Need some guidance/advice for beginning my carrier in web-security

Server Config
1

hi guys,
first of all i am a newbie to this forum,
I am student in IT,

At first i am interested in professional networking and Network security related things like pen testing and ethical hacking,but at a stage i got bored on it,when i asked about the job opportunities related to the Network security based on certifications like CEH bla bla One of the security guy advised me that those kind of things like "network pen-testing " is dying,you still can do CEH and get a job,but to our standards it wont be a challenging thing to learn and also it don’t have a bright feature as like web-application security "…

Also i am much more fascinated in learning things related to web-app security and i tought it would be challenging for me and also it seems this field has a bright feature while compared to Network-pen testing and ethical hacking…

even tough i am a IT student i studied coding related things just to pass the exams,I didn’t studied knowledge-fully as during those stage i am much fascinated in Network and Network security related things,

But as now i am realizing that i had made a wrong choice,so i am willing to start my carrier in web-application security related side and also want to sharpen my knowledge on this field

now here are my questions which needs to be addressed

1)where should i build the basic knowledge about the web-applications and web-application security ?

2)As a beginner in this field what are all the languages i should learn in the starting stage? because i know there are many languages like html,php,asp,java script,vb script…

which one will be easy for a beginner like me?

3)Is there any course/CBT videos out there for understanding the basics of these web-application security ?can you guys suggest me any best videos for beginners like me?

4)tell me from your experience,depends on our interest level how long it would take to learn a few of these languages ? because i need to learn them quick ,so that i can try to get a in this field as soon as possible…

5)Is there any others suggestions/advice you got for me ?

hope my concerns will be addressed in this forum…

2

Hi @manoj9372 and welcome to the web app sec world!

The OWAPS community is a good place for your first steps in the application security world. It addresses the problem from the programming side (less the pen-testing side) but provides a comprehensive source for the problems and code based solutions. Also you can get a lot of answers in the forums and mailing lists.

There are some basic books you might find useful:
Amazon.com: Developer's Guide to Web Application Security (9781597490610): Michael Cross: Books
Amazon.com: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (9780470170779): Dafydd Stuttard, Marcus Pinto: Books
Amazon.com: Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (9780596514839): Paco Hope, Ben Walther: Books

I dont know what to tell you about languages. Most assessment companies do not limit themselves to a specific technology. PHP is the most common web site language though… However, before all those I would recommend building a good understanding of HTTP and the common vulnerabilities and threats for web applications (those are usually common to all languages). You might find this also useful:
The Web Application Security Consortium / Threat Classification. The WebAppSec consortium is more commercial then OWASP (and thus very biased) but you will find some good resources on it.

To see more advanced techniques you can download BlackHat presentations here: Black Hat ® Technical Security Conference // Home.
These are usually cover the state of the art exploitation techniques.

As you can see web application security is a very diverse and broad field. Perhaps you should take a basic course locally or online to get the feeling of this world and where you should be heading in it (there are many options). The best thing is to find a job in a place that will be open to teaching you what you need to become an expert in web application security - but this is usually easier saying than doing :slight_smile:

Good luck!