I just finished my first year working as a security engineer and wanted to give a recap of all the things I did to get into my current role. Breaking into any industry is a mixture of luck and preparation.
I was in college, studying computer engineering with the goal of focusing on cybersecurity. While I was studying I got an internship working for a small startup with one other developer.
I was there part time while in college when Covid-19 hit. I was continuing my studies until I got a job as a Jr. Full Stack Developer. It was my first salary job and ultimately I made the decision to drop out of college once I finished my semester.
I found the job through a referral and never thought I’d have a chance at success. I managed to do really well on the technical challenge (to the point where they thought I cheated). The challenges tested skills that I had learned from my part-time developer job, and studying a new language the week prior.
As a Developer
I told my boss during the interview that my goal was to join the security team. Shortly after joining I met with the security team and asked what I could do to learn more about cybersecurity.
They recommended I check out PortSwigger, as they have a variety of learning materials and hands-on labs. It was incredibly helpful and taught me a lot. I haven’t finished all the labs and still go back when I get time.
It was great that I found a good boss that took my input to heart, and my future manager was very helpful throughout the whole process.
1 Year Later
Nothing really happened. I spent a year as a developer learning when I had time and no progress was made. I decided to remind my boss of my goal and he started to give me more security cards to work on. They were simple vulnerability fixes and security features.
After working on security-related things I started to talk more with the manager of the security team and tell him about my interest in joining the team.
My First Vulnerability
I found a business logic vulnerability that was a P2. It was a great feeling. I wrote a giant report in my excitement (haven’t written one that in depth since). Sent it to my boss and the security manager. They were very excited for me and let me fix the vulnerability within that same week.
Due to all the practicing on PortSwigger academy I was able to identify the vulnerability and make a PoC using Burp Suite, the tool I had been learning to use.
It was very eye-opening, and soon after finding the vulnerability I reached out to my boss again. I asked about my upcoming promotion from Jr. Developer. He told me that he already had a plan.
Within a week, the security manager invited me out to a security team outing. After a few months, my end of year promotion turned into the role I am currently working at.
To reiterate, getting into any industry is a mixture of luck and skill. You just need to be prepared to execute when you get a chance. I got a lucky chance to move into a full-time role while doing great on the technical interview. I got lucky to be in a company that allowed me to move to a different team. I got lucky to have a boss that allowed me to do security stuff while in my role.
My recommendation would be to reach out to people you know who can refer you or give you a helping hand. Using your network is one of the easiest ways to get any job. You can also follow my Twitter for a post about the next time we are hiring.