
Security

Projected Time

90-180 minutes

Prerequisites

Motivation

Apprentices will learn about security roles, typical challenges, and how to break into the field.

Objectives

Participants will be able to:

Specific Things To Teach

Materials

Understanding the Field

What Kinds of Security Jobs Are There?

As a software developer of any kind, you'll need to know the basics of securing your code. But there are also specialized roles in security.

  • Cybersecurity job titles and short descriptions

  • Many organizations, whatever their domain or product, have positions that are specific to security, so you can specialize in security without joining a security company. Security roles exist at all kinds of companies.

    • Eventbrite, a python shop whose product handles event registration and promotion, is "looking for a Security Engineer to assist with security initiatives, project consultation and risk assessments. You will assess threats and vulnerabilities, analyze data and code, oversee testing and deployment, and ensure ongoing monitoring."
    • Sample systems security job description [Workable]
    • Organizations also often need non-engineering roles to govern the security or trust of their software. Trust & abuse teams handle misuse of the product (spam, fraud, harassment, account takeover) that drives other users away. Large companies often have risk & governance positions whose job is to identify the company's largest risks; a "cybersecurity risk & governance" professional assesses a company's software risks so that security work can be prioritized accordingly.
    • Forensics and investigations: reconstructing what happened during an incident from evidence such as logs, disk images and memory captures, and documenting it well enough to support a response or a legal case.
  • Other companies focus on security. These will have security roles, R&D roles, as well as more general software developer roles. If you wanted to work on security, such an organization might make sense. Or if you're interested in security, but still want to work as more of a generalist, you could work on a product that's security-minded.

    • Endgame needs security engineers and researchers, since it's a provider of enterprise security software, but it also has a web team for its product.
    • Still other organizations deliver "white hat hacker" services such as penetration testing. "White hat" hackers are hired to attack systems in order to discover vulnerabilities before "black hat" hackers find them, and deliver their findings to the client in a report. The target can be software the client has developed or is bringing in from outside; it can also be an internal or external test of the client's network. This is even more specialized, but interesting!
    • Security consulting firms will often offer many roles as contract services or managed services embedded within a client organization, including pen-testing, code auditing, network analysis, system design, and reverse engineering.
    • Research-oriented work can range from threat research and bug-hunting to application, protocol, and malware analysis. Example analysis of MQ software used by backend systems.
  • Bug bounty programs pay outside researchers for responsibly reported security vulnerabilities in a company's products, and are a common way to get hands-on experience before holding a security job.

    • One aggregator of bug bounty programs: bugcrowd

Common Mistakes / Misconceptions

Guided Practice

something step-by-step & straight-forward

Independent Practice

something to do on your own or with a partner

Security Conferences

People to Follow