15

I am currently a sophomore in Penn State's SRA:ICS program (Cyber Security) and IST:Dev program. My goal is that when I graduate I can become a Pen-Tester. I'm looking for advice on how to learn how to be a better pen-tester and security professional.

I have some programming experience but wouldn't say I am overly comfortable in any. I listen to Security Now! every week and make sure I understand what they are discussing. I am extremely comfortable with teaching myself new skills, I just do not know what I should be working on.

My question is this: Can any pentesters recommend a solid action plan on what technologies/languages I should be trying to learn and how I can apply it? I apologize if this question is overly vague. Thank you for your time and consideration.

Jesse
  • If you don't hate programming, I would say: it will benefit your career to develop your programming skills. I suspect that in the long term, a software security expert (someone who can code, and also knows security) may have stronger career prospects, and command higher salaries, than a pentester. I realize this isn't quite what you asked, so if it isn't helpful, I apologize! P.S. And, welcome to IT Security! – D.W. Sep 19 '12 at 01:56
  • Thank you very much for your reply! I plan to work on learning C and NASM assembly. I figure if I can get an understanding of the lower level languages, learning higher languages will be just a matter of syntax. I agree with your statement that these two skills combined would make me a more efficient professional; that is why I also chose to major in IST:Development. That way I can become comfortable with programming. – Jesse Sep 19 '12 at 02:29
  • My advice: Stop listening to Security Now!, now. [Steve Gibson](http://attrition.org/errata/charlatan/steve_gibson/) is on attrition.org's list of charlatans, primarily because a lot of what he does is FUD to get you to buy his products and services. There are plenty of other security podcasts out there: [LiquidMatrix](http://www.liquidmatrix.org/blog/liquidmatrix-podcast/), [Netsec](http://netsecpodcast.com/), [Risky Business](http://risky.biz/netcasts/risky-business), [Paul Dot Com](http://pauldotcom.com/), etc. (Disclaimer: Your mileage may vary!) – Polynomial Sep 19 '12 at 06:03
  • For programming, starting low-level and working your way up is probably the wrong way around. You're starting with the (largely irrelevant) minutiae and working your way up to the big picture, which will likely be more confusing than helpful. – tylerl Sep 19 '12 at 09:52

2 Answers

6

Pen testing is a type of consulting, and like any type of consulting, so much of what is important is non-technical, so in addition to learning some programming and especially scripting (perl, python) I would focus on learning about how businesses work and how to work within one. Having a pen tester who knows how to find vulnerabilities and exploit them is one thing; having one who can stand up in front of bigwigs and convince them to give their employer lots of money for their services is a very rare thing and far more valuable. Getting that first job will be much easier if employers see someone who they can place with a client.

Learn business terminology, acronyms, the software development life-cycle, how companies get and spend budget, and typical company structure and governance. Learn presentation skills. Pen-testing is a good place to start but you probably don't want to get stuck there as there's a seniority block which you'll never get above, so you will want to develop your security skills beyond that. You won't be able to become an expert in these subjects in a university; so much of that comes from experience, but you can learn enough to set yourself out from the rest of the pack.

GdD
  • This is good advice. Penn State has a great business program if you don't currently have a minor consider one in business admin. – KDEx Sep 19 '12 at 18:19
  • @GdD, What do you mean by *"don't want to get stuck there as there's a seniority block which you'll never get above"*? And if not there, then where? – Pacerier Jan 07 '16 at 22:46
  • Most companies have a structure where you cannot gain seniority on the basis of technical skill above a certain pay grade @Pacerier. If you want to progress beyond a certain level you will have to manage people. – GdD Jan 08 '16 at 08:48
  • @GdD, Hmm, doesn't a "senior pentester" manage people (junior pentesters) too? – Pacerier Jan 08 '16 at 20:49
  • Not necessarily @Pacerier, senior could just denote someone who is more experienced. – GdD Jan 09 '16 at 16:19
  • @GdD, But that's typically atypical right? E.g. "managing the underlings" [is typical/expected](http://workplace.stackexchange.com/questions/44377/what-career-paths-are-available-to-a-developer-whos-not-interested-in-managemen) for developers. – Pacerier Jan 13 '16 at 23:08
  • From my own personal experience having "senior" people usually means they have no management responsibilities at all. I'm sure there are some that do. – GdD Jan 14 '16 at 08:26
4

A career in pen testing is a rare thing. Usually you start out with a career in a business consulting firm and somehow end up on the security team. Also, serious pen testing is often as much about physical security and general policy adherence as it is about software. A lot of what you need to learn is learned "on-the-job", in some job or another.

I would strongly recommend against planning specifically for a career in pen testing and instead prepare to be a software and security guru/oracle at whatever firm your travels take you. If you really know your stuff (not just pretend), then you tend to get noticed and singled out for interesting work. If that's what you enjoy, then that's a good thing. It also translates into highly marketable skills for future gigs. Small companies may have less of the interesting work to do, but you have a higher chance of getting picked to do it.

As suggested, security skills are acquired through experience rather than mental osmosis. Security is all about the "gotcha" that you wouldn't have caught unless you've been here before but on the other side of the fence. And there are plenty of (legal) ways to learn the trade. Open-source is always a useful place to start. Nearly everything of importance can be had for free once you have a decent computer. For example, virtual machines allow you to create complex network configurations without leasing hardware.

Possibly most importantly, spend free time around people who do things you want to learn about. People you work with, for example. Be friendly and try to be helpful, but make sure you're not annoying them. It's amazing what useful skills you can pick up if you keep your ears open, and many people just want someone who will listen to them. Also, the personal connections are the most important factor in opening doors for new and interesting work.

Use your free time for something useful. Programming, reading, hardware hacking, etc. There's a reason you don't get into this field without enjoying what you do: it's because you wouldn't be here if you spent your free time doing something else.

As for languages: C is not optional, but it's a terrible place to start. It's unforgiving and unhelpful and drops you straight into the deep end. Python is both useful and simple, which makes it a pretty good idea. Perl is also arguably not optional, though it's slightly less simple. It's important to understand .NET and Java, but not critical that you're good at programming for them. Once you know how to program, new languages come much easier. But programming takes a type of abstract structural thinking that is very difficult for some people to learn. General IT security tends to deal heavily with Linux/BSD as IT people usually prefer them. But corporate security usually deals heavily with Windows for reasons anthropologists are still trying to understand.

As a side note, take what you hear on SN with something of a grain of salt. It's certainly an interesting show primarily because Leo is extraordinarily skilled at what he does. But Steve is as confident when he's wrong as he is when he's right, and his ideas and suggestions are a little off-kilter. I still listen to it for the news primarily because the alternatives are so painful on the ears, and in fact I've contributed an unusually large percentage of the featured "feedback". But still, bear in mind that the accuracy is only about as good as the average newspaper story -- you only notice where the mistakes are when you already know the subject matter. And I occasionally find myself shouting "no no no" at my computer when I listen to it. Though he's probably no worse than your average eccentric officemate.

tylerl
  • @tylerl, Re *"but Steve is as confident when he's wrong as he is when he's right"*, Steve does have some *weird* ideas, but what are some issues he is outright wrong about? – Pacerier Jan 07 '16 at 22:51