Lately, I’ve been reading lots of blog posts and books and watching YouTube channels related to computer security.
These will be my public notes on learning security from the perspective of a web developer. I know how to code websites but I just recently learned about security.
I noticed there are two paths to learning security. The first path is the OSCP-style pentesting approach, which I call the “top-down” approach. You learn computer networks, Kali Linux, servers, web, etc. The other path is on the CTF side: binary exploitation, reverse engineering, C and x86 assembly, and the like. I call this the “bottom-up” approach.
I first learned about the top-down approach, so I installed VirtualBox, Kali and a vulnerable VM. But I want my tools to be simple, so I removed Kali. I feel that Kali has a lot of ready-made tools for hackers but I’ll just be overwhelmed by all these tools.
For the bottom-up approach, I downloaded an Ubuntu VM on my laptop, and I install the tools that I need as I go over what I need to learn. This is like creating my attack machine from scratch.
I also learned more about CTFs, LiveOverflow, John Hammond and the like. I like LiveOverflow’s approach of not using Kali. That’s another reason why I deleted Kali Linux. I want a few tools that I know very well instead of lots of tools that I know only at the surface level.
For learning security with the bottom-up approach and minimalist tools, I’ll use OverTheWire (a wargame website), picoCTF for CTF challenges, and pwn.college for learning binary exploitation.
As of September 2025, I’m using a MacBook M1 Pro as my laptop and VMware Fusion for virtualization. I also have UTM for x86 emulation. I know it’s an uphill battle with virtualization and Apple Silicon, but that’s what I have right now. Wish me luck!