Hacker News new | past | comments | ask | show | jobs | submit login
Shared thoughts after 6 years in Pentesting (0x00sec.org)
303 points by wolframio on June 25, 2017 | hide | past | web | favorite | 87 comments

1. You definitely do not need to make security part of your "lifestyle", much less spend 80 hours a week working at it. The irony is that the author is a netpen person, which is sort of infamously the least demanding specialty in offensive security. If people writing browser drive-by exploits can stay on top of their game with a 40 hour work-week, I think the netpen people can too.

2. Don't get certificates. If you meet a prospective employer who seems intensely interested in them, that's a red flag about that job.

3. The idea that you should aspire to being able to do your whole job from a Linux terminal is pretty silly. Use what works for you.

Maybe it takes more than 6 years in offensive security to realize this, but the #1 bit of advice for this field is: learn to enjoy coding. The worst possible place to end up in security is as a captive to available tooling.

I agree with you.

Here are some of my thoughts at 15 years:

1. Get sleep and exercise. Stop drinking soda, just stop it. Drink water, coffee, tea, and scotch.

1a. During undergrad, I would get into a trap where I would think I was too busy with schoolwork some night to exercise. Later, I changed my thinking and realized I was too busy to NOT exercise. My grades improved.

2. Work 40 hours a week. Don't be a hero. You're going to burn out.

3. Keep your mind open, but don't accept what others say uncritically. Investigate and evaluate all new information, time permitting. Don't think you know everything, also, don't think anyone else does either.

4. Be a good programmer.

5. Learn some advanced mathematics and cryptography. Don't listen to the people that say "I've never had to use that." Learn about something until you're unsure and uncomfortable- like exercising until you feel it, that means you're learning something.

6. Make your resume more about stories you can tell and less about tools you can use.

"Make your resume more about stories you can tell and less about tools you can use."

This is great advice, but I've never been able to describe it so succinctly.

I agree. Well put. Reminds me of functional resume approach of describing what one did vs where they worked. I've always preferred it.

I read Chris Lattner's online CV [1] (probably via HN), he of Apple/LLVM/Tesla fame and a technical engineer I regard rather highly.

It's an excellent example of story-driven resumes.

[1] http://nondot.org/sabre/Resume.html

> That leads me to this: to be great in this industry ( or great for this industry), I believe that InfoSec/NetSec has to become a lifestyle,not just a job. I easily work 80+ hours a week

Who is working 80+ a week long term? It throws into question every other statement on the page.

I've been working 80+ hours per week for nearly 20 years. I wholeheartedly enjoy what I do but I don't just work on one thing though. It's a combination of direct work, research, and FOSS.

Wow. Well I guess there you are. I cannot imagine this! And I work well over 40 hours a week, last few weeks have been near 80. But as a rule, no way. Guess it takes all kinds.

He is including time spent on here :P

He is including all time spent learning stuff and so on. 40h work + 40h learning/reading HN/doing hobby projects is pretty common.

Is it really? That's 16 hours of work 5 days a week. If you sleep for 8h you don't do anything but work or learn for all of your waking hours.

A more reasonable person would probably put a fair amount of learning time on the weekend, but even then you leave very little time for a social life, physical exercise, eating, relaxing.. things that most healthy people, if not everyone, requires.

Working 40 hours per week and sleeping 8 hours at night leaves you 72 hours of free time a week so you still have time for other activities.

Also, learning and hobby projects can include social aspects.

It's not just about being able to keep that up, either - it's less efficient to work 80 hours consistently and you end up with a large number of hours worked that you get a negative return on because they contribute to burnout without increasing the amount of work you get done by much at all.

Most of this applies equally well to data science, natural science, or social science with "statistics, probability, and machine learning" swapped in for "cryptography".

Pretty much any technical creative field.

> Learn some advanced mathematics and cryptography.

There is too much of mathematics to learn all of them. To make maximize, I think I need to focus on some subjects that would be cost-effective. What woulds would this be?

Sorry, could anyone enlighten me on the "Avoid ElGamal" part? I thought it was pretty secure. Is it due to bad efficiency?

I would guess the author wanted to say "avoid cryptosystems that work over Z_n ring", especially that you will use ElGamal when signing or encrypting over elliptic curves.

It is fine, but a good reason to avoid FFDH, RSA and other algorithms over multiplicative groups is that you need longer parameters compared to ECC.


I work in infosec as well, and I think the author of this article is confusing time spent vs. passion for something. Coming from software engineering, security is no different than any other technical profession: if you don't love what you do, you probably won't be very motivated to learn, and thus you probably won't be very competent. You need to have the passion. This doesn't need to manifest itself in 80 hour work weeks.

There's a whole contingent of "infosec ninjas" that think there is some type of bushidō bullshit going on, where if you aren't constantly training for your pentesting job like it's a martial art, you aren't capable of doing your job. In my experience, these people are often the most insufferable to work with and driven more by ego and power fantasy than the desire to tinker or craft.

Security is part of my "lifestyle" just as coding is. I work on security-related stuff outside of work not out of obligation to practice infosec kata, but because I actually like it. Some weeks I don't do anything outside of work other than browse /r/netsec or HN; some weeks (like this one) I'm writing some tools for myself to make a code audit easier.

The whole "80 hours a week" bit definitely seems to elide the difference between "working two full time jobs" and "being involved with the topic when you're off the clock".

I think it's true that most passionate people will engage with their field more than 40 hours per week, simply because it's a passion. But hell - some weeks that could mean reading a good novel on the topic, with no direct value to your work. I keep up to date on a bunch of aspects of computing and mathematics because they interest me, but that feels completely different from working long hours and 'training' constantly.

Turning "be interested in your work" into "put in 80 hours, train like you're in boot camp" seems like a silly way to act tough (and exclude people with families or hobbies from a field). Your point, actually caring about your field, seems much better.

It sounds a bit like developers who jump on every hyped up new technology without really having a reason.

I thought the OSCP, which is the one he recommends, was a little better than the others. Not enough to be a requirement, given other skills, but better than the multiple choice tests of the CISSP and Security+. Unlike with those, the OSCP involves an actual network and using actual exploits.

I wouldn't automatically discount someone who put the OSCP on their resume, like I would the CISSP, CEH, and Security+. Any experience, even non-pentesting, would probably trump it though.

If I'm honest, and I feel like I should be when it comes to talking about my profession even though I'm going to be a little impolitic here and it could cost me elsewhere: yeah, I definitely do discount people a little bit if they volunteer to me that they have OSCP certification.

Avoid certification.

> Avoid certification.

IMO that should be avoid current certification. Avoiding all certification for all eternity would imply that training decent pentesters/hackers is something that cannot be done in a controlled methodical way. Which would be a setback for the entire infosec industry, IMO, because I do think that such a thing (infosec is not a special snowflake) is possible.

I think OSCP is actually a big step in the right direction. The harder challenges in their training network force you (and encourage you) to deeply investigate the underlying security issue. That part of the training actually focuses on the underlying conditioning that you need to become a good pentester, as shown by their slogan 'try harder'.

It's the same thing that armies the world over do. The army also realized that knowing everything there's to know about tactics and how to operate a weapon is not enough, soldiers also need to be aggressive and need to be conditioned to be able to effectively engage an enemy. So there's training designed to increase a soldier's willingness to fire upon enemies when ordered to.

The same goes a bit for this training, where underlying simple technical guidance is provided at the start of the training, and later a trainee is left to themselves and pushed to investigate on their own, something that I'd recognize as one of the cornerstones of a successful hacker.

Still, I'd also avoid hiring a person for a technical position if all they can show is a CISM/CISP/w\e

You'd be better off participating in CTF challenges than doing the OSCP.

Heh I tried that a few times, but I found that many of them have devolved into hopelessly contrived abominations of true security issues. Fun games to be sure, but of trivial usefulness for actually building up skills I think.

I do like the ones that offer memory corruption/exploitation challenges, but those are few and far between.

"Avoid certification."

So how do you get through HR wall? Padding CV with keywords is a common way to get an interview. I'm an embedded system engineer looking to move closer to IT security, so how do I get there without experience and certifications as virtually all jobs require one, another or both (except junior positions, but I'm too old to start from the very bottom)? I do learn a lot on my spare time, but you still need to get a chance to demonstrate your skills, which is impossible if your CV is discarded as "requirements are not met" (a.k.a not enough keywords on CV match the ones in job description).

HR wall? You're applying at the wrong places. If a company needs to see letters on your CV, it's because they have no idea what/who they want.

A decent company will have your future colleagues heavily involved in the hiring process, and they'll know how to chat to you about security.

> HR wall? You're applying at the wrong places

This elitism is not helpful. There are finite employers in the world, and many of them do screen based on keywords. That's reality. Applicants who are entering the job market might not always have the luxury of disregarding n% (where n most likely > 75) of their potential employers based on stuff like "oh well any real company wouldn't screen my resume..."

The security industry is remarkably small. If you're going to spray your CV and hope for the best, sure, having as many certs as possible will get you past the first interview.

But chances are if someone is browsing HN they're at least genuinely engaged enough to do better than that. You're advocating for people to shoot for average, I'm suggesting to not settle.

> You're advocating for people to shoot for average, I'm suggesting to not settle.

From my perspective, I'm advocating that people don't inadvertently shoot themselves in the foot. They might not yet be qualified to work at Matasano or [insert top tier security shop here] : not everyone is.

Assuming someone isn't (yet) qualified to work with their dream employer, what do you suggest they do? "Don't settle" in that scenario sounds a lot like "be unemployed". I'm straight up saying it's better to build up skills at a job - even if that job isn't their endgame.

I'm generally on board with this point - encouraging everyone to shoot for the top 10% inherently means letting down 90% of people.

But I think in this case, the issue might be that rather than one job being the first step to the other, we're talking about two totally distinct tracks. If a company is sufficiently shoddy and certification-happy, it's possible that they don't even provide meaningful experience for someone seeking the top-tier options. You might be better served by hardening systems at some general software job than getting an entry-level security job and blindly throwing Nessus at client's systems.

"A decent company will have your future colleagues heavily involved in the hiring process"

Of course, but you still have to get to them first as no sane company makes their engineers to do 1st round CV screening (especially for publicly announced positions where tens or hundreds of CVs are applied). From my personal experience, technical interview with an engineer is usually only on 2nd/3rd round, so we are back to square 1. Yes, I know the best positions are filled through networking and recommendations, but that's not an option when you live outside of tech bubbles.

I'm a fan of yours. I asked before and I'll ask again as someone who is depressed into day 3 of a new annual round of OSCP study and yet again crippled by impostor syndrome: without a formal degree, what is there beyond your Amazon booklist?

I started MicroCorruption and RE flummoxes me. I keep coming back to it because I can tell how weak I am and it has pissed me off for 2 years. Even in OSCP i get bent out of shape on my insufficiency there and never focus on other stuff.

I don't want to be a Metasploit jockey. Where to from here? Online CS courses in C and ASM work my way up? I don't have a degree in it.

I don't have a formal degree! I have 1 semester of college from 1995, and that's it.

You don't have to do RE to be in software security. There's virtually no assembly-level RE in web application security, and very little of it in mobile security. Both of those specialties are more lucrative than RE, a specialty where maybe the top 10% go to high-status RE and exploit dev careers, and the other 90% go to low-status malware analysis and SOC jobs.

My advice is to pick a technology stack you really like and get comfortable with it at a nuts and bolts level, and then build security expertise on top of that. Maybe that's iOS and Swift, or maybe it's web and Django, or maybe it's distributed databases. Pick something, get good, and then be a security expert for that thing.

Picking has always been hard I guess. Thank you very much for the solid advice. I will keep it in mind moving forward.

Then don't pick: surf r/netsec and use anything you find fun. 1 month later look at what you practiced most and enjoyed most, here you are, some part of your brain actually picked the possibly right thing for you. :)

This is a great trick in all sorts of settings. If a choice seems meaningful but hard to make, look for a way to bypass it until the answer is obvious.

This might be doing others a disservice. Don't avoid certification altogether, some people actually enjoy the study/test and tangible outcome of certification. I personally have none, it's not for me.

Rather avoid certification if you just want to have 20 lines on your resume to look like a ninja and brag. I'm a hiring manager in infosec, and same deal if you brag about certs I start to tune out.

>> Avoid certification.

Why? Is that something that can hurt your abilities, or your employment prospects?

Possibly the former, certainly the latter.

Please explain how is that so?

Certification in a field such as vulnerability research doesn't help with your abilities because the techniques you learn are rarely related to the techniques you need to be the best in your class.

As for job prospects, generally certification won't get you into companies that are only looking for talent as opposed to a checklist of certifications (the former is usually where all of the really interesting work is done). So wasting time on a certification that won't help you is putting you behind people that don't waste their time with certifications.

I think you guys are comparing apples to oranges

> Certification in a field such as vulnerability research

OSCP is basically tool-based network pen testing with a bit of outdated websec and buffer overflows thrown into the mix. It's not "vulnerability research" in any meaningful sense of the word. They have some other certs (OSCE) that might purport to target that domain, but idk much about them.

> As for job prospects, generally certification won't get you into companies that are only looking for talent as opposed to a checklist of certifications

So apparently OSCP won't get you a job at Matasano - but they're not the only game in town, and a lot of other security shops with less name recognition and lower standards do in fact use the OSCP as a positive signal.

No, it won't be l33t but it will be a job that they can use to transition to those fancy schmancy companies whose founders are HN regulars.

Name a pentesting firm that cares about the OSCP.

In the UK OSCP can be used for CRT equivalency and I know that many/most pentesting companies care about CRT/CCT qualifications in the UK, if only because they're a requirement for doing work for some government departments, and also some financial services companies will use CREST certification as a check for testers doing work for them.

So in that sense, they do care about OSCP.

> Name a pentesting firm that cares about the OSCP.

Here: https://rhinosecuritylabs.com/company/ lists OCSP and CISSP and a bunch of other certs. So I guess they care about that.

Now, how about you name the pentesting firm that does not list any certs.

The pentesting team at SEI-CERT cares about it.

pentesting requires fast thinking, an ability to learn quickly, and solve unusual challenges on the go. It could be considered dangerous to become comfortable having lessons to teach you new skills, and fairly arbitrary exams that are a poor replica of the real world to assess your own skill set.

A lot of good employers know this, and put zero weight on certa. Or as tptacek mentioned, possibly even consider it a bad thing. If I see a CV with CEH, I go in with an open mind but aware it's probably going to go poorly. I'd rather see someone who bought a stack of books, wrote some vulnerable code to attack, asked for advice from people; demonstrated they could throw themselves in and make it up as they go along.

Would you hire somebody for c# coding if they have spent a year in school five years ago getting VB.net certification?

How about if they just had a job in Vb.net form a year and then worked other languages for five years.

I guess it's a very fine difference.

If you are a black hat, would that help if you have a certificate and half the world knows about it? Transitioning from a (anonymous) black hat to a white hat is relatively painless. However the opposite could be quite painful, because the probability of you ending up on the suspects list will be much higher. Also consider how blurred the line between white/black hat really is.

If you're entry-level and don't have a network, certs help you get through the HR filter. Once you're mid-level, you can use your network and experience.

This. Simply saying "certifications are bad don't get them" is not universally helpful advice. Some people will definitely face improved career prospects with the right cert(s) depending on their market and level of experience. Not all companies have equally enlightened hiring practices - and not all prospective employees can pick and choose the way some veteran HN members can.

> The irony is that the author is a netpen person, which is sort of infamously the least demanding specialty in offensive security.

I think that's a fairly sweeping judgement to make, and not entirely accurate. I think it says more about your own experiences than those of network penetration testers.

You could equally cast the aspersion that red teamers are little more than Microsoft Office power users and occasional part-time domain admins and fall just as far outside of the mark.

The speciality is certainly demanding. The generalisation is not. The difference is that scan and scram artists and PCI scanners get lumped into the more general area associated with network penetration testing.

When done properly, network penetration testing is inherently valuable, not just from a security perspective but from a network discovery and debugging perspective.

I think your point on network testing (and indeed points 2 and 3), are shining examples of navel gazing within your own experience. Perhaps it's best not to belittle an entire subsection of the industry you spent so long in all at once, but to ask yourself why you believe this to be the case and wonder where you may have gone wrong in this assertion.

I am just starting in Networking and want to progress to NetSec eventually and I was kind of taken back by OPs advice to work 80 hours a week, I want to have a life, not work all the time, so your comment was pretty comforting.

> 2. Don't get certificates

I am progressing through my CCNP and LPIC-1, mostly because I want to get recognized for my skills, but I also see them as a guideline, what to learn next, kind of like a ladder, maybe one day I will get to the top of the ladder and have no where to go, but for now I think that certifications lay a path for me, what do you think about that?

Tangentially related: If you can, work to live - not live to work. I'm retired, but I remember weeks of 90+ hours. I highly recommend against that.

But... Hey, yes, have a life, that is a hacking / security life !

Is there something else ? ;)

Honestly without joking, as the OP said, having this as a passion or lifestyle is going to accelerate your proficiency compared to the others. My feeling is that it's not an absolute prerequisite, just a tremendous accelerator.

I started "having a life" maybe 15 years after the beginning of my hacking passion ;) tho my wife would argue about that ;)

> much less spend 80 hours a week working at it

No. The author counted learning (perhaps including going to meetups and watching DefCon videos) in it.

> If people writing browser drive-by exploits can stay on top of their game with a 40 hour work-week, I think the netpen people can too.

He clearly stated he loves learning. The amount of stuff you can learn around every possible vulnerability is virtually unlimited.

I'm currently doing a PhD in electrical engineering. I've just finished my first year, and I'm starting to realize that the work I'm putting in to research projects isn't being appreciated monetarily. In other words, I feel like my time is worth more.

I like to think of myself as a decent programmer, but I'm not well versed in software security (more of a hardware person). I've also never had a full-time job as I jumped straight from my BS to a PhD.

I'm considering taking some security-related courses next year and getting my MS. I have two options after that: 1) look for summer internships in the field of software security and see if I like it, or 2) look for full-time positions and withdraw from the program temporarily to test out the waters. The issue with 1) is that there are less intern positions available, at least based on what I've seen.

Am I approaching this correctly, or is there something else I could do? Any advice is appreciated!

If you were going to get an internship position anyways, getting an internship at a security company isn't a bad plan. I wouldn't take an internship rather than a starting-level full-time position though, if internships weren't already your plan.

Yeah, assuming I stick to the PhD, the default plan would be to do an internship every summer. I guess I'll start looking for potential companies before searching for something full-time.

Thanks for the advice :)

>I've also never had a full-time job as I jumped straight from my BS to a PhD.

Not having any work experience means you'll go through "University Recruiting" (vs experienced hire) recruiting channels at any large company. This gives you tremendous freedom to explore a variety of careers as employers will only be able to judge you by your academic credentials and you won't be pigeon-holed by your professional experience. Use this to your advantage and explore as many careers & companies as possible.

Your internship will be your first professional anchor point so choose wisely - you may consider starting with a broader, more general software engineering experience before specializing to keep your options open.

> The irony is that the author is a netpen person, which is sort of infamously the least demanding specialty in offensive security.

I googled, but I didn't manage to find out what "netpen" is. Network Penetration? I'd assume that virtually all relevant security stuff is network related these days so I'm still confused. Which are the other specialties and why are they more demanding?

Network Penetration Testing is a correct guess.

Pentesting itself can be quite a broad field, and although you’re right about a lot of it being network-related, it typically gets split into categories depending on the exact type of pentest (e.g. application penetration testing, wireless pentesting, embedded devices, SCADA/OT systems).

You could get into a debate on which areas are more demanding, but as you get deeper, they do require different skill sets/specialities/ways of thinking. Someone who’s great at web app pentesting may not necessarily be fantastic at RE or social engineering.

So is webapp pentesting a part of netpen? How about wireless? I still don't understand the definitions.

I personally agree NetPen is the least demanding. Not because there aren't incredible netpen testers nor that it can be challenging, but generally you have a lot of attack vectors across a very complex piece of infrastructure, and you just need to find the weakest link to win.

Compare that to say, cryptography or code review, which typically require fairly deep specific knowledge and a lot of intense focus, as opposed to broader knowledge and a willingness to try a lot of different things.

Most findings in netpen reports I see are basically that something wasn't configured correctly, or that one of the 10k employees had a weak password, or someone got phished. I often chuckle but rarely am surprised or learn too many new things.

I noticed number 3 in an internship I did in a security company. It was what pushed me towards a career in software engineering instead of security, because I was much more into it than most others were, many really weren't that interested in it.

I get the certificate hate if you have to pay for them yourself but that seems like an awfully broad statement. Many organizations love to send you off to get certificates. Anytime I need a vacation I simply look for a new certificate to get.

Yeah...stopped reading at 80 hour weeks. I don't care how esteemed someone is in their industry, if they have to completely destroy their life to get there I question their judgement and don't want their advice.

Not sure such an absolutist approach is much better. I definitely agree with your sentiment, but as my own clichéd counter-example, I can tell you that I wasn't always like that.

I squandered away my 20's and 30's on 80-hour work weeks. It was never expected of me, I just loved my job and did it anyway. Yes, there have been benefits, but today I feel I lost more than I gained.

At the time I would've dismissed you and your comment as you do OP's. Life just isn't that black and white.

It's more nuanced than that.

Working at your job 80 hours a week = a waste. Always.

HOWEVER, spending 40 hours a week engaged with something you enjoy and are interested in is a perfectly fine way to spend your time.

But what, I hear you ask, if I enjoy my job? Well, what about the job do you enjoy? See, if it's the work, chances are you can freelance, self-study, build stuff for yourself, in the same field, and get the same impact, AND you're free to do it how you want, free to learn whatever lessons you want, AND to capture any value it may add for yourself, rather than giving it to your employer.

This person is spending their time learning. I.e., investing in themselves. I disagree with their statement that that's required for their job, but it -does- likely make them better at their job than they'd otherwise be, and so long as they enjoy it, I can't find fault with it. But it shouldn't be a burden.

>I don't care how esteemed someone is in their industry, if they have to completely destroy their life to get there I question their judgement and don't want their advice.

Well, the best way to negate that advice is to put out your own and show that someone can achieve the same with a much lesser workload. Any other argument is simply an opinion. I certainly don't want to work 80 hours a week, even if I know that I can get a lot more done in that time. However, depending on what it is you're trying to do, putting in 80 hour weeks might be perfectly appropriate. If you want to be simply the best in the world in anything, you simply have to put in a LOT of work. I'm not saying its 80 hours or 56 hours, but yeah, if being average or good-enough is OK, then work-life balance is very achievable.

We just had some consultants do pentesting on our medical device and its software components. I was pretty impressed by all the problems they found quickly. As developer I find it pretty hard to stay up-to-date with all the possible ways hackers can get into your systems.

To me this was money well spent.

Check out Threatcare, it's a SaaS version of what most pentesters do.

any specifics you can share? medical device & security, and iot & security will be pretty critical (since it's not already).

The stuff they found were some big picture stuff but also little things like misconfigured drive encryption. So even if you do the right things it's good to have someone check that the right thing has been done right. This is way too specialized for the regular dev to stay up-to-date with.

i could totally see these. it's also easy to hack up some stuff to make it work, and then forgetting about it.

thanks for sharing.

I would say certs have value in security management, compliance and audit. In fact, if you want to take one of those paths, certs are mandatory. If you want to do technical security (which is totally different), then get a CS or EE degree and maybe a few SANS certs (optional unless you are in a regulated/compliance oriented industry). Finally, having a security clearance will help as well, especially if you or your employer want to do government contracting.

Edit: To expand on the cert topic... if you want to do computer forensics for law offices, police departments, etc. You'll need a technical cert (GCFA, etc.). And having a CS/EE/CE degree won't hurt either. You'll have to have a cert to do serious forensic work.

> There is a huge need for InfoSec/NetSec professionals

I know far more people that moved from Security to development than the other way around. Security work has become less pioneering and more routine. The fun part of security is learning, not work.

The demand for developers increased faster than infosec and so did salaries.

I am always fascinated by pen testing and studied computer networking in security to fall into a software engineering job. I just never knew where to start with heading a leg up on the tools and practices to be able to go into pen testing professionally... I couldn't find any apprenticeships or junior roles for it so ended up shelving it as a 'maybe one day' 'dream'. Where would be the best place to start? Most of the books I have are pretty dated now.

Also the article was a great read. Pinning it to go over again on the weekend as my lunch is now over.

I work as pen tester (ask me anything). In school I got the opportunity to pick digital security as my major, but I'm certain any computer science related study would have been fine.

When interviewing for my current company, my first full-time job, I was given a vulnerable web application which they used to assess whether I could do the job (next to a regular interview). I aced this hack test, but due to it being my first full-time job they still scaled me in as a junior.

Overall, if you know your thing, you can just go and interview with companies that do security. Specifics, such as a workflow when performing a security assessment, are specific to a company anyway. With some semi-related work experience (many colleagues have a programming background) you should be able to come in above junior too.

As for where to get the skills: hack something. My study gave me dedicated time to spend on it, but even in high school I was writing code, sharing it with others, and we had fun poking around each other's applications security-wise. That's how I truly learned: doing.

I'm the same as you. I got this book:


Which I've dabbled in, and haven't gotten further than what I already know from my CS education, but the consensus seems to be it's a good book to learn from.

this is gold and so inspiring.

So many years pen testing.

Is blue better than black?

Do red pens last longer?

Black tend to not notice how much / badly tainted they become.

Red/white may not know how bad and hostile reality is.

Ps: no, there's no comment about ethnicity in this comment.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact