An Engineer’s Tale: My Journey From SWE and SDET to Application Security

Hey! How is it going? I am writing this personal journey not to brag about anything but because it may motivate others and help them realize that it is possible to accomplish various goals and find the career that will give you purpose.

I am originally from the Dominican Republic; I came to the US on August 27th, 2014. Currently, I work as an Application Security Engineer here at FloQast.

Software Engineering

In 2018 I was working as a Risk Analyst at an Investment Company, thanks to a program called YearUp, and in my downtime I would open VS Code and solve problems using JavaScript. When I lived in the Dominican Republic, I learned and played with C#, so I already had some programming logic because of it. I really enjoyed it, so it was a goal of mine to become a Software Engineer in the near future.

One day at work, a person I knew contacted me on LinkedIn about a Software Engineering course from a program called General Assembly. It sounded like a good deal to me, so I signed up for the program, passed the initial test, resigned from the job, and before I knew it, I was already taking classes at General Assembly; I learned React, Ruby on Rails, HTML and some CSS, as well as concepts like REST, CRUD, and others.

After the program ended, one month later I got my first Web Developer job using Ruby on Rails. I got a lot of experience at that place, but I wanted to be at a job where I could code using React and NodeJS, so I started applying for jobs on LinkedIn where React and NodeJS were being used. One week after I started applying, I got a message from a company asking me to come to their office for an interview. I did every test and passed the interview; the next day, at 7 am, the person who would become my Software Engineering Manager called me with an offer. At this new job, we used to chat a lot during our lunchtime, and one day the Manager mentioned a podcast called The Darknet Diaries, which sounded interesting to me.

Intro to Security

The first episode I listened to from The Darknet Diaries was Unit 8200, which blew my mind. I remember driving, and on the GPS on my phone I added a stop at Barnes and Noble to buy a hacking book I could read. I bought the book Hacking: The Art of Exploitation, 2nd Edition, which helped me understand some Assembly and how the CPU works. I started understanding the various areas of Security and figured out there was one for the Web. Also, by then, @thecybermentor had a great course, Practical Ethical Hacking, for free. I quickly signed up and took the whole course, but what was particularly interesting to me was the Web Application Penetration Testing part of this course.

Early 90s picture of a kid "hacking" on a toy computer

After taking the course, I got curious about how to practice my knowledge in a real scenario, and I started doing it on the website of the job I was at at that time. My Manager liked the findings I was able to get so much that he offered me a job change to Test Engineer. It didn’t align with Web Security, but I thought I could use that opportunity to also test for website security issues.

Software Development Engineer in Test at FloQast

After some time being a Test Engineer, I had learned a lot about various topics and felt I could get a job doing the same but with better pay. I again started applying for jobs, and, fast forward, FloQast gave me a great offer to work as a Software Developer Engineer in Test, which I couldn’t refuse. I loved the work and the Performance Test project I was given. After work, I explored and researched more about Web Security. I also practiced and learned using the PortSwigger Web Security Academy and fantasized about getting a certification called WEB-300: Advanced Web Attacks and Exploitation from Offensive Security (OffSec).

Application Security Engineer at FloQast

One day in the FloQast Slack Channel, a new channel got created so Engineers could introduce themselves. This was my introduction:

Hola everybody! I am Luis Miguel (just Luis is acceptable); I was hired 4 months ago and really like how challenged I am here at FloQast. I work as a Software Developer Engineer in Test I in the Pandora pod. Before that I was a Software Engineer for about 3 years until I transitioned to work as a Test Engineer at the last company I was at. My hobbies are gaming, Muay Thai, hacking (binary reverse engineering, web exploitation), and exploring new Korean and Japanese plates.

After that, I believe a couple of months later, Rune Kristensen, who is now a Senior Security Manager, requested a meeting with me to chat about security topics (I believe it was all a test, but whatever…). We discussed Web Security and my experience with Security. Before the meeting ended, he mentioned that there was an open position I could apply to in case I was interested. I didn’t think much of it because I had some Imposter Syndrome; I think of Security as really important, and I didn’t think I had the skill set for it; little did I know I did have the necessary skills. The next day, a Saturday, I woke up and sent Rune a message asking what I had to learn to apply. He asked for my resume, then gave me a security tool project I had to code, and the rest is history. I got a transfer offer to work as an Application Security Engineer and did my first Internal Web Penetration Test, the report part of which was very humbling; I will write another blog post about it soon.

I have learned lots of new exploitation techniques and concepts thanks to my other manager, Harrison Richardson, who has also given me the most demanding challenges and has put me through the most nerve-breaking situations. Fast forward, Client- and Server-side Prototype Pollution is one of my favorite web exploits. I have been recommended great books to read, and my favorite is JavaScript for Hackers: Learn to Think like a Hacker by Gareth Heyes.

Conclusion

My main takeaways from this journey are:

  • Imposter Syndrome can make you doubt yourself: don’t listen to it.
  • Being disciplined and continuing to learn is essential to progress.
  • Always challenge yourself and/or ask to be challenged.
  • Getting out of your comfort zone is essential to progress, even if that means putting yourself in nerve-breaking situations.
  • In Security, never rush to finish a task; take your time; it is essential to be accurate; this is Security.

Luis Rodriguez Castro

Luis is an Application Security Engineer at FloQast who is a web security enthusiast, enjoys eating Korean and Japanese food, and also likes practicing Muay Thai and online gaming.
