In my experience, security has much fewer of those resources. Most of the information seems to shared through word-of-mouth, conference presentations, and blog posts.

Much of the information is also just RTFM. I don't think it's a stretch to say that security is a lifestyle: if I read the documentation of an API, more often than not I'll wonder if something can be abused for something. Or when trying to register for health insurance, the password field required special characters, so I set my password generator to include them, after which the form broke, and so I investigated and found that I could inject scripts there. It's just stuff I come across when I'm not even trying.

Word of mouth, chat groups where things are shared, conferences, blog posts... yes, those are resources. But it's also just a whole lot of curiosity and poking at systems.

And experience. Knowing what to look for, even if it's just the HTML source of a web page, is rather important in the first steps of breaking the system. How do you learn what to look for? Well, certainly there are blog posts and even playgrounds with virtual systems and components one can have a go at.

Actual security expert^W dude here. On the topic of breaking/hacking things, I never read a book, followed a MOOC, or studied university course material, and I doubt most of my peers do that either. Which is not to say I don't use those resources, but they're for other topics like software development, system administration, or non-fiction books like Predictably Irrational[1].

The only security-relevant subreddit I'm subscribed to is /r/netsec, and sometimes interesting things come by, but I don't use it a lot. HN is more useful for (context about / following) big security events than netsec. Perhaps /r/sysadmin is also fair to mention, but that's more to see what's hot in sysadmin world (and get their perspective on breaking security news) than to learn about security.

Instead of Quora, I use the IT Security StackExchange site[2]: answering questions makes me dive into topics just a little deeper than what I already knew and I always come out knowing a few more useful details. The site has some really hardcore security people who are typically find any mistakes in your answers as well. I'd recommend that site a lot for learning, whether that is through asking or answering questions (though with answering, perhaps it's more to deepen knowledge than to get into the field), or even if it's just for getting correct answers to security questions like "What are the optimal WPA3 settings for a home router" or something.

So then, how does one get into security? Most people I know just started breaking things and noticed that others usually found it useful if we told them about it. After a while you'll have seen most of the common issues. Add to that some more structured materials like the OWASP top 10 and similar resources, and now I feel fairly confident that my reports are not just a haphazard collection of what I came across in previous years, but that I can actually give a reasonably complete assessment of the security of a system.

I don't know why the security field doesn't have as many structured resources as other fields. Maybe the field is just too small compared to how fast it moves? Or maybe security people are, y'know, as breakers of other people's systems, as hackers, as those who outsmart the people who made the system... maybe we want to be different and not follow norms by studying the normal way? And most of us just started doing it for fun before it became a profession, so few people would use the resources even if they were there? I'm just speculating.

[1] https://en.wikipedia.org/wiki/Predictably_Irrational

[2] https://security.stackexchange.com