Go through gera’s exercises in order http://community.corest.com/~gera/InsecureProgramming/

Once you understand those, you’ll be just about as good as anyone I’ve met.

Thanks
chrisu

Experiment with disassemblers: especially IDA Pro and OllyDbg for Windows and gdb for everything else.

You’ll also need to understand Java and C/++ in order to actually audit code. I would also recommend learning either Perl or Python for writing quick attack scripts. If you’re interested in web security, you will also need to know Javascript and understand SQL.

Sounds like a lot, but these are minimal requirements. Once you have learned one language, the others are easier to learn. I would recommend learning assembly and Java first, and then move from assembly to C and from Java to C++ and Python. Your mileage _will_ vary. Don’t get too bogged down in all the details yet, just learn how to write a few sample programs in each language and try to get a sense of what they do and how they differ.

Remember – Working in security isn’t about knowing everything, it’s about knowing where to look anything up. Make lists of useful references as you find them. Don’t try to memorize too much, just remember where you can find that information later.

Also, the most important thing: Cheat. Cheat at everything. Lie to the computer all the time and see what you can get away with. Most of the language APIs are dirty lies, and most documentation is trying to convince you the program works correctly, even if it doesn’t. The only truth, such as it is, is in the compiled binary.