
I'm a web developer with about 7 years' experience, but for the last 12 months I've been getting into cyber security, so I've started implementing secure code practices and OWASP good practices at work. I've been preparing to do my OSCP and I've done a few CTFs, because pentesting seems really interesting, although I think application security is more me.

I've noticed app sec guys don't have/require large collections of certifications like pentesters do.

1) Apart from reading the Web Application Hacker's Handbook, implementing OWASP secure methodologies and doing CTFs, how else can I get into application security without purchasing the PWK course (OSCP)?

2) Is it worth taking the OSCP to become an application security specialist, or any other cert?

3) What's the big difference in terms of daily job tasks between network penetration testing and web application security?

S.L. Barth
N3000

1 Answer

1) Try the 'Natas' wargame on OverTheWire.org; it is good for learning concepts and seeing them in action. They have a bunch of insecure applications that you can practice exploiting. Also, OWASP has a practice (insecure) application to test called WebGoat.

2) The same company (Offensive Security) who offers the OSCP also offers the OSWE (Offensive Security Web Expert). I would definitely recommend taking the OSWE if you are looking to go the application route. The OSCP touches the application side but is more focused on the network.

3) Application security engineers are going to be working strictly on applications/code. Network testers work with the entire network. A network can consist of PCs, Servers, Routers, Firewalls, Switches, etc. So they are going to focus more on the network design, how an attacker can move around the network and exploit the machines on it. Application will be solely focused on a specific application/software.

WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Natas: http://overthewire.org/wargames/natas/

OSWE: https://www.offensive-security.com/information-security-certifications/oswe-offensive-security-web-expert/

nd510
  • Thank you for that info. I've used WebGoat and VulnHub, but I'll check out Natas. The OSWE is only available a few times a year and held in the USA; unfortunately, as I'm in the UK, this is not a possibility, but it does look really good. I might stick to the OSCP for now, or CREST, as CREST is highly recommended in the UK I guess. Do web app security specialists generally have to place shells on systems and escalate privileges, or are these things mainly what infrastructure pentesters do? – N3000 Mar 18 '17 at 10:01
  • @nathan123 No, you won't be doing that as a web app security specialist; that would be for the network pen testers. But if you were to receive your OSCP, you would definitely be qualified to do that stuff. I don't see how the OSCP could hurt by taking it for you; it'll be a step in the right direction and prove you have a deep understanding of more than just applications. With the combination of the OSCP and your coding background, you should have no problem landing a job as an app sec specialist. – nd510 Mar 18 '17 at 10:48