Posted by on October 26, 2006, 4:18 pm
seraphimrhapsody@gmail.com wrote:
> 1) How did you get your start into this field of work?
> 1a) Did you attend any official courses to prepare?
> 1b) Did you obtain any certifications before you landed your first
> pen-testing job?
Nope. Nope. I transferred within a large company I was already
working for.
> 2) What is an average day of work like for you?
Walk down the hall, log in to the computer. Break something new every
week or so. Short engagements, lots of new stuff all the time.
Always learning.
> 2a) What are the pros of working as a Pen-Tester?
It's a lot more fun and rewarding to break stuff than to have to deal
with all the tedium of having to create things for the lowest common
denominator to use.
> 2b) What are the cons of working as a Pen-Tester (what makes you hate
> coming to work?)
When customers have you reassess their stuff a year later and all the
same stuff you reported a year ago is still broken. That's about it
though. It's a dream job.
> 2c) Do you work in a large or small firm? Or are you doing freelance
> work? Which would you prefer/recommend?
I'm in a large one. It has its benefits and detriments. A small firm
arguably can be more aggressive in their testing as they're not as
large a target for getting sued should something go horribly wrong.
Hasn't happened of course, but just thinking out loud. A large firm
has all the resources of a large firm, and an established brand that
connotes trust with a customer and applied appropriately, a steady
stream of business. Education budgets, lots of network
infrastructure and all that jazz. Smaller outfits mean more
uncertainty but generally higher salaries, less to invest in education
perhaps, less places to go if you ever get burned out.
This question I think is largely orthogonal of the profession and more
a personal choice regardless of your IT specialty I guess. Also
depends a lot on the individual company.
> 3) What should I do to prepare?
Send me your resume. I'll see if there's a fit.
If you aren't already very comfortable in both Linux and Windows, get
comfortable in both.
> 3a) Are there any solid courses offered to prepare for this type of
> work?
Oh yes. That Infosec CEH class you mention later is pretty darned
good. They have an advanced class as well that includes exploit
coding...and I think your background would make you very interested in
that.
Defcon is a decent cheap conference that's held annually.
> 3b) What are the most credible and affordable courses one could take?
> 3c) In your opinion, what are the strongest certifications to have? Or
> are any certifications worth their salt?
CISSP is probably the most widely known, but it requires someone with
a CISSP to certify that you've worked in a security related field for
a given amount of time. Your work as a software developer though can
be construed in that way however. Make friends with a CISSP.
SANS.org GIAC certifications are a little more highly regarded I'd say
but cost will be an issue there as well, and then there's the issue of
which one to take. I don't know that I'd recommend it as a first
step.
> 4) Are there any websites out there that would have some or all of the
> answers to the questions above?
>
> I've looked into going to the InfoSec school for Ethical Hacking, and
> would love to have the bootcamp style training to get me started, but
> atm, the cost is a bit outside of my limits.
Talk with them see what you can negotiate. It's a good class, a very
good organization (Jack's awesome) and the EC Council certification
will carry some weight too. I haven't tested mine out in the
marketplace, so it's hard to say.
> I can say, though, that sometime next year I will be able to take
> such a course. In the meantime, though, I'm trying to figure out if
> this is something that I'd like to pursue.
Sounds like a great fit for your interests.
> I currently have a very secure job and am quite happy with it (most
> days :) ), as well as having a very bright future for advancement in
> the industry, but I'm pretty sure I would absolutely love this type
> of work. I feel like I've only read 'hype' about the career,
> though.
If you ask me, the hype is real. It's very fun to break stuff for a
living.
> I'd love to pick a grizzled veteran's brain about this and see if
> it's the right career move for me. Also, I'm young enough to make a
> career switch a viable option. So it's been weighing on my mind
> pretty heavily as of late, heh.
Security is still very much a growth industry and I don't see that
changing any time soon. Versus software development, if you're living
in the US, there's an argument to be made that folks will be less
prone to offshore their security assessment work than they would code
and software engineering.
> Thanks in advance to all reply with anything useful,
Dunno if I've tripped that level, but yer welcome retroactively, as
applicable. :-)
--
http://www toddh net/