So... you want to be a security consultant


So... You want to be a Security Consultant?

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/december/so-you-want-to-be-a-security-consultant/[7/13/2015 1:01:46 PM]


What's a Security Consultant? What do they do? Thinking of getting into the security profession but don't know how? Looking for resources that can teach you the basics? If you are searching for answers to these questions, then this blog post is for you.

What is a Security Consultant?

You're interested in a career as a computer security consultant. Great! What does that mean, exactly?

For our purposes, a computer security consultant is someone who assesses software, networks, and computer systems for vulnerabilities.

Security consultants must play the role of both the attacker and the defender; we are required to find and potentially exploit vulnerabilities, but we also have to figure out the best way to eliminate the vulnerability. We pride ourselves in recommending practical security fixes and enhancements that make sense for each individual client.

Why Security Consulting?

Why would someone want to become a security consultant? Some enjoy the challenge of thinking outside the box to find application flaws in the deepest layers of the code. Others enjoy the freedom to research topics that interest them and present their findings at conferences all around the world. Some people simply like to find flaws in commonly used software, while others appreciate the opportunity to learn from a myriad of deployments and architectures.

You will have a lot of creative freedom to approach problems your own way while also learning at an incredible pace. As a security consultant, you will be exposed to all different types of programming languages, which inherently bring different attack surfaces into the picture. In addition, you'll also deal with the different ways software and systems are put in use by organizations. This exposure to different technologies and products is a huge advantage and distinguishing factor of being a security consultant.

Our work is also meaningful. In a short period of time, we identify vulnerabilities and help customers fix the issues. Customers listen to us, and even a short engagement can lead to significant security improvements. In a year, you would likely work with 15-25 different customers and cause four to six years' worth of engineering effort that fixes critical security issues. Plus, being a security professional is cool... at least we think so!

Sounds Great! How do I get started?

Apart from basic knowledge of systems, security, networks, protocols and other computer science topics, being competent in one or two of the categories listed below will be helpful in getting a start in the industry.

Practical Development using C#/Java/Python/Ruby or any other major language

Web Application Security

Network Security Assessment

Mobile Device Security

Source Code Review

Low-Level Application Security

Binary Reverse Engineering

Cryptographic Analysis

Exploit Research and Development

One nice tool in your toolkit is the ability to write scripts or programs in a language of your choice - this will help you when no existing tool fits your need exactly. Python and Ruby are examples of scripting languages that can help automate tasks, analyze data, and create proof of concept exploits.

If security consulting is something that entices you but you don't know where to begin, here are some resources that can help you get started.

The following books contain generic information and cover a broad range of topics on all things security:

The Art of Software Security Assessment: Identifying and Preventing Security Vulnerabilities, ISBN-10: 0321444426

Gray Hat Hacking: The Ethical Hacker's Handbook, 3rd Edition, ISBN-10: 0071742557

Security Engineering: A Guide to Building Dependable Distributed Systems, ISBN-10: 0470068523

Secrets and Lies: Digital Security in a Networked World, ISBN-10: 0471453803

Once you have chosen a particular track and want to get deeper into it, the following resources contain more targeted information:

For Web Applications

You should know about The Open Web Application Security Project (OWASP)

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, ISBN-10: 1118026470

The Tangled Web: A Guide to Securing Modern Web Applications, ISBN-10: 1593273886

For Binary Reverse Engineering

A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security, ISBN-10: 1593273851

Reversing: Secrets of Reverse Engineering, ISBN-10: 0764574817

Hacking: The Art of Exploitation, 2nd Edition, ISBN-10: 1593271441

Malware Analyst's Cookbook: Techniques for Fighting Malicious Code, ISBN-10: 0470613033

For Network Security

Network Security Assessment: Know Your Network, 2nd Edition, ASIN: B0043EWVC4

Hacking: The Next Generation (Animal Guide), ASIN: B002OFAY5A

Network Security: Private Communication in a Public World, 2nd Edition, ISBN-10: 0130460192

Metasploit: The Penetration Tester's Guide, ISBN-10: 159327288X

For Cryptographic Analysis

Dan Boneh's online course on Cryptography 101

Practical Cryptography, ISBN-10: 0471223573

Modern Cryptography: Theory and Practice, ISBN-10: 013288741X

Getting some hands-on experience always helps. Apart from the lab work done in courses at school, there are other common resources which can help you gain some experience, like participating in Open Source projects (security or otherwise). Moreover, competing in "Capture The Flag" tournaments is another great place to start. They challenge your skills, help you develop specific interests and are becoming increasingly popular. Competing in CTFs will introduce you to the tools of the trade and show you how to use them. A comprehensive list can be found on the Reddit sub-forum located here. If you are new to CTFs, start with NYU: Poly's CSAW CTF, which is designed specifically for beginners but ratchets up in difficulty the better you do.

There are also applications and tutorials available online which could be useful in understanding the basic concepts. Here's a short list to get you started:

OWASP WebGoat

Smash the Stack Wargames

Google Gruyere

Lena's Tutorial for Reverse Engineering

Metasploitable

Damn Vulnerable Linux

Over the Wire Wargames

Hack This Site

CryptoOMG

Security Tube

The security field is constantly changing as new technology emerges, so you need to stay up to date with the latest information. Twitter is an awesome way to get current information extremely quickly. There are numerous security lists which provide current information. The Information Security News and Discussion subforum on Reddit (/r/netsec) is another good read. There are sites such as Packet Storm Security, Offensive Security, InfoSec Institute and SecList which provide a lot of useful information. The BlackHat security conference is a top-tier conference to follow - it's expensive to attend on your own, but every year they publish the talks in their archives. Another way to aggregate information and keep up to date is following RSS feeds. (You can build a good RSS feed by collecting the feeds from interesting posts in /r/netsec.) Dan Guido, a former iSEC employee and security professional, teaches a few courses at NYU: Poly and publishes the course materials online. This course covers a wide variety of topics which include web hacking, network penetration tests, fuzzing, reverse engineering, code audits, and more.

The security community is relatively small compared to the rest of the technology industry; networking with people at local conferences and meet-ups can be beneficial. Not only will it build up your professional and social networks, but it can also bring you up to speed on the latest talks, research, current topics, tools, and techniques. OWASP has chapters all around the world, and there are city-specific meet-ups as well: NYSEC in NYC, ChiSec in Chicago, BaySec in SF and BeanSec in Boston are examples of local security groups. You can always search online for conferences and meet-ups in your location. Some of the conferences across the USA that have great casual atmospheres for meeting folks are Defcon, DerbyCon, SummerCon, ToorCon, AppSecUSA and local BSides conferences. A more comprehensive list of conferences can be found here and here.

I'm Interested! Where can I sign up?

If you've made it this far and this work sounds exciting, you should consider applying for the open positions that interest you. iSEC Partners is a great computer security consulting company that primarily does application penetration testing. We value employees who not only have deep technical knowledge, but actually care about helping companies improve their security, and in turn helping end-users. We want people who love thinking about security, want to learn new things, and have a passion for technology. At iSEC, you will be working on a wide variety of projects ranging from web and mobile applications to infrastructure tests and native applications. As mentioned earlier, a security consultant is exposed to a wide variety of systems and software, written in different languages, and with variations in their architectures and implementations. Every consultant at iSEC gets the benefit of exposure to the wide variety of applications and networks we work with and the opportunity to grow their knowledge and skills accordingly - an opportunity you won't get in many other places.

Published date: 18 May 2012

Written by: Anson Gomes