Ask HN: How did you get started in Network Security/Penetration Testing?
185 points by Txmm 6 months ago | 64 comments

I’ve been a professional software developer for the last 4-5 years, but never took security seriously until IoT took off. Get some Raspberry Pis, install Kali Linux on a VM or spare computer, and go to work! It’s just so easy and cheap to set up a pen test lab. I’d recommend every dev have a few attack machines for fun. That’s how I got started.

It’s also a huge field. Try checking out security in your current discipline. I was a web developer in 2013, so it was natural that I was inclined to look at SQL injections, XSS, packet sniffing, etc. I already understood the domain. That is easier than jumping into reverse engineering firmware if you have no xp.

Now, after a couple years of practice, I’m recommitted to security. Huge issue in our current tech ecosystem. I was just approved to take CEH and will be taking it next month, to make it official. If you need some structure to your learning and want to make a career move, check out getting an industry base cert like the CEH or offensive arc cert. Most security jobs prefer candidates to have at least one, and they’re not incredibly difficult.

Happy pwning!

Skip the CEH and go straight for the OSCP. It's much more valued. Many in the industry see the CEH as a joke. Good luck!

I don't disagree that CEH is inflated, and this coming from me, the guy who paid $1000 for the chance to test.

What the CEH does give people is a curriculum that they can adhere to. Not everyone can wrap their head around a complex subject like infosec alone. It's not a badge of honor, especially in a niche like infosec. But it does show you're serious about the field and willing to make a financial commitment. That's why I'd say it's worth considering if you're looking to make a career move. Of course, look at every other option and choose the best fit for you.

I wouldn't skip the CEH, at least not the material, but I wouldn't use it as a badge of honor on a resume either. It's a decent study guide as it exposes you to the nomenclature fairly well, but it's far too easy to pass the certification without actually being proficient in anything.

There is a massive difference between the CEH and OSCP. If he's ready to take CEH, I'd say do it and use that experience to begin studying for OSCP.

OSCP is no fucking joke. It's hard.

Hey man this is really inspiring. I've been thinking about switching from web dev to security. How do you like it in comparison?

Right now I am happy as a freelance software engineer. I wasn't looking for a new job (I wanted the KNOW), but I _was_ looking for validation among business-types. I also have a few certs from AWS, and attaining those created the validation I needed in Devops/cloud (so it can be worth it for career growth).

Honestly, I just got tired of being THAT developer who willingly shirked his security duties. I always let someone else 'handle it'. In comparison now, I'm much more confident because I know (more) about securing the network and underlying ecosystem that my applications live in.

I think most people hiring want to see a developer who is excited and puts out lots of work. I've always been pursuing this in my free time, which goes a long way to show that I am truly interested in the subject. But at the end of the day, your cert can't secure a network if you can't. Get the KNOW and you'll find an opp w/ or w/out the semantics.

Hope that helps.

That helps, thanks for the reply!

"It’s also a huge field. Try checking out security in your current discipline."

I'm actually 15 at the moment with basically no experience besides messing around with kali tools like a script kiddie.

Got any tips for programming languages to learn/where to learn?

I appreciate the post!

In terms of languages I'd echo the sibling comment: Ruby or Python are likely to be good choices.

If you're looking for things to start getting into security type learning, you could do a lot worse than start with CTFs (https://ctftime.org/ctf-wtf/). Whilst they're not identical to what you'll face as a security tester, they cover a lot of similar skills. Also you'll likely meet people in the industry by doing them.

There are also sites like https://pentesterlab.com/ which have free examples of pentesting challenges.

Hmm those look very interesting. Thanks!

I remember when I was 15 and asked that same question on hellboundhackers :D #nostalgia!

Jokes aside, go with Python. It was my first language and to this day I can't think of a better language for people to start out with!

Good luck to ya!


Take a look at either Ruby or Python - both have huge userbases in general, but are also used regularly within the business.

A lot of quick scripts are written in Python - you may have noticed this in Kali.

Ruby is what Metasploit is built upon, meaning a lot of the modules are also Ruby.

Both are great languages. In regards to where to start with learning them, take a look at https://www.codecademy.com; both are featured there and give you a nice gentle introduction to their syntax and ways of working.

Also for Python there's https://learnpythonthehardway.org which is awesome, and https://automatetheboringstuff.com which is a little more practical to begin with.

Once you feel comfortable with the language(s), go read the source code for those scripts or modules in Kali and see what else you can pick up.

Thank You!

For some interesting reading, go pick up a Kevin Mitnick book like Art of Intrusion. It's not a technical how-to but a collection of social engineering stories that are fun reads. Gives you a lot more insight into where the real vulnerabilities are.

You have a long but very interesting road before you. Infosec is huge. Lesley “hacks4pancakes” Carhart has a great series which provides an overview of what you can choose from: https://tisiphone.net/2015/10/12/starting-an-infosec-career-...

If you're serious about infosec and not just want to run tools and call it a day, I suggest covering the basics first:

- programming: would be cool if you learn not only some language but programming “as art and mindset” in general. This includes your typical Computer Science courses, algorithms etc. Great if your school or university teaches those but you can always fall back to online education platforms.

When it comes to language, I'd recommend Python over Ruby. Granted, the latter powers Metasploit, but a lot more tools and wrappers around tools are written in Python. Once you know Python, creating Metasploit modules won't be a problem because a lot of things are handled by the Metasploit Framework.

Also, this comes from a highly subjective Python developer, but I suggest learning Python 3, despite a lot of infosec tutorials and tools still using Python 2 (e.g. socket programming). It's easy to fall back to Py2 if you need, but you'll have the power of the latest and greatest if you go Py3 because not everything is backported. Most books contain a lot of useless material and are pretty slow-paced, and I'm not a fan of “Learn Python The Hard Way” either. I personally started with “Learning Python” by Mark Lutz; after about a third into the book I ditched it and just went practicing and googling for answers. Cannot vouch for “Automate the boring stuff…”. You do you, but in the end it all comes down to practicing.

- networks: almost as important, if not more important than programming. Web pentesting, internal network pentesting, malware reversing, DFIR, even some part of exploit writing constantly interact with networks and analyze traffic.

- OS: for starters, tinkering will be enough. Familiarize yourself with Windows (console, registry) and some flavour of Linux (shell, permissions, important files etc.), preferably Debian-based because they are popular in CTFs and tutorials. Install and configure some software like web servers, databases, development environments to get the hang of it.

Where to learn:

Google, obviously.

https://pentesterlab.com/ is great for web pentesting. They have a free tier with pretty okayish explanations and exercises. They also have a “Bootcamp” section which covers some network, programming and Linux stuff.

LiveOverflow's YouTube channel has a playlist called “LiveOverflow Binary Hacking” which is a great primer into exploit development on Linux. For Windows, you should probably check the Corelan series: https://www.corelan.be/index.php/articles/

https://www.vulnhub.com/ has machines for practice. Not all of them are great but you may learn a lot by reading writeups.

When it comes to certifications, they all serve their purpose, even CISSP and CEH. I did OSCP and while I won't call it “10 out of 10”, it's decent and probably the best one when it comes to skill practice and cost. It targets internal network pentesting, though, which might not be that useful if you choose another field.

Did I mention Google?

I decided I wanted to get verbally assaulted by engineering teams I was reporting findings to day in and day out. Who would have thought, I managed to make a career out of it!

(ps, if you do go down this route, try to find a job at a company with a good security culture. starting one from scratch is walking a road of broken glass)

Corollary: Don't try to fix a company with bad culture. You can't change enough of it as a low level employee. Quit, and find somewhere better.

Working on it.

A bunch of comments here warn that you may become unemployable in software engineering as a result. A so-called "security lifer".

I think that's a little silly. I work for one of the top security consulting firms and it's just not my reality, or that of anyone else I know. In fact, the total opposite seems to be true. We have talented code reviewers and tool writers move on to work at tech companies all the time. These people are still interested in security and from what I've heard, they end up working on or even leading some really cool software engineering projects.

I suppose if you woke up one day and decided that you're no longer interested in security at all, it may be difficult to pivot back if you stopped writing code. But that does not sound like the typical person who was originally interested in both security and code. Most security consultants I know who came from writing code really excel in security doing code review, architecture review, tool dev, etc. and those are all things that can translate back into software engineering experience on a resume.

Of course some people's experiences will differ. There are plenty of employers out there who are biased or looking for a very specific background. But these cases are far from the norm. Perpetuating the whole "security is a dead-end, life-long job" narrative is spreading needless FUD and prevents the industry from maturing.

Just to clarify for everyone: Be careful switching your career to netsec/pentesting. If that's your thing, great. But you're likely to be a "lifer" because no one will want to hire you anymore for webdev.

It's not quite as clear-cut as that, but if you're out of the game for N years, it's really hard to get back into it. Especially when you're not younger than 30. Ageism is a real thing.

As someone who has tried a couple times to jump the other way I can attest to this. Completely stonewalled for full stack developer positions.

I have found exploits by knowing the quirks of all sorts of libraries and I have to be able to understand how things work on a deep level. But because a lot of the job is tracing other people's work and finding gaps in their logic, you don't have as much 'dev' time in the traditional sense. Most of your coding turns into ways to prep your exploit. Your life gets wrapped up chasing obscure malloc bugs or strange Chrome behavior rather than contributing in normal developer ways, and companies don't recognize this as transferable. I'm only a little bit bitter about it, but I love my work. I just hope the pay stays solid and I don't end up in a dead end job later in life.

Also it's really hard to be good in this industry. It is almost entirely driven by the top 1% of people and as someone who is not in that demographic it feels like a constant struggle to keep up.

By your text, you're a random senior developer. It shouldn't be too hard to get a position, as long as you live in one of the active tech locations.

It looks like you and the parent poster are facing the usual company that is looking to hire a cheap 20 year old web dev with little experience. Not a good fit for you.

I've heard a lot of managers complaining that it was hard to find security people who could code well, so while getting a generic web dev job may be hard due to bias, it should be relatively easy to get a security engineering position where you write security-related code, as long as you're good at the writing code part.

Sure, but that still makes you a security lifer.

To echo a sibling - that's not a bad thing. But let's add some context.

Security is one of the few fields that can truly benefit from a holistic approach. Really good QA people who can code and work directly with both marketing and engineering can lay the same claim to their field.

Once you have enough experience in development AND security, it's easy to add product life-cycle[0] considerations into the mix. When you get that far, you're expanding into architecture and workflow engineering. And this is where it gets interesting...

If you end up being responsible for security matters as part of engineering workflow, you will find yourself also deeply involved in compliance. People who have solid background in development, work on architecture or product life-cycle, focus on practical security, care about engineering workflow -- and can tie all this together to satisfy compliance requirements are rare. Very rare.

Not to mention employable.

The ability to meet ever-changing compliance requirements WHILE maintaining sanity, engineering workflow and development velocity is already in high demand. It can be very satisfying too, because you end up covering architecture, production systems, development and business needs, all together. The approach has to be holistic, because nothing else works.

The common wisdom is that security is a process. It's also a mindset. And a mindset can be taught...

0: Magic acronym is "PDLC" - Product Development Life Cycle

I didn't really find it that difficult to move from security consulting/research/code audits => dev/researcher at security vendors => machine learning engineer.

So I don't know how we decide whose anecdote wins here :p

Simple. If you value your career as a dev, you won't become a pentester. :) There's no upside except intellectually. Being a dev pays more and gives you more options going forward.

That's a harsh way to frame it, but it's also accurate. (I'm speaking from experience FWIW.)

In other words, you could have become an ML engineer anyway. No reason to risk it by becoming a pentester.

One thing to note is Dev paying more than security is a bit geographically dependent.

I know dev salaries in the US are very high, but in other countries (e.g. the UK) security posts can pay pretty well relative to many development posts.

In terms of options, there's a fair number of options available after pentesting, although most of them revolve around security in one guise or another. On top of the obvious moves into IT/Infosec management, there are new fields in security which open up alongside tech.

Recently there's been an expansion with fields like malware analysis, blue teaming, incident response and red teaming showing quite good expansion.

Within "pentesting" there's areas like IoT, Automotive, maritime etc which can offer moves for people wanting to move on from more trad. pentest roles.

I found security to be more financially rewarding than dev work (in the US) by asking developers at places I worked how much they were paid.

I wouldn't really recommend being a pentester either, but there is plenty of need for people who understand security and can code to write software.

It seems like you're having a tough time, and maybe ageism is a factor here, but none of what you're saying really meshes with my experience.

You say that like it's a bad thing!

I don't think I agree with this, at all. It depends on what you do in security.

If you work as a pentester or network security staff, then you might be trading a career in software development for a career in operations. In that career, it's more likely that you will be challenged to _use_ tools, build processes, or fight political battles for consensus, rather than build software.

On the other hand, there are many firms that hire primarily for security engineering and focus on building software. Any skills you have in software development will stay current, and your work in security would make you a better, and more desirable, software engineer.

Anecdotally, I can name many people who have made the jump from security engineering to positions like VP of Engineering, CTO, or simply software engineering.

See the sibling comment. Both stories are common, but I think my story is far more common. We don't have data so it's impossible to know, but of course you'd see a lot of people go from security engineering to VP or CTO -- those are the winners. Survivorship bias is a nasty beast.

I've only seen people make poor choices and limit their own careers. It's nothing inherent in the field of security that forces people to let their dev skills atrophy while turning into script kiddies or non-technical managers. You should be aware of what you are doing when entering ANY new field.

Obviously, if you enter a job where you have to "fight for dev time" as the sibling comment you refer to mentions, then your skills as a dev will suffer. That's not a good career path if you think you might want to return to software development one day. Find a job in security engineering, of which there are many, where you have to fight to take breaks from coding instead.

I think people have a confirmation bias that the security industry is made entirely of "netsec/pentesting" jobs since the news cycle is driven by hype from bug hunters, consultants, and vendor FUD. There are enormous numbers of people working on designing and building new security tools, capabilities, and research. Do that.

Finally, I'd like to say that if my own company wound down tomorrow, I am confident that every single one of my ~30 engineers could find a job in software engineering in an instant.

Coming from someone who holds your company in high regard and loved your company's work in the CGC, I really have to disagree. You can be neither a script kiddie nor a non-technical manager and still have webdev shops view you with suspicion, for much the same reason node shops might see someone who has a lot of Java on their resume as someone who may not be a good fit because of 'technical baggage.' We can say that someone just needs to 'git gud', but I do think it's important to acknowledge that many times there are biases that get placed which are not always 100% rational.

Edit: Also I do believe your claim about all 30 of your engineers being able to find work elsewhere. You have to admit the average employee you have probably isn't reflective of anywhere near the average of the industry or even the enthusiast community.

That sucks, and I'm sorry to hear that. I guess we can both agree that firms with such immature views probably don't deserve your resume to begin with.

Happens, and I won't pass judgement. The IoT explosion has been the best thing to happen for me in years career-wise, and now I get to combine the best of both worlds.

A way to validate that you're genuinely interested in penetration testing and to learn is to do challenges on sites like https://www.root-me.org/ for example. They're not necessarily realistic challenges, meaning there can be challenges on vulnerabilities you're very unlikely to see in real life, but you'll always learn something. If the challenge does not teach you about some kind of vulnerability, at least it will teach you how to think and do research, which is the most valuable.

I've seen companies filter candidates based on their score on such platforms. For example, for a junior position in penetration testing, they asked for at least 3000 points on root-me (but it was a few years ago, the number of challenges on the site has increased so it would make sense if they had increased their minimum points requirement).

Compared to certifications, it has two enormous advantages: it's fun, and it's free. I've started that way and never regretted it. I've not needed a certification to land a penetration testing job in a serious company (this was in France though, I don't know much about practices in other countries).

I dabble in netsec, but am not in it. My job requires me to work with our netsec team so I prefer to be familiar with the subject matter. I usually lurk on /r/netsec and they have a good resource on their wiki[1] on getting started in netsec.

[1] https://www.reddit.com/r/netsec/wiki/start

Thanks! I'm glad you found that useful (I'm one of the mods there).

/r/netsec is no longer the smaller, more personal community it was when I started as a mod (7 years ago now?). If you're just starting out, one of the things I recommend most is finding a meetup in whatever city you live. It's hard to underestimate how useful an in-person conversation over a beer or two can be when you're early on.

I guess my advice for you would be: take your netsec team out to lunch once in a while! :-)

I got started for personal entertainment in darker corners of the internet. That ultimately evolved into me writing some of the tools people used in the industry. Eventually that developed into some SaaS products and 2 companies that we ended up selling.

My advice to you if you are just getting started in the infosec world is... don't do it! Short of the increased attention to encryption and various better authz/authn standards... the newer crowd doesn't want to hear anything about the vulnerabilities in their code. 9 times out of 10 the only reason they'll resort to testing anything is to cross off a corp checkbox somewhere. Keep in mind that nobody likes policy and you'll be associated with their hatred for it.

> 9 times out of 10 the only reason they'll resort to testing anything is to cross off a corp checkbox somewhere

Can confirm.

The way it usually works is that Company X has N dollars allocated for security. Company X (or rather, a person or a team at Company X, with his/her/their own internal and external priorities and motivations) buys a service - recurring automated tests/assessments/pentests &c. This is where the usual corporate bullsh*t kicks in. If they want to show that they've done a good job in securing something, they buy a pentest over a short duration for a minor thing and then they claim "<trusted security vendor Y> said we were secure". If they want more money, they obtain data to show that. The infosec companies have a "customer is always right" mind-set. It's business.

You can probably get good cash just for telling people to use TLS. Green padlocks and all that.

EDIT: also, to differentiate infosec from regular security, don't forget to prepend "cyber" to everything.

In school, they taught us of the existence of Wireshark. It lets you see network traffic.

I had an oppressive computer teacher in high school and I liked to pull pranks. It started out with simple password guessing, then phishing, then trojaned USB autoruns, SAM hash dumping, and password cracking, then some wifi sniffing... I never thought of what I was doing as hacking at the time (2001-2002). I just wanted to use the computer lab to play video games, and show up my jerk of a teacher.

In my senior year of high school, I was handed a brochure for a scholarship program offered by an engineering school that paid your entire tuition if you studied cybersecurity. I didn't know much then, but I knew loans were a bad thing, so I went with it and attended that university. The final hook was a Capture the Flag (CTF) game hosted by the school. I had not pursued obtaining the scholarship until that point but playing in the CTF got me exposed to the other students and convinced me to go through it. You can read more about the NSF Scholarship for Service (SFS) program here: https://www.sfs.opm.gov/StudFAQ.aspx

I like to characterize myself as one of the first class of graduates with specialized degrees in cybersecurity (at least in the US). Anyone older than me is usually entirely self taught, anyone younger generally had exposure in an academic setting. I was about half and half. For reference, I am 32. I think the NSA Center of Academic Excellence program had a lot to do with that shift. Many US universities were first getting certified with new coursework to meet that standard through the mid to late 2000s, right as I was attending college. https://www.iad.gov/nietp/reports/current_cae_designated_ins...

FWIW I wrote a short career guide to help others trying to make sense of the field and how to get started. https://trailofbits.github.io/ctf/intro/careers.html

In fact, this year's Flare-On challenge just started today! It's an online game composed of 10-20 reverse engineering and forensics challenges that takes place over the next few weeks. There will be solution writeups after the challenge is over so you can learn how to solve whatever got you stuck. Give it a shot! Flare-On always gets great reviews for being fun to play, and online games (CTFs, wargames, etc) are a great way to get yourself started and add something to your resume. https://2017.flare-on.com/

I am now the CEO and co-founder of Trail of Bits, a high-end software security research firm. I will probably never quit the field. You can read more about what we do here: https://www.trailofbits.com AMAA?

I feel like it is difficult to get hired right out of college into a pentesting/netsec role without a bunch of certs and CTFs (which you do mention in your career guide). Even then it just looks like just another qualifying tick in the checklist. Right now I'm thinking a dev job for a couple years, then move into security (which looks like what some recommend). What do you suggest one can do to show that they have the chops to take up a good role, short of getting a couple high profile CVEs? Write a blog? Write PoCs for past CVEs?

What will get the attention of someone who hires (like you) to think that they will be a good fit?

Easy! Develop software. Don't limit yourself to scripts and small utilities. Work on something substantial, preferably low-level and closely related to the operating system or hardware. If you play CTF, show me the tooling you wrote to prepare, and the process you use to review your past performance and plan your next game. Our biggest ask during our hiring process is a code sample of some kind. If you're talking about finding bugs, show me that you didn't just get lucky, that you know how to make the process reliably produce a known outcome.

Sidenote, I think the dev job for ~2 years out of college then moving to security is a smart move. You're 100x more effective as a security engineer if you have a strong background in development. I'll say that we definitely prefer to hire software developers and teach them security.

Thanks! This is great advice.

What year did you graduate? I went to grad school through the SFS program and graduated in '04. I remember hearing Mudge talk and I thought it had been around for a little while before I graduated.

I graduated in 2008. I feel like SFS really caught its stride in the second half of the 2000s. I remember when NSA started making different levels to the CAE certification (Education -> Research -> Operations), and that created a rush to build out lots of new coursework and pulled many new universities into the bottom tier, and SFS along with it. I don't have data to show, but I feel like both SFS and universities with CAE were more rare or exclusive earlier than that.

Reminds me that my first programming project was an MS-DOS resident fake virus in assembly.

I love it when cool teachers sneak projects like these into their classwork. I had a computer architecture class that had labs to write exploits in MIPS assembly. I'd say 19 out of 20 people didn't even know they were exploits while we were writing them. :>

Slight precision: it wasn't a school project, just me and a buddy that wanted to use computers and mess with a paranoid teacher with a harmless scary message.

I never went in, but the baseline skills are there.*

Let's just say I was forced to show up at the principal's office at several educational institutions during my youth :).

I now sometimes make money doing white hat stuff.

By hacking the planet, duh.

But seriously, I got started by writing exploits for long tail web apps.

I understand the meaning of "long tail", but not sure what it means in this context. Is this an infosec term? I work in webdev and have never heard it used. Are you referring to less-commonly used web app frameworks?

Less commonly used web apps; they tend to have poor security because no-one has cared/known enough to make them not horribly insecure.

> But seriously, I got started by writing exploits for long tail web apps.

I lovingly refer to this as "clubbing baby seals" and it is overwhelmingly common among younger hackers looking to polish their skills. :-x

I can tell you how not to do it. I'll never forget the funniest interview I ever had. I interviewed with this company called Deja vu Security.


I explicitly told them, via email, I have ZERO experience pen testing, or anything related to hacking. I'm a terrific software engineer looking to pivot into this market, would take a salary cut to get my feet wet and be mentored. Would this be possible? Are you guys remotely interested in an arrangement like this?

They say great, when can we sync up? That's definitely something we can do.

So we set a call up and the call takes literally 39 seconds, I'll never forget it. He asked me what experience I had, and I reply: None whatsoever, like I mentioned in my email I'm interested in jumping into this line of work though.

"Thanks but we're not going to move forward."

Before I can even say thank you for your time, goodbye, the dude just hangs up the phone on me lol.

We have a hiring process for folks with no infosec experience. It isn't easy, but it works. The guys at Deja are solid and consulting makes for busy folks, so don't hold a low opinion of them. Probably did not pay close enough attention to the initial email.

If you are interested shoot careers at carvesystems dot com an email.

Hey anon_dev_123456, This is Adam Cecchetti CEO of Deja vu Security. Over the last 2 years Deja has spent a lot of time refining our hiring processes, but occasionally an experience like this does slip through the cracks. We are always looking for candidates that are smart individuals, interested in security, and can code, any security experience is of course a plus. If you reach out to my email adam at dejavusecurity dot com I'd be happy to discuss what happened with your call and any other feedback you'd be willing to share.

Thanks, Adam

Communications breakdowns like that are funny. I remember communicating with a recruiter one time years ago that I'd be happy to do a part time contract to fill a need that I had a lot of experience with. He calls me up and immediately starts talking salary and full time so I had to re-explain everything that was in the email conversation as if he'd never seen it.

Damn, I love their Blender render homepage


To be clear to everyone, this guy is trolling. Poorly.

In fact being involved in creating malware in any way will often destroy any chances you have of getting into any serious technical security role.
