Penetration Testing
career advice Nov 22 2011 09:52PM
Nathalie Vaiser (nvaiser gmail com) (4 replies)
Re: career advice Nov 23 2011 01:22AM
David Glosser (david glosser gmail com)
Great advice by Ali...

If you like web application security, you may also wish to check out OWASP.
For starters, install OWASP WebGoat, which is a deliberately insecure
web application. Then test it using the "Zed Attack Proxy" and "fiddler/watcher" proxies,
and move on to more active testing using W3AF, nikto/wikto, etc.

Another nice resource is
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
Good Luck!

On Tue, Nov 22, 2011 at 5:41 PM, Ali-Reza Anghaie <ali (at) packetknife (dot) com [email concealed]> wrote:
> You may think programming doesn't come easy to you but that doesn't
> mean you shouldn't try to get familiar with and understand a small
> variety of programming and scripting languages. I've given that as my
> top piece of advice for aspiring InfoSec professionals for ~13 years
> and every one has thanked me profusely in the end.
>
> What I'd suggest is starting from the tail-end and learning how to
> ~read~ code properly. To that end I can't recommend this book enough:
>
> http://www.amazon.com/Code-Reading-Open-Source-Perspective/dp/0201799405/ref=ntt_at_ep_dpt_2
>
> It's not the lightest reading but it's fairly accessible and once you
> add some practice you can also reference many other languages and
> scripts on the numerous http://stackexchange.com/ sites. That way, in
> short order, you can make sense of C, Ruby, Python, PHP, SQL, etc. the
> "cleaner" languages in a sense. And the gaping holes and the white
> rabbits to follow become clear even if you don't have a firm grasp on
> a given language.
>
> Now, to further consider what you want I'd say you should keep in mind
> that the majority of penetration testing and security research is
> based on architecture and process. It's not what most people read
> about and it's not as sexy as finding insanely difficult to exploit
> UDP to closed port exploits but it's the "bread and butter" for a
> majority of the field. Likewise a majority of "Enterprise Security
> Architecture" is well above the weeds. Sure you have to be familiar
> with OATH, revisions to it, and mixed-mode platforms like Opa, but you
> don't have to be an implementation expert per se on any of them. It
> requires A LOT of reflexive memory and reading. Referencing FOSS
> mailing lists and diagrams for design decisions, making sure you
> gather and organize documentation well, paying close attention to
> Changelogs, etc. just so you can continuously envision the changing
> landscape in your mind.
>
> So I'm going to recommend you go in three general directions based on
> what you wrote:
>
> 1) Code reading, understanding the basics, backwards-in approach..
>
> 2) Learn more and more about the numerous high-level Enterprise
> Architectures as they apply to web delivered systems, distributed
> systems, web APIs in particular, ..
>
> 3) Make sure you know your way around Backtrack, Metasploit, etc.
> just to keep the layman interested. In the end that'll basically be
> your meal ticket to expanding your knowledge base.
>
> For (3) I'm going to give a short set of resources:
>
> 1) The PTES (http://www.pentest-standard.org/) is an effort to create
> something of a "quality standard" for Pen-testing. Consider this the
> baseline and not the ceiling. It's expanding and a good basis for
> further exploration.
>
> 2) This (http://www.tinyurl.com/msf-ptes) is a fairly new document
> that tries to map Metasploit use to the PTES. Good if you're trying to
> get a better grasp of Metasploit.
>
> 3) Explore http://www.securitytube.net/ for HowTo videos and talks from CONs.
>
> 4) Two posts
> http://danielmiessler.com/projects/webappsec_testing_resources/#methodologies#
> && http://www.securityaegis.com/the-big-fat-metasploit-post/
>
> I want to re-emphasize though, most pen-test engagements find many
> holes examining the landscape well before Backtrack is booted or
> Metasploit loaded. If you're not looking at that level too, you're
> doing it wrong.
>
> OK.. that's all I'll dump on you for now. This could get quite lengthy. :-D
>
> You're welcome to connect on LinkedIn
> (http://www.linkedin.com/in/anghaie) and Twitter
> (https://twitter.com/#!/Packetknife). Good luck to you! Cheers, -Ali
>
>
> On Tue, Nov 22, 2011 at 16:52, Nathalie Vaiser <nvaiser (at) gmail (dot) com [email concealed]> wrote:
>> Hello all,
>>
>> I'm hoping to get some direction/advice from some seasoned IT security
>> professionals...
>>
>> In short, I've been in IT for about 10 years (mainly as a system
>> administrator / helpdesk type of role - web servers).  I've always
>> been interested in security and have recently taken and passed the CEH
>> exam so that I can get some kind of foundation to build upon. I know
>> what I've learned so far is only the 'tip of the iceberg' and I've
>> been having difficulty deciding where I should focus my learning now,
>> in terms of preparing myself for a career in security, ideally as a
>> pen tester but possibly just in a defensive security role.
>>
>> I find it ALL very interesting, but I've been struggling with finding
>> a direction and focus for myself.  My current job duties don't involve
>> much security work but I'm hoping to eventually grow into that role
>> there. For now I'm taking time outside of work to further my IT
>> security skills.
>>
>> It seems 'web application security' is in high demand right now -
>> however - I'm not a developer nor programmer, and probably could never
>> be a good one if I tried (it just doesn't come easy to me).   I assume
>> if my focus would be on web application security I would need to know
>> more than just how to find vulnerabilities - I would need to be able
>> to at least consult or work with developers on fixing the problem, so
>> I'd be very limited and at a disadvantage without any programming
>> skills (am I right about this?).
>>
>> I do feel I would be at a disadvantage, for example I've started
>> practicing using OWASP Webgoat and am struggling with parts of it,
>> mainly for my lack of knowledge of Ajax, SQL, etc..
>>
>> If that is the case (that web application security shouldn't be my
>> focus since I have no programming/dev background), then I'm not sure
>> what to focus on, and what would make sense in terms of a viable
>> future career in security.  Possibly network security may be of
>> interest, which means I should probably consider studying for the CCNA
>> to get a much better foundation in networking.
>>
>> I know no one can decide for me, but what I'm looking for is feedback
>> on what scopes I may want to consider in the security field that are
>> large enough that they do encompass a career/job position, with the
>> caveat that my programming/dev skills are currently nil, and even
>> though I am considering learning some kind of programming (probably
>> Perl or Python) I can't see myself ever being extremely proficient
>> with it.
>>
>> Thanks in advance for any advice you can offer.
>>
>> Nathalie
>> CEH, MCP, MCTS, Linux+
>>
>> ------------------------------------------------------------------------
>> This list is sponsored by: Information Assurance Certification Review Board
>>
>> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>>
>> http://www.iacertification.org
>> ------------------------------------------------------------------------
