This post is directed towards current network security/penetration
testing professionals.
I'm not sure what group this would be most appropriate in, so if this
is in the incorrect group, then please let me know and I'll move it
there (I've looked for a few groups that are strictly for pen-testers,
and haven't really found much). So I apologize in advance if this is
misplaced.
I'm currently a software engineer, but have a passion for network
security, and in particular penetration testing. I have to admit, I've
looked and looked for possible job descriptions for this type of work,
the pros and cons of it, how to get into the field, etc... and
haven't found a whole lot regarding the first steps to get into this
type of industry.
I would love to have a few questions answered by those who have been
there and done this type of work. That being said, here are my
questions...
1) How did you get your start into this field of work?
1a) Did you attend any official courses to prepare?
1b) Did you obtain any certifications before you landed your first
pen-testing job?
2) What is an average day of work like for you?
2a) What are the pros of working as a Pen-Tester?
2b) What are the cons of working as a Pen-Tester (what makes you hate
coming to work?)
2c) Do you work in a large or small firm? Or are you doing freelance
work? Which would you prefer/recommend?
3) What should I do to prepare?
3a) Are there any solid courses offered to prepare for this type of
work?
3b) What are the most credible and affordable courses one could take?
3c) In your opinion, what are the strongest certifications to have? Or
are any certifications worth their salt?
4) Are there any websites out there that would have some or all of the
answers to the questions above?
I've looked into going to the InfoSec school for Ethical Hacking, and
would love to have the bootcamp style training to get me started, but
atm, the cost is a bit outside of my limits. I can say, though, that
sometime next year I will be able to take such a course. In the
meantime, though, I'm trying to figure out if this is something that
I'd like to pursue. I currently have a very secure job and am quite
happy with it (most days :) ), as well as having a very bright future
for advancement in the industry, but I'm pretty sure I would absolutely
love this type of work. I feel like I've only read 'hype' about the
career, though. I'd love to pick a grizzled veteran's brain about this
and see if it's the right career move for me. Also, I'm young enough to
make a career switch a viable option. So it's been weighing on my mind
pretty heavily as of late, heh.
Thanks in advance to all who reply with anything useful,
Keith
As someone on the end of reading security audit reports, can you:
1 - write high-level management reports, with scare stories to generate more
work?
2 - can you write down all the issues their own tech team tell you are
issues, and present this as your own work?
3 - can you state the bleeding obvious in an important-looking document -
'you need to patch your systems, have firewalls & IDS, do more monitoring,
QA your software, run up-to-date AV, limit admin accts, enforce password
policy, limit physical access, review security logs....'. (Since every firm
is always just one step behind in some area, you will always find an 'in').
If they are fully up-to-date and compliant, can you scare them with 0-day
exploits and more consultancy costs.
4 - can you steer someone else's cleverly written vulnerability scanner, and
produce reams of pdf reports which justify your pointless exercise and
substantial contract fee
If so, go work for a big audit firm and keep reselling the above and keep
creaming the profits, whilst knowing in your heart you've never written a
line of exploit code or had an original idea on security yourself.
> > 2) What is an average day of work like for you?
>
> As someone on the end of reading security audit reports, can you:
>
> 1 - write high-level management reports, with scare stories to generate more
> work?
>
> 2 - can you write down all the issues their own tech team tell you are
> issues, and present this as your own work?
>
> 3 - can you state the bleeding obvious in an important-looking document -
> 'you need to patch your systems, have firewalls & IDS, do more monitoring,
> QA your software, run up-to-date AV, limit admin accts, enforce password
> policy, limit physical access, review security logs....'. (Since every firm
> is always just one step behind in some area, you will always find an 'in').
> If they are fully up-to-date and compliant, can you scare them with 0-day
> exploits and more consultancy costs.
>
> 4 - can you steer someone else's cleverly written vulnerability scanner, and
> produce reams of pdf reports which justify your pointless exercise and
> substantial contract fee
Pity.
Sounds like you have contracted someone doing vulnerability scanning
vs actual ethical hacking.
But it's funny cus the market does have a lot of such crap out there.
> Pity.
>
> Sounds like you have contracted someone doing vulnerability scanning
> vs actual ethical hacking.
From a company perspective, they just want a report which tells them what
their exposures are (which any idiot could tell them - see point 3), and
then they can justify the spend and action the recommendations, and thereby
cover their ass should anyone externally need to have proof of their
'security'
It's not about hacking into code, it's about ticking the boxes.
> But it's funny cus the market does have a lot of such crap out there.
Usually with a big brand name and a ludicrous fee
Not sure if my experience applies, but I used to work for the GeekSquad
at BestBuy. It was hell. But I did learn a few things. Mainly, though,
I learned that people pay for convenience. People pay for others to do
the things they need done, but don't have the time to learn how to
do...
My job consisted of booting up a computer, and then clicking 'scan' on
a few antivirus scanners, and a few spyware scanners, and then
documenting my work. Any monkey could have done the same. So why didn't
these customers have me do it?
They didn't have the time, perhaps even the aptitude, to learn and
educate themselves on how to do it themselves. Something so seemingly
simple, yet they didn't do it. I even went to _great_ lengths to show
these people they were being 'scammed', to show them how to do my
'job'. 9 times out of 10, though, these people flat out told me they
'didn't care, just fix it'.
Perhaps you have some truth in your inflammatory, pessimistic attitude
of penetration testing/ethical hacking. But I think your opinions are
more wrong than right.
1) Businesses want to know worst case scenario, and to be prepared for
them.
2) Sure I can. Will I? No. To assume and lump all penetration testers
into this unethical behavior is a bit narrow minded and immature, imo.
3) What is bleeding-obvious to you, may not necessarily be obvious to
others less savvy than yourself. Take my example of spyware, for
instance. Most people don't understand that a free screensaver is chock
full of malware and resource hogging software that is generally bad for
your system. Most people are too busy themselves to sit down and
educate themselves thoroughly enough to become a smart or even savvy
internet user. Case in point, most businesses are busy earning money
and making their business plans work to worry so much about security.
Hence, they hire a pen-tester or ethical hacker to tell them the things
they need.
4) Simply because I don't write my own vulnerability scanners doesn't
mean I am somehow less knowledgeable or less of a professional. Using
someone's already established tools is far better than reinventing the
wheel. It's smart. Do I write all of my current software in assembly,
because that would somehow make me a superior coder to those who use
high-level frameworks? No. I use the frameworks given to me to make my
life easier, my software development more efficient and my production
time less. Am I less of a software engineer because I don't write all
my projects in low-level languages? And just because I don't use those
low level languages, does that mean I don't understand what's going on
beneath the hood of my framework? You are making large assumptions that
don't necessarily add up to anything. On the same token, using someone
else's tools does not mean that I do not understand the
vulnerabilities. I _could_ attempt the vulnerabilities one by one
myself, manually executing them, but that would be tedious and slow.
I'd probably think about automating that, but wait... someone's already
done that! I'm sure you see my point.
As for pointless exercises... I'd beg to differ. If they were so
pointless, perhaps you should tell the CEO that the next time his/her
security is compromised. "Yes, you were compromised because of this
particular insecurity, but checking for that before you had been
attacked would have been pointless in my opinion." Make statements such
as that, and I'd wonder why you even browse this newsgroup...
As for substantial contract fees... knowledge is power. The reason
software engineers are paid well (or at least more than average) is
because of their knowledge and experience alone; because many have
devoted their time, effort, and finances to learning their trade. The
same goes with a penetration tester who stays current. Aside from that,
I'd wonder how you consider a company's peace of mind and security any
less valuable than it already is.
Lastly... simply because I would work as a penetration tester doesn't
automatically qualify me as a moron in the vulnerability research
department... And quite honestly, I would probably find myself adequate
at doing it, considering my background. I do see your point, though, in
that a truly excellent penetration tester should know these details to
truly understand his job.
So, with all of this, I'm going to call you out. I am quite sure that
if we were to know your line of business, we could make equally narrow
minded and inflammatory remarks. I won't, of course, but that was an
attempt to open your mind a bit. And since you posted in this group, on
this particular topic... have you ever written exploit code? Have you
ever contributed fresh ideas to the security community? Or do you
simply deride everyone else's careers, quite likely because of your own
insecurity in your own skillset? Heck, with your mindset, have you
written your own OS? Or are you just an inferior user? Have you made
your own motherboard? Processor? Memory units? Or are you just a simple
consumer?
Do you now see how ridiculous your claims sound? In retrospect, had you
written something like, "Here's how you can be a horrible
pen-tester..." or perhaps, "These, in my opinion, are great
pen-testers...", I think I wouldn't have had a problem at all with your
post. I'd venture to say that constructive criticism _could_ go a long
way for you. I doubt you'd heed the advice though.
erewhon wrote:
> > 2) What is an average day of work like for you?
>
> As someone on the end of reading security audit reports, can you:
>
> 1 - write high-level management reports, with scare stories to generate more
> work?
>
> 2 - can you write down all the issues their own tech team tell you are
> issues, and present this as your own work?
>
> 3 - can you state the bleeding obvious in an important-looking document -
> 'you need to patch your systems, have firewalls & IDS, do more monitoring,
> QA your software, run up-to-date AV, limit admin accts, enforce password
> policy, limit physical access, review security logs....'. (Since every firm
> is always just one step behind in some area, you will always find an 'in').
> If they are fully up-to-date and compliant, can you scare them with 0-day
> exploits and more consultancy costs.
>
> 4 - can you steer someone else's cleverly written vulnerability scanner, and
> produce reams of pdf reports which justify your pointless exercise and
> substantial contract fee
>
> If so, go work for a big audit firm and keep reselling the above and keep
> creaming the profits, whilst knowing in your heart you've never written a
> line of exploit code or had an original idea on security yourself.
>
> erewhon
> alt.hacker
> 9 times out of 10, though, these people flat out told me they
> 'didn't care, just fix it'.
That's certainly the case.
> Perhaps you have some truth in your inflammatory, pessimistic attitude
> of penetration testing/ethical hacking. But I think your opinions are
> more wrong than right.
>
> 1) Businesses want to know worst case scenario, and to be prepared for
> them.
Businesses don't care about security and vulnerability and exposure. Their
only interest in technology is in making a manual job easier (and therefore
saving cost), or generating revenue. In the process they know they have to
protect their assets (since this impacts their market position, or bottom
line if services are unavailable or compromised), and that they usually know
they have to be compliant with a variety of legal obligations in terms of
data security.
Their driver is not to 'want to know worst case scenario' - they know the
worst case scenario (I might get fucked over). What they want to know is 'am
I up to industry standards & best practice' and 'where are my weaknesses'.
In a large organisation with internal IT, you don't need an external audit
to tell you this - go and ask your existing teams. They'll have a list of
jobs which need doing, from laptop encryption, to improved IDS, to personal
firewalls, to spamware and malware scanners and filters, to better patch
management... the list will be comprehensive, assuming they actually ask!
> 2) Sure I can. Will I? No. To assume and lump all penetration testers
> into this unethical behavior is a bit narrow minded and immature, imo.
If you are employed by a large audit firm they will have a standard
approach - investigate their IT by examining all the information obtained
regarding their infrastructure from their IT teams, discuss their processes,
ask questions about the aforementioned areas likely to cause concern
(firewalls, patch, malware, encryption, et al) then present this list of
flaws in an audit report for management.
The managers will expect this - the audit firm knows this, and it will be a
cookbook delivery - the content of which will be obtained from existing IT
teams. How else would they be able to provide such a report in isolation -
audit every single network switch, firewall setting, PC and server? No -
they work from the inside to obtain, then resell back to you your own
information.
> 3) What is bleeding-obvious to you, may not necessarily be obvious to
> others less savvy than yourself. Take my example of spyware, for
> instance. Most people don't understand that a free screensaver is chock
> full of malware and resource hogging software that is generally bad for
> your system. Most people are too busy themselves to sit down and
> educate themselves thoroughly enough to become a smart or even savvy
> internet user. Case in point, most businesses are busy earning money
> and making their business plans work to worry so much about security.
> Hence, they hire a pen-tester or ethical hacker to tell them the things
> they need.
No they don't. They need to employ a team who can provide rigorous desktop
and server build standards. Someone who can write and enforce policy. They
need to employ someone to install AV, patch management, firewalls, IDS,
packet monitoring, proxy servers, malware and content sweepers at the
gateways et al.
That's why I stated your report needs to contain the obvious: 'you need to
patch your systems, have firewalls & IDS, do more monitoring, QA your
software, run up-to-date AV, limit admin accts, enforce password policy,
limit physical access, review security logs....'.
It does not require a pen-tester/ethical hacker to provide this analysis. It
needs a competent and informed IT team. Anyone who's big enough to buy pen
testing, is big enough to have its own IT team provide such a report
detailing areas for improvement.
Having written such a detailed report covering all such exposures, and
mitigating factors, and technology & process required to resolve it, I then
realised big firms think very little of their own skilled IT team. They
ended up paying $200k+ for an audit firm to do a fraction of the analysis I
did, with far fewer practical solutions. It's only by paying third parties
to come in, do the glossy report, that the IT managers can go to the board
and justify the spend on fixing the issues. Third party auditors know this -
your skills on code-exploit writing will not be required for the job of a
pen-tester.
> 4) Simply because I don't write my own vulnerability scanners doesn't
> mean I am somehow less knowledgeable or less of a professional.
Of course it does. The people who make such tools are obviously better
informed as to how the vulnerabilities exist, how they can be exploited and
how they can be detected. The user of such a tool is just that - a user of
someone else's tool. If they had the ability they claimed, they would write
their own.
> Using
> someone's already established tools is far better than reinventing the
> wheel.
I never said it wasn't. I said 'can you steer someone else's cleverly
written vulnerability scanner' to produce reports. Any monkey can do this -
you don't need an experienced code head/pen tester/ethical hacker to point
and click these tools.
>It's smart. Do I write all of my current software in assembly,
> because that would somehow make me a superior coder to those who use
> high-level frameworks? No. I use the frameworks given to me to make my
> life easier, my software development more efficient and my production
> time less. Am I less of a software engineer because I don't write all
> my projects in low-level languages? And just because I don't use those
> low level languages, does that mean I don't understand what's going on
> beneath the hood of my framework?
Most auditors/pen testers who sell their services have little knowledge in
this regard. It's just not required to produce the reports and analysis
which is being commissioned. The business needs a report from a tool which
can detect these holes. They don't give a shit if the person steering the
tool actually HAS the expertise to write the exploit code - they only need
to know if the hole exists and therefore the POSSIBILITY exists that someone
could exploit it.
>You are making large assumptions that
> don't necessarily add up to anything.
I am? Where exactly are my assertions flawed?
> On the same token, using someone
> else's tools does not mean that I do not understand the
> vulnerabilities. I _could_ attempt the vulnerabilities one by one
> myself, manually executing them, but that would be tedious and slow.
> I'd probably think about automating that, but wait... someone's already
> done that! I'm sure you see my point.
And my point is that no-one in the business cares if the employed
hacker/pen-tester/auditor actually has the skills to carry out the attacks
they say they are vulnerable to. They only need to know that such
possibilities exist - and for this you don't need to be a hacker/pen-tester -
just a monkey in a suit, with an arm full of reports and a penchant for
selling them back their own ideas.
> As for pointless exercises... I'd beg to differ. If they were so
> pointless, perhaps you should tell the CEO that the next time his/her
> security is compromised. "Yes, you were compromised because of this
> particular insecurity, but checking for that before you had been
> attacked would have been pointless in my opinion." Make statements such
> as that, and I'd wonder why you even browse this newsgroup...
I never said pen-testing was pointless. I said that the job of a
'professional pen-tester' is not what you would end up doing, since people
would be paying you to deliver to a common set of criteria - none of which
require an in-depth knowledge of exploit code and holes, only the means to
identify where they exist.
> As for substantial contract fees... knowledge is power. The reason
> software engineers are paid well (or at least more than average) is
> because of their knowledge and experience alone; because many have
> devoted their time, effort, and finances to learning their trade. The
> same goes with a penetration tester who stays current.
My point is that this task does not require a substantial amount of
knowledge, above and beyond what a competent network or server engineer has
at hand, to deliver the output of such reports.
> Lastly... simply because I would work as a penetration tester doesn't
> automatically qualify me as a moron in the vulnerability research
> department... And quite honestly, I would probably find myself adequate
> at doing it, considering my background. I do see your point, though, in
> that a truly excellent penetration tester should know these details to
> truly understand his job.
Actually, my point is - the best pen testers work in the background, writing
the tools and exploits. Business facing pen-testers do not - they steer
tools, & write cookbook reports.
> So, with all of this, I'm going to call you out. I am quite sure that
> if we were to know your line of business, we could make equally narrow
> minded and inflammatory remarks.
I'm a server engineer - I scope, design, & implement solutions, with a
degree of third line support for a multi-billion pound firm. I get paid shit
loads cos I'm very good at it.
I know what tools to use, have written best design practice, and how to
deliver a secure, resilient solution on time, within budget and following
process.
> I won't, of course, but that was an
> attempt to open your mind a bit. And since you posted in this group, on
> this particular topic... have you ever written exploit code?
No. I don't claim to have.
> Have you
> ever contributed fresh ideas to the security community?
Yes.
> Or do you
> simply deride everyone else's careers, quite likely because of your own
> insecurity in your own skillset?
Me - insecure?! I'm not deriding the career path - I'm stating it will not
be what you expect and hope it to be.
>Heck, with your mindset, have you
> written your own OS?
No.
>Or are you just an inferior user? Have you made
> your own motherboard? Processor? Memory units? Or are you just a simple
> consumer?
I did a smattering of electronics during my degree.
> Do you now see how ridiculous your claims sound? In retrospect, had you
> written something like, "Here's how you can be a horrible
> pen-tester..." or perhaps, "These, in my opinion, are great
> pen-testers...", I think I wouldn't have had a problem at all with your
> post. I'd venture to say that constructive criticism _could_ go a long
> way for you. I doubt you'd heed the advice though.
Hey - It's just my perspective based on experience.
Perhaps my perceptions of the business are a bit naive, I suppose. And
perhaps I was too quick to judge by your own response.
So this is one of those rare occasions on the 'net that anyone will see
an apology in these types of discussions -- Sorry for jumping to my own
assumptions. I suppose we all know where they lead.
So. Perhaps a corporate pen-tester is not the job I'd like to go into,
and I have been misled. I suppose then, I would rephrase my question.
I like security; I like breaking into networks, and also finding out
how others have broken into mine. I'm a pretty damn good programmer,
and understand low level languages. What _would_ be the career that
would best facilitate that? Perhaps a network forensics consultant?
Something along those lines? Perhaps a vulnerability researcher?
Any direction here would be wonderful.
Thanks, and again, my apologies.
erewhon wrote:
> > 9 times out of 10, though, these people flat out told me they
> > 'didn't care, just fix it'.
>
> That's certainly the case.
>
> > Perhaps you have some truth in your inflammatory, pessimistic attitude
> > of penetration testing/ethical hacking. But I think your opinions are
> > more wrong than right.
> >
> > 1) Businesses want to know worst case scenario, and to be prepared for
> > them.
>
> Businesses don't care about security and vulnerability and exposure. Their
> only interest in technology is in making a manual job easier (and therefore
> saving cost), or generating revenue. In the process they know they have to
> protect their assets (since this impacts their market position, or bottom
> line if services are unavailable or compromised), and that they usually know
> they have to be compliant with a variety of legal obligations in terms of
> data security.
>
> Their driver is not to 'want to know worst case scenario' - they know the
> worst case scenario (I might get fucked over). What they want to know is 'am
> I up to industry standards & best practice' and 'where are my weaknesses'.
> In a large organisation with internal IT, you don't need an external audit
> to tell you this - go and ask your existing teams. They'll have a list of
> jobs which need doing, from laptop encryption, to improved IDS, to personal
> firewalls, to spamware and malware scanners and filters, to better patch
> management... the list will be comprehensive, assuming they actually ask!
>
>
> > 2) Sure I can. Will I? No. To assume and lump all penetration testers
> > into this unethical behavior is a bit narrow minded and immature, imo.
>
> If you are employed by a large audit firm they will have a standard
> approach - investigate their IT by examining all the information obtained
> regarding their infrastructure from their IT teams, discuss their processes,
> ask questions about the aforementioned areas likely to cause concern
> (firewalls, patch, malware, encryption, et al) then present this list of
> flaws in an audit report for management.
> The managers will expect this - the audit firm knows this, and it will be a
> cookbook delivery - the content of which will be obtained from existing IT
> teams. How else would they be able to provide such a report in isolation -
> audit every single network switch, firewall setting, PC and server? No -
> they work from the inside to obtain, then resell back to you your own
> information.
>
>
> > 3) What is bleeding-obvious to you, may not necessarily be obvious to
> > others less savvy than yourself. Take my example of spyware, for
> > instance. Most people don't understand that a free screensaver is chock
> > full of malware and resource hogging software that is generally bad for
> > your system. Most people are too busy themselves to sit down and
> > educate themselves thoroughly enough to become a smart or even savvy
> > internet user. Case in point, most businesses are busy earning money
> > and making their business plans work to worry so much about security.
> > Hence, they hire a pen-tester or ethical hacker to tell them the things
> > they need.
>
> No they don't. They need to employ a team who can provide rigorous desktop
> and server build standards. Someone who can write and enforce policy. They
> need to employ someone to install AV, patch management, firewalls, IDS,
> packet monitoring, proxy servers, malware and content sweepers at the
> gateways et al.
>
> That's why I stated your report needs to contain the obvious: 'you need to
> patch your systems, have firewalls & IDS, do more monitoring, QA your
> software, run up-to-date AV, limit admin accts, enforce password policy,
> limit physical access, review security logs....'.
>
> It does not require a pen-tester/ethical hacker to provide this analysis. It
> needs a competent and informed IT team. Anyone who's big enough to buy pen
> testing, is big enough to have its own IT team provide such a report
> detailing areas for improvement.
>
> Having written such a detailed report covering all such exposures, and
> mitigating factors, and technology & process required to resolve it, I then
> realised big firms think very little of their own skilled IT team. They
> ended up paying $200k+ for an audit firm to do a fraction of the analysis I
> did, with far fewer practical solutions. It's only by paying third parties
> to come in, do the glossy report, that the IT managers can go to the board
> and justify the spend on fixing the issues. Third party auditors know this -
> your skills on code-exploit writing will not be required for the job of a
> pen-tester.
>
> > 4) Simply because I don't write my own vulnerability scanners doesn't
> > mean I am somehow less knowledgeable or less of a professional.
>
> Of course it does. The people who make such tools are obviously better
> informed as to how the vulnerabilities exist, how they can be exploited and
> how they can be detected. The user of such a tool is just that - a user of
> someone else's tool. If they had the ability they claimed, they would write
> their own.
>
> > Using
> > someone's already established tools is far better than reinventing the
> > wheel.
>
> I never said it wasn't. I said 'can you steer someone else's cleverly
> written vulnerability scanner' to produce reports. Any monkey can do this -
> you don't need an experienced code head/pen tester/ethical hacker to point
> and click these tools.
>
> >It's smart. Do I write all of my current software in assembly,
> > because that would somehow make me a superior coder to those who use
> > high-level frameworks? No. I use the frameworks given to me to make my
> > life easier, my software development more efficient and my production
> > time less. Am I less of a software engineer because I don't write all
> > my projects in low-level languages? And just because I don't use those
> > low level languages, does that mean I don't understand what's going on
> > beneath the hood of my framework?
>
> Most auditors/pen testers who sell their services have little knowledge in
> this regard. It's just not required to produce the reports and analysis
> which is being commissioned. The business needs a report from a tool which
> can detect these holes. They don't give a shit if the person steering the
> tool actually HAS the expertise to write the exploit code - they only need
> to know if the hole exists and therefore the POSSIBILITY exists that someone
> could exploit it.
>
> >You are making large assumptions that
> > don't necessarily add up to anything.
>
> I am? Where exactly are my assertions flawed?
>
> > On the same token, using someone
> > else's tools does not mean that I do not understand the
> > vulnerabilities. I _could_ attempt the vulnerabilities one by one
> > myself, manually executing them, but that would be tedious and slow.
> > I'd probably think about automating that, but wait... someone's already
> > done that! I'm sure you see my point.
>
> And my point is that no-one in the business cares if the employed
> hacker/pen-tester/auditor actually has the skills to carry out the attacks
> they say they are vulnerable to. They only need to know that such
> possibilities exist - and for this you don't need to be a hacker/pen-tester -
> just a monkey in a suit, with an arm full of reports and a penchant for
> selling them back their own ideas.
>
> > As for pointless exercises... I'd beg to differ. If they were so
> > pointless, perhaps you should tell the CEO that the next time his/her
> > security is compromised. "Yes, you were compromised because of this
> > particular insecurity, but checking for that before you had been
> > attacked would have been pointless in my opinion." Make statements such
> > as that, and I'd wonder why you even browse this newsgroup...
>
> I never said pen-testing was pointless. I said that the job of a
> 'professional pen-tester' is not what you would end up doing, since people
> would be paying you to deliver to a common set of criteria - none of which
> require an in-depth knowledge of exploit code and holes, only the means to
> identify where they exist.
>
> > As for substantial contract fees... knowledge is power. The reason
> > software engineers are paid well (or at least more than average) is
> > because of their knowledge and experience alone; because many have
> > devoted their time, effort, and finances to learning their trade. The
> > same goes with a penetration tester who stays current.
>
> My point is that this task does not require a substantial amount of
> knowledge, above and beyond what a competent network or server engineer has
> at hand, to deliver the output of such reports.
>
> > Lastly... simply because I would work as a penetration tester doesn't
> > automatically qualify me as a moron in the vulnerability research
> > department... And quite honestly, I would probably find myself adequate
> > at doing it, considering my background. I do see your point, though, in
> > that a truly excellent penetration tester should know these details to
> > truly understand his job.
>
> Actually, my point is - the best pen testers work in the background, writing
> the tools and exploits. Business facing pen-testers do not - they steer
> tools, & write cookbook reports.
>
> > So, with all of this, I'm going to call you out. I am quite sure that
> > if we were to know your line of business, we could make equally narrow
> > minded and inflammatory remarks.
>
> I'm a server engineer - I scope, design, & implement solutions, with a
> degree of third line support for a multi-billion pound firm. I get paid shit
> loads cos I'm very good at it.
>
> I know what tools to use, have written best design practice, and how to
> deliver a secure, resilient solution on time, within budget and following
> process.
>
> > I won't, of course, but that was an
> > attempt to open your mind a bit. And since you posted in this group, on
> > this particular topic... have you ever written exploit code?
>
> No. I don't claim to have.
>
> > Have you
> > ever contributed fresh ideas to the security community?
>
> Yes.
>
> > Or do you
> > simply deride everyone else's careers, quite likely because of your own
> > insecurity in your own skillset?
>
> Me - insecure?! I'm not deriding the career path - I'm stating it will not
> be what you expect and hope it to be.
>
> > Heck, with your mindset, have you
> > written your own OS?
>
> No.
>
> > Or are you just an inferior user? Have you made
> > your own motherboard? Processor? Memory units? Or are you just a simple
> > consumer?
>
> I did a smattering of electronics during my degree..
>
> > Do you now see how ridiculous your claims sound? In retrospect, had you
> > written something like, "Here's how you can be a horrible
> > pen-tester..." or perhaps, "These, in my opinion, are great
> > pen-testers...", I think I wouldn't have had a problem at all with your
> > post. I'd venture to say that constructive criticism _could_ go a long
> > way for you. I doubt you'd heed the advice though.
>
> Hey - It's just my perspective based on experience.
>
> erewhon
> alt.hacker
> Perhaps my perceptions of the business are a bit naive, I suppose. And
> perhaps I was too quick to judge by your own response.
>
> So this is one of those rare occasions on the 'net that anyone will see
> an apology in these types of discussions -- Sorry for jumping to my own
> assumptions. I suppose we all know where they lead.
>
> So. Perhaps a corporate pen-tester is not the job I'd like to go into,
> and I have been misled.
Let's just say I wouldn't let erewhon's bleak look into compliance
based, audit testing scare you away.
There are very cool pentesting jobs out there where a decent
proportion of your customers are getting their audits done out of
wanting to be secure rather than just getting a rubber stamp that says
they are, to paraphrase a defcon speaker's comments. :-)
> Perhaps my perceptions of the business are a bit naive, I suppose. And
> perhaps I was too quick to judge by your own response.
>
> So this is one of those rare occasions on the 'net that anyone will see
> an apology in these types of discussions -- Sorry for jumping to my own
> assumptions. I suppose we all know where they lead.
>
> So. Perhaps a corporate pen-tester is not the job I'd like to go into,
> and I have been misled.
Not necessarily - I paint a picture based on corporate requirements, and
their need for audit reports and legal compliance. My concern was that as
someone such as yourself with a deeper interest in the subject matter, with
a talent for coding and understanding of the nature of code exploits, that
this type of job would not provide the type of challenge and interest you
appear to be looking for.
As an 'in' to the security market, perhaps it would not be such a bad thing
to go thro this exercise of working for such an audit firm. This would give
you access to a wide range of IT environments, allow you to develop your
management report writing and board presentation skills, and give you access
to IT professionals with a range of backgrounds and skills, and see how good
firms do it well, and how bad ones fuck it up.
As with all jobs, the job you hope it will be is not necessarily the one it
actually is.
Get some training. Get certified. Apply for the jobs.
Then when you get to the interview, ask the questions - what will the job
entail, how much training is provided to keep abreast of technologies and
their vulnerabilities, how do you perform the audits, what reports do you
produce, who is your client base. This will give you a clear picture of what
you are getting yourself into.
Don't be surprised if the corporate audit firms are closer to how I describe
them than you may hope.
> I suppose then, I would rephrase my question.
> I like security; I like breaking into networks, and also finding out
> how others have broken into mine. I'm a pretty damn good programmer,
> and understand low level languages. What _would_ be the career that
> would best facilitate that? Perhaps a network forensics consultant?
> Something along those lines? Perhaps a vulnerability researcher?
Very possibly. As a coder, you could also advertise your skills reviewing
other people's code to ensure it is not susceptible to exploit - a very
important QA function.
You could work for a firm which writes anti-virus, anti-malware, or content
filtering software - or at their sharp end of exploit / virus analysis and
patch management.
All vendors need QA and security patches.
> Any direction here would be wonderful.
Take on board a range of perspectives. You may have to take a leap of faith
and learn the pro's and con's of each career prospect. At worst your CV
looks stronger for the experience.
> Thanks, and again, my apologies.
No apologies required. I offer merely one perspective (that of my own).
Opinions are like ass-holes. Everyone's got one :)
Just wanted to thank you both for all of your insight and help. I'll be
getting certifications and looking around at the local scene to see if
there are any entry level positions available.
Thanks again!