Penetration Testing
career advice Nov 22 2011 09:52PM
Nathalie Vaiser (nvaiser gmail com) (4 replies)
Re: career advice Nov 22 2011 10:41PM
Ali-Reza Anghaie (ali packetknife com) (1 replies)
You may think programming doesn't come easy to you but that doesn't
mean you shouldn't try to get familiar with and understand a small
variety of programming and scripting languages. I've given that as my
top piece of advice for aspiring InfoSec professionals for ~13 years
and every one has thanked me profusely in the end.

What I'd suggest is starting from the tail-end and learning how to
~read~ code properly. To that end I can't recommend this book enough:

It's not the lightest reading but it's fairly accessible and once you
add some practice you can also reference many other languages and
scripts on the numerous sites. That way, in
short order, you can make sense of C, Ruby, Python, PHP, SQL, etc. the
"cleaner" languages in a sense. And the gaping holes and the white
rabbits to follow become clear even if you don't have a firm grasp on
a given language.

Now, to further consider what you want I'd say you should keep in mind
that the majority of penetration testing and security research is
based on architecture and process. It's not what most people read
about and it's not as sexy as finding insanely difficult to exploit
UDP to closed port exploits but it's the "bread and butter" for a
majority of the field. Likewise a majority of "Enterprise Security
Architecture" is well above the weeds. Sure you have to be familiar
with OATH, revisions to it, and mixed-mode platforms like Opa, but you
don't have to be an implementation expert per se on any of them. It
requires A LOT of reflexive memory and reading. Referencing FOSS
mailing lists and diagrams for design decisions, making sure you
gather and organize documentation well, paying close attention to
Changelogs, etc. just so you can continuously envision the changing
landscape in your mind.

So I'm going to recommend you go in three general directions based on
what you wrote:

1) Code reading, understanding the basics, backwards-in approach..

2) Learn more and more about the numerous high-level Enterprise
Architectures as they apply to web delivered systems, distributed
systems, web APIs in particular, ..

3) Make sure you know your way around Backtrack, Metasploit, etc.
just to keep the layman interested. In the end that'll basically be
your meal ticket to expanding your knowledge base.

For (3) I'm going to give a short set of resources:

1) The PTES ( is an effort to create
something of a "quality standard" for Pen-testing. Consider this the
baseline and not the ceiling. It's expanding and a good basis for
further exploration.

2) This ( is a fairly new document
that tries to map Metasploit use to the PTES. Good if you're trying to
get a better grasp of Metasploit.

3) Explore for HowTo videos and talks from CONs.

4) Two posts

I want to re-emphasize though, most pen-test engagements find many
holes examining the landscape well before Backtrack is booted or
Metasploit loaded. If you're not looking at that level too, you're
doing it wrong.

OK.. that's all I'll dump on you for now. This could get quite lengthy. :-D

You're welcome to connect on LinkedIn
( and Twitter
(!/Packetknife). Good luck to you! Cheers, -Ali

On Tue, Nov 22, 2011 at 16:52, Nathalie Vaiser <nvaiser (at) gmail (dot) com> wrote:
> Hello all,
> I'm hoping to get some direction/advice from some seasoned IT security
> professionals...
> In short, I've been in IT for about 10 years (mainly as a system
> administrator / helpdesk type of role - web servers). I've always
> been interested in security and have recently taken and passed the CEH
> exam so that I can get some kind of foundation to build upon. I know
> what I've learned so far is only the 'tip of the iceberg' and I've
> been having difficulty deciding where I should focus my learning now,
> in terms of preparing myself for a career in security, ideally as a
> pen tester but possibly just in a defensive security role.
> I find it ALL very interesting, but I've been struggling with finding
> a direction and focus for myself.  My current job duties don't involve
> much security work but I'm hoping to eventually grow into that role
> there. For now I'm taking time outside of work to further my IT
> security skills.
> It seems 'web application security' is in high demand right now -
> however - I'm not a developer nor programmer, and probably could never
> be a good one if I tried (it just doesn't come easy to me). I assume
> if my focus would be on web application security I would need to know
> more than just how to find vulnerabilities - I would need to be able
> to at least consult or work with developers on fixing the problem, so
> I'd be very limited and at a disadvantage without any programming
> skills (am I right about this?).
> I do feel I would be at a disadvantage, for example I've started
> practicing using OWASP Webgoat and am struggling with parts of it,
> mainly for my lack of knowledge of Ajax, SQL, etc.
> If that is the case (that web application security shouldn't be my
> focus since I have no programming/dev background), then I'm not sure
> what to focus on, and what would make sense in terms of a viable
> future career in security.  Possibly network security may be of
> interest, which means I should probably consider studying for the CCNA
> to get a much better foundation in networking.
> I know no one can decide for me, but what I'm looking for is feedback
> on what scopes I may want to consider in the security field that are
> large enough that they do encompass a career/job position, with the
> caveat that my programming/dev skills are currently nil, and even
> though I am considering learning some kind of programming (probably
> Perl or Python) I can't see myself ever being extremely proficient
> with it.
> Thanks in advance for any advice you can offer.
> Nathalie
> CEH, MCP, MCTS, Linux+



This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.



Copyright 2010, SecurityFocus