How to improve as a security expert

It is great that you are doing so much learning on your own. You are on the right track. Your enthusiasm to learn on your own will put you a step above a lot of your competition. Kudos.

My main advice would be: don't worry too much about planning out a path through all the material you want to learn. You don't need a carefully thought-out plan. Instead, get your hands dirty, play around, don't be afraid to explore. When you see something that looks cool, follow up on it opportunistically. At first you might be overwhelmed but in the longer run I think you'll find it a valuable experience.

I think one good experience is to engage in a security evaluation of a software system. This would be a fun experience for you. You could pick an open-source web application or web programming framework and do a security evaluation of it: do an architectural risk assessment (what Microsoft calls "threat modeling", with STRIDE and the like), read the code and do security code review, try out some static analysis tools. Then, write up your results and post a blog entry with your evaluation. Do this a few times and I think the experience will be extremely helpful for you.

Another very good experience for you would be to build a non-trivial web application or two. I like web2py as a web programming framework for its ease of learning curve, but alternatively picking something that's more popular (e.g., Ruby on Rails, PHP or one of its frameworks) might be good experience to see what the issues are with common frameworks. Write a web application, with some client-side JavaScript code. Play around learning how to use jQuery or the like. Maybe experiment with Node.js. I think this will be a fantastic way to get exposure to some of the challenges and mindset that web developers are likely to face.

Depending upon your personality, you might find it fun to create a blog and write down fun things you have learned, as you learn them. For many people, the act of writing something out solidifies it in your brain and forces you to understand it better.

You mentioned practicing hacking a web application. Learning how to hack a web application is fun, and it is worthwhile up to a certain point. It's good to have some hands-on experience hacking a web application, to help you think about the risks and to make the concepts concrete. However, I wouldn't make it the primary focus of your learning. Web penetration testing is a lower-end activity these days, with less promising career opportunities, so I wouldn't advise trying to focus your energy on learning to be a web pentester. That's not how I'd advise you to position yourself, if you have the choice (and it sounds like you do).


I can identify with your situation :-)
I've been buzzing around the infosec community for a while now, basically trying to get going with the things you want to do as well. These are some of the pointers I've picked up on how to get your hands dirty.

eLearnSecurity
For me personally, I've decided to go ahead with the course at eLearnSecurity.

http://www.elearnsecurity.com/course/penetration_testing/

It's gaining a lot of traction in the security community for being very practically minded. They also have a setup which they call 'The Colosseum', where you have a playground of vulnerable web apps at your disposal.

This isn't one of those 'certifications for the sake of HR' ones. It's properly useful.

DVWA
You can also take a look at the Damn Vulnerable Web App, created by a mate of mine called Ryan Dewhurst: http://www.dvwa.co.uk/ - sort of like OWASP's WebGoat, but in my opinion better. For example: it shows you the vulnerability, and then the PHP code showing how to prevent it.
A list of other ones like this: https://web.archive.org/web/20160527115615/http://punter-infosec.com/vulnerable-web-applications-to-learn-web-application-testing-skills

Agnitio
This is a checklist-based tool for security code review. You can learn a lot from it. In general, take a look at SecurityNinja's (David Rook) blog, it's full of good stuff.

https://web.archive.org/web/20160427080011/http://www.securityninja.co.uk/application-security/agnitio-v1-2-released-today/

EH-NET
Check out http://www.ethicalhacker.net, there are tons of good pointers in there.

Challenges/wargames
These are good for obvious reasons: practice, practice, practice. There are a lot of them, and the good ones have levels for both beginners and beyond.

http://www.thehexfactor.org/
https://web.archive.org/web/20160406111843/http://www.iriss.ie/iriss/hackeire.htm

I hope some of this can be of use to you. Cheers!

P.S.: Sorry about the links not being links, apparently I'm not allowed a lot of links because my reputation isn't high enough (this is my first answer).


http://google-gruyere.appspot.com/ provides some practical problems you can work through.

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

  1. How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
  2. How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.