Transitioning from software development to security

I’ve been a software developer for about 8 years, but as of last month I’ve made the switch to infosec and now I’m a security engineer on the application security team at GitLab. When I started thinking about making this move I looked for someone with a similar background documenting their experience and didn’t find much, so I’m writing this for the next person who’s going to do the same thing. This isn’t a step-by-step guide, but rather just things that helped me and might help you.

The uniform at your next job

Note: My new job is still very much related to code, it’s just that I review it instead of writing it. Your mileage may vary if you’re looking for a pentester job.

Some context about me

Relevant experience

If you’re a senior developer/software engineer/whatever-you-call-it you probably don’t want to move to a junior role in your new career. The good news is that you don’t have to! It’s possible to build relevant experience while you’re doing your developer work. Here are the things that helped me.

Be the security person at your job

This might be harder in larger companies, but I worked in small-ish teams that had no dedicated security department. This is a great opportunity for you, the security-minded developer, to take on some security-related projects and have some real-world professional experience to talk about in your interviews.

Practice (CTF, Wargames, Bug Bounties)

How you do it doesn’t really matter, but get your hands dirty and practice some hacking. It will help you stay on top of what’s new in the security world and make you a better (more aware) developer too, so it’s a win-win situation.

Learn how to defend

If you’re going to join a company’s security department you’re most likely going to need to know how to defend against the vulnerabilities; exploiting them is not enough. For web applications, taking the time to learn how to mitigate the OWASP Top 10 would be important. The toughest interview questions (at least for the type of role I was interested in) will often revolve around how to protect against vulnerabilities and not how to attack them. Hopefully, if you are a security-minded developer, you were already doing this anyway!

Get involved in the community

Talking to people, sharing stories and helping each other is a great way to make friends and have fun, but also to consolidate your knowledge. Chatting about your favorite CTF levels, writing a report about the great bug you found or explaining the basics to a newcomer will all help you have a firmer grasp on what you’re talking about. Go to conferences (a small, local one organized by a few enthusiasts is perfect, no need to go to DEF CON), join a security Slack/Discord/whatever channel, discuss on Reddit, anything!

If you’ve made it here and you’ve been doing all of this already, I believe the takeaway is that you’re probably ready to make that move, so stop reading blogs and just go for it and apply for that infosec job. :)

Good luck!