Home page logo

pen-test logo Penetration Testing mailing list archives

Re: career advice
From: Ali-Reza Anghaie <ali () packetknife com>
Date: Tue, 22 Nov 2011 17:41:01 -0500

You may think programming doesn't come easy to you but that doesn't
mean you shouldn't try to get familiar with and understand a small
variety of programming and scripting languages. I've given that as my
top piece of advice for aspiring InfoSec professionals for ~13 years
and every one has thanked me profusely in the end.

What I'd suggest is starting from the tail-end and learning how to
~read~ code properly. To that end I can't recommend this book enough:


It's not the lightest reading but it's fairly accesible and once you
add some practice you can also reference many other languages and
scripts on the numerous http://stackexchange.com/ sites. That way, in
short order, you can make sense of C, Ruby, Python, PHP, SQL, etc. the
"cleaner" languages in a sense. And the gaping holes and the white
rabbits to follow become clear even if you don't have a firm grasp on
a given language.

Now, to further consider what you want I'd say you should keep in mind
that the majority of penetration testing and security research is
based on architecture and process. It's not what most people read
about and it's not as sexy as finding insanely difficult to exploit
UDP to closed port exploits but it's the "bread and butter" for a
majority of the field. Likewise a majority of "Enterprise Security
Architecture" is well above the weeds. Sure you have to be familiar
with OATH, revisions to it, and mixed-mode platforms like Opa, but you
don't have to be an implementation expert per se on any of them. It
requires A LOT of reflexive memory and reading. Referencing FOSS
mailing lists and diagrams for design decisions, making sure you
gather and organize documentation well, paying close attention to
Changelogs, etc. just so you can continuously envision the changing
landscape in your mind.

So I'm going to recommend you go in three general directions based on
what you wrote:

1) Code reading, understanding the basics, backwards-in approach..

2) Learn more and more about the numerous high-level Enterprise
Architectures as they apply to web delivered systems, distributes
systems, web APIs in particular, ..

3) Make sure you know you're way around Backtrack, Metasploit, etc.
just to keep the layman interested. In the end that'll basically be
your meal ticket to expanding your knowledge base.

For (3) I'm going to give a short set of resources:

1) The PTES (http://www.pentest-standard.org/) is an effort to create
something of a "quality standard" for Pen-testing. Consider this the
baseline and not the ceiling. It's expanding and a good basis for
further exploration.

2) This (http://www.tinyurl.com/msf-ptes) is a fairly new document
that tries to map Metasploit use to the PTES. Good if you're trying to
get a better grasp of Metasploit.

3) Explore http://www.securitytube.net/ for HowTo videos and talks from CONs.

4) Two two posts
&& http://www.securityaegis.com/the-big-fat-metasploit-post/

I want to re-emphasize though, most pen-test engagements find many
holes examining the landscape well before Backtrack is booted or
Metasploit loaded. If you're not looking at that level too, you're
doing it wrong.

OK.. that's all I'll dump on you for now. This could get quite lengthy. :-D

You're welcome to connect on LinkedIn
(http://www.linkedin.com/in/anghaie) and Twitter
(https://twitter.com/#!/Packetknife). Good luck to you! Cheers, -Ali

On Tue, Nov 22, 2011 at 16:52, Nathalie Vaiser <nvaiser () gmail com> wrote:
Hello all,

I'm hoping to get some direction/advice from some seasoned IT security

In short, I've been in IT for about 10 years (mainly as a system
administrator / helpdesk type of role - web servers).  I've always
been interested in security and have recently taken and passed the CEH
exam so that I can get some kind of foundation to build upon. I know
what I've learned so far is only the 'tip of the iceberg' and I've
been having difficulty deciding where I should focus my learning now,
in terms of preparing myself for a career in security, ideally as a
pen tester but possibly just in a defensive security role.

I find it ALL very interesting, but I've been struggling with finding
a direction and focus for myself.  My current job duties don't involve
much security work but I'm hoping to eventually grow into that role
there. For now I'm taking time outside of work to further my IT
security skills.

It seems 'web application security' is in high demand right now -
however - I'm not a developer nor programmer, and probably could never
be a good one if I tried (it just doesn't come easy to me).   I assume
if my focus would be on web application security I would need to know
more than just how to find vulnerabilities - I would need to be able
to at least consult or work with developers on fixing the problem, so
I'd be very limited and at a disadvantage without any programming
skills (am I right about this?).

I do feel I would be at a disadvantage, for example I've started
practicing using OWASP Webgoat and am struggling with parts of it,
mainly for my lack of knowledge of Ajax, SQL, etc..

If that is the case (that web application security shouldn't be my
focus since I have no programming/dev background), then I'm not sure
what to focus on, and what would make sense in terms of a viable
future career in security.  Possibly network security may be of
interest, which means I should probably consider studying for the CCNA
to get a much better foundation in networking.

I know no one can decide for me, but what I'm looking for is feedback
on what scopes I may want to consider in the security field that are
large enough that they do encompass a career/job position, with the
caveat that my programming/dev skills are currently nill, and even
though I am considering learning some kind of programming (probably
Perl or Python) I can't see myself ever being extremely proficient
with it.

Thanks in advance for any advice you can offer.

CEH, MCP, MCTS, Linux+

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.


This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]