7

I am a final year CS student, and would like to study info sec. Till today, I've been reading infosec mailing lists, some Phrack papers etc., but all in a very casual way.

I am interested in learning security in depth, and have gathered that there are some courses like Network+, Security+, etc. that provide good exposure. But such courses are not an option for me due to the cost.

I found these to be of interest: Metasploit Unleashed, OWASP, Google Gruyere

How do I really start? Please provide pointers to any online resources if possible. As said earlier, I'm a CS student, and am pretty confident with my programming and networking.

fredley
yati sagade

2 Answers

4

Read Cryptography Engineering (an update from the bible Applied Cryptography) and keep it next to your bed.

Implement some of the code yourself, just so you understand what is behind most of the cryptography code. And then, start coding with OpenSSL.

Understand X.509, PKI and the core of the trust on the Internet. That's a must and you need to know it down cold.

Know your network protocols as best as possible, and be able to start tcpdump/Wireshark any time you need it, and follow a TCP/UDP communication.

Security is about understanding how a system works to find its loopholes. Security is not about firing Metasploit on random Windows exploits and gaining a remote shell. That's for script kiddies.

3

Security Engineering is a good one. Much of it (and the entire previous version) is available for free online.

pdubs
  • Yes I have the first edition with me, looks like a delightful read :) – yati sagade Sep 29 '11 at 17:35
  • The 2nd edition is well worth $30 for a used copy. Definitely more relevant, especially the case studies and modern OS architecture. See the [preface (PDF)](http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-pref.pdf) of the 2nd edition available online. – pdubs Sep 29 '11 at 18:49