Penetration Testing mailing list archives
Re: career advice
From: Robin Wood <robin () digininja org>
Date: Tue, 22 Nov 2011 22:28:00 +0000
On 22 November 2011 21:52, Nathalie Vaiser <nvaiser () gmail com> wrote:
Hello all, I'm hoping to get some direction/advice from some seasoned IT security professionals...

In short, I've been in IT for about 10 years (mainly as a system administrator / helpdesk type of role - web servers). I've always been interested in security and have recently taken and passed the CEH exam so that I can get some kind of foundation to build upon.

I know what I've learned so far is only the 'tip of the iceberg' and I've been having difficulty deciding where I should focus my learning now, in terms of preparing myself for a career in security, ideally as a pen tester but possibly just in a defensive security role. I find it ALL very interesting, but I've been struggling with finding a direction and focus for myself.

My current job duties don't involve much security work but I'm hoping to eventually grow into that role there. For now I'm taking time outside of work to further my IT security skills.

It seems 'web application security' is in high demand right now - however - I'm not a developer nor programmer, and probably could never be a good one if I tried (it just doesn't come easy to me). I assume if my focus would be on web application security I would need to know more than just how to find vulnerabilities - I would need to be able to at least consult or work with developers on fixing the problem, so I'd be very limited and at a disadvantage without any programming skills (am I right about this?). I do feel I would be at a disadvantage, for example I've started practicing using OWASP Webgoat and am struggling with parts of it, mainly for my lack of knowledge of Ajax, SQL, etc.

If that is the case (that web application security shouldn't be my focus since I have no programming/dev background), then I'm not sure what to focus on, and what would make sense in terms of a viable future career in security.

Possibly network security may be of interest, which means I should probably consider studying for the CCNA to get a much better foundation in networking.

I know no one can decide for me, but what I'm looking for is feedback on what scopes I may want to consider in the security field that are large enough that they do encompass a career/job position, with the caveat that my programming/dev skills are currently nil, and even though I am considering learning some kind of programming (probably Perl or Python) I can't see myself ever being extremely proficient with it.

Thanks in advance for any advice you can offer.

Nathalie

Reading this it looks like you've chosen web app just because you think there is work going in that area but that contradicts what you say earlier about being interested in security.

My best advice for this is look at what you are interested in and work on that area to start with. As you've been a sys-admin then maybe look at network security, if your background is MS then what areas have you been working in, AD, MSSQL, Sharepoint etc, if Linux then same question, configuring Apache... Take that knowledge and look at how it can either be secured or how it is naturally insecure.

I'd guess you've made lots of mistakes setting things up over the years, think of those and how many of those mistakes others would also make, quick example, giving a DB user full privs rather than just the limited ones they need. Start with simple things like that and work up, see how others have exploited these holes and add your own experience to it.

Basically have fun, there is no point in changing into security and ending up doing things you don't enjoy.

Robin