I am Parbati sahoo. i already completed my MCA Last year. till date i don't have any job. i am just tring.can u suggest me how can i utilise my free time . i had done 3 project in .net. (C# & Vb).i have intrest in knowing about network security, ethical hacking & web service .
sainath's Advice on Sunday, December 06, 2009 :
All I can say is, practise hard. You have to be prepared for the opportunities which head your way. Someone has defined luck as the point where opportunity meets preparation, so preparation is of utmost importance.
In the answer to your earlier question I have already outlined the basic steps to be followed.www.dotnetfunda.com/advices/a59-about-my-career.aspx
Assuming that you are done with the basics of .Net, OOAD,design patterns,UML,etc you can start targeting more specialized areas. As you have stated that you are interested in the data security space, I can suggest the below things:
The area of Web application security is itself becoming a very specialized domain - the recent incidents wherein the online banking application of a leading Indian bank got hacked and the more recent incident of 'identity hijacking' happening on Facebook makes this a pain area for all companies who have an online presence - and more so for financial entities for whom online transactions are a given.This leaves very little choice with companies but to shore up with defenses with respect to their web security, or more correctly, information security.
There is a huge gap between the availability of skills and the actual requirement - both of which are in a state of evolution right now. Enterprise level information security comprises of many things - at the infrastructure level, policy level,etc of which application security is an important subset. Enterprise level IS decisions are made by the CISO (Chief Information Security Officer) who reports to the CEO and not the CIO (Chief Information Officer) ideally. This is interesting because remember, if the organization is weak in it's safeguards then the CEO is well aware of the risks he is sitting on as the CISO reports directly to him and not the CIO. In the latter case, there is the possibility of risk information not reaching the business head i.e the CEO in its entirety.
In case of leading software companies, the application security becomes important if you consider the risk implications. Suppose if, a software system developed is hacked into after it goes live. Many contracts and agreements built by clients factor this risk and penalize the respective companies who built the system should a breach happen. Which is why it becomes imperative that the application software vendor builts adequate safeguards into the system at the development stage itself.
In its publications, Microsoft admits that it did not give this risk enough importance earlier. However, all that has changed now. There is an interesting term being talked about nowadays - "the security development life cycle". Basically, application architects are saying now that the applications security safeguards and development standards need to be handled at the development stage itself by being more proactive rather than later on in a post-haste manner. Let us consider some of the common vulnerabilities:
(i) SQL injection
(ii) Cross-site scripting
There are many others - however, the point being illustrated is that if strong input validation is done these 2 vulnerabilities will never come into existence. To answer your question, this is the point where the technical architect will play a critical role in ensuring that application security development standards are defined and implemented properly. Microsoft has brought out many interesting publications which provide very good details:
Application security related patterns and practicesmsdn.microsoft.com/en-us/library/aa302415.aspx
The SDL blogblogs.msdn.com/sdl/
The Microsoft Security Development Lifecycle (SDL): Process Guidancemsdn.microsoft.com/en-us/security/cc420639.aspx
The Microsoft Security Development Lifecycle (SDL): Tools Repositorymsdn.microsoft.com/en-us/security/cc421514.aspx
OWASP(Open Web Application Security Project)www.owasp.org/index.php/Main_Page
Of late, the Microsoft IS team has been a hotbed of activity, check out the below link:msdn.microsoft.com/en-us/security/dd547422.aspx
The recently released Web Protection Library (WPL) CTP is going to significantly change the way secure application development is done.
Going through the above links, you will realize that it's quite an ocean and hence is fast becoming a specialized area in itself. All in all, an excellent career option in itself - hopefully, I have answered your question to some extent.