Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] How to "break into" the Pen-Testing field
From: "J. Oquendo" <intrusion () ENGINEER COM>
Date: Sun, 10 Sep 2000 13:00:05 -0400

I am wondering how did the readers of this list get into the pen-testing field? What steps did you take to get from 
where you started in the field to where your at now? Did employers train you? Did you get promoted into it? Did you 
create the position yourself?

I started out into goal oriented studying the at the infamous PacketStorm back when Ken Williams had about 9000+ hits 
and Underground Security was sort of a taboo issue. I read anything and everything I could, and posted tons of stuff on 
the forum although I waited about 6 months to do so, in order to get a feel for the people there.

Its difficult to sit and read through hundreds of news server posts as well as mailing lists so I narrowed it down 
heavily at the time to 3-5. Showdown.org, PacketStorm, Bugtraq, Technotronic, the mailing list at toad.com.

I started off as a sysadmin and pestered the company I worked for to jack up their security and proved I could do it 
and maintained it for a while before I began to look for a security oriented position ONLY.

From there I had the opportunity to move to a large network where I learned more from more knowledgeable people and 
maintained a large number of people I could correspond to.

Pen testing & security is a very interesting area of the IS field I would like to break into but many positions posted 
are requiring years of pen-testing skills which I just don't have outside of my personal lab at home (combo of Win95,NT 
Srv, RH Linux). Would you recommend starting at a big 5 firm? A small firm? Fortune 500's? Has anybody heard of any 
pen-testing firms in St. Louis?

Experience does count heavily for large companies and you should try to break in via a small or mid-sized company. It 
worked for me and I'm sure a minimal percent of the people just didn't jump on the scene as CTO of BigCorp.com, 
everyone has to start somewhere and sometimes larger companies won't provide the opportunity to work with other 
technologies you would at a small or mid sized firm since most of the architecture is in place already and would cost a 
hefty amount to mix technologies such as a big firm running Checkpoint, Pix, Netscreen.

Its uncommon and most tend to select a specific vendor/product and stick with it. This is an advantage of smaller 
corporations especially companies which outsource network/security/etc. products, you get to play with all sorts of 
neat things.

As for the testing portion I suggest heavily reading and understanding whats going on without thinking that a simple 
scan of a site will render you the option of penetrating it. Understaning architectures, networking, and 
"computer-psychology" (art of understanding how and why people may have set up their network and what their network 
does) is valuable. Along with the techie stuff I tend to diagram things in a personal notebook I get and cross analyze 

Setting up a network at home is pretty cool but take into consideration no two networks will work the same and unless 
you can afford all the different types of hardware/software companies use it can become fruitless and waste time.

Offer pen tests to friends, smaller companies, and see what you can do and can learn.

I started from scratch as switched over from the advertising field where I used to work at one of the top ten 
advertisers in the world. Although I could've made more money and would have less stress, security is something I enjoy 
and this is the greatest factor you have to weigh. There are a lot of times you can get frustrated breaking into the 
scene, simply remember, if your doing it do it for the love of it and you'll learn a heck of a lot more than if your 
looking at it from a "I have xxx cert and will make xxx amount more money if I work for xxx corp."

Do it for yourself at your own pace.

my two cents...

greets? heh too many to list...

FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]