People who are at the top of their games such as Formula One engineers, neurosurgeons, stunt pilots and so on have one thing in common: they all have finely-tuned technical skills. This is not just specific knowledge of what they do but knowledge about many other subjects in support of what they do. Working in the fields of information security and software development/quality is no different. If you want to be at the top of your game when it comes to Web security, there are certain technical skills outside of Web security you must possess. Here are the ones I believe you need to succeed:

1. OSI model – a layered way to represent how a computer system communicates. If you can wrap your head around the OSI model and understand every layer involved, it will help you tremendously. Seeing the big picture – not just the application layer – will not only help you find the vulnerabilities that matter and translate them into business risks in your unique environment but also let you speak the same language when dealing with developers, project managers, executives, vendors and so on.

2. TCP/IP – building on the OSI model, the suite of protocols and network addressing schemes for connecting the world in which we live and do business today. Understanding the differences between TCP and UDP, as well as the concepts around IP addressing, are essential skills to have. This is, hands down, one of the greatest skills you’ll ever possess working in IT.

3. Binary – the digital ones and zeroes that computers use to communicate. You don’t have to be a math whiz (I’m certainly not) but understanding the basics of counting in binary and the hexadecimal representation of numbers is an invaluable part of understanding how applications work and how to manipulate them to uncover security flaws.

4. Programming – the beginning phase of an application’s lifecycle that provides job security for so many of us. Most people have been exposed to programming basics at some point in their education. That’s good, but it really helps to know more. If you can get to the point where you grasp the meaning behind variables, inputs, compiling, debugging and so on, you’ll be better equipped to analyze Web applications in more depth. You don’t have to go back to school and get a degree in computer science, but you do need to delve into the fundamentals of HTML and JavaScript – at the very minimum. Beyond that, the more you can learn about languages such as C, PHP, Java, and even assembler, the better off you’re going to be.

It’s simply not enough to know how to run a scanner and understand which vulnerabilities to look for. You have to continually focus on the rest of the story – the technical skills that form the basis of everything you do. Pay close attention to these four areas – they’re the key to becoming a more well-rounded Web security professional.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.
