{"id":1837,"date":"2025-06-24T14:10:21","date_gmt":"2025-06-24T14:10:21","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=1837"},"modified":"2025-07-02T16:12:09","modified_gmt":"2025-07-02T16:12:09","slug":"how-i-moved-from-developer-to-security-researcher-and-how-you-can-do-it-too","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/how-i-moved-from-developer-to-security-researcher-and-how-you-can-do-it-too\/","title":{"rendered":"5 Things Developers Should Know Before Breaking Into Security"},"content":{"rendered":"\n<p>Hi everyone! I&#8217;m <strong>Shreya Pohekar Agrawal<\/strong>, currently working as a <strong>Security Researcher at Microsoft<\/strong>. But my journey into cybersecurity didn\u2019t start here. Back in college, I was equally drawn to both development and security\u2014and choosing between the two wasn\u2019t easy. But after some exploration, I realized I didn\u2019t have to pick just one. I chose to begin my journey as a developer to build strong technical foundations, with the goal of transitioning into security later. That decision turned out to be the perfect balance, and looking back, I\u2019m really glad I took that path.<\/p>\n\n\n\n<p>If you&#8217;re a developer who&#8217;s intrigued by cybersecurity and wondering if it&#8217;s the right path for you, this post is for you.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Thinking About Switching? Don\u2019t Let the Doubt Hold You Back<\/h3>\n\n\n\n<p>Many developers hesitate when it comes to switching domains. 
The fear often comes from the idea that security is completely different or that it requires starting over from scratch.<\/p>\n\n\n\n<p><strong>But here\u2019s the truth:<\/strong> your background as a developer gives you a massive head start in security.<\/p>\n\n\n\n<p>Whether you\u2019ve worked in web development, mobile development, cloud infrastructure, DevOps, or systems engineering\u2014<strong>you already understand how things are built<\/strong>. And once you understand how something works, you&#8217;re halfway there to understanding how it can break.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Your Fundamentals Are Your Superpower<\/h3>\n\n\n\n<p>Let\u2019s take a closer look:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Web developers<\/strong> often find it easier to pick up <strong>web security<\/strong>\u2014things like XSS, CSRF, authentication flaws, and broken access control become clearer when you\u2019ve implemented those features yourself.<\/li>\n\n\n\n<li><strong>Mobile developers<\/strong> have an edge in <strong>mobile app security<\/strong>, including things like insecure storage, insecure inter-process communication, and reverse engineering.<\/li>\n\n\n\n<li><strong>Cloud engineers or DevOps professionals<\/strong> often transition well into <strong>cloud security<\/strong> or <strong>infrastructure security<\/strong>, working on IAM misconfigurations, insecure CI\/CD pipelines, or container hardening.<\/li>\n\n\n\n<li><strong>Backend developers<\/strong> often excel in <strong>source code review<\/strong> or vulnerability research, thanks to their experience with backend logic and architecture.<\/li>\n<\/ul>\n\n\n\n<p>The point is\u2014<strong>every tech stack has its security counterpart<\/strong>, and the transition is less daunting than it seems if you lean on your existing knowledge.<\/p>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Think Like a Builder, Break Like a Hacker<\/h3>\n\n\n\n<p>One thing that truly sets developers apart in the security world is the ability to <strong>think critically and question everything<\/strong>.<\/p>\n\n\n\n<p>In cybersecurity, blindly running tools or using someone else&#8217;s exploit script doesn\u2019t make you a security engineer. That\u2019s what we call a <em>script kiddie<\/em>. To be effective, you need to understand how tools work, what they&#8217;re doing under the hood, and why a vulnerability exists in the first place.<\/p>\n\n\n\n<p>As a developer, you naturally question behavior: <em>Why did this API respond that way? What edge cases haven&#8217;t been handled?<\/em> That mindset helps you go deeper into understanding vulnerabilities and even identifying new ones that aren\u2019t obvious at first glance.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Why Coding is a Must-Have Skill in Security<\/h3>\n\n\n\n<p>Security may be seen as a separate domain, but it\u2019s not far from what you already do. In fact, <strong>coding is essential<\/strong> in many areas of cybersecurity:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Writing <strong>custom payloads or exploits<\/strong>.<\/li>\n\n\n\n<li>Building your own tools, scripts, or automation for scanning and triage.<\/li>\n\n\n\n<li>Performing <strong>source code reviews<\/strong> to identify vulnerabilities in applications.<\/li>\n\n\n\n<li>Writing <strong>detection logic<\/strong> for alerting or monitoring.<\/li>\n\n\n\n<li>Understanding patch-level changes and verifying their effectiveness.<\/li>\n<\/ul>\n\n\n\n<p>And it\u2019s not limited to just one language\u2014you may be reading Python one day, JavaScript the next, or even C\/C++ depending on the target. 
<strong>The key is not mastering every language, but being able to understand logic and control flow.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Why Product Security Needs Strong Tech Foundations<\/h3>\n\n\n\n<p>When you work in <strong>product security<\/strong>, you\u2019re not just finding vulnerabilities\u2014you\u2019re also recommending or implementing fixes. That means you need to understand how something was designed, what constraints exist, and how a fix might impact performance or functionality.<\/p>\n\n\n\n<p>This is where your development background becomes invaluable. You think not just about patching a bug but about how to fix it the <em>right<\/em> way, considering edge cases, scalability, and maintainability.<\/p>\n\n\n\n<p>You\u2019re also expected to <strong>collaborate with developers<\/strong>, conduct <strong>threat modeling<\/strong>, and integrate security into the software development lifecycle (SDLC). Your ability to speak their language builds trust and improves the adoption of secure practices.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udcda How to Get Started (Especially for Product Security)<\/h3>\n\n\n\n<p>If you&#8217;re convinced and ready to explore cybersecurity, here are some <strong>learning areas to begin with<\/strong>\u2014especially if you&#8217;re aiming for <strong>product security roles<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Web Fundamentals<\/strong><br>Understand how browsers, HTTP, sessions, and web apps work.<\/li>\n\n\n\n<li><strong>Web Security<\/strong><br>Study OWASP Top 10 vulnerabilities (like XSS, IDOR, CSRF, SQLi), and learn how to find and mitigate them.<\/li>\n\n\n\n<li><strong>Mobile Fundamentals and Mobile Security<\/strong><br>(Optional, depending on the company.) 
Learn about Android and iOS architectures and common mobile threats.<\/li>\n\n\n\n<li><strong>CI\/CD &amp; GitHub Security<\/strong><br>Learn how secrets leak, how misconfigurations happen, and how to secure your pipelines.<\/li>\n\n\n\n<li><strong>Cloud and Container Security<\/strong><br>Learn about IAM misconfigurations, misused cloud APIs, Kubernetes security, Docker escapes, and more.<\/li>\n\n\n\n<li><strong>Source Code Reviews<\/strong><br>Practice reading codebases to spot logic flaws, insecure API calls, or weak crypto usage.<\/li>\n\n\n\n<li><strong>Threat Modeling<\/strong><br>Understand how to assess a system for potential risks before it goes live.<\/li>\n\n\n\n<li><strong>SAST and DAST<\/strong><br>Get familiar with Static and Dynamic Application Security Testing tools\u2014understand what they catch (and what they miss).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">My Final Thoughts<\/h3>\n\n\n\n<p>Switching to cybersecurity from a development role <strong>is absolutely possible\u2014and highly valuable<\/strong>.<\/p>\n\n\n\n<p>Security isn\u2019t a standalone field; it\u2019s an extension of your fundamentals. Once you get started, you\u2019ll discover how deep and exciting the field is. It\u2019s full of continuous learning, fast-paced innovation, and real-world impact. And most importantly\u2014it never gets boring.<\/p>\n\n\n\n<p>If you&#8217;re curious and passionate about learning, you&#8217;re already halfway there.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>PS:<\/strong> I\u2019ve also written a <a href=\"https:\/\/shreyapohekar.com\/blogs\/how-to-get-into-information-security\/\" title=\"\">blog post<\/a> to help you kickstart your learning in product security. 
Feel free to check it out!<\/p>\n\n\n\n<p>If you have questions or want to chat about the transition, drop a comment or DM\u2014I\u2019d love to help more devs find their path into security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi everyone! I&#8217;m Shreya Pohekar Agrawal, currently working as a Security Researcher at Microsoft. But my journey into cybersecurity didn\u2019t start here. Back in college, I was equally drawn to both development and security\u2014and choosing between the two wasn\u2019t easy. But after some exploration, I realized I didn\u2019t have to pick just one. I chose [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1761,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet
":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[2],"tags":[453,452,4
54],"class_list":["post-1837","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-information-security","tag-developer","tag-security","tag-switch","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1837"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=1837"}],"version-history":[{"count":4,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1837\/revisions"}],"predecessor-version":[{"id":1843,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/1837\/revisions\/1843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/1761"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=1837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=1837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=1837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}