Possible transition from Software QA to Cyber Security roles



carboy2017

Original Poster:

707 posts

85 months

Wednesday 19th October 2022
I have been in Software QA for a long time now and now I feel rather bored with it, as it has become repetitive and mundane at times.

I have an interest in Cyber Security and would like to know if the scope is good and also, if I were to take it up seriously, what sort of a program/course/certification I would need to do to gain entry into it?
What type of a role can I expect when transitioning from QA and any idea of the pay?

bmwmike

7,373 posts

115 months

Thursday 20th October 2022
carboy2017 said:
I have been in Software QA for a long time now and now I feel rather bored with it, as it has become repetitive and mundane at times.

I have an interest in Cyber Security and would like to know if the scope is good and also, if I were to take it up seriously, what sort of a program/course/certification I would need to do to gain entry into it?
What type of a role can I expect when transitioning from QA and any idea of the pay?
Software QA has a lot of similarity to app pen testing, but the latter is a lot more technical (usually). It's a realistic transition - you could get some practice with common pen test tools (Burp proxy is the de facto one) and you might be surprised at how many more QA issues you find, particularly being able to intercept and modify requests. App pen testing is also quite (very) repetitive but can lead on to other things too - software security architecture, for example.

Been out of app sec a few years now, but in the past I had often pushed the case that security is an implicit aspect of quality - you do not have quality without security, and by definition many security issues are really just defects/bugs. I've had a lot of success in pushing some aspects of pen testers' work into the QA function, as there is quite a bit of overlap and it helps the pen test team focus on more intricate stuff like authorisation bypasses, code injection flaws, etc. It's a mindset shift of trying to break something vs proving it works as expected, but there's lots of alignment too.

If you work in a company (rather than as a consultant) it might be an idea to see if you can get into the app pen testing team (if there is one - there often is these days), as your knowledge of apps and formal processes will/may benefit the app team. Or apply for a job there. I'd have absolutely no issues with QA test flagging security findings to the pen test team, for example, and building a relationship that way.

Also definitely worth checking out the OWASP website, and understanding the common flaws.

SWoll

19,167 posts

265 months

Thursday 20th October 2022
My lad will be starting a cyber security apprenticeship role after taking a gap year and has been advised that a very good foundational qualification is the CompTIA Security+.

For learning resources ITPro.TV is a fantastic site, and it's quite easy to find a discount code if you have a look around on YouTube.

Can't comment on role or pay as it's not my area, but it's a growth area so I would expect plenty of opportunities and good rates.

Good luck!

cheerfulcharlie

129 posts

187 months

Thursday 20th October 2022
As someone who started his career in Auditing and is ending it in Cyber Security, there is one common similarity that you would need to accept - you usually end up being the person who says 'NO'.
A lot of cyber security is about stopping people doing something and often all they then do is try to find a way around it.
If you're comfortable in that sort of environment then there is a lot of scope to specialise in specific software areas such as Vulnerability Management / Monitoring & Alerting / Threat Hunting or general Information Security Management.

As for quals, there are lots out there; CompTIA is the main one, but understanding frameworks such as NIST is also a useful way in. Having worked in the area for the last 6 years it has been interesting - especially when we got hacked by the Russians!!! - but it can also be frustrating, as lots of recommendations go unheeded until the worst happens and then it's all hands to the pump to remedy it, but you're still not allowed to say 'I told you so' - because apparently that's 'unhelpful'.

bmwmike

7,373 posts

115 months

Friday 21st October 2022
cheerfulcharlie said:
As someone who started his career in Auditing and is ending it in Cyber Security, there is one common similarity that you would need to accept - you usually end up being the person who says 'NO'.
A lot of cyber security is about stopping people doing something and often all they then do is try to find a way around it.
If you're comfortable in that sort of environment then there is a lot of scope to specialise in specific software areas such as Vulnerability Management / Monitoring & Alerting / Threat Hunting or general Information Security Management.

As for quals, there are lots out there; CompTIA is the main one, but understanding frameworks such as NIST is also a useful way in. Having worked in the area for the last 6 years it has been interesting - especially when we got hacked by the Russians!!! - but it can also be frustrating, as lots of recommendations go unheeded until the worst happens and then it's all hands to the pump to remedy it, but you're still not allowed to say 'I told you so' - because apparently that's 'unhelpful'.
Name checks out.

Agree with some of that, and certainly over my career it's been a mixed bag of both. When I did consultancy work, without doubt the absolute worst st show waste of timers were the public sector, particularly councils. I now work for a large US firm doing cyber stuff and find the majority of business lines work very well with us, and for all the others - big audit-shaped sticks exist!

carboy2017

Original Poster:

707 posts

85 months

Friday 21st October 2022
Thank you.

In QA too our advice is not always heeded, and no, we don't say 'I told you so' either.

cheerfulcharlie said:
As someone who started his career in Auditing and is ending it in Cyber Security, there is one common similarity that you would need to accept - you usually end up being the person who says 'NO'.
A lot of cyber security is about stopping people doing something and often all they then do is try to find a way around it.
If you're comfortable in that sort of environment then there is a lot of scope to specialise in specific software areas such as Vulnerability Management / Monitoring & Alerting / Threat Hunting or general Information Security Management.

As for quals, there are lots out there; CompTIA is the main one, but understanding frameworks such as NIST is also a useful way in. Having worked in the area for the last 6 years it has been interesting - especially when we got hacked by the Russians!!! - but it can also be frustrating, as lots of recommendations go unheeded until the worst happens and then it's all hands to the pump to remedy it, but you're still not allowed to say 'I told you so' - because apparently that's 'unhelpful'.