The Ropper's Guide to Breaking Into Security

While there are fewer resources on breaking into security than there are on breaking into the tech field, the fundamental problem remains the same: if a new student is pointed at a list of resources and told they should be able to teach themselves, no benefit has been provided to anyone.

There are arguments in defense of finding the answers yourself, and that is why Roppers does everything we can to not hold your hand the entire time. However, we point at exactly where your next step in the journey should go and give you the best resources possible. If you want to skip this rant and get directly to my list of things worth doing, click here.

Because reading things makes us feel good and we learn things, if you are going to read anything on starting a career in information security, my recommendation is that you read this series of essays by Lesley Carhart. (But don’t read it just yet; wait until you finish this article. Please.)

Fun fact about Roppers Academy: it originally started as a Google Doc named “what jobs can you do”, and the first link was the one above. The next step from that Google Doc was deconstructing what Lesley (and all of the other 500 people who have written one of these articles) recommend. 6 years later, I’ve deconstructed it into a repeatable, self-guided, and most importantly free pathway.

If you want to read a second article, here is one from Daniel Miessler.

Now, reading those feels good, but listen to me: take everything that they say to heart, and don’t look for any more articles on starting an infosec career. When one pops up in your browser, ignore it. When someone posts a list of resources, ignore it. As much fun as they are to read and bookmark, they won’t improve your ability.

What will improve your ability is to follow this path I am about to lay out for you.

  1. First things first, learning computing fundamentals comes before breaking into security. You need to ensure that you have a good technical baseline in at least programming, Linux, and the web before you try to teach yourself security-specific knowledge. It is largely agreed that the best way to prepare yourself for the unique challenges of people, processes, and technology that infosec creates is spending a few years in a help desk role. You should seek out those roles if you can, but because that might not always be possible, the best way to learn the fundamentals on the internet is my Ropper’s Computing Fundamentals Course. Don’t think there is a right or wrong way to enter the field; just make sure you can tread water technically before jumping into security.
  2. The next thing is to learn networking, and I mean actually learn networking. Do the Roppers Learn Networking with CTF course. It’s not done yet, but the brief “Do this Now” section is the best start.
  3. The next step after attaining enough technical knowledge to be dangerous is to build a home lab. This doesn’t mean you need server racks, just at least a computer that can run 2+ VMs at a time. Do this: CyberWox Home Lab Course
  4. Alright, that stuff was great, but now it’s time for you to really dig down and spend time on the stuff the VM Labs Training went over. I gave you a nice short tutorial last time because I wanted you to do it. Now for the actual work: dedicated, deliberate practice over a long period of time. This doesn’t require anything more than setting up a Security Onion VM and learning how every tool on it works, then downloading Kali, launching attacks from it, and looking at the logs created in the Security Onion VM. Doing nothing more than that consistently will make you an expert in a short period of time. However… there is a significantly better way than trying to teach yourself. You’re here because I point you to the best resources, and the best resource is @da667’s Building Virtual Machine Labs: A Hands-on Guide (Second Edition). It’s pay what you want, and there is literally nothing out there that compares to this book. Find what seems interesting, set it up, then attack it. Focus on the defensive tools, create logs, look at logs, and get to know your network. This book uses Splunk instead of Security Onion, but guess what: the real world uses Splunk, so you’re training the right way. There isn’t a company in the world that wouldn’t be impressed by someone who used this book to train.
  5. Finally, you are going to get very good at Python and write a couple of tools in it that have a security theme and will make you learn how to program well. As a side benefit you will learn how all the tools on Kali work under the hood (unlike everyone who uses Kali).
  6. As you go, do writeups, throw them on your portfolio website, and once you’ve hit a good plateau point, update your resume. Send me your resume, I’ll give you feedback, and if I am happy with the quality of work you’ve done, you put me down as a contact for your job search. Deal?

For links and more information, check out the Roppers list of things worth doing.

Now you might be thinking… “what about CTFs? Isn’t that this guy’s whole bit?” Well, I’ll be honest here: CTFs won’t get you hired, and you definitely don’t need to do them to be good at security. Sure, the average person who spends their free time on a computer doing CTFs will be more technical than someone who doesn’t spend their weekends in a dark room, just as a function of time put in. CTFs and their contrived problems are far from the most efficient way to learn, but for me and many other CTFers, it’s the most fun way to do it. So no, officially, I do not recommend playing CTFs to get hired. Do it to challenge yourself, do it to make friends, do it because you want to learn, but don’t do it because you think it will help you get a job. Enjoy your weekends, please, you deserve them.

I know this was a bit of a rant, but this is what you need to do. If you do these things, you will be more than qualified for any entry level job, and you will crush any interview you get.

It’s a lot of work, but you know what to do, you can do it, and I’m here to help.

If you have thoughts, questions, comments, whatever, hit me at d.m.devey@gmail.com or on Slack.

Stay stoked, Dennis