Most startups, and even gigantic corps, have little or no actual security people to test software. It's just a factory where you churn out features and nobody is doing any checking; they work with C libraries with abstracted shit like angular/coffeescript/javascript and don't do proper testing or even best practices. If you learn how to write tests yourself, then you basically create your own CISO role and parachute yourself into it. Remote CISO is pretty easy: you just load up Emacs and use plugins like HiLock to quickly search through code, and org-mode to bookmark code you spot is obviously flawed or wish to test later. You write your recommendations, then go back to the beach in Thailand or w/e you work out of.
Start with
How to Design Programs (HtDP)
It focuses on sane design and running tests in Racket (Scheme). The MOOC for it on edX is free; payment is only for the certificate of completion: https://www.edx.org/xseries/systematic-program-design-0
At first it feels like rote learning; you are writing all these templates for seemingly simple functions. Trust me, it makes sense later on in the course/book when the programs become huge. You can slide right into Typed Racket after just a few chapters: https://www.classes.cs.uchicago.edu/archive/2014/fall/15100-1/guide.html
Do the rest of the course in Typed Racket to learn about type safety and you'll see for yourself how it works when you fail tests accidentally.
Now you need to write your own security tests, to start breaking non-typed software using your knowledge of how stuff can break from creating type-safe software. Read Gray Hat Python: http://libgen.io/book/index.php?md5=381ABC536B480375ED49608177BB54E3
It specifically teaches you how to write security tests. If you've never used Python (after doing the HtDP course), then read Zed Shaw's Learn Python the Hard Way tutorial, which you will zoom through if you've already done HtDP: http://learnpythonthehardway.org/book/ and/or Violent Python: http://libgen.io/book/index.php?md5=eae478007e8e105aed06876890dfdf3d
Now get and read the following books:
Learn C the Hard Way http://c.learncodethehardway.org/book/
Secure Coding in C and C++ (2nd Edition)
The Art of Software Security Assessment
Zed Shaw's C tutorial has you breaking shitty code in the 4th lesson. The other books are still the de facto guides to secure development. It doesn't matter that they are C related, since the vast majority of errors apply to every program regardless of language. Whenever you come across a problem in the software assessment books, write a test for it and apply it to the software you maintain/build. If it fails, congrats, you just saved whoever you work for countless money should anybody exploit that later.
Now go on HN (Hacker News, https://news.ycombinator.com/news) and search for Unit Testing, Regression Testing, Fuzzing, and Security Tests. Write some of your own using their examples and apply them to where you work. If they don't parachute you into CISO by now, then nobody else will ever get that job. I guarantee you will break absolutely everything just doing basic tests unless you're using type-safe languages from the start, which is hardly any company right now.
Other helpful books:
The Mobile Application Hacker's Handbook
The Web Application Hacker's Handbook
The Tangled Web: A Guide to Securing Modern Web Applications
The Android Hacker's Handbook
Yes, webdev shit, but everything is networked, everybody runs a browser, every app has an API, etc. Again, for everything you learn from those books, write tests in your software suite (by now, your suite is so large you could probably sell or license it).
continued next post(s)
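An added example, not from the post above and not from any of the books it lists, of the kind of security test the post tells you to write: take one bug class from the assessment books (an unchecked length field, the classic source of out-of-bounds reads and huge allocations in C parsers), write a regression test and a small mutation fuzzer for it, and run both against a vulnerable parser and its hardened replacement. The wire format (4-byte little-endian length, then payload), the MAX_RECORD limit, and the parser/function names are all constructed for this example.

```python
"""Security regression test + mutation fuzzer for a length-prefixed record parser.

Example code, not from the original post.  The record format, MAX_RECORD and every
function name here are assumptions made up for the illustration.
"""
import random
import struct
from typing import List

MAX_RECORD = 1024  # assumed protocol limit on a single record (constructed)


class MalformedRecord(ValueError):
    """Raised by the hardened parser for any input it refuses to process."""


def encode_records(records: List[bytes]) -> bytes:
    """Assumed wire format: 4-byte little-endian length, then payload, repeated."""
    return b"".join(struct.pack("<I", len(r)) + r for r in records)


def parse_records_vulnerable(buf: bytes) -> List[bytes]:
    """Trusts the length field.  Slicing past the end silently truncates here; in
    C the same logic is an out-of-bounds read, and the attacker-chosen length
    goes straight into malloc().  Trailing bytes are silently dropped too."""
    records, i = [], 0
    while i + 4 <= len(buf):
        (n,) = struct.unpack_from("<I", buf, i)
        i += 4
        records.append(buf[i:i + n])
        i += n
    return records


def parse_records_fixed(buf: bytes) -> List[bytes]:
    """Checks every length against the protocol limit and the bytes actually
    present before touching the payload, and rejects truncated/trailing data."""
    records, i = [], 0
    while i < len(buf):
        if len(buf) - i < 4:
            raise MalformedRecord("truncated length field at offset %d" % i)
        (n,) = struct.unpack_from("<I", buf, i)
        i += 4
        if n > MAX_RECORD:
            raise MalformedRecord("length %d exceeds MAX_RECORD" % n)
        if n > len(buf) - i:
            raise MalformedRecord("length %d exceeds remaining %d bytes" % (n, len(buf) - i))
        records.append(buf[i:i + n])
        i += n
    return records


def roundtrip_holds(parser, buf: bytes) -> bool:
    """The invariant under test: anything the parser accepts must re-encode to
    exactly the input.  A record shorter than its declared length (over-read)
    or silently skipped bytes break it; a clean rejection is the safe outcome."""
    try:
        records = parser(buf)
    except MalformedRecord:
        return True
    return encode_records(records) == buf


def regression_cases() -> dict:
    """Hand-written cases, one per bug pattern from the assessment books."""
    return {
        "over_read": struct.pack("<I", 100) + b"hello",       # claims 100, has 5
        "huge_length": struct.pack("<I", 0xFFFFFFFF),         # 4 GiB allocation in C
        "trailing_junk": encode_records([b"ok"]) + b"\x01\x02",
    }


def mutate(valid: bytes, rng: random.Random) -> bytes:
    """Simple mutation fuzzer: corrupt a 4-byte field with boundary values,
    truncate, append junk, or flip one bit."""
    b = bytearray(valid)
    choice = rng.randrange(4)
    if choice == 0 and len(b) >= 4:
        off = rng.randrange(0, len(b) - 3)
        b[off:off + 4] = struct.pack("<I", rng.choice(
            [0, 1, MAX_RECORD + 1, 0x7FFFFFFF, 0xFFFFFFFF]))
    elif choice == 1 and b:
        del b[rng.randrange(len(b)):]
    elif choice == 2:
        b += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif b:
        pos = rng.randrange(len(b))
        b[pos] ^= 1 << rng.randrange(8)
    return bytes(b)


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> List[bytes]:
    """Returns every mutated input for which the parser breaks the invariant."""
    rng = random.Random(seed)
    seed_input = encode_records([b"hello", b"", b"A" * 32])  # constructed corpus
    return [case for case in (mutate(seed_input, rng) for _ in range(iterations))
            if not roundtrip_holds(parser, case)]


if __name__ == "__main__":
    for name, parser in [("vulnerable", parse_records_vulnerable),
                         ("fixed", parse_records_fixed)]:
        bad = [n for n, c in regression_cases().items() if not roundtrip_holds(parser, c)]
        print("%s: regression failures=%s fuzz failures=%d" % (name, bad, len(fuzz(parser))))
```

Running it reports the three regression failures plus hundreds of fuzz failures for the vulnerable parser and none for the fixed one. The point of the round-trip invariant is that the test does not need to know a specific exploit: any input the parser accepts without consuming and reproducing every byte is a bug, which is exactly the class of error the C books describe and that a fuzzer finds mechanically.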