Cybersecurity involves protecting systems, programmes, and networks from digital attacks or cyberattacks. Such attacks are usually aimed at changing, or destroying sensitive information to extort money from users or disrupt business processes. Adith Sudhakar, a U.S-based security architect holds a BE from Madras Institute of Technology (MIT), Chennai, and MS in Computer Science from North Carolina State University, the U.S. He has nearly a decade’s worth of experience in security, and has helped numerous companies improve their security by finding and reporting critical vulnerabilities.
Sudhakar explains how he had been fascinated by hacking since he was a youngster. In 2011, he found a security issue in Gmail. This enabled him to get an internship as a consultant at a security services company, after which he was offered several security engineering positions. He chose the one in the Bay Area where he felt he could learn the most. As a security engineer (or a White Hat hacker), he is responsible for finding bugs in people’s software and getting them fixed before it can be exploited by an adversary. Over time, his role has evolved into Security Architecture where he guides and enables teams to design secure software.
n a day-to-day basis, he helps teams implement the ‘Secure Development Lifecycle’ (SDL). It is an add-on to the SDLC (software Development Life Cycle) that allows security teams to work with product teams to design, develop and deploy secure software. To do that, he creates Threat Models from the product architecture, performs code reviews, helps teams automate security testing and finally, performs a manual security test of the product. This effectively allows him, a White Hat hacker, to find bugs and get them fixed before adversaries do. He sheds light on what the field holds for those looking to pursue a career in cybersecurity.
Resources students can use to learn hacking
There is an overwhelming amount of resources you can find on the topic, however, here are some pointers to get started:
The Tangled Web
The Shellcoder’s Handbook
Stanford’s Course on Cryptography by Dan Boneh
ezines such as PoC||GTFO, Phrack
Apart from these books and resources, it is important to stay current and read the numerous write-ups by experienced security researchers including the blogs from Google’s Project Zero.
Requirements to get an entry-level security engineering job
A strong understanding of computer science fundamentals. You should concentrate on web applications, operating systems and network security. There are many certifications such as Certified Ethical Hacker and Offensive Security Certified Professional (OSCP). While these provide a structured way of learning hacking, these are typically not minimum requirements for a job. Security engineering is a specialisation, so it is useful to prove your skills by showing evidence that you have participated in bug bounties and Capture the Flag (CTF) contests.
Bug bounty programmes
Companies adopt bug bounty programmes to leverage the expertise of several independent security researchers at the same time. This allows the companies to obtain security reports on their product in exchange for money. Companies such as HackerOne and Bugcrowd allow researchers to sign up and start hacking. This is an excellent way to build your profile and also get paid. Bug bounties provide people a safe platform to report vulnerabilities to various organisations.
What are the different types of security engineering jobs?
Security engineering can be classified as:
Product security: Help teams ensure their products are developed securely by performing code reviews and security tests on the product.
Infrastructure security: Monitor the infrastructure for attacks, provide guidance on standards and compliance, and protect the infrastructure.
Security engineering developers: Software developers who are focussed on writing code for security features.
The writer is a Security Architect based in California, the U.S.