This article is not a guide. It is more of a reflection that may include some guides. The transition from Web Development to Cybersecurity can be challenging, but its difficulty varies based on your background and the desired cybersecurity position.
Background
After a decade of building web applications, transitioning to cybersecurity has been an eye-opening journey. The cybersecurity domain is vast, and the roles within it are diverse: digital forensics, security analyst, security engineer, pentester, application security engineer, security architect, and the list goes on, depending on the size of the company and how roles and responsibilities are shaped.
My transition was guided towards a security architect role. Gladly, as a learning opportunity, I have experienced several other roles along the way, with a focus on red teaming and blue teaming.
Red vs Blue?
Blue
My preferred role in cybersecurity remains offensive security (red teaming), even though defensive security has its positive aspects: you get to program more and stay close to the software development lifecycle. The transition from web development (with DevOps knowledge) towards defensive security is the easier choice, even though the amount of information that needs to be learned is more or less the same as in red teaming.
While blue teaming is the easier transition and requires more or less the same knowledge about the infrastructure, server, and client, there are differences. On the web, the developer focuses mostly on the browser, the server and how data is transferred; a defensive specialist needs to go deep into network architecture and monitoring, and focuses on maintaining security baselines rather than deploying new functionality.
Differentiators:
- Security Information and Event Management (SIEM) platforms like Splunk, ELK Stack, or QRadar form the first layer of defensive security. Depending on the solution and how it is integrated, it may require DevOps knowledge and programming.
- Endpoint Detection and Response (EDR) solutions require an understanding of system internals, process behaviors, and malware techniques. Here we dive deep into the system’s OS and deeper into its kernel.
- Network architecture takes on a whole new meaning in defensive security. Managing complex firewall rules and IDS/IPS systems, and understanding how to build resilient network defenses, can become a role in itself, because of how much work is required to keep a large application or company secured.
- Incident Response frameworks (like NIST or SANS) and incident response itself can seem familiar, only on steroids. Much like when you discover a critical bug and need to redeploy fast, in incident response you need to think about business continuity, disaster recovery, and communication plans. It is a more proactive approach in which you prepare precisely for the inevitable.
- Threat Intelligence is again something that easily spirals from the tip of an iceberg into a vast amount of information: understanding the MITRE ATT&CK framework, being able to interpret raw intelligence, and of course keeping up to date with cybersecurity news.
Red
Red teaming (or offensive security) at first glance is more quality-assurance oriented, because it is usually performed in the testing phase or after deployment, with the main difference being that coding knowledge is still a plus and the bugs found are usually undiscovered vulnerabilities. This is, however, where the similarities stop, because on top of this and the domain knowledge, we have:
- (Kali) Linux knowledge is a must, because the most important and best penetration testing tools are usually command-line based and Linux-native. Tools like Metasploit, Burp Suite, Wireshark, and Nmap are fundamental to security work and require comfort with Linux environments.
- Speaking of the command line, advanced bash scripting becomes essential for automation, and for working with various tools and chaining them together.
- As old-school developers, we already have the comfort with text-based tools and log analysis that ethical hackers rely on.
- Understanding network protocols beyond HTTP/HTTPS, packet analysis and traffic inspection, not to mention familiarity with VPNs, proxies, and routing. These are necessary to understand network services and uncover their vulnerabilities.
- The legal and ethical framework is the kind of tip of the iceberg that uncovers thousands of pages that need to be understood. Understanding the legal implications of security testing helps not only with documentation and reporting requirements but also with understanding the scope and boundaries of a pentesting engagement.
Similarities with Web Development
Understanding Attack Surfaces Comes Naturally
As web developers, we already think about many security-adjacent concepts. Every API endpoint we create, every form we validate, and every database query we write is a potential entry point. This mindset translates directly to threat modeling in security.
However, there is a shift in mindset, which we call shift-left: instead of thinking about how to program an API endpoint and then how to secure it, we either integrate security within the development lifecycle or even start from security principles first, and then think about how to develop it.
In DevOps, the shift-left approach to security translates to DevSecOps.
Code Review Skills Are Invaluable
Years of reviewing pull requests trained me to spot potential issues:
- SQL injection vulnerabilities look similar to basic SQL syntax errors
- XSS vulnerabilities often hide in the same places we look for React rendering bugs
- CSRF attacks exploit the same mechanisms we use for state management
This familiarity gives you an edge: vulnerable code is easier to spot after years of coding, even when you are looking for something else in it. Likewise, familiarity with security headers means you will not look like a junior cybersecurity specialist coming from a senior development role.
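The three review patterns above, as an added example that is not code from the original article: the string-built query a reviewer recognises next to its parameterized form, the HTML escaping React performs implicitly, and a crude line-level heuristic for pull-request review. The `$1` placeholder style, the function names and the sample source lines are assumptions constructed for the example.

```javascript
// Added example, not from the original article. The database client and the
// $1 placeholder style are assumptions; only the shape of the code matters.

// Vulnerable: the user-supplied value is spliced into the SQL text. A name
// like o'brien already breaks the statement (the "syntax error" smell the
// article mentions), and crafted input would rewrite it.
function buildUserQueryUnsafe(username) {
  return "SELECT id, role FROM users WHERE name = '" + username + "'";
}

// Hardened: the SQL text is fixed and the value is passed as a parameter,
// so the driver never interprets it as SQL.
function buildUserQuerySafe(username) {
  return { text: "SELECT id, role FROM users WHERE name = $1", values: [username] };
}

// XSS side: escape the characters that are significant in HTML. This is what
// React does for {value}; innerHTML and dangerouslySetInnerHTML skip it, which
// is exactly where review attention belongs.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderComment(author, body) {
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Review heuristic: flag source lines that concatenate a variable into a
// string containing an SQL keyword. Crude on purpose; it prompts a human
// look rather than replacing a scanner.
function flagConcatenatedSql(sourceLines) {
  const pattern = /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*["'`]\s*\+\s*\w+/i;
  return sourceLines.filter((line) => pattern.test(line));
}

// Constructed sample input for the heuristic: one concatenated query, one
// parameterized query, one unrelated line.
const SAMPLE_LINES = [
  "const q = \"SELECT * FROM users WHERE name = '\" + name + \"'\";",
  "db.query(\"SELECT * FROM users WHERE name = $1\", [name]);",
  "const total = count + 1;",
];
```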
Infrastructure Knowledge Is The Best
Provided you don’t think “I am a frontend developer, why do I need to know DevOps”. I thought the same for a few days after taking over some tasks that felt ‘outside my area of expertise’, only to come back (tired) with a new skill set under my belt and a better understanding of how a modern web application is built nowadays, with all its DevOps pipelines.
Keep in mind that I have been working for so long that, years ago, I performed my first deployments by dragging and dropping files in FTP clients, and I named the backup folder ‘backup’.
Backend colleagues have an easier time launching into unknown territory, especially when discussing the deploy step and the pipeline itself.
Back to infrastructure. Understanding how web applications are built and deployed gives you unique insights into:
- Container security and isolation
- CI/CD pipeline vulnerabilities
- Cloud service misconfiguration
The Frontend Perspective
Frontend expertise provides unique value in security that helps on both the offensive and the defensive side:
- Understanding DOM manipulation is required, because it helps you grasp XSS attack vectors
- As stated previously, knowledge of browser security headers becomes a real asset
- Experience with authentication flows reveals common implementation flaws
Overall, it is a great perspective that can help you make the transition faster and focus more on the fundamentals of cybersecurity.
Areas Where You Need to Level up
We saw differences; we saw similarities. Now what’s the next step?
Network protocol understanding beyond HTTP
This one is tough without a computer science background. The volume of information can be overwhelming, because beyond networks, the knowledge extends to the OS, the kernel and, in some cases, hardware.
Lower-level system architecture
This covers process management, system calls, and kernel operations. This knowledge is necessary for malware analysis and detecting system compromises.
Binary analysis and exploitation
This means working with assembly language, memory management, and CPU architecture: using IDA Pro or Ghidra for reverse engineering, understanding buffer overflows, and analyzing how code executes at the machine level.
Regulatory compliance requirements
These also contain a lot of information. From the classic GDPR to the Cyber Resilience Act, and soon DORA. There is also the NIS2 framework. And it all depends on the project and where the project will launch.
And the new compliance requirements are not far from mandating cybersecurity concepts directly. Compliance nowadays means integrating security into the development lifecycle, penetration testing as a requirement (in some cases threat-led penetration testing), and also lots and lots of verifications such as an SBOM (software bill of materials).
Further steps?
It’s inevitable that you’ll need to put in some time. It would be fantastic if you could create a learning schedule. If your work schedule doesn’t allow for it, prioritize reading the basics in your free time or on weekends, and then decide if you want to commit to this journey.
This is advice you get everywhere, and here it is no different, because:
The most important aspect: you cannot really skip the fundamentals, and covering those gaps will help a lot to get up to speed with the role, and to avoid the feeling of ‘always having to keep up’.
One inevitable aspect is
Certifications
If you are serious about this leap, now is the time to prepare by getting hands-on experience and, in the meantime, trying to secure a certification. For web developers transitioning, we recommend the CSSLP.
There are, however, alternatives, and usually I don’t recommend certificates over hands-on work. But we are traversing stranger times than we are used to, and a proper certification not only boosts your confidence and CV, but shows you are dedicated to embarking on a new journey.
Hands-On practice
We have many ways to actually get hands-on experience, and I must say it is more diverse than learning web development. Just to name a few:
- TryHackMe. A good platform where you can learn the fundamentals of both offensive and defensive security, and a great tool for hands-on practice.
- OWASP Juice Shop. An intentionally vulnerable web application where you can learn offensive security.
Nevertheless, if you are tech-savvy, you only need a VM on a computer (or two) to learn either how offensive security or real pentesting works, or, on the other side of the spectrum, how to defend against various attack patterns by leveraging open source defensive tools.
The step-by-step learning from development translates perfectly to cybersecurity:
- Install VMware
- Get Kali Linux
- Install a tool (e.g. Nmap)
- Practice