Novice hacker wrote: How many years of experience do you need in an IT job before you can land an infosec one?
Thanks for the remaining answer and those links too :)
I'm still improving slowly, but it seems that Web Security turns up everywhere I turn... guess I will have to sharpen my skills on that?
Is it possible to just stick to systems, networks etc?
Zero years, you could get directly into a junior position, but having worked in another IT job such as sys admin or tech support increases your chances.
With a sys admin job you'll hopefully learn how to set up systems correctly, and with tech support, you'll learn great patience, soft skills and what customer satisfaction is really about.
Well, Web App Sec has become bigger over the last couple of years. Mostly because of Anonymous & LulzSec primarily, because before them, /i/, Internet Hate Machine, and so forth, before all these, we had script kiddies, and of course the well-known zf0, r3m and other black hat groups just having fun or making profit in the dark, but even the script kiddies weren't as aggressive as they are nowadays, and it seems like there has been an extreme growth of these after all the media coverage about Anonymous and other hacking incidents.
So naturally, we need more people able to protect against the most common types of attacks (that are also more advanced now when you take a look at the highly targeted and not random attacks) and of course we also need to reconfigure the servers properly. This evolutionary problem has two sides. On one of the sides, pentesting gets bigger: more companies that previously never wanted a pentest or vulnerability assessment are suddenly willing to spend money on pentests, and on the other side, we have the massive influx of script kiddies that are often easy to defeat. (Nothing is 100% secure though.)
It's amazing though, that some companies still don't want their security assessed, and within 1 month to ~2 years, they will experience a breach in their security. The companies that get a pentest done may not know that security is also about the users, so they end up getting compromised by a user getting phished or infected. (In fact, this has happened quite a lot recently, because the spammers, scammers, phishers, etc., are getting smarter in tricking users. Some of their e-mails look more and more legit, as they are not only spoofing the e-mail, they are also writing more correct English, and they use the target site's design as well.)
Some even take it a step further and call random users in selected areas, the so-called Microsoft Tech Support scam, that e.g., seems to originate from somewhere in India. (This actually compromised a rather large company not long ago, and some, if not all of the users even had training on what social engineering is. Amazing.)
Sooner or later you'll have to get to know about web app sec, but you can let it wait for now of course, and focus on systems, networks, etc., which are important to know about too, if you want to get a good understanding of web app sec as well.