
SANS ISC: New to Internet Security: Need advice - Internet Security | DShield SANS ISC InfoSec Forums


New to Internet Security: Need advice
Hi there, I work as a programming director for a marketing company. My focus is back-end development for web applications. I'm interested in increasing my knowledge of internet and web app security. My knowledge is hands-on experience only. Right now I'm the go-to person on staff, but many of our clients are in the financial sector and usually do audits of our IT policies and coding practices. Sometimes they ask if we have certifications in security, which we do not.

Trying to find out:

1) Some good resources for training, either online or otherwise. Recommended courses. I was looking at the online SANS ones... are they any good? They are expensive, so I just wanted to be sure.

2) 1-2 basic certifications we could get. Any after completing training?

3) Some good scanner programs out there for web applications (pen testing). I'm aware of and have used Acunetix. Was wondering if there are any better tools out there.

4) Any advice to increase my knowledge base.

Thanks,
Brian
bb2j

2 Posts
Are you looking for offensive or defensive security?
SANS provides good training oriented to web security at different skill levels. Once you have attended a training course, you can pass the corresponding GIAC exam to become certified.
The OWASP project is also a good source of information.

About tools, there are commercial and free ones. It's up to you to select the one which fits your requirements (technical vs. features vs. price). The ISC will not be recommending a specific solution. Usually, pentesters also build their own toolbox.

The best advice I can give is to read and learn as much as possible!
Xme

478 Posts
ISC Handler
Quoting Xme: Are you looking for offensive or defensive security?


I guess it would be defensive security. It's basically a good knowledge of how to protect the web applications we develop from being hacked.

So, if I could pick 3 courses to get me started, looking at the SANS site, these look the most applicable, in this order:

1) SEC401: Security Essentials Bootcamp Style
2) SEC542: Web App Penetration Testing and Ethical Hacking
3) DEV522: Defending Web Applications Security Essentials
bb2j

2 Posts
This is a classic list, yes. Unfortunately, I can't help you more at this point. Review carefully the content of each training course and check if they meet your expectations.
Good luck!
Xme

478 Posts
ISC Handler
I agree with the list you've chosen, and as a former Security+ instructor and current SEC504 community instructor, I'll add what I tell every class:

1) Read ISC daily
- Not everything will apply to you, but it's important to get a holistic view
2) If the current day's diary is unintelligible or uses terminology you don't know or understand yet, jump to Wikipedia or TechNet and look up the topics
- Get familiar with the issue
- Reread ISC article
- Rinse, repeat
3) Twitter is a good curator of security / tech blogs
- Find a few security experts you trust / understand and follow them on Twitter
- See who they follow/retweet and daisy chain to other people to follow or other blogs to read
- Keep the list short to avoid too much information
- Look for patterns - if @edskoudis, @MalwareJake and @viss are all talking about the same topic, pay attention!
- Feel free to mine my list @airforceteacher
Juice

12 Posts
I am new to Internet Security. Please share some knowledge regarding it.
Anonymous

