We’re about to talk about some top secret Illuminati Deep State infosec sauce. Protect your virgin ears (eyes?).

99% of infosec books are useless. They were written so the author can charge more for seminars they give to Fortune 500’s.

What about the other 1% — the books everyone recommends on /r/netsec and StackExchange? You won’t retain much by reading them or even taking copious notes.

Maybe if you rewrite the whole book on a blackboard a dozen times. Go ahead. The Web App Hacker’s Handbook is 900 pages long.

“No, Randy, NO! I’ve spent thousands on security books!”

You bought a lot of porn.

Who knows more about sex — the porn addict or someone who’s done it once for real?

Some things in life you only really learn by doing. OWASP has an obnoxious amount of intentionally vulnerable apps for you to audit as practice.

I’m not saying the $40 Web App Hacker’s Handbook doesn’t have value. It’s just you’ll get way more out of free exercises.

Now, unlike a book, you can’t put those apps on the coffee table so Dad knows you’re a l33t haxxor.

But all it takes is getting stuck on the Security Shepherd integer overflow challenge once for you to never forget integer overflow again. Your brain barely processes watching and reading compared to doing.

Go forth and do, Young Security Man. It’s free.

Randy Gingeleski - GitHub - gingeleski.com - LinkedIn