Penetration Testing mailing list archives
Re: career advice
From: David Glosser <david.glosser () gmail com>
Date: Tue, 22 Nov 2011 20:22:14 -0500
Great advice by Ali... If you like web application security, you may also wish to check out OWASP. For starters, install OWASP WebGoat, which is a deliberately insecure web application. Then test it using "Zed Attack Proxy" and "fiddler/watcher" proxies, and move on to more active testing using W3AF, nikto/wikto, etc.

Another nice resource is http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Good Luck!

On Tue, Nov 22, 2011 at 5:41 PM, Ali-Reza Anghaie <ali () packetknife com> wrote:
You may think programming doesn't come easy to you but that doesn't mean you shouldn't try to get familiar with and understand a small variety of programming and scripting languages. I've given that as my top piece of advice for aspiring InfoSec professionals for ~13 years and every one has thanked me profusely in the end.

What I'd suggest is starting from the tail-end and learning how to ~read~ code properly. To that end I can't recommend this book enough: http://www.amazon.com/Code-Reading-Open-Source-Perspective/dp/0201799405/ref=ntt_at_ep_dpt_2

It's not the lightest reading but it's fairly accessible and once you add some practice you can also reference many other languages and scripts on the numerous http://stackexchange.com/ sites. That way, in short order, you can make sense of C, Ruby, Python, PHP, SQL, etc., the "cleaner" languages in a sense. And the gaping holes and the white rabbits to follow become clear even if you don't have a firm grasp on a given language.

Now, to further consider what you want I'd say you should keep in mind that the majority of penetration testing and security research is based on architecture and process. It's not what most people read about and it's not as sexy as finding insanely difficult to exploit UDP to closed port exploits but it's the "bread and butter" for a majority of the field. Likewise a majority of "Enterprise Security Architecture" is well above the weeds. Sure you have to be familiar with OATH, revisions to it, and mixed-mode platforms like Opa, but you don't have to be an implementation expert per se on any of them. It requires A LOT of reflexive memory and reading. Referencing FOSS mailing lists and diagrams for design decisions, making sure you gather and organize documentation well, paying close attention to Changelogs, etc. just so you can continuously envision the changing landscape in your mind.

So I'm going to recommend you go in three general directions based on what you wrote:

1) Code reading, understanding the basics, backwards-in approach.
2) Learn more and more about the numerous high-level Enterprise Architectures as they apply to web delivered systems, distributed systems, web APIs in particular.
3) Make sure you know your way around Backtrack, Metasploit, etc. just to keep the layman interested. In the end that'll basically be your meal ticket to expanding your knowledge base.

For (3) I'm going to give a short set of resources:

1) The PTES (http://www.pentest-standard.org/) is an effort to create something of a "quality standard" for Pen-testing. Consider this the baseline and not the ceiling. It's expanding and a good basis for further exploration.
2) This (http://www.tinyurl.com/msf-ptes) is a fairly new document that tries to map Metasploit use to the PTES. Good if you're trying to get a better grasp of Metasploit.
3) Explore http://www.securitytube.net/ for HowTo videos and talks from CONs.
4) Two posts: http://danielmiessler.com/projects/webappsec_testing_resources/#methodologies# && http://www.securityaegis.com/the-big-fat-metasploit-post/

I want to re-emphasize though, most pen-test engagements find many holes examining the landscape well before Backtrack is booted or Metasploit loaded. If you're not looking at that level too, you're doing it wrong.

OK.. that's all I'll dump on you for now. This could get quite lengthy. :-D

You're welcome to connect on LinkedIn (http://www.linkedin.com/in/anghaie) and Twitter (https://twitter.com/#!/Packetknife).

Good luck to you! Cheers, -Ali

On Tue, Nov 22, 2011 at 16:52, Nathalie Vaiser <nvaiser () gmail com> wrote:

Hello all, I'm hoping to get some direction/advice from some seasoned IT security professionals... In short, I've been in IT for about 10 years (mainly as a system administrator / helpdesk type of role - web servers).
I've always been interested in security and have recently taken and passed the CEH exam so that I can get some kind of foundation to build upon. I know what I've learned so far is only the 'tip of the iceberg' and I've been having difficulty deciding where I should focus my learning now, in terms of preparing myself for a career in security, ideally as a pen tester but possibly just in a defensive security role. I find it ALL very interesting, but I've been struggling with finding a direction and focus for myself. My current job duties don't involve much security work but I'm hoping to eventually grow into that role there. For now I'm taking time outside of work to further my IT security skills.

It seems 'web application security' is in high demand right now - however - I'm not a developer nor programmer, and probably could never be a good one if I tried (it just doesn't come easy to me). I assume if my focus would be on web application security I would need to know more than just how to find vulnerabilities - I would need to be able to at least consult or work with developers on fixing the problem, so I'd be very limited and at a disadvantage without any programming skills (am I right about this?). I do feel I would be at a disadvantage; for example I've started practicing using OWASP Webgoat and am struggling with parts of it, mainly for my lack of knowledge of Ajax, SQL, etc.

If that is the case (that web application security shouldn't be my focus since I have no programming/dev background), then I'm not sure what to focus on, and what would make sense in terms of a viable future career in security. Possibly network security may be of interest, which means I should probably consider studying for the CCNA to get a much better foundation in networking.

I know no one can decide for me, but what I'm looking for is feedback on what scopes I may want to consider in the security field that are large enough that they do encompass a career/job position, with the caveat that my programming/dev skills are currently nil, and even though I am considering learning some kind of programming (probably Perl or Python) I can't see myself ever being extremely proficient with it.

Thanks in advance for any advice you can offer.

Nathalie
CEH, MCP, MCTS, Linux+

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------