I want to be web security consultant?

Question

If I want to be very good at security and especially web security, then must I learn languages? I mean things like PHP, C#, java, etc? If not then what should I learn exactly? and do you know any good book for a beginner?

Answer 1

Security is a complex topic. It involves being able to understand complex systems, work with people, and solve problems with technical, social, and business solutions.

For books, I liked "CISSP All-in-One Exam Guide" by by Shon Harris. It covers the basic theory of security and many sub topics. A great history of IT Security theory can be gleaned by reading Early Computer Security Papers.

I would prefer security experts to know a broad range of relevent topics, because failure to understand a relevent domain can lead to subtle vulnerabilities. However, I was taken to task by Graham Lee, who pointed out diminishing relevance in my list of topics.

First off the three essential components of security are availability, integrity, and confidentiality. Others would add in authenticity and non-repudiation, but I would focus on the first three for someone who is just getting started.

Web security covers all the components, actors, and processes involved in web applications. The major components are the web server, the web browser, and the network connecting web browsers to web servers. The major actors are the web browser user, the web site administrator, the network administrator, and the web application creator. Note that there are typically many people filling a specific role, and there are many more roles.

I'm trying to keep specifics short, so I won't include everything. Specifics are as of this posting (mid-2011).

Web browsers

• the web browser application: popularity, features, vulnerrabilities, etc
  • Specifics: Internet Explorer, Firefox, Chrome
• user's operating system (what the browse application runs on)
  • Specifics: Windows XP, Windows Vista, Windows 7, Ubuntu Linux, Mint Linux, Fedora Linux
• browser layout engines
  • Specifics: Trident (Internet Explorer), Gecko (Firefox), WebKit (Chrome)
• Javascript engines
  • Specifics: V8 JavaScript engine (Chrome), TraceMonkey (Firefox), Chakra (Internet Explorer 9), Jscript (Internet Explorer 8)
• Java virtual machines
• Operating system theory: execution environment, process control, memory management, filesystems, IPC
• user's network stack: IPv4, IPv6, TCP, UDP, ARP, RARP, DNS, HTTP, HTTPS, FTP, WebDAV
• user's network connection: ethernet (IEE 802.3), WiFi (IEE 802.11),
• cryptography: symetric key cryptography, public key cryptography, certificates, certificate revocation lists, Certificate Authorities, and hashing.
  • miscellaneous: black lists, white lists, sandboxing, downloading, password management, caching, and updating.

Network

• network hardware: router, switch, bridge, hub, firewall, proxy, Network Attacked Storage (NAS), Wireless Access Point, SIP servers, VPN servers
• network protocols: ethernet (IEE 802.3), TCP, UDP, IPv4, IPv6, IPSec, IGMP, WiFi, ARP/RARP, ICMP, IGMP, BGP, RIP, SNMP, SMB, DNS, DHCP, FTP, HTTP, LDAP, MIME, NetBIOS, POP3, RADIUS, SSH, SIP, SMTP, SOAP, WebDAV)
• network configuration and architecture

Web server

• http servers
  • Specifics: Apache, Microsoft IIS Windows Web Server, nginx, Google Web Server, lighttpd
• operating systems (what the http server runs on)
  • Specifics: Windows Server 2008, Windows Server 2003, Windows XP Professional, RedHat/CentOS, Ubuntu/Debian, SuSE/openSuSE
• programming languages (used to write http servers, operating system, frameworks, etc)
  • Specifics: C (Apache), C++ (IIS), Java, JavaScript, PHP, C#, Python, Perl
• business impacts (usability, updates, changes, software life cycle, user avoidance and circumvention, user education)
• databases (relational, objet oriented, architecture, distributed, transactional, SQL, management, security)
  • Specifics: MySQL, Oracle, Microsoft SQL, PostgreSQL
• cryptography (symetric encryption, public key encryption, hashing, random number generation, salts, digital signatures, HMAC, AES modes of operation, initialization vectors, key generation, key distribution, key revocation, certificates)
• network (firewall rules, DMZ architecture, proxys, load balancing, Single Sign-On authentication passing)
• server management (user accounts, patches, upgrades, logging, log review, Intrusion Detection Systems [IDS])

Communication

In my opinion a good consultant (of any kind) is an effective communicator.

• Technical design presentations and reviews
• Solution pitches
• Business case reviews
• Whitepapers
• User education presentations

Other nice to have areas:

• computer hardware architecture (CPU, RAM, Disk drives, video displays)
• peripheral busses (USB, FireWire, RS-232, I^2C, PCI, SATA, SCSI, Bluetooth)
• CPU architecture (operating states [protected mode], I/O bus, registers, MMU, TLB, pipelines, and interrupts)
• operating systems theory (kernel types [Monolithic, Microkernel], drivers, memory management, file systems, process control, threads, scheduling)
• programming language theory (interpreters, compilers, machine language, symbol tables, dynamic libraries, dynamic linking)
• executable file formats (ELF, PE, COFF, a.out)
• database theory (relational, objet oriented, architecture, distributed, transactional, SQL, management, security)
• file systems (fat32, NTFS, ext2, ext3, linux swap)

Answer 2

It depends on what 'good at security' and 'good at web security' means to you.

If you want to help people find flaws in their work, then you'll want to know the languages they use at least on a level comparable to theirs (though presumably with a different focus)

If you want to analyze systems, then you'll want to learn how systems interact (again from a security perspective). In this case the specific languages don't matter as much as the details of the interactions (APIs / protocols)

As far as 'a good book', I would recommend reading as wide a variety of books / documents as you can. IMHO 'good' security comes from experience / breadth and depth of knowledge. If there is a book that you think might impact on something you're interested in, read it. Even if you only skip to the 'good bits', having another viewpoint will have benefit.

I personally would suggest reading things by Dan Kaminsky and Bruce Schneier for mind-opening takes on security. Mr. Schneier is probably a bit easier of a read, while Mr. Kaminsky has deep knowledge and sometimes breaks my head. I like to think of security from a systems perspective, so this selection might show a little of my bias (notably neither of the above authors has a strong focus on 'web security' per-se.)

Answer 3

A great book for a beginner are the Security+ preparation books as they provide a great, broad discussion of many different topics in the security field.

As far as a language is concerned a great security professional knows a vast majority of languages as it allows them to react to different needs. If it is your first language, I would recommend C++ and then later Python. There is a fabulous book on Python and its use in security titled, Gray Hat Python: Python Programming for Hackers and Reverse Engineers. I might also recommend the CEH test book and the CCNA test prep. These are a few books I couldn't go without.

Hope this helps.

Answer 4

This looks promising: http://mdsec.net/

"Online training labs from the authors of The Web Application Hacker's Handbook"

"Do the online labs contain learning materials such as slides, videos, solutions or other training documentation?"
"No, at the present time we only provide self-service labs demonstrating numerous types of security vulnerabilities. We recommend that you work through the labs while reading The Web Application Hacker's Handbook as a study aid. In future, we may offer additional learning materials on a subscription basis."

Answer 5

You have to learn how to build web applications before you can become "very good" at web security. That means you need to know how to build LAMP (Linux Apache MySQL PHP) applications. That means writing not only PHP code, by SQL query statements.

But you can't stop there. You also need to build ASP pages on top of Microsoft SQL.

But that's just the server side. Hacking the web is also about attacking browsers. You need to learn how to play with JavaScript to manipulate the DOM, and make XML queries to the server application.

Once you know how to build these things, you'll have the knowledge to secure/hack them.

Answer 6

To be very good, you will need to invest some time in web languages. You can do many things, without, however.

I would suggest that you become able to read HTML, JavaScript, PHP, Java, Python, C#, and Ruby, at least at a high level. Choose at least one (in addition to HTML) to be able to write. Not only will it help with your understanding of web applications, but it will help you to automate your work, change application code, and script exploits & reports.

As to your book question, it's unclear whether you mean for programming, or for security. If security, there are excellent free resources available at the Open Web Application Security Project (OWASP). See the Development Guide, Code Review Guide, and Testing Guide. These are available digitally (for free) or print-on-demand through Lulu.