions you'd be asked to gain a cert! I'm trying to get a Network+ cert, but it's taking me a while due to the massive amount of stuff you have to learn... and Security+ is seen as the next cert after that. I've learnt a massive amount already, so cannot see why it would be useless or seen as a negative. It's almost like saying "nah we won't use this standard baseline, we'll be the judge!"

I wish the software dev industry would embrace certs a bit more. Hiring is basically a massive gamble. Recent example: chap I worked with who had been a programmer for decades...didn't know what Base64 was, and used globals a lot. This is basic stuff.

chias|4 years ago

We (Workiva) currently have an open rec looking specifically for people like you: engineers who are interested in pivoting into security. You're more experienced than the baseline that rec is designed for, but that's where negotiation comes into play :)

I hope you check us out: https://workiva.wd1.myworkdayjobs.com/en-US/careers/job/Ames...

If not with us, then I have no doubt you'll find other companies looking for something similar. People in your shoes are in high demand.

eftel|4 years ago

That sounds super interesting! I’m still on a contract for at least 4 months. Is there a way to reach you? Mail?

batch12|4 years ago

There is a lot of talent missing in security. With your programming background you are ahead of those that have no operational experience. Check out the certs others mentioned. Also decide what you want to do (or start with) in security: risk management, vulnerability management, incident response, pentester/red-teamer, social engineer, SOC, etc. Also realize that you may have to start at an entry level. Tier I/II SOC work, for example, would give you some experience to leverage for other roles.

eb0la|4 years ago

Since you know Python... what about Threat Hunting?

I work with a Data Scientist turned Threat Hunter (which means you model and find stuff using data gathered for security).

Warning: like most data science-related jobs this can be a "lonely" position. I mean, very few people will understand you and your job, but they will buy the results.
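What "model and find stuff using data gathered for security" looks like at its simplest, as an added Python example that is not part of this thread: two hunts over sshd-style authentication log lines, one for password spraying (one source, many distinct usernames, short window) and one for the guess that finally worked (a successful password login from a source that had already failed repeatedly). The log lines are constructed for this example, the addresses are documentation ranges, the year the syslog timestamps are assumed to belong to is a parameter, and the window and thresholds are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not from the thread): a first threat hunt in Python over sshd-style
# auth log lines. Every line below is constructed; 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real hosts.

LOG = """\
Oct 22 10:15:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Oct 22 10:15:03 bastion sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 41024 ssh2
Oct 22 10:15:04 bastion sshd[4105]: Failed password for deploy from 203.0.113.5 port 41026 ssh2
Oct 22 10:15:06 bastion sshd[4107]: Failed password for invalid user test from 203.0.113.5 port 41028 ssh2
Oct 22 10:15:08 bastion sshd[4109]: Failed password for invalid user postgres from 203.0.113.5 port 41030 ssh2
Oct 22 10:15:09 bastion sshd[4111]: Failed password for alice from 198.51.100.7 port 50210 ssh2
Oct 22 10:15:20 bastion sshd[4113]: Accepted publickey for alice from 198.51.100.7 port 50212 ssh2
Oct 22 10:15:31 bastion sshd[4115]: Accepted password for deploy from 203.0.113.5 port 41044 ssh2
Oct 22 11:40:00 bastion sshd[4201]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Oct 22 11:40:09 bastion sshd[4203]: Accepted password for bob from 192.0.2.9 port 33003 ssh2
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(log, year=2021):
    """Turn sshd auth lines into events; syslog has no year, so it is an assumed parameter."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # other sshd messages (disconnects, key errors) are not auth outcomes
        ts, outcome, method, user, src = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "ok": outcome == "Accepted",
                       "method": method, "user": user, "src": src})
    return events


def hunt_password_spray(events, window_seconds=60, min_users=4):
    """Sources that fail for many distinct usernames inside one window: one password, many accounts."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e)
    hits = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["when"])
        best, start = set(), 0
        for end in range(len(fails)):            # sliding window over this source's failures
            while (fails[end]["when"] - fails[start]["when"]).total_seconds() > window_seconds:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits.append((src, sorted(best)))
    return hits


def hunt_success_after_failures(events, min_failures=3):
    """A successful password login from a source that had already failed repeatedly: the guess that worked."""
    seen_failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["when"]):
        if not e["ok"]:
            seen_failures[e["src"]] += 1
        elif e["method"] == "password" and seen_failures[e["src"]] >= min_failures:
            hits.append((e["src"], e["user"], seen_failures[e["src"]]))
    return hits


if __name__ == "__main__":
    ev = parse(LOG)
    for src, users in hunt_password_spray(ev):
        print(f"spray from {src}: {', '.join(users)}")
    for src, user, n in hunt_success_after_failures(ev):
        print(f"password login for {user} from {src} after {n} failures")
```

The second hunt is the one worth keeping: a spray that never succeeds is noise an analyst tunes out, while a password success from a source that was spraying a minute earlier is the line to act on. Note that alice's single failure followed by a public-key login is deliberately not flagged, since the method differs and one typo is normal.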

samstave|4 years ago

CISSP.

A buddy of mine is KILLING it in security - and he got a 30% raise and a $100,000 sign on bonus from his new gig plus a $40K sales bonus less than six months after joining.

But you actually need to be interested in security to succeed.

akerl_|4 years ago

Any company that values certs in InfoSec is not a company you want to work for. There are specific government roles that require certs, and thus there exist good companies that make a token nod to paying for their folks to get certified, but the CISSP isn’t going to teach useful skills and any company that says otherwise is a huge red flag.

Best route depends on what band of security you want to get into. Pentesting? Building systems? Incident response? It’s a big field. But essentially, would recommend getting your hands dirty, go poke at some bug bounty programs to get your feet wet. That’ll help you narrow down what you want to do and get a sense of what attacks look like in the modern era, which are the 2 really useful outcomes.

giantg2|4 years ago

I second the CISSP cert. Seems to be more prevalent or sought after than Security+. I think GSEC is another cert, or group of certs, that I hear about more than Security+ too.

I don't know about the money part. The 120k EUR salary already sounds high to me, and this $100k bonus stuff sounds very high to me also. Maybe these are outliers. The median for an infosec analyst seems to be $103k vs $110k for devs in the US.

https://www.bls.gov/ooh/computer-and-information-technology/...

It's also possible that I'm a jaded pessimist since I'll never make that sort of big money.

eftel|4 years ago

Reading about CISSP, this is listed as a requirement: - Possess a minimum of five years of direct full-time security work experience in two or more of the (ISC)² information security domains (CBK).

Looks more like an intermediate/senior level kind of certificate?

strictnein|4 years ago

You'll also learn about fencing requirements and where fire extinguishers should go.

CISSP is not a cert to get as an entry point into the field.

raesene9|4 years ago

CISSP shouldn't be an entry level cert. Something like SSCP or CSSLP might fit better here.

MattPalmer1086|4 years ago

You need 4 or 5 years experience in a few CISSP domains before you can get it.

So not a great one to pursue at first.

nemexis|4 years ago

how do you even make 120k per year? what kind of software are you developing? what country are you based in exactly? how did you find your clients? sorry for asking so many questions, but I found it difficult to charge such a rate.

eftel|4 years ago

I’m based in Germany. Currently building a webservice with lots of different integrations, mostly Python. We basically build the whole thing, choosing our own stack. On my day-to-day I work on developing the platform but also on integration and lots of management to bring multiple parties on the same page.

I’m charging 100 EUR per hour, which seems in line with what others with the same amount of experience are charging. The client I’m currently working for contacted me through a freelancer platform here in Germany.

With me, there are three other devs working on the platform. I was their “first hire”, leading the team. Other team members charge a bit less at around 75 EUR per hour.

sshine|4 years ago

This is a bit of a tangent, and salary is often discussed on HN.

Companies whose software is important enough will gladly pay that.

There are two ways to get to a significantly higher salary; one is finding out what people who earn more do better than you, and do that, and the other is boldly asking for more. You can do either one or both. I've always felt better having some reason why I should have more. (Also, I always earned $93k-105k. I once had the option to earn $144k doing Drupal, and another time $122k at close to zero tax doing Blockchain, but my biggest career mistake so far was taking a job just for the pay raise.)