Ask HN: How did you get started in Network Security/Penetration Testing? - Txmm
======
igolden
I’ve been a professional software developer for the last 4-5 years, but never
took security seriously until IoT took off. Get some Raspberry Pis, install Kali
Linux on a VM or spare computer, and go to work! It’s just so easy and cheap
to set up a pen test lab. I’d recommend every dev have a few attack machines
for fun. That’s how I got _started_.

It’s also a huge field. Try checking out security in your current discipline.
I was a web developer in 2013, so it was natural that I was inclined to look
at SQL injections, XSS, packet sniffing, etc. I already understood the domain.
That is easier than jumping into reverse engineering firmware if you have no
xp.

Now, after a couple years of practice, I’m recommitted to security. Huge issue
in our current tech ecosystem. I was just approved to take CEH and will be
taking it next month. To make it official. If you need some structure to your
learning and want to make a career move, check out getting an industry base
cert like the CEH or offensive arc cert. Most security jobs prefer candidates
to have at least one, and they’re not incredibly difficult.

Happy pwning!

~~~
Txmm
"It’s also a huge field. Try checking out security in your current
discipline."

I'm actually 15 at the moment with basically no experience besides messing
around with Kali tools like a script kiddie.

Got any tips for programming languages to learn/where to learn?

I appreciate the post!

~~~
raesene9
In terms of languages I'd echo the sibling comment; Ruby or Python are likely
to be good choices.

If you're looking for things to start getting into security type learning, you
could do a lot worse than start with CTFs
([https://ctftime.org/ctf-wtf/](https://ctftime.org/ctf-wtf/)). Whilst they're
not identical to what you'll face as a security tester, they cover a lot of
similar skills. Also you'll likely meet people in the industry by doing them.

There are also sites like [https://pentesterlab.com/](https://pentesterlab.com/)
which have free examples of pentesting challenges.

~~~
Txmm
Hmm those look very interesting. Thanks!

------
rhexs
I decided I wanted to get verbally assaulted by engineering teams I was
reporting findings to day in and day out. Who would have thought, I managed to
make a career out of it!

(PS, if you do go down this route, try to find a job at a company with a good
security culture. Starting one from scratch is walking a road of broken glass.)

~~~
dguido
Corollary: Don't try to fix a company with bad culture. You can't change
enough of it as a low level employee. Quit, and find somewhere better.

~~~
rhexs
Working on it.

------
throwaway8367
A bunch of comments here warn that you may become unemployable in software
engineering as a result. A so-called "security lifer".

I think that's a little silly. I work for one of the top security consulting
firms and it's just not my or anyone else I know's reality. In fact, the total
opposite seems to be true. We have talented code reviewers and tool writers
move on to work at tech companies all the time. These people are still
interested in security and from what I've heard, they end up working on or
even leading some _really_ cool software engineering projects.

I suppose if you woke up one day and decided that you're no longer interested
in security _at all_, it may be difficult to pivot back if you stopped
writing code. But that does not sound like the typical person who was
originally interested in both security and code. Most security consultants I
know who came from writing code really excel in security doing code review,
architecture review, tool dev, etc. and those are all things that can
translate back into software engineering experience on a resume.

Of course some people's experiences will differ. There are plenty of employers
out there who are biased or looking for a very specific background. But these
cases are far from the norm. Perpetuating the whole "security is a dead-end,
life-long job" narrative is spreading needless FUD and prevents the industry
from maturing.

------
sillysaurus3
Just to clarify for everyone: Be careful switching your career to
netsec/pentesting. If that's your thing, great. But you're likely to be a
"lifer" because no one will want to hire you anymore for webdev.

It's not quite as clear-cut as that, but if you're out of the game for N
years, it's really hard to get back into it. Especially when you're not
younger than 30. Ageism is a real thing.

~~~
the_cyber_pass
As someone who has tried a couple times to jump the other way I can attest to
this. Completely stonewalled for full stack developer positions.

I have found exploits by knowing the quirks of all sorts of libraries and I
have to be able to understand how things work on a deep level. But because a
lot of the job is tracing other people's work and finding gaps in their logic,
you don't have as much 'dev' time in the traditional sense. Most of your
coding turns into ways to prep your exploit. Your life gets wrapped up chasing
obscure malloc bugs or strange Chrome behavior rather than contributing in
normal developer ways, and companies don't recognize this as transferable. I'm
only a little bit bitter about it, but I love my work. I just hope the pay
stays solid and I don't end up in a dead end job later in life.

Also it's really hard to be good in this industry. It is almost entirely
driven by the top 1% of people and as someone who is not in that demographic
it feels like a constant struggle to keep up.

~~~
user5994461
By your text, you're a random senior developer. It shouldn't be too hard to
get a position, as long as you live in one of the active tech locations.

It looks like you and the parent poster are facing the usual company that is
looking to hire a cheap 20 year old web dev with little experience. Not a good
fit for you.

------
vmarquet
A way to validate that you're genuinely interested in penetration testing and
to learn is to do challenges on sites like
[https://www.root-me.org/](https://www.root-me.org/) for example. They're not
necessarily realistic challenges, meaning there can be challenges on
vulnerabilities you're very unlikely to see in real life, but you'll always
learn something. If the challenge does not teach you about some kind of
vulnerability, at least it will teach you about how to think and do research,
which is the most valuable.

I've seen companies filter candidates based on their score on such platforms.
For example, for a junior position in penetration testing, they asked for at
least 3000 points on root-me (but it was a few years ago, the number of
challenges on the site has increased so it would make sense if they had
increased their minimum points requirement).

Compared to certifications, it has two enormous advantages: it's fun, and it's
free. I've started that way and never regretted it. I've not needed a
certification to land a penetration testing job in a serious company (this was
in France though, I don't know much about practices in other countries).

------
Kikawala
I dabble in netsec, but not in it. My job requires me to work with our netsec
team so I prefer to be familiar with the subject matter. I usually lurk on
/r/netsec and they have a good resource on their wiki[1] on getting started in
netsec.

[1]
[https://www.reddit.com/r/netsec/wiki/start](https://www.reddit.com/r/netsec/wiki/start)

~~~
dguido
Thanks! I'm glad you found that useful (I'm one of the mods there).

/r/netsec is no longer the smaller, more personal community it was when I
started as a mod (7 years ago now?). If you're just starting out, one of the
things I recommend most is finding a meetup in whatever city you live. It's
hard to underestimate how useful an in-person conversation over a beer or two
can be when you're early on.

I guess my advice for you would be: take your netsec team out to lunch once in
a while! :-)

------
mkhpalm
I got started for personal entertainment in darker corners of the internet.
That ultimately evolved into me writing some of the tools people used in the
industry. Eventually that developed into some SaaS products and 2 companies
that we ended up selling.

My advice to you if you are just getting started in the infosec world is...
don't do it! Short of the increased attention to encryption and various better
authz/authn standards... the newer crowd doesn't want to hear anything about
the vulnerabilities in their code. 9 times out of 10 the only reason they'll
resort to testing anything is to cross off a corp checkbox somewhere. Keep in
mind that nobody likes policy and you'll be associated with their hatred for
it.

~~~
sebcat
> 9 times out of 10 the only reason they'll resort to testing anything is to
> cross off a corp checkbox somewhere

Can confirm.

The way it usually works is that Company X has N dollars allocated for
security. Company X (or rather, a person or a team at Company X, with
his/her/their own internal and external priorities and motivations) buys a
service - recurring automated tests/assessments/pentests &c. This is where the
usual corporate bullsh*t kicks in. If they want to show that they've done a
good job in securing something, they buy a pentest over a short duration for a
minor thing and then they claim "<trusted security vendor Y> said we were
secure". If they want more money, they obtain data to show that. The infosec
companies have a "customer is always right" mind-set. It's business.

You can probably get good cash just for telling people to use TLS. Green
padlocks and all that.

EDIT: also, to differentiate infosec from regular security, don't forget to
prepend "cyber" to everything.

------
kgc
In school, they taught us of the existence of Wireshark. It lets you see
network traffic.

------
dguido
I had an oppressive computer teacher in high school and I liked to pull
pranks. It started out with simple password guessing, then phishing, then
trojaned USB autoruns, SAM hash dumping, and password cracking, then some wifi
sniffing... I never thought of what I was doing as hacking at the time
(2001-2002). I just wanted to use the computer lab to play video games, and
show up my jerk of a teacher.

In my senior year of high school, I was handed a brochure for a scholarship
program offered by an engineering school that paid your entire tuition if you
studied cybersecurity. I didn't know much then, but I knew loans were a bad
thing, so I went with it and attended that university. The final hook was a
Capture the Flag (CTF) game hosted by the school. I had not pursued obtaining
the scholarship until that point but playing in the CTF got me exposed to the
other students and convinced me to go through it. You can read more about the
NSF Scholarship for Service (SFS) program here:
[https://www.sfs.opm.gov/StudFAQ.aspx](https://www.sfs.opm.gov/StudFAQ.aspx)

I like to characterize myself as one of the first class of graduates with
specialized degrees in cybersecurity (at least in the US). Anyone older than
me is usually entirely self taught, anyone younger generally had exposure in
an academic setting. I was about half and half. For reference, I am 32. I
think the NSA Center of Academic Excellence program had a lot to do with that
shift. Many US universities were first getting certified with new coursework
to meet that standard through the mid to late 2000s, right as I was attending
college.
[https://www.iad.gov/nietp/reports/current_cae_designated_ins...](https://www.iad.gov/nietp/reports/current_cae_designated_institutions.cfm)

FWIW I wrote a short career guide to help others trying to make sense of the
field and how to get started.
[https://trailofbits.github.io/ctf/intro/careers.html](https://trailofbits.github.io/ctf/intro/careers.html)

In fact, this year's Flare-On challenge just started today! It's an online
game composed of 10-20 reverse engineering and forensics challenges that takes
place over the next few weeks. There will be solution writeups after the
challenge is over so you can learn how to solve whatever got you stuck. Give
it a shot! Flare-On always gets great reviews for being fun to play, and
online games (CTFs, wargames, etc) are a great way to get yourself started and
add something to your resume.
[https://2017.flare-on.com/](https://2017.flare-on.com/)

I am now the CEO and co-founder of Trail of Bits, a high-end software security
research firm. I will probably never quit the field. You can read more about
what we do here: [https://www.trailofbits.com](https://www.trailofbits.com)
AMAA?

~~~
ktta
I feel like it is difficult to get hired right out of college into a
pentesting/netsec role without a bunch of certs and CTFs (which you do mention
in your career guide). Even then it just looks like another qualifying
tick in the checklist. Right now I'm thinking a dev job for a couple years,
then move into security (which looks like what some recommend). What do you
suggest one can do to show that they have the chops to take up a good role
short of getting a couple high profile CVEs? Write a blog? Write PoCs for past
CVEs?

What will get the attention of someone who hires (like you) to think that they
will be a good fit?

~~~
dguido
Easy! Develop software. Don't limit yourself to scripts and small utilities.
Work on something substantial, preferably low-level and closely related to the
operating system or hardware. If you play CTF, show me the tooling you wrote
to prepare, and the process you use to review your past performance and plan
your next game. Our biggest ask during our hiring process is a code sample of
some kind. If you're talking about finding bugs, show me that you didn't just
get lucky, that you know how to make the process reliably produce a known
outcome.

Sidenote, I think the dev job for ~2 years out of college then moving to
security is a smart move. You're 100x more effective as a security engineer if
you have a strong background in development. I'll say that we definitely
prefer to hire software developers and teach them security.

~~~
ktta
Thanks! This is great advice.

------
unixhero
I never went in, but the baseline skills are there.*

Let's just say I was forced to show up at the principal's office at several
educational institutions during my youth :).

I now sometimes make money doing white hat stuff.

------
Eridrus
By hacking the planet, duh.

But seriously, I got started by writing exploits for long tail web apps.

~~~
jnbiche
I understand the meaning of "long tail", but not sure what it means in this
context. Is this an infosec term? I work in webdev and have never heard it
used. Are you referring to less-commonly used web app frameworks?

~~~
Eridrus
Less commonly used web apps; they tend to have poor security because no-one
has cared/known enough to make them not horribly insecure.

------
anon_dev_123456
I can tell you how not to do it. I'll never forget the funniest interview I
ever had. I interviewed with this company called Deja vu Security.

[http://www.dejavusecurity.com/](http://www.dejavusecurity.com/)

I explicitly told them, via email, I have ZERO experience pen testing, or
anything related to hacking. I'm a terrific software engineer looking to pivot
into this market, would take a salary cut to get my feet wet and be mentored.
Would this be possible? Are you guys remotely interested in an arrangement
like this?

They say great, when can we sync up? That's definitely something we can do.

So we set a call up and the call takes literally 39 seconds, I'll never forget
it. He asked me what experience I had, and I reply: None whatsoever, like I
mentioned in my email I'm interested in jumping into this line of work though.

"Thanks but we're not going to move forward."

Before I can even say thank you for your time, goodbye, the dude just hangs up
the phone on me lol.

~~~
bitexploder
We have a hiring process for folks with no infosec experience. It isn't easy,
but it works. The guys at Deja are solid and consulting makes for busy folks,
so don't hold a low opinion of them. Probably did not pay close enough
attention to the initial email.

If you are interested shoot careers at carvesystems dot com an email.

