PaulDotCom mailing list archives

Re: Career Advice


From: Michael Dickey <lonervamp () gmail com>
Date: Mon, 25 Feb 2013 19:50:01 -0600

I second the blog part. Start a blog and start having something others can
see (just don't go into it expecting readership like Reddit/Lifehacker); do
it not for readers, but just to demonstrate what you're into. You don't
necessarily need to demonstrate ground-breaking security research, but just
be involved in the space and join into discussions as they happen. Bounce
onto Twitter, follow other people's blogs, engage as you can. Eventually
you can get on LinkedIn and network a bit, order up some personal business
cards (name, handle, whatever on them), and simply gain some relationships.
Friends and family may also be occasional sources, provided they know a bit
about what you want/do. If you're known as that hacker/security/"I try to
find issues with computers before bad guys do" you may get some informal
references. It's also not unheard of to pick up a client at a bar after
they found out what you do and knew a unit in their business who could use
the help!

Security+ is another companion cert to A+ to have under your belt. It's not
difficult and it is cheap. Honestly, if you can pass it, the CISSP is not
that expensive at all either. The certs at Offensive Security are also
fine. They may not mean anything to HR or a client, but they do in our
world.

Check out local security groups in your area (if you're in a more rural
area, widen your scope) such as ISSA, Infragard, ISACA, NOVASec, BSides, or
other groups. There may be times where some of the people you meet can let
you know about security opportunities, or better yet, may offload some work
on you if you make a good impression. That's likely pretty rare, but try it
out. Don't forget user groups for things you are interested in: .NET,
Linux, codecamps, etc.

Do as much security-related stuff as you can at work, with proper approval.
You have a work environment ready and waiting to scan, test, poke, and
create sample reports on. It might not get you more pay, but it can start
to get you some sample work and such.

Check into what PCI is, if you're not already familiar with it. You will
eventually run into it, and it'll generate work for you. It's not
pen-testing, per se, but regular pen tests are a requirement of it.

Check with local IT recruiters or contracting firms or IT placement places.
You probably don't want to live through them, but you can at least let them
know your interests in case they see any short-term contracts come in
asking for similar needs. If you do get some hookups there, that may be a
nice springboard to use those stints as references or even future clients.
(There are some ethics in there, but honestly nothing strange or heinous as
long as everything seems natural and you're not blabbing too much.)


And continue to check in with other professionals to hear the war stories.
Many companies get pentests to check a box. Many are also not happy with
their pentesters because they keep pwning their shit and making them look
bad, or because clients don't understand scope, security, or even their own
IT/apps! They get frustrated and either hop around various pentesters or
just stick with the "easy" ones and check their boxes and keep a
predictable budget. Plenty care, don't get me wrong, but plenty do not. It
helps to know what things others are going through. If you hear someone is
using securitymetrics.com...I mean, XYZ firm, know what their weak points
are and use that as a way to convince a client to try someone better.





On Sat, Feb 23, 2013 at 12:07 AM, Brian Seel <brian.seel () gmail com> wrote:

Note: I am trying to keep this email vague so it is generic
for posterity's sake. I am trying to not make the question specific to my
situation so others can use your advice.

=========

So long time listener (pre Ep 100) who has been doing computer security
related things for the last four years or so since college. I would really
like to break into the pentesting arena, but I really like my current day
job for a variety of reasons (pay definitely not being one of them).

Basically, I would really like to do commercial pentesting on a part time
basis, where I take a week or two off from my day job every few months and
try to gain experience in the commercial realm and get my feet wet with a
different way of approaching computer security. Within the next year I
would love to leave my day job and do pentesting full time, but I don't feel
confident enough just yet. As a bit of background, right now I am doing
some Metasploit dev for my employer, but I am not able to do an end to end
pentest.

My question is if you have any advice about the best way to try to get a
part time pentesting job. I am not under any illusion that trying to do
pentesting part time is not going to be an easy sell. I know that, but I
think my unique skill set will make *someone* want to take a flier on me.
But, considering that most of you are probably pentesters, or in fields
closely related, what would make you want to take someone on on a part time
basis? Or is there really no case where you would consider that?

