

Is penetration testing a career worth pursuing? - zitstif

I ask this due to this article:

http://carnal0wnage.attackresearch.com/node/440

I think he made some very good points that most companies don't want to take an expensive test that they'll most likely fail and they just want to be compliant.

While I can see penetration testing diminishing in the corporate environment, I think it will most likely be a constant within the realm of the military.

What are your two cents?
======
whatusername
I'm not sure HN is the best community to be asking. Remember it was originally
called "Startup News".

That being said -- pen tests are still valuable -- and PCI DSS mandates them.
So there is definitely a market for them.

I know the latest pauldotcom episode I listened to covered the "is pen testing
dead" subject once more... Worth a listen to if you don't already and are
interested in the field: <http://www.pauldotcom.com/security-weekly/>

------
raffi
Right now we have vulnerability assessments and penetration tests. There are
still people who confuse the two. Chris Gates (author of the article) is
talking about another tier emerging in the field: attacker emulation.

Right now penetration test can mean many things. It can mean a standard
CEH/CISSP/other cert trained monkey running tools and generating a report from
within your DMZ for two weeks. Or it can mean a dedicated team spending their
days like a stalker in a dark basement putting LinkedIn profiles and IP
addresses on a cork board until they see the opportunity to strike.

They're different tests needed for different situations. I do not know how big
the market will be for these advanced tests, but some organizations need and
will pay for them. It's fun work if you can get it.

So the article is drawing this line and saying: "hey talented guys, there's
real work for us… we just need to be aware of what it is and not get
discouraged". Penetration testing isn't dead, it's just becoming automated and
the lower tier of it is becoming more well defined. The cool stuff still
exists, we just need to call it something else.

How's that? As for making a career out of it? I'm not. I pen test now, but
only because it's fun. Once the fun wears off, I'll go do something else.

~~~
raffi
This captures the field quite well:
<http://www.youtube.com/watch?v=pzcLTPy8yDQ>

------
JoachimSchipper
Security in general seems to be doing fine (ask tptacek), but I'm not sure how
large the market for _really good_ pentesters is - you'll need to be a lot
better than Metasploit etc, which is difficult, and will penetrate almost
every network, which is embarrassing to your employer.

You can make a fairly decent living running Metasploit and turning the results
into a nice report, too - but that's not "penetration testing" (as it is/used
to be understood.)

~~~
memr
Be better than metasploit? Run metasploit and turn in the results? You don't
know what metasploit is.

~~~
JoachimSchipper
That's not an entirely unfair criticism. ;-)

Would you like to try to improve on my comment?

------
mahmud
No. Nowadays, pen-testing is something for entry-level security workers, often
using stock tools. The whole "hacking" scene came apart when someone decided
to certify "ethical hackers" after someone else decided to fly planes into
buildings.

~~~
memr
Entry-level using stock tools? That was the nineties. Hacking scene came apart
due to ethical hacking certs after 9/11? No. The hacking scene was all about
hacking in the beginning. Then some people turned white-hat and got security
jobs. Then most people in the scene got security day-jobs by releasing tools
and 0days to market themselves. Then organized crime started hiring hackers
for projects. Now hacking is all about money, be it a security job or working
for the Russians.

