10 Steps To Kickstart your Web Application Security Career:

Hi, I’m Amol Bhure, a Security Researcher at Attify, where I work on breaking into the most secure Web and Mobile applications.

Since I got into Infosec a couple of years ago, there have been some key learning points which would have been really valuable for me, have I had them at the time of starting out.

For everyone who is getting started into Web application security, I believe these learning points which I have shared below would be extremely useful for you to kickstart your career and become a web application security practitioner in no time.

Obviously, it would require enough time and effort commitment, but trust me, if you have a plan laid out in front of you of what you are going to learn and how you are going to learn, you are already a step ahead compared to the rest.

As the famous quote says, It’s not only about the hard work you put in, it’s the smart hard work that matters.

With that, here are the 10 Steps to kickstart your Web Application Security career:


I can’t emphasize this enough. If you are starting out in Web application security it’s highly recommended that you make yourself comfortable with Linux. This might mean ditching your Windows instance (if you want) and move completely to Linux.

This is because often during penetration tests, you will encounter environments built on top of Linux. Yes, there are a number of Windows servers out there, but Linux popularity can not be ignored.

I made the switch 2 years back from Windows to Linux as my full-time environment, and it has helped me both while using various tools and scripts, as well as when I have compromised a web application and I would need some additional exploitation to gain more control of the target.

You could use Kali Linux, but you might also consider starting up with the Ubuntu as your full-time OS and learning the various nitty gritty of the things that come with Linux and getting yourself familiar with the basic tasks such as installing new packages, configuring tools, writing automated scripts and Cron tasks and more.


I can absolutely understand the enthusiasm and the rush that comes when you jump into security — you want to learn everything and then there are 100s and 1000s of blog posts mentioning how a particular “security researcher” compromised a given target.

Yes, you will need to learn all of that, but it needs to be in a plan and not all at once, especially when starting out.

Try to start from the basics of web application security focusing on looking for common security issues, applying that knowledge on vulnerable targets and then moving to having the real world web applications as your target.

It is also recommended to find a mentor who has gone through the entire journey himself and can guide you on what kind of things you need to focus on.

With that being said, have in mind that the mentors, given at what role they are, they won’t be able to spend a lot of time guiding you but just giving you bits and pieces of what’s the recommended path. You need to become an expert in taking those bits and pieces and using online resources to look further into that topic of interest.

There are a number of Youtube channels, Blog posts and articles and online educational resources to help you with this. You should also engage in online discussions and various forums in order to get comfortable with the community and sharing what you’ve learned and learning from other people’s experiences firsthand.

Remember — If you ask for help from a person at each and every point of time, it will slow you down. Take things into your own hands and go out online to learn.


As an interested learner for web application security, you might have come across the term OWASP Top 10 a number of times.

Based on my experience while starting out, I would highly recommend you go through both OWASp top 10 and Penetration Testing Execution Standard (PTES) to give you a much clear and in-depth picture of the what and how of web application security.

I’ll also recommend you to join a local meetup group of OWASP or any similar and relevant security community and SHOW UP for the meetups. Once you feel that you have an interesting topic and experience to share, ask the meetup organizers to give you a speaking slot for the next event. You will receive tons of honest feedback, criticism and learning points, which will take you way ahead in being a better web application security researcher.

Remember — Taking Action is the first, second and third step to succeed.


In order to be a good web application security researcher, you must have a good proficiency in programming languages. Even if not writing full-blown applications (which you could learn more), you need to have enough knowledge and understanding to at least figure out what is a particular code block is intended for.

In pentest, you might encounter situations where you have the source code of the application (white box pentest) or you want to bypass the application whitelisting or break regex, all of this needs hands-on experience with the programming languages and a decent familiarity with it.

The reason being that most of the times, you won’t find a direct answer online to what you are trying to solve, and you need to come up with your own solutions to break the application’s security.

The programming experience can also come in handy later on once you want to write your own tools or scripts.


As you might recall, in the very first point I mentioned that you could start your journey in Web Application Security using Ubuntu itself and not necessarily Kali Linux.

The reason for it was once you are on Ubuntu, you will get a better sense of understanding of how various tools work and how you could fix bugs by yourself in case something doesn’t work on the first go.

You might later make a switch to Kali Linux once you feel you’re confident enough, but always keep in mind that it’s not about the tools, rather how you use the tools.

In the numerous pentest I have conducted over the past couple of years, I never rely solely on tools. I use an approach where tools are just an aid of what I am working on.


As someone who is just starting out in Web Application security, try your hands-on with various web application security and exploitation techniques on vulnerable targets.

These days there are a number of vulnerable web applications which you can exploit in order to get familiar with web application security concepts. DVWA and bWAPP is a good example of what I would recommend to you for your early days as a Web Application Security researcher.

Move from one vulnerable target to the other with tougher exercises.

Read, Practice and Repeat.

7. 1 VM PER DAY:

In order to build a successful career and expertise in Web application security, goal setting is vital.

Here’s what I did — I prepared a list of all possible targets which were available as a Virtual Machine. Refer to Vulnhub or PentesterLab’s Web for Pentester for a good list of available targets.

I set a goal for myself to exploit one Virtual Machine every day for the initial 30 days to get myself a good exposure of various techniques I could use in order to exploit Web applications.

If you get stuck at any point of time, you can also refer to the walkthroughs and keep going from there. You can also refer to multiple walkthroughs once you have completed the exercise to learn about what all different ways you could have used to achieve the goal.

If you do it for a 30 day period, trust me, you will yourself realize the confidence and skillset that you have gained in Web application security.


Moving from VMs, it’s time to go to the real world.

Create an account on HackerOne, BugCrowd and start looking at the websites for any bugs that you could find.

One of the approach I have found useful for myself is to go for lesser famous websites in order to increase your chances of finding bugs.

It also helps if you jump into finding bugs for a particular website as soon as they launch a bug bounty, rather than do a bug bounty program which is let’s say a couple years old.


Ensure to read a new piece of content every single day.

Subscribe to the various newsletter from security websites, follow all relevant blogs, follow twitter accounts which tweet about web application security, refer to recently disclosed bugs and most importantly, try to understand the thinking process which would have went into finding those bugs.

Some of the useful links which you could follow:

Attify Blog

GitHub Resources

GitHub Bounty

FB Bounty

Roy Castillo Blog

Labs Detectify


Seanmelia Blog

Geekboy Ninja Blog

Bugcrowd Tips


Homakov Blog

Bitquark Blog




Insertco articles

Josipfranjkovic Blog








By now, you would have a decent exposure of performing Web application security assessments and penetration tests.

Here comes the next part, based on your experience, build something which you think would be useful for you. Just focus on what can you build in the next 10 or 20 days, which could help you in the bug discovery or exploitation process.

Once done, you could release the tool as open source or use it internally within your organization — it’s up to you.

The key thing is to Build something applying your knowledge and skillset of what you’ve learnt.


I listed down all the possible learnings from my initial journey of when I got into Web Application security. It’s upto you now to take these 10 points and work on them, and be a better security researcher.

If this post helped you, give me a shoutout at (@amolbhure) or share this with anyone whom you think could use this into building a career in web application security.

Signing off.

Amol Bhure.

Attify — Simplifying security.




Security Researcher

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How is Ternoa using TEE technology to maximize security?

{UPDATE} Brain Mix - Rätselspiel Hack Free Resources Generator

Security Challenges in Adopting DevSecOps Unveiled

AWS — awsS3 Security

{UPDATE} African Safari Hunting Simulator 3D Hack Free Resources Generator

10 Simple Cyber Security Tips

How to Reset CELKON A401

How I Learned Cyber Security By Being Attacked By Reddit Trolls

Joe Rezendes — Cyber Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Amol Bhure

Amol Bhure

Security Researcher

More from Medium

Let’s learn WebApp Pentest from basic on DVWA. From setup to hack. Part4. CSRF (low to high).

Is my Linux server vulnerable to Apache Log4j Vulnerability or CVE-2021–44228?

iOS Source Code Scanning (Fortify)

Learning SQL Injection in Oracle Databases