PaulDotCom mailing list archives
Re: Career Advice
From: Michael Dickey <lonervamp () gmail com>
Date: Mon, 25 Feb 2013 19:50:01 -0600
I second the blog part. Start a blog and start having something others can see (just don't go into it expecting readership like Reddit/Lifehacker); do it not for readers, but just to demonstrate what you're into. You don't necessarily need to demonstrate ground-breaking security research, but just be involved in the space and join into discussions as they happen. Bounce onto Twitter, follow other people's blogs, engage as you can. Eventually you can get on LinkedIn and network a bit, order up some personal business cards (name, handle, whatever on them), and simply gain some relationships. Friends and family may also be occasional sources, provided they know a bit about what you want/do. If you're known as that hacker/security/"I try to find issues with computers before bad guys do" you may get some informal references. It's also not unheard of to pick up a client at a bar after they found out what you do and known a unit in their business who could use the help! Security+ is another companion cert to A+ to have under your belt. It's not difficult and it is cheap. Honestly, if you can pass it, the CISSP is not that expensive at all either. The certs at Offensive Security are also fine. They may not mean anything to HR or a client, but they do in our world. Check out local security groups in your area (if you're in a more rural area, widen your scope) such as ISSA, Infragard, ISACA, NOVASec, BSides, or other groups. There may be times where some of the people you meet can let you know about security opportunities, or better yet, may offload some work on you if you make a good impression. That's likely pretty rare, but try it out. Don't forget user groups for things you are interested in: .NET, Linux, codecamps, etc. Do as much security-related stuff as you can at work, with proper approval. You have a work environment ready and waiting to scan, test, poke, and create sample reports on. It might not get you more pay, but it can start to get you some sample work and such. Check into what PCI is, if you're not already familiar with it. You will eventually run into it, and it'll generate work for you. It's not pen-testing, per se, but regular pen tests are a requirement of it. Check with local IT recruiters or contracting firms or IT placement places. You probably don't want to live through them, but you can at least let them know your interests in case they see any short-term contracts come in asking for similar needs. If you do get some hookups there, that may be a nice springboard to use those stints as references or even future clients. (There are some ethics in there, but honestly nothing strange or heinous as long as everything seems natural and you're not blabbing too much.) And continue to check in with other professionals to hear the war stories. Many companies get pentests to check a box. Many are also not happy with their pentesters because they keep pwning their shit and making them look bad, or because clients don't understand scope, security, or even their own IT/apps! They get frustrated and either hop around various pentesters or just stick with the "easy" ones and check their boxes and keep a predictable budget. Plenty care, don't get me wrong, but plenty do not. It helps to know what things others are going through. If you hear someone is using securitymetrics.com...I mean, XYZ firm, know what their weak points are and use that as a way to convince a client to try someone better. On Sat, Feb 23, 2013 at 12:07 AM, Brian Seel <brian.seel () gmail com> wrote:
Note: I am trying to keep this email vague so it is generic for posterity's sake. I am trying to not make the question specific to my situation so others can use your advice. ========= So long time listener (pre Ep 100) who has been doing computer security related things for the last four years or so since college. I would really like to break into the pentesting arena, but I really like my current day job for a variety of reasons (pay definitely not being one of them). Basically, I would really like to do commercial pentesting on a part time basis, where I take a week or two off from my day job every few months and try to gain experience in the commercial realm and get my feet wet with a different way of approaching computer security. Within the next year I would love to leave my day job and do pentesting full time, but I dont feel confident enough just yet. As a bit of background, right now I am doing some Metasploit dev for my employer, but I am not able to do an end to end pentest. My question is if you have any advice about the best way to try to get a part time pentesting job. I am not under any illusion that trying to do pentesting part time is not going to be an easy sell. I know that, but I think my unique skill set will make *someone* want to take a flier on me. But, considering that most of you are probably pentesters, or in fields closely related, what would make you want to take someone on in a part time basis. Or is there really no case where you would consider that?
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Re: Career Advice, (continued)
- Re: Career Advice Patrick Laverty (Feb 24)
- Re: Career Advice Danilo Nascimento (Feb 24)
- Re: Career Advice allison nixon (Feb 24)
- Re: Career Advice gold flake (Feb 25)
- Re: Career Advice gold flake (Feb 25)
- Re: Career Advice Brian Seel (Feb 25)
- Re: Career Advice yersinia (Feb 25)
- Re: Career Advice Bill Swearingen (Mar 23)
- Re: Career Advice Brian Seel (Mar 24)
- Re: Career Advice Kevin Shaw (Feb 25)
- Re: Career Advice Brian Seel (Mar 21)
- Re: Career Advice Dan (Mar 22)
- Re: Career Advice Michael Allen (Mar 22)
- Re: Career Advice Michael D. Wood (Mar 24)