People who are at the top of their games such as Formula One engineers, neurosurgeons, stunt pilots and so on have one thing in common: they all have finely-tuned technical skills. This is not just specific knowledge of what they do but knowledge about many other subjects in support of what they do. Working in the fields of information security and software development/quality is no different. If you want to be at the top of your game when it comes to Web security, there are certain technical skills outside of Web security you must possess. Here are the ones I believe you need to succeed:
1. OSI model – merely a way to represent how a computer system works. If you can wrap your head around the OSI model and understand every layer involved it will help you tremendously. Seeing the big picture – not just the application layer – will not only help you find the vulnerabilities that matter and translate them into business risks in your unique environment but also allow you to speak the same language when dealing with developers, project managers, executives, vendors and so on.
2. TCP/IP – building on the OSI model, the suite of protocols and network addressing schemes for connecting the world in which we live and do business today. Understanding the differences between TCP and UDP as well as the concepts around IP addressing are essential skills to have. This is, hands down, one of the greatest skills you’ll ever possess working in IT.
3. Binary – the digital ones and zeroes that computers use to communicate. You don’t have to be a math whiz (I’m certainly not) but understanding the basics of counting in binary and the hexadecimal representation of numbers is an invaluable part of understanding how applications work and how to manipulate them to uncover security flaws.
It’s simply not enough to know how to run a scanner and understand which vulnerabilities to look for. You have to continually focus on the rest of the story – the technical skills that form the basis of everything you do. Pay close attention to these four areas – they’re the key to becoming a more well-rounded Web security professional.