December 18, 2013 at 7:08 pm #8635 ccpik1 Participant
My goal is to get into pen testing and basically wanted some advice as to how I should next proceed.
I am 27 years old and have a degree and masters in information security and I am currently working as a security engineer. My remit is installing and configuring/troubleshooting firewalls and performing vulnerability testing for our clients.
I have been in this post about six months but want to get into pen testing and always have. The company I work for does not offer pen testing, only vulnerability assessments.
I am aware you can’t just jump into being a pen tester and that is the problem I currently have.
My company would fund the CEH but I know this only gets past HR in a pen testing role, and other certs hold a lot more value. I can’t see my employer paying for SANS/CHECK CREST/OSCP so I am limited as to which step next.
Should I stay in this role for another six months and try and get a job as a pen tester? Although it would only be a junior role and possibly a pay cut? Or do I stay where I am for a few years and fund myself to take the OSCP and try and get a job as a pen tester in a few years, but then it might still be junior given the lack of actual pen testing experience?
I apologise for the wall of text but any guidance with this would be fantastic!
December 18, 2013 at 11:53 pm #53735 dynamik Participant
Take whatever your current employer is providing for you. That’s part of your overall compensation. While the CEH isn’t a hardcore pentesting cert, you’ll still learn things as you study for it. Getting your foot in the door and past HR is one of the biggest hurdles. Most technical interviewers aren’t going to care about a lack of “impressive” certs if you can impress them with your knowledge and skills.
Start networking now and don’t set arbitrary time limits like six months or X number of years. Go to conferences and/or get involved with whatever’s available in your local community. Maybe you’ll land an opportunity in the very near future, or maybe someone you come in contact with will have a position open up when you feel like you’re more prepared to make a move.
If you’re offered a junior/low-paying role that you don’t want to accept, politely decline, tell them you’re interested in a more advanced role, and reach back out when you feel like you’re where you need to be. Also, use this as an opportunity to get feedback regarding what knowledge/skills they’d expect for such a role.
Certs make you look better on paper, but it’s not like you can’t do anything without them either. Keep learning and keep moving forward. There are a ton of free/cheap resources available, and you can easily get a vulnerable virtual network set up on modest hardware. You can have a ton of certs and still look like a dummy during an interview, and you can completely blow them away with no/few certs.
I would say sign up for the OSCP, even if it’s on your own dime. You’ll be amazed at how much you learn if you see it through. You do have to be motivated though; they’re not going to hold your hand. I’d start with 30 days, so you can go over the material and feel out the course. You can set up your own network to play around on, and then tack on another 30-60 days when you feel ready to move forward, or go directly to the exam if you feel you’ve progressed enough.
You may find you have huge gaps in knowledge that you need to correct. While getting a bundle of 90 days is cheaper than starting with 30 and adding more time on, it can also be a huge waste if you need to take a massive detour to learn other skills before you can progress.
I apologize if you’re experiencing some unfortunate personal circumstances that have put you in a dire financial position, but I find it hard to believe that it’ll take you multiple years to come up with the $750 you need to get started on the OSCP. Nearly every time I see someone complain about being unable to afford something like this, I regularly see them going out to eat, hitting up bars, buying new electronics and video games, etc. If you’re not willing to pay for some of these things yourself and make reasonable sacrifices when necessary, you need to step back and consider how bad you really want to progress.
December 19, 2013 at 8:06 am #53736 ccpik Participant
Thank you for the great advice. I will take it on board. Funding the OSCP will not be an issue, I have always put my education first and also paid for my masters with a part-time job.
I just can’t see a way into a pen tester role, every single job I see advertised needs someone with experience. Would an employer take a chance on someone that has an OSCP etc. and can show they understand the areas and have the technical skills? Or do those jobs always need prior experience of being an actual pen tester?
Edit: Just re-read my original message and I didn’t mean for it to come across as it taking years to fund the OSCP. I meant should I stay in my current role and gain a couple of years experience then make the transition or go for the job move in six months.
December 19, 2013 at 3:27 pm #53737 hayabusa Participant
I’m in full agreement with dynamik, here.
When you asked,
I meant should I stay in my current role and gain a couple of years experience then make the transition or go for the job move in six months
with regards to taking your time, or trying harder to do something, near term, I’d say begin the study, and get a feel for what’s involved, before you make that decision. Having a Master’s degree, I’m certain that you understand the value of knowledge. My recommendation would be to gather as much information as you can, start your learning in the pentesting-specific realm, and see how you’re feeling about it, after that.
For instance, there are many avenues in pentesting. It’s a very general term. MOST (not all) pentesters have specializations, such as web app testing, network testing, disassembly / vulnerability detection and 0-day writing, etc. You’ll need to decide if you want to specialize, or if you feel you have enough knowledge to try to be a ‘jack of all trades’ in the field. You’ll want to network with others in the field, as dynamik said, and get their feelings and opinions on what’s currently happening in the field, and what the ‘hot topics’ of the time are. There’s a lot of leeway, but you have to really focus on the overall picture, and where you want to fit into it, as well as determining what role you actively want to play.
So again, I’d personally say, don’t make that timing decision, right away. Start your study, build up some knowledge and momentum, then make the call as to when / where you want to jump next.
December 19, 2013 at 10:48 pm #53738 ccpik1 Participant
Thank you for the advice. I know I sound in a rush but I do not want to get shoehorned into my current role and then in 5/10 years time try and make the jump into pen testing. A pen testing role just seems incredibly hard to get into whatever education/experience you have outside of that domain.