This topic has 11 replies, 6 voices, and was last updated 10 years, 10 months ago by UNIX.
March 5, 2010 at 2:15 pm #4747
alucian
Participant
I am really interested in this field, and I would like to study more about it, in order to be able to do penetration testing on it.
Unfortunately my company doesn’t want to pay for any certification. My boss says that I have enough certifications and I need more experience (he is 50% right, but I already had all my certifications when I came to them, so they just want to profit from my hard work and my personal money spent on education).
So, my actual plan is to start with “The Web Application Hacker’s Handbook” and to use Web Security Dojo’s live CD. Is this enough in order to have a good start, or are there other books to start with?
I mention that I don’t have programming skills in the web field, only some C++.
Thank you!
March 5, 2010 at 2:32 pm #29653
UNIX
Participant
Learning to program in some web-based programming languages definitely wouldn’t hurt; at least it would help if you could read and understand it. The book you mentioned is a good read. Additionally you might take a look at the WebGoat Project, which should keep you occupied for quite a while.
March 5, 2010 at 2:33 pm #29654
apollo
Participant
While you don’t have to learn any web programming to be a web app pen tester, you will have to learn some to be a good one. The resources that you have listed are good, but I might try to go ahead and start working on picking up some PHP, JavaScript, etc.
So.. good web resources:
RSnake has some great resources. Check them out at http://ha.ckers.org/ . Specifically check out the XSS Cheat Sheet. I go back and reference it from time to time when folks have mostly gotten data validation done correctly but have missed something.
Samurai WTF: Samurai Web Testing Framework can be found at http://samurai.inguardians.com/ . This live CD distribution has many of the tools that you will want to become familiar with. This is a pretty lightweight distribution with great tools, and is a great start.
I’m sure others will post more 🙂
March 5, 2010 at 2:36 pm #29655
March 5, 2010 at 2:59 pm #29656
unsupported
Participant
First off, I think the answer your manager gave you is an asshat manager’s answer. A manager should be supportive of an employee’s desire to certify/educate.
What exactly do you do for your company? Does the certification directly relate to your job? If so, it would be an easier sell… but anyway…
I think you might find some great resources from OWASP, http://www.owasp.org.
Good luck!
March 5, 2010 at 3:16 pm #29657
alucian
Participant
Thank you guys. I have already started the WebGoat project. I already visited all the websites you mentioned in your posts, so I’ll keep myself busy for a while.
@unsupported: I am working as a security analyst for a small security consulting company. When they hired me (4 months ago) they told me that I’d do penetration testing, general security consulting and many more. But I have no work to do, and this bothers me. I came to this company to do a lot of things in order to become a better professional. But… I was wrong. So I am studying a lot of things regarding security (penetration testing, governance, risk analysis, I even started to do wargames – first level, and many more).
I study penetration testing because I like that it makes your brain work and I consider that it is of utmost importance in order to protect a company.
The problem is that my boss didn’t give me any path to follow, any particular field in which he’ll need me. And this is very frustrating.
Thank you guys for the advice.
March 5, 2010 at 4:31 pm #29658
KrisTeason
Participant
Here’s a couple more links that might be useful! (If you haven’t taken a look into them yet)
Damn Vulnerable Web App:
http://dvwa.co.uk/
And maybe even look into LearnSecurityOnline’s “So You Want To Be A Web App Pentester” course. It looks like a good price.
http://www.learnsecurityonline.com/offerings/courses/224-so-you-wanna-be-a-webapp-pentester
-Cheers
March 5, 2010 at 6:41 pm #29659
alucian
Participant
@xXxKrisxXx wrote:
And maybe even look into LearnSecurityOnline’s, “So You Want To Be A Web App Pentester” course. It looks like a good price.
http://www.learnsecurityonline.com/offerings/courses/224-so-you-wanna-be-a-webapp-pentester
-Cheers
I saw the course and it really has a good price, but I didn’t see any review of it. Maybe I’ll convince the sponsor (wife) and I’ll do it. Then I’ll do a review if there isn’t another one here.
Thanks!
March 8, 2010 at 12:17 am #29660
alucian
Participant
Well.. me again.
As I mentioned in one post, I had a lot of free time at my job, because they don’t have many contracts (they are a consulting company). And it wasn’t only me; there were more guys that did almost nothing. But because I was the last one employed, I got fired on Friday. This wasn’t fair, because I quit my previous job only because they promised me that I’d have a lot of things to do and I’d learn a lot by doing contracts under the supervision of someone more experienced. But the reality was different.
So, now I have a lot of free time. My dilemma is whether I should continue studying penetration testing (by myself only) or go in another direction.
I know that there are many opportunities in the firewall field, but I don’t have experience and knowledge (even if I am able to study them). Also, I really don’t like this domain; it doesn’t suit my personality and way of thinking.
So my problem: should I continue and study penetration testing (network, web application and system) hard for the next few months, or should I change fields just to have more chances of finding a decent job?
Besides pentesting I will improve my knowledge in risk analysis and project management.
Thank you!
March 8, 2010 at 12:34 am #29661
Ketchup
Participant
Sorry to hear the bad news, alucian. On the bright side of things, it seems like the job market is picking up. I can’t tell you which direction you should pursue; only you can determine that. However, since you have prior consulting experience, you can consider searching for a company that does some penetration testing, but where it is not their only source of revenue. In today’s market, it really helps to be balanced.
March 8, 2010 at 1:07 am #29662
alucian
Participant
@Ketchup
This was the type of company I was working for, only that it was very small, 10 employees. Also, most of the companies want to hire you as a consultant and send you to do contracts. They only want to make money on you, not to train you at all.
March 8, 2010 at 7:39 am #29663
UNIX
Participant
That’s not the best news, indeed. As Ketchup already stated, I too think that only oneself can decide where to head. As you have written that your field of interest is penetration testing, personally I would continue in this direction, even if it might be hard. I probably wouldn’t go into firewalls if I am not really interested in them. But then again there could be some other factors etc., and everything could look different.
I wish you the best of luck.