Saturday, May 8, 2021

How to become a Security Engineer

I am regularly asked how to get into the security space. I love being asked this because it means these people want to get better at security, which in turn means we will make more secure products! This post is a summation of what I tell those interested folks and some of my other thoughts around thriving in the cybersecurity space.

I believe that being a Security Engineer is an immersive life choice. By that I mean that the way you get great at Security Engineering is to surround yourself with cybersecurity: from the news articles you read, the feeds you scroll through, the water cooler conversations you have at work and your personal hobbies, to making security a key aspect of each project you drive at work. As you do this, you will discover that you start to spot potential for abuse in many aspects of your life, from getting your covid-19 vaccines (Did the nurse really leave me alone with the stack of blank vaccination cards?) to projects you simply hear about at work (They are putting too much trust in the client and likely not validating state mutations sufficiently server side).

A key thing that everyone should know: becoming a great security engineer does not require special college degrees or any formal security training; in fact, one of the best security engineers I know never attended college. Security engineering is like any other skill: you get good at it by practicing it.

So for this post, I’m going to focus on ways you can start practicing and how to immerse yourself in the cybersecurity world.

Blog/newsletters

Many security issues apply in different situations or recur in different contexts, so reading about issues or incidents occurring in other industries will help you spot risk in yours. Additionally, I like to keep track of situations that are not too dissimilar to a problem I am dealing with. It is very difficult to estimate the likelihood of a security incident occurring, so having some real world examples and an understanding of how frequently they occur is a key component of how I make likelihood estimates.

  • Krebs on Security - Does not cover all the news but instead provides in depth analysis on particular topics of interest.
  • Google’s Project Zero - Tends to provide easy to follow technical explanations for the amazing vulnerabilities that the Project Zero team finds.
  • Schneier on Security - Covers interesting happenings with a bit of Bruce’s own analysis put into the mix. I tend to really enjoy the way Bruce looks at the world, so I like to soak in Bruce’s analysis whenever I can.
  • Daniel Miessler - Has a paid weekly analysis newsletter. The newsletter includes a good selection of interesting security news. His filtering of all the news is definitely worth the cost to get a more curated feed that highlights the signal and reduces the noise.
  • Troy Hunt - A generally awesome person. Runs “Have I been pwned” and tends to have interesting takes on many real-world security topics.

Podcasts

  • Darknet Diaries - A really well produced podcast with awesome stories. The podcast does a great job of not just telling the story and over-indexing on the technical details, but instead talks about the motivations of attackers and the challenges attackers faced, which is a perspective I feel is often overlooked.
  • Risky Biz - A good summary of each week’s security news with a bit of analysis and linking of events together.

Books

I don’t tend to like books for an up to date analysis on any particular topic, but instead like books for a wider bit of analysis, such as human psychology, in depth stories, etc. Things that can be a bit more timeless. Books tend to be out of date with the latest in a science by their nature, so always keep that in mind when reading them.

Courses

Coursera in general has a lot of good classes. Some that have served my team well:

  • Cryptography - The class will give you a really good understanding of cryptography. As always, remember: Never Crypto Alone!
  • Secure Coding Practices - Talks about how your code can be written more safely and teaches you to spot risky patterns in code.

Bring Security Discussions into your workplace

I have found that many people in the technology space love talking about security. It is a topic area that dominates the news and has a certain amount of excitement that doesn’t quite exist in many other places in software development. You can leverage this naturally occurring interest and use it to up-level your own abilities and those of everyone around you. I’ve successfully done this by:

  • Creating a mailing list or a chat that is dedicated to security topics. This should include both topics from inside your company and news topics.
  • Starting a weekly or bi-weekly "Security Hangout" meeting. Invite anyone who is interested in discussing security topics. I've found this meeting works best as a discussion around a particular topic rather than a standing "training" session. Try to encourage questions and open ended topics where everyone can share their thoughts.
