long time no talk! it's been a while since i shared an update. i've been posting projects, but no blog posts recently. let's rectify that!
jumping right into it, i've been on quite a tear. i finished the Practical Bug Bounty course from TCM Academy a while back. this course had me spin up a Docker container so i could work through the labs alongside the lessons. i really appreciate the hands-on aspect of all of TCM's courses. to give a quick rundown of some of the bug classes i encountered, i worked on Broken Access Control (BAC), Insecure Direct Object References (IDORs), Insecure File Upload bypasses, XML External Entity (XXE) injection, Structured Query Language (SQL) injection, Cross-Site Scripting (XSS)... the list continues on for a while actually. the course was a fantastic way to be exposed to the necessary contextual knowledge and then to experience an actual example of each and every bug in a web application.
i went beyond the course and also started tackling the labs available on PortSwigger Academy. the entire academy is free! again, a great combination of theory and practice, which really helped me develop my mental model of web applications further. that has been one of the coolest things about learning about cybersecurity and IT -- i absolutely LOVE when things come full circle and i connect it back to stuff i learned while doing web development projects. this was a great way to reinforce said web development knowledge, while also expanding upon it due to the different perspective that security gives.
as a quick example, i had a very elementary understanding of the client-server model. i knew that some code executed on the client, and some code was served from servers owned by the company that hosted the application. now i know all about HTTP/S, DNS, TCP/IP -- and that list goes on as well. networking is such a beautiful thing. there are also plenty of areas for mistakes and trouble to slip in due to that complex beauty!
i chose not to dive into any particular examples because the point of this blog post was actually to home in on the fact that it doesn't matter WHAT resource you use to learn. it is more about HOW, WHY, and WHEN. it matters that you are consistently trying. as i learned in Make It Stick: The Science of Successful Learning by Brown, Roediger III, and McDaniel, part of the journey IS meant to be difficult. in fact, that is actually integral to it! if it feels easy all the time, then you won't actually cement anything in your brain. so spending too much time on picking the "perfect path" of textbooks and projects can end up paralyzing you and wasting your time. use spaced repetition, interleave different subjects, introduce variation in the problems for a given subject, embrace a progressive overload of difficulty, and focus on deliberate practice to shore up weak points.
i use a combination of resources, but the most important part is that i consistently grapple with the information. i'm building mental models, i'm reflecting, creating my own questions and trying to figure out the answers before looking it up, i'm getting hands-on experience with hardware and software, and i'm constantly challenging myself. whether i watch video lectures, listen to podcasts, or read books and articles, i'm glad to report that the results have been accumulating over time!
i've mentioned in an old post how much i love the human body as a complex and beautiful system, filled with subsystems that all work in a dynamic harmony. i've come to see applications, computers, and the internet as an equivalent masterpiece of ingenuity.
stay tuned for my next series of blog posts, where i dive into some security tips and tricks that EVERYONE would benefit from knowing!