19 Nov, 2014

The AppSec Newb’s Journey Part II: Lessons I’ve Learned

by Marcus Richardson

In the AppSec Newb’s Journey series, I want to provide a starting point for those interested in AppSec but may not know where to start. This is the second part of the blog series, so please read Part I if you haven’t done so already.

This past year has led me on an incredible voyage through the world of Application Security. I’ve had so many new experiences, gained so many skills and so much knowledge, and established a foundation for me to further build my career and passion. Naturally, this journey had many bumps, but that’s necessary in any learning process. These are a few critical lessons that you should take to heart when starting out in this field. In no particular order…

Record Everything!

After months of reading, coding, hacking on various goats (WebGoat, RailsGoat, WebGoat.NET), and research, it was time for me to finally get my feet wet as a full-fledged AppSec Consultant.

As I edged into the waters of fuzzing, payloads, and injections, applications would often break, disclose sensitive information, or result in other unusual behavior the app’s developers didn’t intend.

Awesome. But wait, how did I do that?

One of the key elements of conducting AppSec assessments is documenting everything, whether it’s a screenshot, the payload you used, sensitive data revealed, or anything else that may be valid to the assessment at hand. It’s important to remember that this is the information that assists you when writing a report or officially disclosing results to the app’s developers.

It sucks to have to retrace your steps or search through huge logs trying to figure out what you did. It’s even worse when you need this info to replicate a valid finding in order to capture a screenshot.

I document interesting cookies and their values, notable directories, languages, frameworks and their versions, valid payloads, and pretty much anything else interesting that may add value to the testing and reporting phases of the assessment.

So remember, take copious notes!

Watch Convention Talks Online

I’ve had the benefit of attending multiple security and development conventions this year. These events provide a great platform to learn, contribute, and network in the various communities within the security realm. They have definitely expanded my horizons, and I encourage you to attend at least one of the many conventions out there. They are wonderful, but it’s rather difficult (and quite expensive) to try to attend them all. YouTube, of course, contains an endless treasure trove of interesting talks from various conventions from around the world. And it’s FREE!

You get to sit back on your couch and watch talks from DEFCON, AppSecUSA, and DerbyCon spanning years of content. As if you were there, you get the opportunity to learn about new tools, techniques, and vulnerabilities directly from the folks driving the AppSec industry.

I’ve watched many talks on YouTube, and they have all inspired me!

Learn Multiple Frameworks/Languages

You don’t want to be a one-trick pony, so explore the different languages available out in the wild. Even if you’ve mastered a particular language, you should explore the different frameworks that implement it.

Working with various clients who all utilize a diverse range of frameworks and technologies, you will encounter everything. Even if you’ve never fully used the language an app is developed in, you may have used a similar one, and having some knowledge will give you an edge and a starting point.

I started out coding in Ruby and then jumped to Rails to dabble in web application development, but recently I’ve started diving into Objective-C and Swift to gain more knowledge in the iOS app space. Being introduced to Docker (thanks to my colleagues Mike McCabe and Patrick Cooley) piqued my interest in the Go language.

The name of the game is versatility, and that curiosity helps maintain your value as an AppSec Consultant.

Don’t Get Discouraged!

I’ll be the first to admit that there have been times during my AppSec journey when I felt like I wasn’t cut out for this line of work, or that maybe I wasn’t learning fast enough, and started to second-guess myself. These feelings often manifest alongside the bumps in the road, but you have to remember that your hard work pays off in the end. It all leads to that magical moment when you break an application into pieces but are there to help guide the developers as they rebuild their app stronger than before. These moments reaffirm that all your hard work is making an impact on the AppSec community.