mailing list archives
Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Sun, 10 Sep 2000 13:00:05 -0400
I am wondering how did the readers of this list get into the pen-testing field? What steps did you take to get from
where you started in the field to where your at now? Did employers train you? Did you get promoted into it? Did you
create the position yourself?
I started out into goal oriented studying the at the infamous PacketStorm back when Ken Williams had about 9000+ hits
and Underground Security was sort of a taboo issue. I read anything and everything I could, and posted tons of stuff on
the forum although I waited about 6 months to do so, in order to get a feel for the people there.
Its difficult to sit and read through hundreds of news server posts as well as mailing lists so I narrowed it down
heavily at the time to 3-5. Showdown.org, PacketStorm, Bugtraq, Technotronic, the mailing list at toad.com.
I started off as a sysadmin and pestered the company I worked for to jack up their security and proved I could do it
and maintained it for a while before I began to look for a security oriented position ONLY.
From there I had the opportunity to move to a large network where I learned more from more knowledgeable people and
maintained a large number of people I could correspond to.
Pen testing & security is a very interesting area of the IS field I would like to break into but many positions posted
are requiring years of pen-testing skills which I just don't have outside of my personal lab at home (combo of Win95,NT
Srv, RH Linux). Would you recommend starting at a big 5 firm? A small firm? Fortune 500's? Has anybody heard of any
pen-testing firms in St. Louis?
Experience does count heavily for large companies and you should try to break in via a small or mid-sized company. It
worked for me and I'm sure a minimal percent of the people just didn't jump on the scene as CTO of BigCorp.com,
everyone has to start somewhere and sometimes larger companies won't provide the opportunity to work with other
technologies you would at a small or mid sized firm since most of the architecture is in place already and would cost a
hefty amount to mix technologies such as a big firm running Checkpoint, Pix, Netscreen.
Its uncommon and most tend to select a specific vendor/product and stick with it. This is an advantage of smaller
corporations especially companies which outsource network/security/etc. products, you get to play with all sorts of
As for the testing portion I suggest heavily reading and understanding whats going on without thinking that a simple
scan of a site will render you the option of penetrating it. Understaning architectures, networking, and
"computer-psychology" (art of understanding how and why people may have set up their network and what their network
does) is valuable. Along with the techie stuff I tend to diagram things in a personal notebook I get and cross analyze
Setting up a network at home is pretty cool but take into consideration no two networks will work the same and unless
you can afford all the different types of hardware/software companies use it can become fruitless and waste time.
Offer pen tests to friends, smaller companies, and see what you can do and can learn.
I started from scratch as switched over from the advertising field where I used to work at one of the top ten
advertisers in the world. Although I could've made more money and would have less stress, security is something I enjoy
and this is the greatest factor you have to weigh. There are a lot of times you can get frustrated breaking into the
scene, simply remember, if your doing it do it for the love of it and you'll learn a heck of a lot more than if your
looking at it from a "I have xxx cert and will make xxx amount more money if I work for xxx corp."
Do it for yourself at your own pace.
my two cents...
greets? heh too many to list...
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup
Re: [PEN-TEST] How to "break into" the Pen-Testing field J. Oquendo (Sep 10)
Re: [PEN-TEST] How to "break into" the Pen-Testing field Oliver Petruzel (Sep 11)
Re: [PEN-TEST] How to "break into" the Pen-Testing field Litscher, Steven (Sep 11)
Re: [PEN-TEST] How to "break into" the Pen-Testing field Dunker, Noah (Sep 11)
Re: [PEN-TEST] How to "break into" the Pen-Testing field Chris Romeo (Sep 11)
Re: [PEN-TEST] How to "break into" the Pen-Testing field Rossman, Hart M. (Sep 11)