Security Basics mailing list archives

RE: entry level vuln assessment/pen tester


From: "Andy Cuff (Talisker)" <SecurityLists () securitywizardry com>
Date: Tue, 12 Aug 2008 17:10:53 +0100

(Disclaimer: I run a Recruitment Agency)
I can see your dilemma, 
it's a Catch 22 situation, it's very difficult to get a Pen Tester role
unless you have Pen Tester experience and the only place to demonstrate that
experience is in a Pen Test role.
There are some Pen Test Houses out there, that do acknowledge passion and
ability over experience, but in my experience they are fairly rare.  We have
a number of clients who all want years of experience, except for one who
looks for ability with the hope of training you up, they require UK Security
Clearance, probably not much use.

I would suggest a few ways forward:
If you are starting out, I would avoid contracting, especially if you have a
mortgage and mouths to feed, the contracts are generally short and
infrequent, until you develop a strong customer base.

As a permanent employee, you will be paid less, however, you will have job
security, you will be able to develop the skills and you will develop
contacts.

To get into a permanent role, unless you can find an open minded Pen Test
House, I suggest you move into an Information Security Consultancy as a
general practitioner and then move into a more specialised Pen Testing role
once you have demonstrated your abilities.

Best of Luck


Andy Cuff
Computer Network Defence Ltd
www.networkintrusion.co.uk
Skype: Taliskeruk
LinkedIN http://www.linkedin.com/in/andycuff 

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of pfohjo () gmail com
Sent: Monday, August 11, 2008 9:31 PM
To: security-basics () securityfocus com
Subject: entry level vuln assessment/pen tester

I am an IT professional with an MS in CS (with specialization in 
security) which I received about a year ago.  The work that I 
have done up to this point and the work that I am doing now 
is more in security systems (e.g. we are currently working on 
a platform for secure dist. systems).  I am starting to 
realize that the work I would really like to be doing is more 
in the direction of vulnerability assessment/analysis, pen 
testing, or incident response.  



My current position would not let me transition into such a 
position since it is simply not something they do.  My 
question becomes this:  Could anyone give me some tips or 
guidelines for transitioning into such a position having no 
formal experience?  I believe that my CV is quite competitive 
and I do have what I would consider the basis which I need, 
but where do I start?  What kind of positions do I look for?  
Though I got my degrees in the States, I am currently in 
Europe and would like to avoid another larger move, so does 
anyone know of firms in Europe where I might have a good 
chance starting?



I apologize if this is a little off-topic, however I figured 
looking for an entry level IT security position falls most 
appropriately under "Security Basics"



Thanks




