Shared thoughts after 6 years in Pentesting - wolframio
https://0x00sec.org/t/shared-thoughts-after-6-years-in-pentesting/2492
======
tptacek
1. You definitely do not need to make security part of your "lifestyle", much
less spend 80 hours a week working at it. The irony is that the author is a
netpen person, which is sort of infamously the least demanding specialty in
offensive security. If people writing browser drive-by exploits can stay on
top of their game with a 40 hour work-week, I think the netpen people can too.

2. Don't get certificates. If you meet a prospective employer who seems
intensely interested in them, that's a red flag about that job.

3. The idea that you should aspire to being able to do your whole job from a
Linux terminal is pretty silly. Use what works for you.

Maybe it takes more than 6 years in offensive security to realize this, but
the #1 bit of advice for this field is: learn to enjoy coding. The worst
possible place to end up in security is as a captive to available tooling.

~~~
munin
I agree with you.

Here are some of my thoughts at 15 years:

1. Get sleep and exercise. Stop drinking soda, just stop it. Drink water,
coffee, tea, and scotch.

1a. During undergrad, I would get into a trap where I would think I was too
busy with schoolwork some night to exercise. Later, I changed my thinking and
realized I was too busy to NOT exercise. My grades improved.

2. Work 40 hours a week. Don't be a hero. You're going to burn out.

3. Keep your mind open, but don't accept what others say uncritically.
Investigate and evaluate all new information, time permitting. Don't think you
know everything, also, don't think anyone else does either.

4. Be a good programmer.

5. Learn some advanced mathematics and cryptography. Don't listen to the
people that say "I've never had to use that." Learn about something until
you're unsure and uncomfortable, like exercising until you feel it; that means
you're learning something.

6. Make your resume more about stories you can tell and less about tools you
can use.

~~~
branchless
> That leads me to this: to be great in this industry ( or great for this
> industry), I believe that InfoSec/NetSec has to become a lifestyle, not just
> a job. I easily work 80+ hours a week

Who is working 80+ a week long term? It throws into question every other
statement on the page.

~~~
koolba
I've been working 80+ hours per week for nearly 20 years. I wholeheartedly
enjoy what I do but I don't just work on one thing though. It's a combination
of direct work, research, and FOSS.

~~~
branchless
Wow. Well I guess there you are. I cannot imagine this! And I work well over
40 hours a week, last few weeks have been near 80. But as a rule, no way.
Guess it takes all kinds.

------
knieveltech
Yeah...stopped reading at 80 hour weeks. I don't care how esteemed someone is
in their industry, if they have to completely destroy their life to get there
I question their judgement and don't want their advice.

~~~
Spearchucker
Not sure such an absolutist approach is much better. I definitely agree with
your sentiment, but as my own clichéd counter-example, I can tell you that I
wasn't always like that.

I squandered away my 20's and 30's on 80-hour work weeks. It was never
expected of me, I just loved my job and did it anyway. Yes, there have been
benefits, but today I feel I lost more than I gained.

At the time I would've dismissed you and your comment as you do OP's. Life
just isn't that black and white.

~~~
lostcolony
It's more nuanced than that.

Working at your job 80 hours a week = a waste. Always.

HOWEVER, spending 40 hours a week engaged with something you enjoy and are
interested in is a perfectly fine way to spend your time.

But what, I hear you ask, if I enjoy my job? Well, what about the job do you
enjoy? See, if it's the work, chances are you can freelance, self-study, build
stuff for yourself, in the same field, and get the same impact, AND you're
free to do it how you want, free to learn whatever lessons you want, AND to
capture any value it may add for yourself, rather than giving it to your
employer.

This person is spending their time learning. I.e., investing in themselves. I
disagree with their statement that that's required for their job, but it
-does- likely make them better at their job than they'd otherwise be, and so
long as they enjoy it, I can't find fault with it. But it shouldn't be a
burden.

------
maxxxxx
We just had some consultants do pentesting on our medical device and its
software components. I was pretty impressed by all the problems they found
quickly. As developer I find it pretty hard to stay up-to-date with all the
possible ways hackers can get into your systems.

To me this was money well spent.

~~~
tehlike
Any specifics you can share? Medical device & security, and IoT & security
will be pretty critical (since it's not already).

~~~
maxxxxx
The stuff they found was some big-picture stuff but also little things like
misconfigured drive encryption. So even if you do the right things it's good
to have someone check that the right thing has been done right. This is way
too specialized for the regular dev to stay up-to-date with.

~~~
tehlike
I could totally see these. It's also easy to hack up some stuff to make it
work, and then forget about it.

Thanks for sharing.

------
w8rbt
I would say certs have value in security management, compliance and audit. In
fact, if you want to take one of those paths, certs are mandatory. If you want
to do technical security (which is totally different), then get a CS or EE
degree and maybe a few SANS certs (optional unless you are in a
regulated/compliance oriented industry). Finally, having a security clearance
will help as well, especially if you or your employer want to do government
contracting.

Edit: To expand on the cert topic... if you want to do computer forensics for
law offices, police departments, etc., you'll need a technical cert (GCFA,
etc.). And having a CS/EE/CE degree won't hurt either. You'll have to have a
cert to do serious forensic work.

------
eeZah7Ux
> There is a huge need for InfoSec/NetSec professionals

I know far more people that moved from Security to development than the other
way around. Security work has become less pioneering and more routine. The fun
part of security is learning, not work.

The demand for developers increased faster than infosec and so did salaries.

------
JokerDan
I am always fascinated by pen testing and studied computer networking in
security to fall into a software engineering job. I just never knew where to
start with heading a leg up on the tools and practices to be able to go into
pen testing professionally... I couldn't find any apprenticeships or junior
roles for it so ended up shelving it as a 'maybe one day' 'dream'. Where would
be the best place to start? Most of the books I have are pretty dated now.

Also the article was a great read. Pinning it to go over again on the weekend
as my lunch is now over.

~~~
lucb1e
I work as a pen tester (ask me anything). In school I got the opportunity to
pick digital security as my major, but I'm certain any computer science
related study would have been fine.

When interviewing for my current company, my first full-time job, I was given
a vulnerable web application which they used to assess whether I could do the
job (next to a regular interview). I aced this hack test, but due to it being
my first full-time job they still scaled me in as a junior.

Overall, if you know your thing, you can just go and interview with companies
that do security. Specifics, such as a workflow when performing a security
assessment, are specific to a company anyway. With some semi-related work
experience (many colleagues have a programming background) you should be able
to come in above junior too.

As for where to get the skills: hack something. My study gave me dedicated
time to spend on it, but even in high school I was writing code, sharing it
with others, and we had fun poking around each other's applications
security-wise. That's how I truly learned: doing.

------
TheRealmccoy
This is gold and so inspiring.

------
forgottenacc57
So many years pen testing.

Is blue better than black?

Do red pens last longer?

~~~
philprx
Black tend to not notice how much / badly tainted they become.

Red/white may not know how bad and hostile reality is.

PS: no, there's no comment about ethnicity in this comment.