Whichever domain you choose in the Cybersecurity umbrella like Application Security, Cloud Security, or DevSecOPs; there are common skills that one must learn to excel in this domain. I have explained what you need to learn in those common skills here
So, I will explain where to study and how much time you should devote to learning those concepts in these common skills so that you are job-ready and interview-ready too!
These 5 common skills are:
- Linux (1-2 weeks)
- Networking (2-4 weeks)
- Programming Fundamentals (4-8 weeks)
- Cloud Computing Fundamentals (3-4 weeks)
- Essential git commands (1 week)
- And remember Networking matters
It should not take more than a week to be comfortable with basic Linux commands to do day-to-day activities. Once you are comfortable with basic commands, go for networking and other security-related command in little depth.
Bug bounty hunters, Penetration testers, and almost all tech-focused security professionals use O.S. like Kali Linux, Parrot OS, or BlackArch Linux which have lots of security tools to play with. But for that, you would need to know the basic workings of Linux and commands.
- awk
- cat
- cd
- chmod
- chown
- cp
- curl
- dig
- du
- df
- echo
- export
- find
- grep
- head
- history
- host
- ifconfig
- kill
- less
- locate
- ls
- man
- mkdir
- more
- mount
- mv
- nslookup
- ping
- ps
- pwd
- rm and rmdir
- scp
- sed
- service/systemctl
- sort
- ssh
- sudo
- tail
- tar
- top
- touch
- uname
- uniq
- wget
- whois
- whatis
- w
- wc
- zip
What else can you think of as common Linux commands for everyone?
- netcat
- nslookup
- host
- dig
- netstat
- traceroute
- nmap
- nikto
- fierce
- dirb
- install/uninstall/update/upgrade
- find
- grep
- ifconfig
- learn the basics of regular expression as well.
- start and stop services
- basic understanding of /opt /tmp and log server locations
- comfortable running scripts written in various languages like Python, ruby, go, etc.
- Introduction to Linux Commands and Scripting
- Linux Fundamentals for Security Practitioners: Recommended
- Linux for Ethical Hackers: Recommended
- Hacking for beginners: Linux and Common Commands
- 50 most popular Linux and Terminal Commands
Except for the Audit and Compliance role, I assume almost every security professional needs to have a basic to intermediate understanding of Computer Networks to excel in its domain.
What to learn and what interview questions related to this are already mentioned in what you need to learn in those common skills
- IPv4/IPv6
- concept of CIDR
- IP addressing and subnetting
- Public vs Private IPs
- TCP/IP Model
- DMZs
- Zero Trust Networks
- Common ports and protocols like 22, 25, ssh, https and so on.
- Understanding of common cryptographic modules and functions
- How DNS works
- How SSL works
- What are the common network threats around these
- MiTM
- Network sniffing
- Various TCP attacks
- DoS and DDoS attacks and its preventions
- Common ideas on firewall or Software-defined networks
- Basic network troubleshooting like why the internet is slow or down, why wi-fi is not working, open network issues et al.
- See if you know basics as mentioned in this presentation
- Computer Networking: A Top-Down Approach by Kurose and Ross: Recommended
- Networking All-in-One For Dummies
- Computer Networking by georgia Tech on Udacity: Recommended
- Bits and Bytes of Computer Networking by Google on Coursera
Recently, it has become a mandatory skill for any tech security job role to have a decent knowledge of at least one programming language. Common Programming languages that attract security folks are:
- Python (recommended)
- Go (gaining popularity)
- Ruby
What you should try when you are learning any of these programming languages:
- Learn basic concepts
- Try a few basic projects like
- connecting to DB and get some data
- extracting data from a webpage
- display some info from the cloud like AWS Instance details region-wise
- automate few security stuff like docker monitor, get public IPs, server details, etc
- See if you can find any task related to CSV, JSON
- Learn the use of crypto modules
- simulate a few Linux or other commands to be comfortable with the language like a small nmap simulation
- Understand the OOP concept and at least you should understand others' code comfortably
- Try to review the source code from a security perspective
- Read Python Security Best Practices
- Learn Python 3 the Hard Way - Recommended
- Violent Python
- Black Hat Python - Must Read
- Full Stack Python Security - Must for AppSec Professionals
- Masterting Python for Networking and Security
- Python Security Best Practices
- Security Checks for Python Code
- Intro to Python for Security Professionals
- Python for Cybersecurity Specialization
- SEC573: Automating Information Security with Python
- Python for Pentesters
Cloud Computing is everywhere these days be it Industrial, Pharma, Finance, IT etc. Sooner or later, it will be a mandatory skills to have for any cybersecurity job roles.
Learn any of the famous CSPs like AWS, Azure or GCP and
- try to understand the use of it to solve various traditional challenges and
- then try to understand what are the new security challenges added because of Cloud concepts.
- Understand various service and deployment models
- Shared Security Responsibility
- Microservices
- IAM functionalities (Must understand very well)
- Data Encryption
- Cloud Networking concept is very important to succeed in Cloud Security
There are separate plans for Cloud Security Study Plan as listed below:
- Cloud Computing for Dummies
- AWS in Action
You must understand any of the Version Control Software and git is one of the famous one at present. Don't go for gui version like sourcetree rather try to learn and understand common git commands at terminal level.
- git clone
- git add
- git commit
- git branch
- git pull
- git fetch
- git merge
- git push
- git config
- git log
There are many job roles/titles which make it as a mandatory skill, such as:
- Application Security
- Penetration tester
- DevSecOps
- API Security
- Security Engineering
- Pro Git by Appress - Highly recommended
- Beginning git and github by Apress
- github cheatsheet
- git and github for beginners - crash course by freecodecamp
- git fundamentals for beginners - full course for free by Flexmind
- Git Fundamentals for everyone on Udemy
- Version Control with Git by Atlassian on Coursera
- Learn git and github by codecademy
Once you are on track and now understands the heat, it's time to:
- Make some good LinkedIn contacts from the application security domain.
- Find a mentor or follow someone who shares blogs, tutorials, talks on these topics.
- Make connections through various security conference online/offline
- Publish some good appsec articles, may be basic concepts, but you must publish. Choose medium.com or something of your choice.
- Join webinars, conferences, newsletters.
- Help someone who is still a beginner or struggling to understand appsec concepts. You will even learn better while guiding/helping others.
By the time you cover all these checklists, you will be already on a way to have a good start in a web security job role. All the best!