If you want to start doing security, I think it is more important to learn a fundamentally different perspective. It's sort of like learning magic, where the new perspective is 'What will my audience assume automatically? How can I get them to think that a given hat is empty?' (If it's a baseball cap and you drop it or invert it or so, for example.)

In security you're asking a similar question addressed instead at yourself. You're asking, "what am I assuming automatically?" Schneier for example has talked about why pilots don't get reduced screening at airports. The problem is that the pilots who cry out, "this is absurd, I could crash the plane I'm flying, how could I possibly be more of a risk to these people?" don't realize a certain automatic assumption: the assumption that the only people wearing the pilot's uniform are fellow pilots.

I tell this story occasionally, sorry if you've already heard me tell it. I once corrected a major security leak in an application I was paid to help develop -- the leak existed in the dev but not in production (thankfully!). The problem was that the team who had asked me to help out had made an assumption: "logs are good and are one of the only ways to create an audit/revert trail, we should log every request which comes our way just in case." This was built deep into the system. When I heard that, I was almost floored. As a proof of concept of the seriousness of what I'd realized, I looked through the audit logs for my boss's dev password and sent it to him.

It's a fundamental perspective shift: "if I wanted to break this, what assumptions could I use against it?" Whenever you see an implicit assumption you ask "how could that come back to bite us later?"
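The comment's "log every request just in case" assumption is worth seeing in working code. The following is an added example, not the commenter's code or the system they describe: it builds an audit-log line both the naive way (everything goes in) and with credential-bearing fields redacted, then runs the same check the commenter did by hand, searching the log for the secret. The field-name patterns, the sample login request and the `leaks` helper are all constructed for this example.

```python
import json
import re
from collections.abc import Mapping
from typing import Any
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Key names whose values must never reach a log. This list is an assumption
# for the example; a real application extends it to its own field names.
SENSITIVE_KEY_RE = re.compile(
    r"password|passwd|secret|token|authorization|cookie|api[-_]?key",
    re.IGNORECASE,
)
REDACTED = "[REDACTED]"


def redact(obj: Any) -> Any:
    """Recursively replace values stored under sensitive keys, keeping structure."""
    if isinstance(obj, Mapping):
        return {
            k: (REDACTED if SENSITIVE_KEY_RE.search(str(k)) else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    return obj


def redact_url(url: str) -> str:
    """Redact sensitive query-string parameters; path and other params stay."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    params = parse_qs(parts.query, keep_blank_values=True)
    clean = {
        k: ([REDACTED] if SENSITIVE_KEY_RE.search(k) else v)
        for k, v in params.items()
    }
    return urlunsplit(parts._replace(query=urlencode(clean, doseq=True)))


def naive_audit_line(method: str, url: str, headers: dict, body: dict) -> str:
    """The 'log everything' approach from the comment: credentials go straight in."""
    record = {"method": method, "url": url, "headers": headers, "body": body}
    return json.dumps(record, sort_keys=True)


def redacting_audit_line(method: str, url: str, headers: dict, body: dict) -> str:
    """Same audit trail, with secrets scrubbed before the line is written."""
    record = {
        "method": method,
        "url": redact_url(url),
        "headers": redact(headers),
        "body": redact(body),
    }
    return json.dumps(record, sort_keys=True)


def leaks(log_line: str, *secrets: str) -> bool:
    """The check the commenter did by hand: does any known secret appear in the log?"""
    return any(s in log_line for s in secrets)


# Constructed sample: a login request carrying a password, a basic-auth
# header, a session cookie and a reset token in the query string.
SAMPLE = dict(
    method="POST",
    url="/login?next=/dashboard&reset_token=tk-9f3a",
    headers={
        "Authorization": "Basic Ym9zczpodW50ZXIy",
        "Content-Type": "application/json",
        "Cookie": "session=abc123",
    },
    body={"username": "boss", "password": "hunter2", "remember": True},
)
SECRETS = ("hunter2", "Ym9zczpodW50ZXIy", "abc123", "tk-9f3a")

if __name__ == "__main__":
    print(naive_audit_line(**SAMPLE))
    print(redacting_audit_line(**SAMPLE))
    print("naive log leaks a secret:", leaks(naive_audit_line(**SAMPLE), *SECRETS))
    print("redacting log leaks a secret:", leaks(redacting_audit_line(**SAMPLE), *SECRETS))
```

The `leaks` check is the part worth keeping around: a unit test that feeds known credentials through the logging path and asserts they never appear in the output turns the commenter's one-off grep into a regression test, so the assumption gets re-examined every build rather than once.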
