Notes inspired by this page.
• Large Enterprises: Usually Fortune 1000 companies
• Federal Sector (DoD): NSA, DISA, CIA, etc.
• Federal Sector (non-DoD): FDA, DoE, DoJ, etc.
• Big consulting, non-specialized: Usually personnel that work on a lot of different things (E&Y, Crowe Horwath, Deloitte)
• Big consulting, specialized: Usually personnel who work on specific teams (NCC Group, IOActive, Optiv)
• Small consulting: Usually specialized by virtue of their size. Dozens of companies; check out AMA #1 and #2 for some of the best in the US. More likely red-team/pen-testing rather than defense.
• Security Software Product/SaaS: Attack-driven turnkey solutions to combat APT and improve your ROI to reduce the threat landscape in the cloud *barf* (FireEye, Tenable, HP Enterprise Security, etc.)
Most common enterprise roles
• CISO/CSO
• Team Managers
• AppSec SDLC
• App Security Architect
• Assessments: Code audits, app pen-tests, full-scope pen-tests, network pen-tests, WLAN, etc.
• Compliance
• Forensics
• Server/Endpoint security engineer
• Incident Handler
• Network Security Engineer/Architect
• Policy
• Fraud Team (E-Commerce)
• Researcher
• Reverse Engineer
Most common consulting roles
• Service delivery consultant (junior/senior/manager)
• Customer relationship managers/account managers
• Sales/new business development
• Non-delivery roles (PM, tech reviewers, schedulers, etc.)
• Marketing security research
How to learn web application security… do these things well:
1. Know everything in these books backwards and forwards: http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470 [1] and http://www.amazon.com/The-Tangled-Web-Securing-Applications/dp/1593273886 [2]
2. Know all the major points of HTTP. Read the O'Reilly HTTP book [3], or get crazy and read the HTTP 1.1 RFC [4] (highly recommended)