PaulDotCom mailing list archives

Re: Career Advice


From: allison nixon <elsakoo () gmail com>
Date: Sun, 24 Feb 2013 14:57:40 -0500

I don't think I sound like Dr Park haha

But if you aren't/can't afford to go the certs route, I'd suggest starting a
blog or documenting your work in some way.  The whole point of this
exercise is to convince the hiring person that you know something, and
giving them further reading on the subject of "you" is a good step in that
direction.  People are a lot more comfortable making a hiring decision when
they know more.

if you're self taught you're not going to easily fit into any of the molds
society set out for you.  The whole point of a resume is to present your
easily quantifiable sets of knowledge and experience, and it's really hard
to quantify "did stuff" on one page.  do projects, write about them on your
blog, put blog on resume.  Any technical person will be able to discern
what you know and what you don't know from the way you talk.  And proof of
work sometimes has more credibility than a degree (of course, depending on
the work, degree, and audience).

depending on how well connected you already are this may be a difficult
path to take.  for me, as of 1 week ago i am now a pentester.  this is
something i've wanted to do since i was a teenager, and it took me 6-7
years to get from where i was to finally getting this job.  The path I took
was a meandering one, but I could make it work because of blog posts and
cheating at videogames.  So I suggest plenty of both.

And be kind to people.  opportunities can come from the most unexpected of
places.

-Allison

On Sun, Feb 24, 2013 at 7:30 AM, Danilo Nascimento <danilonc () bugnotfound com> wrote:

Do you like CTF challenges?
If you have this kind of event near you,  it's a good place to expand your
networking and show your skills.
Create a blog and write up the challenge solutions.

Also there are a lot of CTF events that you can participate in from the web,
take a look at these sites:
http://ctftime.org/
http://sysexit.wordpress.com/
http://techblog.rosedu.org/

Although CTF events aren't exactly a real world pentest (in CTF you
already know that something is vulnerable and you don't have to write a
professional report) they will require that you have the technical
knowledge.


On Sunday, February 24, 2013, Brian Seel wrote:

Good advice Allison. In the last few months I have been trying to get more
involved with the security community... it's been hard because I have a
reclusive streak to myself but I am working on it.

As for certs, do you have any suggestions? I have not tried to focus on
certs just because my experience with getting my A+ and CISSP has left me
feeling like certs are a joke that cover up for deeper deficiencies... but
I have only attempted the A+ and CISSP. What certs are out there that you
think would make someone stand out?

As a follow up, do you think it's worth the time it takes to get a cert
(do you value knowing that someone has a standard level of knowledge)? Or
would you think higher of someone that has job related experience?

Thanks,

Brian

PS: Allison, I never get a chance to watch the podcasts, but whenever I
hear them, I always picture you as Dr Park <http://en.wikipedia.org/wiki/Chi_Park> because you sound almost exactly
like her.

On Sat, Feb 23, 2013 at 8:52 AM, allison nixon <elsakoo () gmail com> wrote:

My most generic advice is to:
1. teach yourself how to do it and then
2. convince the right person that you can do it

is your current job related to security or not?  get to know people in
the field because there is always a huge labor shortage and they will try
to hire you.

if you're looking for part time pentesting work only, you're going to
have to get to know a lot of people because very few would be set up to
contract that stuff out piecemeal, and they would only do it to trusted
people they know anyways.  very small pentesting companies are your best
bet here.

If you don't have any pentesting certs it would be wise to get some, but
may not be necessary if you have the skills and the right people know that.

you're going to have your best luck getting a full time job.  I know it
isn't easy to change large aspects of your life, but sometimes it's worth
it and you'll be a happier person in the long run.

-Allison



On Sat, Feb 23, 2013 at 12:07 AM, Brian Seel <brian.seel () gmail com> wrote:

Note: I am trying to keep this email vague so it is generic
for posterity's sake. I am trying to not make the question specific to my
situation so others can use your advice.

=========

So long time listener (pre Ep 100) who has been doing computer security
related things for the last four years or so since college. I would really
like to break into the pentesting arena, but I really like my current day
job for a variety of reasons (pay definitely not being one of them).

Basically, I would really like to do commercial pentesting on a part
time basis, where I take a week or two off from my day job every few months
and try to gain experience in the commercial realm and get my feet wet with
a different way of approaching computer security. Within the next year I
would love to leave my day job and do pentesting full time, but I don't feel
confident enough just yet. As a bit of background, right now I am doing
some Metasploit dev for my employer, but I am not able to do an end to end
pentest.

My question is if you have any advice about the best way to try to get
a part time pentesting job. I am not under any illusion that trying to do
pentesting part time is not going to be an easy sell. I know that, but I
think my unique skill set will make *someone* want to take a flier on me.
But, considering that most of you are probably pentesters, or in fields
closely related, what would make you want to take someone on on a part time
basis? Or is there really no case where you would consider that?

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
_________________________________
Note to self: Pillage BEFORE burning.





--
[]'s Danilo Nascimento





-- 
_________________________________
Note to self: Pillage BEFORE burning.
