Ask HN: How did you get started in Network Security/Penetration Testing?
It’s also a huge field. Try checking out security in your current discipline. I was a web developer in 2013, so it was natural that I was inclined to look at SQL injections, XSS, packet sniffing, etc. I already understood the domain. That is easier than jumping into reverse engineering firmware if you have no xp.
Now after a couple years of practice, I’m recommitted to security. Huge issue in our current tech ecosystem. I was just approved to take CEH and will be taking it next month. To make it official. If you need some structure to your learning and want to make a career move, check out getting an industry base cert like the CEH or offensive arc cert. Most security jobs prefer candidates to have at least one, and they’re not incredibly difficult.
Happy pwning!
What the CEH does give people is a curriculum that they can adhere to. Not everyone can wrap their head around a complex subject like infosec alone. It's not a badge of honor, especially in a niche like infosec. But it does show you're serious about the field and willing to make a financial commitment. That's why I'd say it's worth considering if you're looking to make a career move. Of course, look at every other option and choose the best fit for you.
OSCP is no fucking joke. It's hard.
Honestly, I just got tired of being THAT developer who willingly shirked his security duties. I always let someone else 'handle it'. In comparison now, I'm much more confident because I know (more) about securing the network and underlying ecosystem that my applications live in.
I think most people hiring want to see a developer who is excited and puts out lots of work. I've always been pursuing this in my free time, which goes a long way to show that I am truly interested in the subject. But at the end of the day, your cert can't secure a network if you can't. Get the KNOW and you'll find an opp w/ or w/out the semantics.
Hope that helps.
I'm actually 15 at the moment with basically no experience besides messing around with kali tools like a script kiddie.
Got any tips for programming languages to learn/where to learn?
I appreciate the post!
If you're looking for things to start getting into security type learning, you could do a lot worse than start with CTFs (https://ctftime.org/ctf-wtf/). Whilst they're not identical to what you'll face as a security tester, they cover a lot of similar skills. Also you'll likely meet people in the industry by doing them.
There are also sites like https://pentesterlab.com/ which have free examples of pentesting challenges.
A lot of quick scripts are written in Python - you may have noticed this in Kali.
Ruby is what Metasploit is built upon, meaning a lot of the modules are also Ruby.
Both are great languages. In regards to where to start with learning them, take a look at https://www.codecademy.com, both are featured there and give you a nice gentle introduction to their syntax and ways of working.
Also for Python there's https://learnpythonthehardway.org which is awesome, and https://automatetheboringstuff.com which is a little more practical to begin with.
Once you feel comfortable with the language(s), go read the source code for those scripts or modules in Kali and see what else you can pick up.
If you're serious about infosec and don't just want to run tools and call it a day, I suggest covering the basics first:
- programming: would be cool if you learn not only some language but programming “as art and mindset” in general. This includes your typical Computer Science courses, algorithms etc. Great if your school or university teaches those but you can always fall back to online education platforms.
When it comes to language, I'd recommend Python over Ruby. Granted, the latter powers Metasploit, but a lot more tools and wrappers around tools are written in Python. Once you know Python, creating Metasploit modules won't be a problem because a lot of things are handled by the Metasploit Framework.
Also, this comes from a highly subjective Python developer, but I suggest learning Python 3, despite a lot of infosec tutorials and tools still using Python 2 (e.g. socket programming). It's easy to fall back to Py2 if you need to, but you'll have the power of the latest and greatest if you go Py3 because not everything is backported. Most books contain a lot of useless material and are pretty slow-paced, and I'm not a fan of “Learn Python The Hard Way” either. I personally started with “Learning Python” by Mark Lutz; after about a third into the book I ditched it and just went practicing and googling for answers. Cannot vouch for “Automate the boring stuff…”. You do you, but in the end it all comes down to practicing.
- networks: almost as important, if not more important than programming. Web pentesting, internal network pentesting, malware reversing, DFIR, even some part of exploit writing constantly interact with networks and analyze traffic.
- OS: for starters, tinkering will be enough. Familiarize yourself with Windows (console, registry) and some flavour of Linux (shell, permissions, important files etc.), preferably Debian-based because they are popular in CTFs and tutorials. Install and configure some software like web servers, databases, development environments to get the hang of it.
Where to learn:
Google, obviously.
https://pentesterlab.com/ is great for web pentesting. They have a free tier with pretty okayish explanations and exercises. They also have a “Bootcamp” section which covers some network, programming and Linux stuff.
LiveOverflow's YouTube channel has a playlist called “LiveOverflow Binary Hacking” which is a great primer into exploit development on Linux. For Windows, you should probably check the Corelan series: https://www.corelan.be/index.php/articles/
https://www.vulnhub.com/ has machines for practice. Not all of them are great but you may learn a lot by reading writeups.
When it comes to certifications, they all serve their purpose, even CISSP and CEH. I did OSCP and while I won't call it “10 out of 10”, it's decent and probably the best one when it comes to skill practice and cost. It targets internal network pentesting, though, which might not be that useful if you choose another field.
Did I mention Google?
Jokes aside, go with Python. It was my first language and to this day I can't think of a better language for people to start out with!
Good luck to ya!
(ps, if you do go down this route, try to find a job at a company with a good security culture. starting one from scratch is walking a road of broken glass)
I think that's a little silly. I work for one of the top security consulting firms and it's just not my or anyone else I know's reality. In fact, the total opposite seems to be true. We have talented code reviewers and tool writers move on to work at tech companies all the time. These people are still interested in security and from what I've heard, they end up working on or even leading some really cool software engineering projects.
I suppose if you woke up one day and decided that you're no longer interested in security at all, it may be difficult to pivot back if you stopped writing code. But that does not sound like the typical person who was originally interested in both security and code. Most security consultants I know who came from writing code really excel in security doing code review, architecture review, tool dev, etc. and those are all things that can translate back into software engineering experience on a resume.
Of course some people's experiences will differ. There are plenty of employers out there who are biased or looking for a very specific background. But these cases are far from the norm. Perpetuating the whole "security is a dead-end, life-long job" narrative is spreading needless FUD and prevents the industry from maturing.
It's not quite as clear-cut as that, but if you're out of the game for N years, it's really hard to get back into it. Especially when you're not younger than 30. Ageism is a real thing.
I've seen companies filter candidates based on their score on such platforms. For example, for a junior position in penetration testing, they asked for at least 3000 points on root-me (but it was a few years ago, the number of challenges on the site has increased so it would make sense if they had increased their minimum points requirement).
Compared to certifications, it has two enormous advantages: it's fun, and it's free. I've started that way and never regretted it. I've not needed a certification to land a penetration testing job in a serious company (this was in France though, I don't know much about practices in other countries).
/r/netsec is no longer the smaller, more personal community it was when I started as a mod (7 years ago now?). If you're just starting out, one of the things I recommend most is finding a meetup in whatever city you live. It's hard to underestimate how useful an in-person conversation over a beer or two can be when you're early on.
I guess my advice for you would be: take your netsec team out to lunch once in a while! :-)
My advice to you if you are just getting started in the infosec world is... don't do it! Short of the increased attention to encryption and various better authz/authn standards... the newer crowd doesn't want to hear anything about the vulnerabilities in their code. 9 times out of 10 the only reason they'll resort to testing anything is to cross off a corp checkbox somewhere. Keep in mind that nobody likes policy and you'll be associated with their hatred for it.
Can confirm.
The way it usually works is that Company X has N dollars allocated for security. Company X (or rather, a person or a team at Company X, with his/her/their own internal and external priorities and motivations) buys a service - recurring automated tests/assessments/pentests &c. This is where the usual corporate bullsh*t kicks in. If they want to show that they've done a good job in securing something, they buy a pentest over a short duration for a minor thing and then they claim "<trusted security vendor Y> said we were secure". If they want more money, they obtain data to show that. The infosec companies have a "customer is always right" mind-set. It's business.
You can probably get good cash just for telling people to use TLS. Green padlocks and all that.
EDIT: also, to differentiate infosec from regular security, don't forget to prepend "cyber" to everything.
In my senior year of high school, I was handed a brochure for a scholarship program offered by an engineering school that paid your entire tuition if you studied cybersecurity. I didn't know much then, but I knew loans were a bad thing, so I went with it and attended that university. The final hook was a Capture the Flag (CTF) game hosted by the school. I had not pursued obtaining the scholarship until that point but playing in the CTF got me exposed to the other students and convinced me to go through it. You can read more about the NSF Scholarship for Service (SFS) program here: https://www.sfs.opm.gov/StudFAQ.aspx
I like to characterize myself as one of the first class of graduates with specialized degrees in cybersecurity (at least in the US). Anyone older than me is usually entirely self-taught, anyone younger generally had exposure in an academic setting. I was about half and half. For reference, I am 32. I think the NSA Center of Academic Excellence program had a lot to do with that shift. Many US universities were first getting certified with new coursework to meet that standard through the mid to late 2000s, right as I was attending college. https://www.iad.gov/nietp/reports/current_cae_designated_ins...
FWIW I wrote a short career guide to help others trying to make sense of the field and how to get started. https://trailofbits.github.io/ctf/intro/careers.html
In fact, this year's Flare-On challenge just started today! It's an online game composed of 10-20 reverse engineering and forensics challenges that takes place over the next few weeks. There will be solution writeups after the challenge is over so you can learn how to solve whatever got you stuck. Give it a shot! Flare-On always gets great reviews for being fun to play, and online games (CTFs, wargames, etc) are a great way to get yourself started and add something to your resume. https://2017.flare-on.com/
I am now the CEO and co-founder of Trail of Bits, a high-end software security research firm. I will probably never quit the field. You can read more about what we do here: https://www.trailofbits.com AMAA?
Let's just say I was forced to show up at the principal's office at several educational institutions during my youth :).
I now sometimes make money doing white hat stuff.
But seriously, I got started by writing exploits for long tail web apps.
I lovingly refer to this as "clubbing baby seals" and it is overwhelmingly common among younger hackers looking to polish their skills. :-x
http://www.dejavusecurity.com/
I explicitly told them, via email, I have ZERO experience pen testing, or anything related to hacking. I'm a terrific software engineer looking to pivot into this market, would take a salary cut to get my feet wet and be mentored. Would this be possible? Are you guys remotely interested in an arrangement like this?
They say great, when can we sync up? That's definitely something we can do.
So we set a call up and the call takes literally 39 seconds, I'll never forget it. He asked me what experience I had, and I reply: None whatsoever, like I mentioned in my email I'm interested in jumping into this line of work though.
"Thanks but we're not going to move forward."
Before I can even say thank you for your time, goodbye, the dude just hangs up the phone on me lol.
If you are interested shoot careers at carvesystems dot com an email.
Thanks, Adam
I have found exploits by knowing the quirks of all sorts of libraries and I have to be able to understand how things work on a deep level. But because a lot of the job is tracing other people's work and finding gaps in their logic, you don't have as much 'dev' time in the traditional sense. Most of your coding turns into ways to prep your exploit. Your life gets wrapped up chasing obscure malloc bugs or strange Chrome behavior rather than contributing in normal developer ways, and companies don't recognize this as transferable. I'm only a little bit bitter about it, but I love my work. I just hope the pay stays solid and I don't end up in a dead end job later in life.
Also it's really hard to be good in this industry. It is almost entirely driven by the top 1% of people and as someone who is not in that demographic it feels like a constant struggle to keep up.
It looks like you and the parent poster are facing the usual company that is looking to hire a cheap 20 year old web dev with little experience. Not a good fit for you.
If you work as a pentester or network security staff, then you might be trading a career in software development for a career in operations. In that career, it's more likely that you will be challenged to _use_ tools, build processes, or fight political battles for consensus, rather than build software.
On the other hand, there are many firms that hire primarily for security engineering and focus on building software. Any skills you have in software development will stay current, and your work in security would make you a better, and more desirable, software engineer.
Anecdotally, I can name many people who have made the jump from security engineering to positions like VP of Engineering, CTO, or simply software engineering.
What will get the attention of someone who hires (like you) to think that they will be a good fit?
Sidenote, I think the dev job for ~2 years out of college then moving to security is a smart move. You're 100x more effective as a security engineer if you have a strong background in development. I'll say that we definitely prefer to hire software developers and teach them security.
Security is one of the few fields that can truly benefit from a holistic approach. Really good QA people who can code and work directly with both marketing and engineering can lay the same claim to their field.
Once you have enough experience in development AND security, it's easy to add product life-cycle[0] considerations into the mix. When you get that far, you're expanding into architecture and workflow engineering. And this is where it gets interesting...
If you end up being responsible for security matters as part of engineering workflow, you will find yourself also deeply involved in compliance. People who have a solid background in development, work on architecture or product life-cycle, focus on practical security, care about engineering workflow -- and can tie all this together to satisfy compliance requirements are rare. Very rare.
Not to mention employable.
The ability to meet ever-changing compliance requirements WHILE maintaining sanity, engineering workflow and development velocity is already in high demand. It can be very satisfying too, because you end up covering architecture, production systems, development and business needs, all together. The approach has to be holistic, because nothing else works.
The common wisdom is that security is a process. It's also a mindset. And a mindset can be taught...
0: Magic acronym is "PDLC" - Product Development Life Cycle
So I don't know how we decide whose anecdote wins here :p
That's a harsh way to frame it, but it's also accurate. (I'm speaking from experience FWIW.)
In other words, you could have become an ML engineer anyway. No reason to risk it by becoming a pentester.
I know dev salaries in the US are very high, but in other countries (e.g. the UK) security posts can pay pretty well relative to many development posts.
In terms of options, there's a fair number of options available after pentesting, although most of them revolve around security in one guise or another. On top of the obvious moves into IT/Infosec management, there are new fields in security which open up alongside tech.
Recently there's been an expansion with fields like malware analysis, blue teaming, incident response and red teaming showing quite good expansion.
Within "pentesting" there are areas like IoT, automotive, maritime, etc. which can offer moves for people wanting to move on from more traditional pentest roles.
I wouldn't really recommend being a pentester either, but there is plenty of need for people who understand security and can code to write software.
It seems like you're having a tough time, and maybe ageism is a factor here, but none of what you're saying really meshes with my experience.
Obviously, if you enter a job where you have to "fight for dev time" as the sibling comment you refer to mentions, then your skills as a dev will suffer. That's not a good career path if you think you might want to return to software development one day. Find a job in security engineering, of which there are many, where you have to fight to take breaks from coding instead.
I think people have a confirmation bias that the security industry is made entirely of "netsec/pentesting" jobs since the news cycle is driven by hype from bug hunters, consultants, and vendor FUD. There are enormous numbers of people working on designing and building new security tools, capabilities, and research. Do that.
Finally, I'd like to say that if my own company wound down tomorrow, I am confident that every single one of my ~30 engineers could find a job in software engineering in an instant.
Edit: Also I do believe your claim about all 30 of your engineers being able to find work elsewhere. You have to admit the average employee you have probably isn't reflective of anywhere near the average of the industry or even the enthusiast community.