
How I started in web security - gkop
https://medium.com/@homakov/how-i-started-in-web-security-400b80824e86
======
hamhamed
Likewise, my story about how I got into and out of security: it really just
takes basic programming knowledge, understanding reverse engineering concepts,
and constantly testing shit.

When I got kicked out of college for my hack (rm
[https://news.ycombinator.com/item?id=5090007](https://news.ycombinator.com/item?id=5090007))
all I did was spam URLs with different IDs and test if they returned 200 or
404... and bam, press coverage + job offers. Sometimes the simplest of stuff can
lead to nirvana.

I'm no longer in security since it was getting very addictive (I would start
testing every website I'd visit for vulns)... and I had to change and decided to
jump into the startup world.

~~~
fmavituna
> ... I had to change and decided to jump into the startup world.

You don't have to choose one of them. I was in a similar position about 6
years ago: software + security background and a passion for startups, which led
me to start my own company
([https://www.netsparker.com/](https://www.netsparker.com/)). We're building a
tool to automate web app security and advance automated scanning in web
apps; it's really fun stuff if you are into security.

The security industry is great for startups and newcomers; another option is
obviously working for a security startup, and there are tons of them.

~~~
kjax
I've actually heard about your product, as someone was using it against a
customer's app portal (on one of our servers). It didn't find an exploit per
se, but it helped us to discover a performance/DoS issue when it would
occasionally start crashing + restart a vhost. So, indirectly, thanks for the
great product!

------
kriro
"""Use your own brain. After all any book is just a list of thoughts of
another guy, who might be wrong."""

"""The text above is preface to a little security book I write for newbie
hackers and web developers."""

I chuckled.

~~~
tbastos
Just goes to show his honesty :-) "One is not to trust my teachings implicitly
but to test them oneself and evaluate their effects." — Buddha (thus making
Buddhism perhaps the only "religion" not plagued by faith and dogma, and kind
of disseminating the scientific method)

~~~
nsomaru
Buddhism is not the only religion not plagued by faith and dogma.

Faith and dogma exist wherever people have outsourced their ability to think.
'Buddhists' do this too, just as some adherents to other faiths do too.

On a side note, the intellectual portions of Vedic literature often emphasise
the need for viveka (knowledge, discrimination) and prashnena (questioning)
which are requisite qualities of a shisya (student). Arguably, much of
Buddhist metaphysics is based on these Upanishadic texts (Vedanta).

~~~
tbastos
Buddha himself was clearly against faith and dogma, and also considered
metaphysics irrelevant to the human condition. If you consider Buddhism to be
the original teachings, then it's obvious dogma has no place in it, and a
person afflicted by dogma could always be pointed to the original teachings.
More religious branches of Buddhism exist, but they are blatant
bastardizations of the original teachings. This is very different from the
situation in other religions, where the original scriptures are the main
sources of dogma galore.

------
daguava
Neat article; interesting that suggestions for sane defaults in Rails were
more-or-less ignored until the problem was demonstrated to easily impact a
wide user base.

~~~
jldugger
That was the source of lolz at the time it happened. If anything, the article
demonstrates how little you need to know to break things. In a way, it's a
miracle anything works around here.

~~~
jacquesm
"If engineers built buildings and bridges the way programmers write software
the first woodpecker that would come along would destroy civilization."

~~~
chrisan
That is kind of unfair :)

Typically infrastructure engineers get to (or rather have to) over-engineer
things. When you build a bridge you don't build something that is _just_ good
enough to hold X cars. You design it to hold X + Y% and/or have Z redundancy.

Most software doesn't put people's lives in danger and thus doesn't get the
budget/resources to put NASA-like engineering into software.

~~~
tonyarkles
A lot of engineering is about meeting requirements while keeping costs down.
As the joke goes... "Anyone can build a bridge that stands; it takes an
engineer to build a bridge that just barely stands"

~~~
enraged_camel
I realize it's a joke, but even then it's not a good one. The reality is
actually the other way around. Anyone can build a bridge that barely stands,
but it takes an engineer to build one that still stands after an earthquake.

~~~
tonyarkles
Uhhhh... see
[https://en.wikipedia.org/wiki/List_of_Roman_bridges](https://en.wikipedia.org/wiki/List_of_Roman_bridges)

I'm not sure if the original designers intended for these to have
multi-millennia design lives, but I bet that they could have been made much
cheaper...

~~~
enraged_camel
If they were made much cheaper, they likely would not be standing today.

~~~
tonyarkles
Precisely! Engineering usually isn't about designing the best X, it's about
designing the cheapest X that meets all of its requirements.

Edit: even if the requirement is for X to be the best in the world (which, as
a non-quantifiable requirement, makes me uneasy), the goal would still be to
do it as cost-effectively as possible.

------
dkhar
I remember when that whole snafu was on the HN front page! :)

(This isn't the exact link I remember seeing, but
[https://news.ycombinator.com/item?id=3666564](https://news.ycombinator.com/item?id=3666564))

------
hackaflocka
I was very intrigued by "Oh, also avoid certifications."

I'm planning to become a solo, freelance, contract worker in IT security.

I have no certs. (I do have a PhD in a computer-related field, though.)

So, how do I convince organizations to hire me in this cert-obsessed world?

