Penetration Testing
career advice Nov 22 2011 09:52PM
Nathalie Vaiser (nvaiser gmail com) (4 replies)
RE: career advice Nov 23 2011 02:12AM
Ward, Jon (Jon_Ward SYNTELINC COM)
It's been my experience (I started my computing education back in the early 80's as a kid.) that information security has the highest technical knowledge requirement of any of the disciplines in the IT realm. You have to know what the PC guy knows, what the network guy knows, what the web admin knows, what the developer knows, etc. Moreover, you have to know it better than they do. There are a number of different disciplines that are grouped under the security umbrella (deservingly so or not). If you choose to stay within the technical area of security, programming skills are essential. The deeper you go into technical security, the more of a requirement it becomes. You will absolutely NEED to completely understand the code you're looking at. You'll want to write your own programs and scripts to get a particular job done. You'll want to look at someone else's PoC code to understand how a new attack works. You'll want to be able to write some shell code that will return to libc to the address of a pop-pop-ret and point EIP to the rest of your shell code to do [insert goal here]. Just to understand the meaning of that sentence requires 2 programming languages, C and ASM.

You can't be a hacker without programming. Hackers without programming skills are called "users". So, I agree with another poster (Robin, I think it was). You should figure out what it is that you enjoy and do that. If you want to do the hacking part of security, pick up those programming skills. It's not nearly as difficult as you think. Don't sell yourself short. If you don't like the hacking idea, there are some less technical aspects of security that can be rewarding in their own ways. I cracked my first program when I was 12 using some patch code that someone else wrote. It was the coolest thing ever up to that point, but it wasn't nearly as satisfying as later accomplishing my own first hack. That's my bag. What's yours?

1.) Figure out what it is that you truly enjoy. What would you do on your own time without getting paid for it? Is it really security? (For most people it isn't.) Also, because of steep knowledge requirements of security, decide if you want to constantly learn. If you don't enjoy reading, researching, experimenting and just playing around to figure out new stuff, you may find yourself falling behind, or making yourself miserable doing what you don't enjoy trying to stay ahead. What do YOU want?
2.) Learn to program. (notice that period) It's indispensable. You can get by without it for a while in IT, but you won't really grasp how not having it is crippling until you pick up a language. Understanding the instructions and logic that drives computing seems like a no-brainer in an IT job. What if you married someone from some other country without speaking the same language? In that 70% of communication is non-verbal, you could get by, but how well?

Good luck!!

Jon Ward, CEPT, CISA
jon_ward (at) syntelinc (dot) com
Technical Lead - Information Security Vulnerability Testing

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Nathalie Vaiser
Sent: Tuesday, November 22, 2011 3:53 PM
To: pen-test (at) securityfocus (dot) com
Subject: career advice

Hello all,

I'm hoping to get some direction/advice from some seasoned IT security

In short, I've been in IT for about 10 years (mainly as a system
administrator / helpdesk type of role - web servers).  I've always
been interested in security and have recently taken and passed the CEH
exam so that I can get some kind of foundation to build upon. I know
what I've learned so far is only the 'tip of the iceberg' and I've
been having difficulty deciding where I should focus my learning now,
in terms of preparing myself for a career in security, ideally as a
pen tester but possibly just in a defensive security role.

I find it ALL very interesting, but I've been struggling with finding
a direction and focus for myself.  My current job duties don't involve
much security work but I'm hoping to eventually grow into that role
there. For now I'm taking time outside of work to further my IT
security skills.

It seems 'web application security' is in high demand right now -
however - I'm not a developer nor programmer, and probably could never
be a good one if I tried (it just doesn't come easy to me).   I assume
if my focus would be on web application security I would need to know
more than just how to find vulnerabilities - I would need to be able
to at least consult or work with developers on fixing the problem, so
I'd be very limited and at a disadvantage without any programming
skills (am I right about this?).

I do feel I would be at a disadvantage, for example I've started
practicing using OWASP Webgoat and am struggling with parts of it,
mainly for my lack of knowledge of Ajax, SQL, etc..

If that is the case (that web application security shouldn't be my
focus since I have no programming/dev background), then I'm not sure
what to focus on, and what would make sense in terms of a viable
future career in security.  Possibly network security may be of
interest, which means I should probably consider studying for the CCNA
to get a much better foundation in networking.

I know no one can decide for me, but what I'm looking for is feedback
on what scopes I may want to consider in the security field that are
large enough that they do encompass a career/job position, with the
caveat that my programming/dev skills are currently nil, and even
though I am considering learning some kind of programming (probably
Perl or Python) I can't see myself ever being extremely proficient
with it.

Thanks in advance for any advice you can offer.

CEH, MCP, MCTS, Linux+


This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.


Re: career advice Nov 22 2011 10:41PM
Ali-Reza Anghaie (ali packetknife com) (1 replies)
Re: career advice Nov 23 2011 01:22AM
David Glosser (david glosser gmail com)
Re: career advice Nov 22 2011 10:28PM
Robin Wood (robin digininja org)
RE: career advice Nov 22 2011 10:23PM
Iman Louis (ilouis cigital com)

