EH-Net
May 22, 2013, 10:23:08 AM *
16  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Web App Pen Testing training on: November 14, 2012, 12:43:56 AM
Just to reiterate what's already been said, I've told several people that the eLearnSecurity course is the best entry-level web security course out there.

It provides such a good foundation.  After taking the course, I started reading the WAHH, and I found the material in the book much easier to understand because of what I learned from the eCPPT.
17  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: Mapping the Application on: November 06, 2012, 01:29:04 AM
I've only used Dirbuster once, I'll have to play around with it some more.

How accurate is nikto?  I've used it on 2 different servers and got a lot of false positives (PHP related issues on sites not running PHP!)
18  Ethical Hacking Discussions and Related Certifications / Web Applications / Mapping the Application on: November 05, 2012, 04:06:24 PM
I typically use Burp Spider and the BuiltWith Chrome Extension to map websites I'm testing.  Does anyone use anything else?  I'm always looking for new things to play around with.
19  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Offensive Security's OSWE on: November 02, 2012, 04:54:22 PM
Did anyone take this course at Black Hat, or hear anything about it?  I haven't heard anything since it was announced.
20  Resources / Tools / Re: Nessus vs. OpenVAS on: October 19, 2012, 04:42:53 PM
Vuln scanners are a crutch. I still use them, but sometimes I find myself spending more time weeding out false positives and second guessing what I knew already.

I don't rely on vuln scanners too much, but I do like to use them to get a sense of the overall focus of security of a client.  If I run it and come up with 10 major issues, I know I might have to focus first on fixing simple things since it's most likely the case that the admin hasn't really viewed security as a priority.  Kind of like running an antivirus scan, if it comes up with 40 viruses, I know it's going to be a pain to clean, but if it comes up with none that doesn't necessarily mean things are ok.
21  Resources / Tools / Re: Nessus vs. OpenVAS on: October 18, 2012, 12:56:21 PM
Why don't you just pass the cost of the license on to your client(s)?

I obviously would if I need to, but if OpenVAS is just as good, then I'd rather pass the cost of something else on to them.
22  Resources / Tools / Re: Nessus vs. OpenVAS on: October 17, 2012, 04:34:57 PM
Yes, really excellent article m0wgli.  Just what I was looking for.  Thanks!
23  Resources / Tools / Nessus vs. OpenVAS on: October 17, 2012, 01:29:41 AM
So, I've been getting some paid pentesting jobs, and I need to decide between buying a Nessus license or using OpenVAS.  I'd prefer not to spend the extra money, but I don't have any experience with OpenVAS.  Is it just as good as Nessus or should I suck it up and just buy the license?  I primarily do web pentesting, and use Nessus to find configuration issues and software vulnerabilities on a web server before I begin testing the actual site.

Also there are a lot of OpenVAS tutorials out there.  If anyone has some favorites please post the links. 

Thanks.
24  Resources / Career Central / Re: Starting Your Own Company..... on: October 11, 2012, 12:59:40 PM

What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don't just knock on doors and ask for work.


I'm not actually trying to be part of the security community.  I'm trying to go after small businesses and start-ups that have no idea they need security.  Sites that don't use HTTPS and send credit card numbers in plaintext for example.  There's definitely a market for that, but I'm trying to figure out how to market to people who don't have any idea of the security risks.
25  Resources / Career Central / Re: Starting Your Own Company..... on: October 11, 2012, 01:55:59 AM
I actually decided to start my own web pentesting company last month.  For the past 2 years, I've been doing consulting work for various start-ups while looking for a full-time job.  2 months ago I did a pentest on my friend's website and got a nice amount of money for it (despite the fact that I offered to do it for free).  As a result, I decided to try and see if I could make any money doing pentesting for other sites.  However, I'm having trouble finding that second client.

Besides using word-of-mouth with my friends, for the past 3 weeks I've been looking for sites that have obvious security holes (like a login system without HTTPS) and sending out e-mails.  I've gotten responses from 2 websites, both of which basically said, "We know and we don't care."

This past week, in addition to searching for those kinds of sites, I've been attempting to find freelance security jobs, but I haven't found anything useful.  If anyone has any advice, please let me know.

On the bright side, most of my interviews involve me going through 3-5 phone interviews, then flying out to the company before getting rejected.  So not finding clients is a lot less frustrating, and a lot less work, than not finding a job!
26  Ethical Hacking Discussions and Related Certifications / General Certification / Re: SANS Work-Study experience on: October 06, 2012, 12:15:23 PM
@Seen, would your employer foot the bill? If so, why not combine it with the opportunity to travel? ;-)

I'm unemployed, so no, he won't :)
27  Ethical Hacking Discussions and Related Certifications / General Certification / Re: SANS Work-Study experience on: October 05, 2012, 05:21:46 PM
Looks like no GWAPT or even GPEN at my nearest conference this year, guess I won't have to try to be a volunteer until next year!
28  Ethical Hacking Discussions and Related Certifications / Other / Re: GoDADDY.com gets hacked. DoS for millions of websites. on: September 11, 2012, 12:28:03 PM
GoDaddy wouldn't even let me interview for a pentesting position because I didn't have enough experience, so is it ok that I take a little pleasure in this?
29  Ethical Hacking Discussions and Related Certifications / General Certification / Re: SANS Work-Study experience on: August 27, 2012, 12:42:01 AM
tturner (or anyone else), could you please elaborate on the type of work you have to do as a facilitator?  I'd like to be sure I can do the work before I try and sign up.

Thanks.
30  Ethical Hacking Discussions and Related Certifications / Other / Re: Hash Help on: August 07, 2012, 12:08:52 PM
There's no point in continuing to work with someone who is "an ass", does shoddy work and is unresponsive.  Get control of the site and hire someone else. 

I'm on it, that's why I'm doing this test.  Figuring out what works and what doesn't, what we can reuse and what we need to get rid of.  Once that's done, then we'll have a better understanding of what we need the new admin to be able to do.
© 2013 The Ethical Hacker Network