
Careers in security, ethical hacking and advice on where to get started - jscholes
https://www.troyhunt.com/careers-in-security-ethical-hacking-and-advice-on-where-to-get-started/
======
alltakendamned
As a counterpoint to this fluff piece for Pluralsight (mentioned 29 times),
I'd like to offer the following links with very good information by well
respected people in the industry:

\- [https://www.corelan.be/index.php/2015/10/13/how-to-become-a-...](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)

\- [https://tisiphone.net/2015/10/12/starting-an-infosec-career-...](https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/)

\- [https://danielmiessler.com/blog/build-successful-infosec-car...](https://danielmiessler.com/blog/build-successful-infosec-career/)

~~~
andersonmvd
Allow me to enhance your list.

"Owasp Testing Guide V4" is a must read for web hackers, at least for
starters:
[https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table...](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents)

OWASP has vulnerable application projects for you to play with, such as
WebGoat
"[https://www.owasp.org/index.php/Category:OWASP_WebGoat_Proje...](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)",
but there are many applications like these such as "DVWA - Damn Vulnerable Web
Application" and variants in Node JS ([https://n0where.net/damn-vulnerable-node-application-dvna/](https://n0where.net/damn-vulnerable-node-application-dvna/))

I also developed two free courses on "WordPress Security" and "Docker
Security" [https://dadario.com.br/courses/](https://dadario.com.br/courses/)

The point is to learn development / infrastructure first, then study attacks
and defense to develop a security mindset. Get involved in bug bounties, but
learn how to fix, don't let your code skills rust. Then learn more security
concepts, how to build a corporate security program and keep moving :)

There's also a very famous book in the area: "The Web Application Hacker's
Handbook" [http://mdsec.net/wahh/](http://mdsec.net/wahh/)

------
debatem1
As a hiring security manager: go break shit. I don't care if you have a CEH, I
care if you can bring me good vulns. Show me you can break things I care about
and that you're not a horrible person and you'll go straight to the top of the
list. It's that simple.

How do you get started breaking shit? Github has tons of shit. Go break it.
More interested in hardware? Go buy some crappy iot gear and break it. Vulns
are not rare and they do not require a damn piece of paper to find. Find them,
and you will have no problem finding jobs.

If you are reading this and still don't know where to start, I am happy to
help you find things to break and suggest approaches that might help. But
seriously, don't waste your time and money getting certified. I don't care at
all.

~~~
patcheudor
To this point, bug bounties, bug bounties, bug bounties. If someone is
applying to be a security developer, consultant, or anything beyond a security
help desk operator my expectation is that they can tell me about bounties
they've collected. In lieu of that, I'll accept them telling me about their
ethical disclosures. Also playing CTFs, even without winning, is a good sign.
It shows passion and that's what matters at this point as we need people in
security not because of the money, but because they passionately want to make
the world a safer place and enjoy the work as a bonus.

~~~
dsacco
I want to push back against this a bit because you used the word
"expectation." Yes, I strongly agree that bug bounties are _one way_ to
achieve and demonstrate a certain level of expertise in information security,
especially if you are trying to break in. However, don't make it more than a
job for people who just want to do the job, and don't arbitrarily make it the
whiteboard of the security industry.

My best colleagues, the people I most deeply respect and the people who
inspired me to work in this industry all neglect bug bounties. They mostly
don't participate in them at all. Bug bounties are usually pursued by people
who have the free time and bandwidth for them. For the most part, most
security consultants and engineers do not actually engage in them because they
are already highly paid. This is why you most frequently see bug bounty
participants from countries other than the United States and Western Europe.

Those that do have a full-time position and also engage in bug bounties
certainly have a commendable passion for the work (or sometimes more
accurately a workable formula for getting to low hanging fruit in new programs
first), but please don't expect all or even most skilled security talent to
adhere to this rule. Many people enjoy being skilled without sacrificing work-
life balance. Just as not every software engineer needs to contribute to open
source or have a GitHub profile, not every security engineer needs to have
badgers for every company they've hacked.

~~~
patcheudor
I agree with you on your assessment, but those people you respect and who inspired
you are the ones who are already in the field. They already have
accomplishments and have done things to earn that respect. I've found that
it's near impossible to differentiate "posers" from actual security people
when it comes to hiring someone without a long, formal, and vouched for by
others security career. This is where bounties and ethical disclosure come
into play. Also note the careful choosing of long, formal, and vouched for
wording above. There are certainly people in our industry who are here because
they are good at social engineering rather than here because of their
technical skills or work ethic. Those individuals are very damaging to our
field.

~~~
dsacco
Can you clarify what you mean by "good at social engineering"? Do you mean
they try to specialize in that and pass it off as actual security rigor
("hacking")?

~~~
patcheudor
Exaggerating their skill-set, claiming to have skills when they don't. Yes, it
could be the Dunning–Kruger effect in action but more than not I think there
is careful plotting involved to deceive. It's actually odd if you think about
it a bit. I've been going to DEFCON for the last 11 years, have done the CTF
thing, the speaking thing, etc., and it strikes me in many ways as a tale of
two cities. You've got your highly skilled and technical security
professionals who are talking and sharing but then you have all of the
roadies, the fans, the people who watched Hackers and want that lifestyle. We
don't see this in any other technical field that I'm aware of - I mean I'm
pretty sure there aren't blue-haired database administrator wannabes showing
up to DBCon, are there? What ends up happening is that people like the idea.
They want to be a "hacker" but want it as a day job but don't have the
technical skill so they must figure out ways to social engineer their way into
the field.

The folks at Attrition tend to cover it a bit more when it comes to "security
rockstars":

[http://attrition.org/errata/charlatan/](http://attrition.org/errata/charlatan/)

~~~
dsacco
Yikes, what a list. I see your point though.

------
tptacek
I like Troy, but I need to put in a word here against pursuing certifications.

There are no employers in security that I know that anyone wants to work for
that take certification seriously. The best people working in security --- not
just in application security but in network security, red-teaming, exploit
development, and cryptography --- don't have certificates.

If you want to work in startups, a hiring process that even asks if you have a
certification is a big red flag. This is less true in the broader tech
industry, but while it's probably not a good idea to discard a prospective
Fortune 500 employer just because they _ask_ if you have any certifications,
it is certainly reasonable to pull the ejection lever hard if an employer
_cares_ about them.

Every minute you'd spend pursuing certification is better spent building
programming skills.

For whatever it's worth, I still stand behind everything in here:

[https://krebsonsecurity.com/2012/06/how-to-break-into-securi...](https://krebsonsecurity.com/2012/06/how-to-break-into-security-ptacek-edition/)

~~~
konficker
Care to elaborate why programming skills are so important in the field of
security? Genuinely curious. I have always wanted to take my skills to the
next level but have never actually gotten started. This might be the time for
me to start.

~~~
m0nastic
It's of varying importance depending on what field of security you're talking
about, but generally it's the chasm that separates entry-level security folks
from the rest.

Using systems administration as an analog, there exists a class of sysadmins
who can't write even basic scripts. Their ability to troubleshoot or problem
solve are limited to using predefined tools. Whole categories of tasks will be
infeasible for them to accomplish (mostly because of the amount of time it
would take to do them manually, not necessarily because they are technically
impossible).

Lacking the ability to do any programming limits their job prospects to the
bottom of the sysadmin barrel. That being said, programming isn't necessarily
a prerequisite for their job, it's just a ceiling.

Going back to security, most tasks benefit from the ability to automate some
part of them. I come from application security, where that frequently
manifests in having to quickly piece together tools for interfacing with a
specific protocol or API. Application consulting exacerbates that even more,
because you'll usually have to do all of this in a very short amount of time,
so that you can spend the allotted assessment time actually doing the
assessment, and not trying to get your tools to work with the environment.

------
dsacco
I'll echo what debatem1 and tptacek said here with what I tell everyone:

0\. Do not pursue certifications at all.

1\. Learn to code. C + Python is a great choice, to start with (or C + Ruby).

2\. Start with application security, because it's the easiest place to get
your feet wet.

3\. Work through _The Web Application Hacker's Handbook_ (don't just read
it).

4\. Find bug bounties in as many programs on BugCrowd or HackerOne as you can.
Extra resume points (and money!) for bug bounties in Google, Facebook etc.

5\. Join a reputable security consultancy (NCC Group, Optiv, Bishop Fox, etc.)
and mature your skills.

6\. Decide how you'd like to specialize.

~~~
patcheudor
> 2\. Start with application security, because it's the easiest place to get
> your feet wet.

This is true because of the availability of targets, however, the easiest
place to get your feet wet is not the same thing as the easiest discipline and
people must keep that in mind. Application security is the toughest of the
disciplines in my book; far tougher than netsec, opsec, and many others
because it's a world of vast diversity of solutions. It's also a world of vast
diversity in attacks, from SQLi to XSS, to unauthenticated remote code
execution, to the identification of logic errors which result in the exposure
of sensitive information.

~~~
dsacco
Yes, I agree, and this is a good addendum to my point. I could quibble about
it being the most difficult (I specialize in AppSec and I find crypto much
more difficult), but you're right.

------
eieio123
On a related note, here's a quick guide to infosec in the defense industry:

1\. Graduate from any school with a degree in CS/CE/Math/Physics.

2\. Solve one crackme in your free time.

3\. Apply for all entry level jobs at GENERIC DEFENSE CONTRACTOR that involve
keyword "ida pro." Prepare to move to a deserted town in Florida or the DC
megalopolis.

4\. Die on the inside when you spend years working on unbelievably complicated
problems that do nothing else except get a government employee promoted. Have
everyone else in the news/online tell you you're evil.

5\. Spend several months working for a government employee that is amazing at
what he or she does. (part of the 20% of employees doing 80% of the work)

6\. Watch as that employee is immediately promoted and replaced by someone
else who doesn't care.

7\. Try to transition to non-defense and discover that for all the talk about
"cyber!!!!" and infosec in the news, all anyone actually wants is an IT
professional that took a one week course at Blackhat on exploitation/has
meaningless certificates/knows how to buy and install Nessus products and Palo
Alto products. That has to be 90% of the job postings out there.

In all seriousness, if you do think you want to go down the government route,
stick to a dedicated research institution or try to get a federal job. There
are a very, very small few defense contractors that truly do good work, but
they burn too bright and are eventually snuffed out by corporate greed or
insane management.

~~~
linkregister
Ha ha ha. That was right on the money. Though it seems a bit too pessimistic.
And CCOEs mostly have really boring projects.

Raytheon SI, Mantech, and Booz Allen Hamilton have some decent contracts; yes,
they are in Melbourne and Annapolis Junction (where else would they be in the
U.S.?).

It's hard to get involved in the smaller firms, because DoD wants to keep the
best employees from going to these contractors to do their current job for 2x
the pay.

I'm biased, but I think the better way is to start federal, get into a cool
3-year rotational program for poverty wages, and then go contractor once
you've paid your dues for a couple of years.

This is, of course, pretty damn niche for infosec. Most infosec folks I've met
in the industry have no exposure to this.

~~~
eieio123
I think that's decent advice. If I was young again, I'd just apply to one of
the many security engineering internships out there and skip defense work.
Those didn't exist when I was in undergrad.

Federal jobs are pretty awesome everywhere except extraordinarily expensive
cities. Unfortunately, a good percentage of them are based exactly there. :)
(Also, a bit easier to admire the benefits and stability they offer when
you're older. Early 20s me would laugh and then apply to whatever popular
corporate grinder was hiring for prestige and 6000 hour weeks.)

Grass is always greener.

------
mi100hael
I've enjoyed Troy's posts explaining past high-profile hacks, so I assume the
content he created for Pluralsight is pretty good, too. I'm glad he didn't
directly tailor them to the CEH, because from what I've seen it's not the most
esteemed certification. Most managers I've talked to on the security side of
things have said something like Security+ is a good starting point for newbie
hires, and CISSP or OSCP are a decent indicator for mid-to-senior hires.

In general though, the prevailing sentiment has been that demonstrated
experience is the #1 factor. Infosec isn't a career path that begins as a
totally oblivious hire after floating around in college. It begins in your
bedroom in the evenings poking around bug bounties or playing on
hackthissite.org and its forums and that sort of thing. A professional setting
isn't required to gain some good real-world experience, so there's no reason
you should be inexperienced by the time you're sitting for your first
professional interview.

~~~
phaus
A CISSP is only a good indicator that someone wants a free ride past HR. As a
technical certification, or a measure of technical ability, it is worthless.

~~~
toss1941
I wouldn't say worthless; a lot of CISSPs are in management where actual
technical ability gets delegated to non-CISSPs. I'm pretty confident that
most CISSPs could pick up almost any security-related technical skill if they
were motivated to do so.

~~~
phaus
The context of this thread is that we're talking about technical positions. If
you see my other comment, I already mentioned that it's a management cert.
Also, if a person with a CISSP is capable of picking up technical skills,
that's simply coincidental. The CISSP didn't teach them to learn technical
skills, it's completely unrelated. In my experience, motivation is the largest
factor in learning anything, so of course a person motivated to spend time
learning a specific subject is capable of picking it up.

------
ryanlol
Content-wise, CEH is probably one of the worst infosec certifications in
existence. And EC-Council is nothing more than a paper mill. This can't be
emphasised enough.

Check out a few sample questions:
[http://www.gocertify.com/quizzes/ceh/ceh1.html](http://www.gocertify.com/quizzes/ceh/ceh1.html)

Also review their attrition.org page that exposes how they just copypaste
their material from other authors. [http://attrition.org/errata/charlatan/ec-council/](http://attrition.org/errata/charlatan/ec-council/)

Especially this part: [http://attrition.org/errata/charlatan/ec-council/history_and...](http://attrition.org/errata/charlatan/ec-council/history_and_criticism.html)

Oh yeah, EC-council keeps your passport scans and other PII unencrypted in
their gmail inbox. I would know, I hacked them once.
[https://cdn.arstechnica.net/wp-content/uploads/2014/02/EC-ha...](https://cdn.arstechnica.net/wp-content/uploads/2014/02/EC-hack.png)

Stay away from CEH and EC-Council, don't support these scumbags. They're just
a bunch of charlatans that managed to grow their paper mill by spamming and
stealing material from others.

EDIT: Oh! But there's more! Apparently they like to serve ransomware on their
website [http://arstechnica.co.uk/security/2016/03/ethical-hacker-web...](http://arstechnica.co.uk/security/2016/03/ethical-hacker-website-ransomware/)

tl;dr: stay the fuck away from CEH and EC-Council.

------
avenueb
10+ year info sec veteran here. I think first order of business is do you want
to be a specialist or a generalist? Application security is but one piece
(albeit in many cases a very important piece). I chose generalist and I am
happy to have done so. Today I am diving into Strict Transport Security, yes,
but also working with HR and IT on our employee onboarding and off-boarding
process, reviewing vendor and customer contracts and federal compliance
requirements. Privacy, regulations and law, compliance, IT and infrastructure
security, corporate IT security, and yes, application security - every day I
deal with all of the above and I love that. And as a great foundation in all
the things a security person may do, I cannot recommend the CISSP enough: go
for the CISSP (or, alternatively, CISA) certification.

~~~
tptacek
I literally can't think of a single person I talk to in security --- and I
talk to lots of security people --- who will mount a defense of the CISSP
certification. Most of the people I know see it as a plague on the industry.

(I'm 22+ years in the industry, for whatever that's worth.)

~~~
toss1941
There's nothing wrong with the CISSP for what it is, a wide gamut glance into
InfoSec, but a lot of hiring managers have been led to believe it holds high
technical merit. A few years ago I took a job with my then shiny new CISSP and
I was uncomfortably flattered a bit at how much awe it held with people who
had no idea what it even was. They assumed I was a master hacker when neither
my work nor my resume suggested any such thing.

~~~
tptacek
What does it actually tell employers, and, for whatever that thing is, how
likely is it that having a CISSP is a reliable indicator of that thing?

~~~
toss1941
I think what it tells employers, who don't know better, is that the person is
a Certified Information Systems Security Professional, and they might have
heard all government security employees must have one, so it must mean that
the people are extremely skilled. In this, I'm not qualified to say but my
hunch is, not very likely based on a few untechnical people I know in the last
few years who passed the test successfully.

What it should tell employers however is that the person is capable of
critical thought and has a light familiarity with a wide range of security
concepts.

~~~
tptacek
Why should I have to pay a pretty significant amount of money at the start of
my career to buy a piece of paper that suggests I'm capable of critical
thought? In fact: isn't doing the exact opposite of that actually doing a
better job of demonstrating critical thinking skills?

~~~
Dagwoodie
It's difficult for most companies to distinguish a skilled IT worker from a
disaster.

~~~
wglb
So would you want to work for those companies?

------
jwtadvice
When we hire, we skim the list of certifications and look for indications of
experience. A list of CVEs, a blog or several years in a serious role rank
much higher on our hiring queue. And when we interview, we specifically check
for depth on the areas the resume indicates depth on, and we look for breadth
everywhere else.

------
andersonmvd
I'm surprised that he didn't mention CSSLP from (ISC)², the same organization
that created CISSP. Certified Secure Software Lifecycle Professional (CSSLP)
is a certification focused on all phases of software development lifecycle and
is for those who want to add security to the whole development lifecycle
instead of focusing on 'finding bugs'. It's great to find bugs, but
application security is much more than that, so is information security. This
is how I became certified: [https://dadario.com.br/what-it-takes-to-be-csslp/](https://dadario.com.br/what-it-takes-to-be-csslp/), and more info about
the certification is here:
[https://www.isc2.org/csslp/default.aspx](https://www.isc2.org/csslp/default.aspx)

------
FLUX-YOU
> That's also reflected in how well rewarded security pros are

> That’s bad for employers but good news for cybersecurity workers, who can
> command an average salary premium of nearly $6,500 per year, or 9% more than
> other IT workers.

Why are the technical skills (in this article specifically) so demanding, but
yet the salary is only 9% higher?

Same for the other career-starting directions given here -- most of which seem
like multi-year time investments. Many of them ask even more of your technical
ability than the article before entering the field with a salaried position,
and yet that's only worth 9% extra salary?

------
YCode
> That’s bad for employers but good news for cybersecurity workers, who can
> command an average salary premium of nearly $6,500 per year, or 9% more than
> other IT workers.

$6,500 / year? Am I misunderstanding the term "salary premium"?

Also the bar graph confuses me. Shouldn't cybersecurity positions be included
in "all IT positions"?

~~~
ontoillogical
That's salary above the average for IT workers.

The average IT worker makes $72000, while cybersecurity workers are making
$78500, a 9% premium.

------
christianbryant
I believe an area that goes unnoticed by new security analysts looking to work
in penetration testing and exploit authoring is that of OpenVMS and VMS-based
systems hacking. I've worked on these systems for years and the word floating
around out there is that they are "unhackable". While some have arguments
against why this would matter in this day and age, why it really does matter
can't be discounted. [1] Finding OpenVMS vulnerabilities and discovering ways
to own boxes running the system is not only important but a great resume
bullet.

[1]
[https://www.defcon.org/images/defcon-16/dc16.../defcon-16-ob...](https://www.defcon.org/images/defcon-16/dc16.../defcon-16-oberg-nyberg-tusini.pdf)

------
lobo_tuerto
"That’s bad for employers but good news for cybersecurity workers, who can
command an average salary premium of nearly $6,500 per year, or 9% more than
other IT workers."

I think $6,500 per year is very low...

~~~
Bartweiss
'Premium', which is to say how much more money security IT work pays than
other IT work, on average.

Of course, it's still a bit of a silly comparison, because the distribution on
"IT" is so wide that you don't learn much without bucketing further.

