The Ethical Hacker Network - What's next after OSCP?

H1t M0nk3y

Hero Member

Offline

Posts: 864

What's next after OSCP?

« on: February 18, 2010, 07:04:29 AM »

Hey,

I am currently starting OSCP, but I can't help but thinking about the future...

After GSEC, CEH and hopefully OSCP, where should I go next if my goal is to be a pentester?

OSCE, GPEN, CPTS, CPTE, other?

I am practicing a lot at home in my lab to gain as much experience as I can. Also, I pay all courses/certs myself.

I have been a web application developer/architect for 10 years now and I am currently re-orienting my career towards pentesting. I have spent the last year studying every single day! Tongue

Anyway, I am curious what you guys think I should do next.

Thanks


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

UNIX

Hero Member

Offline

Posts: 1234

Re: What's next after OSCP?

« Reply #1 on: February 18, 2010, 07:23:27 AM »

Did you already apply for any specific job at a company which is doing pentests?
Certs are good to have and backup ones abilities, though you should try to get some real-world experience. Maybe you would also look for more broader job openings, such as systems engineer/ administrator, network engineer, etc., in order to get some experience there. To enter right into a pentesting company might be quite hard if you can't show anything but certs. Gaining experience in one of the mentioned jobs before might help therefore.

Also think about how you present your 10 year-experience in webapp dev. When you can include such things as a lot of experience towards sql injections, xss, etc. it might help too (if you have).

If you can't get into it at all, you can also look at voluntary work, participate in some projects (e.g. some security tools which involves some kind web-technology), start something on your own, etc.


	Logged

hayabusa

Hero Member

Offline

Posts: 1631

Re: What's next after OSCP?

« Reply #2 on: February 18, 2010, 07:58:33 AM »

I'd second awesec's comments, and really wouldn't have much additional to add, H1tM0nk3y.

As awesec said, you really need to market yourself and the skills you have already gained, and apply them towards openings with companies where you feel you can contribute, even if you feel you aren't fully up to task, yet. Certifications ARE a good first step, but I can tell you, from my personal experiences, as well as from interviews I have supervised for new folks, that in the technical portions, I expect to be SHOWN what the person is / isn't capable of, and we put them to actual hands-on tests. So certifications won't make up for a lack of skills and critical thinking, if you only have the paper to back them up.

I'd also agree with awesec's comment, that even if you don't get hired directly in, you might start participating for free, to get your foot in the door - perhaps even contributing / working on open-source projects, like BackTrack and others, to start gaining experience and items you could later put on your resume, to help bolster your experience levels and knowledge.

Participation in such activities will go a long way, both to promote yourself, and to continue your learning curve.


	Logged

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP , GPEN, C|EH

H1t M0nk3y

Hero Member

Offline

Posts: 864

Re: What's next after OSCP?

« Reply #3 on: February 18, 2010, 01:01:47 PM »

Man I like you two!

I know you're so right. It is the same with developers. Degrees and Certs are only one part of the equation.

I already started a project on my own (which will be on hold because of OSCP). I really do think I should specialize first in web application pentesting (has you may have guessed from some of my other posts). I know the SQL language inside-out and I have many contacts in web application development. And god only knows if web applications are "sometime" vulnerable...

So my goal is first to become a Security Architect for Web Applications, which is really mixing my two things. Then, in a few years (hopefully a couple of years), I hope to move to pentesting.

As you guys can see in my signature, I also have a cert in Project Management. I realized three years ago that management wasn't for me. So I quite the nice and secure government job and I am now consulting. So all that to say I am a technical person and will always be.

So, here I am! Trying to meet people in ISSA and OWASP in my area.

So, I couldn't agree more with you. I have already interviewed a PhD and refuse to hire him. After OSCP, I will definitively go for Web App pentest and architecture. My goal is also to finish my project by the end of October.

I am afraid I am a workaholic now... Tongue


	Logged

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

Pages: [1] Go Up

« previous next »