My name is Nick and I’m a Web Security Analyst with SiteLock. After completing my first year in the cybersecurity industry I wanted to share my perspective on how to acquire the skills and knowledge necessary to break into this rapidly growing field.
The number one question for aspiring cybersecurity professionals is always some form of, “How do I get into cybersecurity as a career?” This question was the first thing I searched for in Google when I started looking in 2016, and I must have been pulled in a dozen different directions trying to get my foot in the door. However, as someone who didn’t have a traditional background in development, server administration, or cybersecurity, I needed to learn quickly to get up to speed. Along the way, I was fortunate enough to join the SiteLock team whose area of expertise is website security. My goal for writing this blog is to provide guidance for others who are interested in cybersecurity, especially website security.
Whether you want to test sites for vulnerabilities or build up the defenses that prevent attacks, becoming a cybersecurity professional requires being able to understand how a technology works, as well as its strengths and weaknesses. When it comes to website security specifically, cybersecurity professionals focus on the following technologies: Linux/Apache web servers, web development, and interacting with websites programmatically.
Before diving into why learning these topics is necessary, I want to preface the next section by noting that there’s a lot to learn within each technology, and each one of these topics is a career field in its own right. The amount of time you spend learning each subject is up to you, but in the long run, having a solid foundation for each will be worth your while.
A Linux operating system, combined with an Apache web server, is the most popular operating system and web server software combination in use. This means getting comfortable with Linux and Apache is a must. Learning the basics of server administration tasks and configuring web servers is going to give you a much deeper understanding of the infrastructure that runs websites at the server level.
Start out by installing Linux, which will be the base operating system of your server. Once this is complete, learn how to use the command line to perform tasks such as manipulating files and directories, creating users and groups, and installing additional software and tools. After this, you can install the actual Apache web server software and configure it so you can start building your own websites.
The process of getting your server set up is crucial to understanding how the underlying technologies provide the foundation that a website is built on. Learning how to use the command line is important as well, because many servers in a production environment do not use a graphical interface where you can click around and work visually. Instead, they use a command line environment to perform everyday tasks. Installing and setting up an Apache web server yourself is going to help you understand what exactly a web server does and how it handles serving content on the web.
Next, build a “dynamic” website that requires using a server-side language to handle backend programming logic and a database for data storage and retrieval. A very popular duo is PHP for server-side programming and MySQL for database handling. Start by building something very simple, such as a small website that can take user input, store that info in a database, and then retrieve it and display it back on the web page.
After you’ve become familiar with the model of a dynamic website, it’s time to move on to a content management system (CMS). A CMS is a pre-developed framework or set of web programs that helps a developer create websites and manage their web content in an easy, streamlined process. I highly recommend starting with WordPress, as it is by far the most popular CMS on the web. Working with WordPress is really going to help solidify the dynamic website model, as it is built entirely around PHP and MySQL.
Setting up your own websites will give you a deeper understanding of how the popular models for developing them actually work. Along the way, you’ll run into problems that will help you understand how and why so many web applications and websites are vulnerable.
At this point, you should have a pretty solid understanding of web servers and basic web development. Your last task will be learning how to interact with websites via a programming language. There are many options, but I recommend Python as it is a very popular choice in the security industry, and its syntax is quite simple. The focus should be on learning how to craft custom HTTP requests and getting familiar with the responses a server sends back to you. Most security tools for testing websites and web applications are going to require understanding both of these topics. In order to get more familiar with web programming, you can perform simple tasks, such as building tools like web scrapers to collect data from a website, or building a script that will automatically log you into a website that you use regularly. Both of these will teach you a lot about how to handle and parse web responses, as well as how to craft HTTP requests.
As you can see, we haven’t yet scratched the surface of web attacks. We first need to set up the foundation needed to practice and understand security concepts. Once you have these fundamentals down, learning web security will be much easier, as you’ll know how websites and web applications work at a low level. Next, we’ll explore how to apply what we’ve learned by using actual security tools and testing websites for vulnerabilities. Stay tuned!