Security Basics mailing list archives

Re: starting


From: krymson () gmail com
Date: 21 Feb 2008 22:13:12 -0000

This really depends on knowing yourself a bit, first. What do you already know? What are you interested in? What do you 
want to know to strive for? Getting a focus isn't something you *have* to do, but it certainly helps to have some areas 
you can say you're good at, and maintain many of the other areas beyond it. Trying to be good at all aspects of 
security will burn you out (unless you're 14 and have 8 years more of little responsibility!).

I'd suggest people starting out gravitate first towards sources that blitz you with information. The Hacking Exposed 
series, in particular the main tome [1] is a great resource to blitz many topics. Not only does it blitz them, but it 
can be actionable in bite-size doses.

Beyond that, branch out either into the network, desktops, servers, programming, Windows, Linux, web apps, database, 
wireless, mobile. The area with the least barriers to entry may be the web app space these days. For that, check out 
OWASP, get involved in a group if you have one local. Desktops are also a common starting point, jobwise.

Sign up for several security blog RSS feeds and see what they talk about; find out if you prefer rubbing shoulders with 
analysts, managers, or the guys in the trenches. Don't just read! Comment and ask questions. A good single starting 
point is the Security Bloggers Network [2], but be open to adding people they link to, or commenter blogs that are not 
actively a part of that circle. Browse their link menus. If you prefer people more trenchlike, try Hak5's forums, 
perhaps? [3] If you prefer slightly more professional forums, give the SecurityCatalyst forums a try. [4]

Attend a relatively inexpensive con to see firsthand some of the security culture. I suggest Defcon or Shmoocon to 
start out.

Get a lab with some test systems. If you want to learn or are interested in web app sec, put up an IIS and Apache 
server each, put some pages on them. A huge part of being able to secure (or break!) things in our area is first 
knowing how to administrate them. Get hands on, screw things up, fix them, tinker, play, be curious. Same thing goes 
for the other areas.

Participate and ask questions. While places like the Full-Disclosure mailing list and some forums can be abrasive and 
abusive at times with heckler/troll kids hiding in the shadows, it does help to just be a part of the community rather 
than a silent lurker. Even if you're wrong, you'll be learning, and the people that matter truly do understand that.

Someday you'll find that you've turned a corner and are no longer asking questions, but giving other people the 
answers. :)


[1] http://www.amazon.com/Hacking-Exposed-5th/dp/0072260815/ref=pd_bbs_2?ie=UTF8&s=books&qid=1203632287&sr=8-2

[2] http://networks.feedburner.com/Security-Bloggers-Network

[3] http://www.hak5.org

[4] http://www.securitycatalyst.org/forums/



<- snip ->
Hi! This is my first mail on this list.
Sorry for being too "noob", but I want to start reading and learning
about security holes, exploits, how to fix them or take advantage of
them... well, anything about web servers, proxies, networks, etc., and I
don't know where to start. Can someone please recommend me some good
text, book or web page?

Many thanks, cheers!

