By lcamtuf, the author of "The Tangled Web : A Guide to Securing Modern Web Application".

1. Always question the assumptions that make systems work. « What if assumption X is not true? »
2. It's a protoscience, nothing holds true forever.
3. Be humble, challenge your knowledge, be honest with the people you're protecting.
4. You're not better than the others, no better than the other software engineers.

By Parisa Tabriz.

1. There is no perfect path or curriculum.
2. Different skills and tasks are required (offensive, defensive, monitoring).
3. Programming is about building softwares using layers of abstraction, security is finding the flaws in the assumptions in those abstractions.
4. You need to understand how people work and how they use the softwares.
5. Practice a lot, in work, in a club, by yourself.
6. Write code.
7. Break code with debugger, fuzzer, your brain, etc.
8. Share your knowledge with others in blogs and in conferences.
9. Practice your communication, you need to be able to teach non-technical people the security issues that affect them.
10. Expect to work hard, and to fail often.
11. (Try to) Be optimistic, do not let all the flaws and issues affect your motivation to improve the whole situation.
12. Ask for help.

https://noncombatant.org/2016/06/20/get-into-security-engineering/

1. Know your reasons. Why do you want to work in this field :
   • intellectual challenges
   • you want to help people
   • you want the money
2. Get started right now!
3. Alternate between security engineering and software engineering, they're both engineering tasks.
4. Doubt abstractions and dependencies. A software engineer build something that works, a security engineer is worried until s/he knows a few ways in which it doesn't work.
5. Abstractions are lossy and vulnerable. Find the tensions between the abstraction and the layer it abstracts.
6. You need some skills :
   1. Foundations
      • 1 programming language in depth
      • it's standard library in depth
      • networking in depth
      • 1 OS in depth
   2. Progressing
      • master more languages
      • contribute to its implementation
      • learn about cryptography
      • learn about hardware engineering
      • lean about programming language theory
      • Branch out into platform security engineering (changing platforms, and developing new platforms, to better serve application security needs)
      • Study distributed systems theory
      • Learn about perfomance engineering
      • Learn about experience design, bad applications are badly used and are security problems.
7. A reading list
   • Saltzer and Schroeder’s The Protection Of Information In Computer Systems is a foundational text.
   • For web security, I recommend The Tangled Web by Michal Zalewski. Zalewski also has another excellent book, Silence On The Wire, about techniques for passive surveillance in a variety of domains. Zalewski is also the author of American Fuzzy Lop, an excellent fuzzer.
   • Cryptography Engineering by Ferguson, Schneier, and Kohno is a good introduction to applied cryptography.
   • For understanding C and doing reverse engineering, you’ll want a good assembly language book, such as Art Of Assembly Language by Hyde.
   • Ross Anderson’s excellent omnibus, Security Engineering, is available online and on paper.
   • Another great book is The Art Of Software Security Assessment by Dowd, McDonald, and Schuh.
   • There are many also good blogs and magazines. A random sampling might include the Project Zero blog, PoC||GTFO, Joanna Rutkowska’s blog, and Matthew Green’s blog.

By Charlie Miller.

• Government agencies provide good training, but you don't have much to show because it's classified.
• Government agencies don't pay as much as private companies.
• Know your tools and be able to use them without thinking about them (fuzzer, debugger, valgrind, etc.)
• Certifications aren't as important as a portfolio. If a company wants you and you don't have the required certifications, you can pass them when needed.
• Be passionate, would you still be doing this job if you didn't had too (being a millionnaire).

By Richard Steven Hack. (comment1, comment2)

1. Download everything on security from alt.binaries.ebooks.technical
2. Download all SANS and CEH courses from Bittorrent.
3. Download as many talks from infosec conferences and watch them. You'll see the good, the bad and the ugly. Especially anything by Joe McCray and Jason Street.
4. Download every security tool you can find and run it. Make an inventory of the tools in an organized way, with notes so that you can use it when you need to.
5. Think about security.
6. Think about what you want to accomplish in the field, what kind of companies you would like to work for, those that you don't want to work for.
7. Finally, remember what Robert Ringer said in one of his books. Don’t work your way up the ladder. Leapfrog it and start operating on any level you want. Just be prepared to be knocked back down the ladder if you’re not really able to operate there.

By Ryker E (comment1)

1. Read and watch online courses securitytube.com, /r/netsec, etc.
2. Read books such as 1597496553. WAHHv2, owasp testing guide, CISSP study guide for good overview of different security areas
3. Attend local, national and international infosec meetups. (DefCon groups, ISSA, OWASP, Derbycon, defcon/blackhat, BSides, etc.)
4. Find the what interest you in infosec and target your knowledge to it.

By Richard Bejtlich.

Build a lab to experiment with a lot of tools. That's it.

By Jeremiah Grossman.

1. Find a niche that you want to know about, you can't do everything, at least you can't do everything right.
2. Find area in your current job where you can do security related stuff.
3. Web applications security, finding 0day, working for governments are are in which infosec skills are required and in demand.
4. Much, if not all current exploits aren't new techniques, they're all old techniques based on new 0day. The methods aren't new, only the way to use them.
5. Finding 0day is probably a larget part of the future of infosec.
6. Practice, either with hackme-like sites or applications, or by looking for bugs in bug-bounty programs.
7. Attend infosec conferences.

By Bruce Schneier.

1. There is a lot of subspecialities in infosec (making secure sotfwares, protecting softwares, hacking softwares or networks, cryptography, viruses development, policies, etc.)
2. Study online courses
   • https://www.offensive-security.com/metasploit-unleashed/
   • http://www.backtrack-linux.org/tutorials/
   • https://www.hackthissite.org/
   • https://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents
   • https://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
   • https://spi.dod.mil/re_training.htm
3. Read books
   • Cryptography Engineering : Design Principles and Practical Applications
   • Security Engineering: A Guide to Building Dependable Distributed Systems 2nd Edition
   • The New School of Information Security 1st Edition
   • Crimeware: Understanding New Attacks and Defenses 1st Edition
   • The Mac Hacker's Handbook 1st Edition
   • The Giant Black Book of Computer Viruses Paperback – June, 1998
   • Secrets & Lies : Digital Security in a Networked World
   • The Hacking Exposed Series
   • Robust Control System Networks Hardcover – September 15, 2011
   • Managed Code Rootkits: Hooking into Runtime Environments Paperback – October 28, 2010
   • Intelligence: From Secrets To Policy, 4th Edition 4th Edition
   • The Hacker Crackdown: Law And Disorder On The Electronic Frontier Mass Market Paperback – November 1, 1993
   • Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
   • The Rootkit Arsenal: Escape and Evasion: Escape and Evasion in the Dark Corners of the System Paperback – May 4, 2009
4. Do. Practice as much as you can.
5. Show. In your blog, on mailing list, in conferences, etc.
   • https://lists.sans.org/mailman/listinfo/dfir
   • https://lists.sans.org/mailman/listinfo/gpwn-list
   • https://www.lightbluetouchpaper.org/
   • https://www.cigital.com/podcast/
6. Have the right mindset : engineering is about making things that work, security is about finding flaws in them.
   • http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
   • http://www.schneier.com/blog/archives/2012/06/teaching_the_se.html

By Thomas Ptacek.

1. It pays well, and the fun jobs are well paid.
2. Appsec is the bigest field with the biggest interests.
3. Practice with available tools such as Nessus. https://www.tenable.com/products/nessus-vulnerability-scanner
4. Read The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition
5. Install old wordpress version
6. Grab https://www.owasp.org/index.php/WebScarab_Getting_Started or https://portswigger.net/burp/
7. Find bugs in wordpress

By Daniel Miessler.

1. Know your basics : Development, Networking, Adminstration
2. Build your lab
3. Have projects, show the world what they are.
4. Have an online presence.
5. Get some certifications (CISSP, CISA/CISM, SANS GSEC/GPEN/GWAPT)
6. Network at conferences and local groups
7. Find a mentor, offer to do some of their work for them
8. Go to conferences (DerbyCon, ShmooCon, ThotCon, CactusCon, HouSecCon)
9. Contribute to Open Source softwares
10. Participate to conferences
11. Mastering professionalism
12. Understand the business
13. Having a passion
14. Become the guru

Fundamentals, Education, Fields and niches

https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

Blue Team & Red Team careers

https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/

Self-study options

https://tisiphone.net/2016/02/10/starting-an-infosec-career-the-megamix-chapter-6/

Landing the job

https://tisiphone.net/2016/08/26/starting-an-infosec-career-the-megamix-chapter-7/

1. Get your fundamentals right : programming, networking and administration.
2. Get certifications if you can afford them, but don't ruin yourself over them.
3. Pick a team, learn your role, and switch!
4. Get a lab
5. Practice at CTF
6. Build a network with conferences and local group
7. Read books
   • Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)
   • Rtfm: Red Team Field Manual
   • Hacking: The Art of Exploitation, 2nd Edition
   • Windows Internals, Part 1 (6th Edition) (Developer Reference)
   • Social Engineering: The Art of Human Hacking
   • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
   • The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers 60282nd Edition
8. Follow blogs
   • There are an immense number of amazing security blogs out there, but a very short list of my favorites includes Dark Reading, Krebs on Security, McGrew Security, Graham Cluley, Naked Security, Lenny Zeltser, Troy Hunt, Andrew Hay, Threatpost, and Andy Ellis.

The chapter 4 and 5 describes different positions existing in infosec, in both blue team and red team. So far, the secure development seems to be the one I would like to pursue.

By Lance Miller.

Not much interesting in it.

On corelan.

1. Learn your fundamental.
2. Get a network.
3. Get your hands dirty (practice, do not hack without authorization).

https://digi.ninja/projects/breaking_in_part_1.php, https://digi.ninja/projects/breaking_in_part_2.php

1. Know programming
2. Certifications can help
3. Go networking
4. You need to be able to interact with people, and to write good report.
5. Practice and study hard.
6. You need passion, to keep it up.
7. Don't be afraid to ask for help.

https://www.welivesecurity.com/2015/06/16/beginners-guide-starting-infosec/

https://strikersecurity.com/blog/getting-started-in-information-security/

http://blog.talosintelligence.com/2013/01/how-to-become-infosec-expert-part-i.html A great compilation of interesting documents.

https://room362.com/start/