Learning Security

Security is a weird topic. For one, it does not consist of a defined field of its own, but instead is a generic one found in other fields. Meaning: it does not matter what subject within computing you’re working on, it always has some sort of security implication, and that makes it so odd to work with. Sure, there are some stand-alone topics; however, most of them seem less likely to be really usable.

Someone will point out that fuzzing is a good example here. However, while learning the tool in itself is a great thing for security, it’s important to see what it is doing in the end, and that is pointing you to faulty programs. It also requires you to understand in depth what’s going on, and it won’t create an exploit for you. And while learning the tool might seem like a good security practice, it is similar to learning Photoshop as an artist: knowing the tool does not make you an artist. Instead, it is just a different strategy to find flaws.

The point is, you’re piggybacking on some other topic to seek out mistakes and make use of them, and that is what we’re calling security. This often makes it difficult to get into the topic in the first place, because the learning curve is quite steep.

Additionally, there is the problem with the feedback one receives from what one has learned: it is often wicked, not kind. That seems a bit contrarian at first. But when you think about it, you often seek out mistakes others have made and try to make use of them. But this can go in the wrong direction, leading to a check-box type of security.

Not every mistake can be exploited, not every flaw is useful, and sometimes flaws even become features. There are some patterns that might help you to find such flaws; however, I believe that you’re required to have a deeper understanding of the underlying problem to make good use of them. This requires a good amount of effort, and it is not certain that this effort will lead to any return on investment, stressing one’s frustration tolerance.

Another problem that complicates this matter, at least for me, is overlearning. I’ve tried to write about this matter before, but when you’ve seen so many talks about security you become stalled on topics. You look at something and try to redo what you’ve learned. But this is not how you would work on that matter; instead, it adds much strain to the effort one then makes.

It is like playing baseball for the first time and expecting to hit a home run, and then becoming frustrated when you are not even hitting the ball.

The most important part here is to have fun and not get lost. Both are things I often have problems with when engaged with a topic that relates to security, and with other topics too, actually, because I can’t leave it to rest thanks to the Zeigarnik effect. A friend of mine had quite a good tip: try to define what you’re going to do and timebox it. Once you’re out of time, move on. This is the important part here. So I opened the first topic that I might like on my Twitter feed and am going to spend some time on it. First stop: kernel exploitation!

Looking forward to it!

so far,
akendo