Hands on is the best way to learn web app testing.
Companies give you 24-48 hours to test a vulnerable web app. After you send them a report with findings, if they like it, they have a final interview round.
Some of the better companies are NCC Group, Bishop Fox, Nettitude, Google-certified security companies and others. You can find them as sponsors at security meetups like BSides.
Some of the more technical ones are https://cure53.de/#publications. You can read their reports. Also https://www.trailofbits.com/
As for pay, it's decent but the ceiling is lower than SWE. Entry level positions usually make below 100, senior low 100s, manager mid 100s and more senior positions are around 200. After that it's harder to move up.
Lastly the job itself can get pretty boring at times. Code review is something most people try to avoid. It’s useful when combined with web app testing to perform greybox testing.
Web app testing can be boring as well, when testing multiple web apps in a row that have been tested multiple times before and not finding anything decent.
What makes up for all of that is excitement from testing newly developed or older web apps with lots of vulns, performing network pentesting and developing new tools for different projects.
It’s a great feeling when you publish a new tool and lots of people start using it and appreciate your work.
Most web app testing is performed using this guide https://owasp.org/www-project-web-security-testing-guide/