Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: career advice
From: Iman Louis <ilouis () cigital com>
Date: Tue, 22 Nov 2011 17:23:37 -0500

Hi Natalie,

I agree with you that you some development background would help you to be more than just a hacker. If you want to be 
in a consultant role, where you find vulnerabilities then give recommendations on how to remediate them, then a 
developer's background will greatly help you here. Often developers will challenge your findings' validity and/or 
importance and I find that my development background helps a lot with these discussions. In my previous company, for 
example, they wouldn't hire an appsec person without a solid development background. I do application security, and 
even though I had 10 years of development experience before my appsec role, I still often need to pick up new languages 
and frameworks in a short time before new engagements with new clients that use them. 

Having said that, it's not impossible to learn development, but sounds like it would be easier/faster for you if you 
build on both your experience and the CEH certification and pursue network security?

Cheers

Ivan

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nathalie Vaiser
Sent: Tuesday, November 22, 2011 1:53 PM
To: pen-test () securityfocus com
Subject: career advice

Hello all,

I'm hoping to get some direction/advice from some seasoned IT security professionals...

In short, I've been in IT for about 10 years (mainly as a system administrator / helpdesk type of role - web servers).  
I've always been interested in security and have recently taken and passed the CEH exam so that I can get some kind of 
foundation to build upon. I know what I've learned so far is only the 'tip of the iceberg' and I've been having 
difficulty deciding where I should focus my learning now, in terms of preparing myself for a career in security, 
ideally as a pen tester but possibly just in a defensive security role.

I find it ALL very interesting, but I've been struggling with finding a direction and focus for myself.  My current job 
duties don't involve much security work but I'm hoping to eventually grow into that role there. For now I'm taking time 
outside of work to further my IT security skills.

It seems 'web application security' is in high demand right now - however - I'm not a developer nor programmer, and 
probably could never be a good one if I tried (it just doesn't come easy to me).   I assume if my focus would be on web 
application security I would need to know more than just how to find vulnerabilities - I would need to be able to at 
least consult or work with developers on fixing the problem, so I'd be very limited and at a disadvantage without any 
programming skills (am I right about this?).

I do feel I would be at a disadvantage, for example I've started practicing using OWASP Webgoat and am struggling with 
parts of it, mainly for my lack of knowledge of Ajax, SQL, etc..

If that is the case (that web application security shouldn't be my focus since I have no programming/dev background), 
then I'm not sure what to focus on, and what would make sense in terms of a viable future career in security.  Possibly 
network security may be of interest, which means I should probably consider studying for the CCNA to get a much better 
foundation in networking.

I know no one can decide for me, but what I'm looking for is feedback on what scopes I may want to consider in the 
security field that are large enough that they do encompass a career/job position, with the caveat that my 
programming/dev skills are currently nill, and even though I am considering learning some kind of programming (probably 
Perl or Python) I can't see myself ever being extremely proficient with it.

Thanks in advance for any advice you can offer.

Nathalie
CEH, MCP, MCTS, Linux+

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]