
Working As A Pen Tester / Security Researcher


Andrei0427


I was doing a little research on the most sought-after jobs in IT, and to my dismay I see that the pen tester gets just above half of what a programmer gets. I truly love this field in IT and was wondering if I should keep learning security or focus more on programming. I love both subjects, but I have found myself to be happier when dealing with security.

Plus I'm reaching the point of making a decision I won't regret for a BSc in computer science, specializing in either Web Application Development or Networking. I was wondering if anyone would like to give some advice on what the best choice I can make is.

Thanks for any feedback :)


> I was doing a little research on the most sought-after jobs in IT, and to my dismay I see that the pen tester gets just above half of what a programmer gets.

It depends. As a pen tester you can often consult for multiple companies, thus making roughly the same (if not more, depending on how many consults you take on).


I too am very interested in this. Mind sharing what resources you've found on the matter, Andrei?

I've been working for the last 3-4 months on a business model somewhat like an employee-owned pen testing company. Each employee would have a share of the company and receive the percentage of profit per stock owned for every project they are involved with. I'm anticipating a team of 10-12, with 2-3 of that in administration (marketing, accts payable/receivable). Does anyone know of a pen testing company that operates this way?

telot


I'm going into the same field; from what I've read, pentesters make at least 70k a year in the U.S., and I bet you will see that number grow as time goes on with all these companies getting hacked. More and more companies will realize that it's a problem and can affect them financially, instead of just getting a "virus" and causing physical havoc instead of financial havoc. The degree I'm going for right now is an associate's in information security for homeland security. Then I plan to transfer to a university to get my master's in information assurance, and the Offensive Security certifications as well as the CISSP. I'll be plenty happy with whatever I make as long as I'm doing what I love.

As far as a programming language goes, Python and C are probably the 2 best ones you can learn. Most of pentesting seems to be social engineering; if you can get someone to basically give you all you need, then there's no reason to write 0-days. Because no one can prevent those, it's the responsibility of the software companies to test, fix, and patch those. If you want to do code security and writing exploits, look into application security and exploit development.


> I'm going into the same field; from what I've read, pentesters make at least 70k a year in the U.S., and I bet you will see that number grow as time goes on with all these companies getting hacked. More and more companies will realize that it's a problem and can affect them financially, instead of just getting a "virus" and causing physical havoc instead of financial havoc. The degree I'm going for right now is an associate's in information security for homeland security. Then I plan to transfer to a university to get my master's in information assurance, and the Offensive Security certifications as well as the CISSP. I'll be plenty happy with whatever I make as long as I'm doing what I love.
>
> As far as a programming language goes, Python and C are probably the 2 best ones you can learn. Most of pentesting seems to be social engineering; if you can get someone to basically give you all you need, then there's no reason to write 0-days. Because no one can prevent those, it's the responsibility of the software companies to test, fix, and patch those. If you want to do code security and writing exploits, look into application security and exploit development.

It is pretty funny, isn't it? The majority of intrusions (pen testing or not) are done by suave mother fuckers smooth-talking their way into a company/system. Speaking with authority or ignorance at will, seeking out the complacent or overworked employees: all social skills. The exact opposite of what lay people think of when they imagine a "computer hacker". I love it.

telot


> I too am very interested in this. Mind sharing what resources you've found on the matter, Andrei?
>
> I've been working for the last 3-4 months on a business model somewhat like an employee-owned pen testing company. Each employee would have a share of the company and receive the percentage of profit per stock owned for every project they are involved with. I'm anticipating a team of 10-12, with 2-3 of that in administration (marketing, accts payable/receivable). Does anyone know of a pen testing company that operates this way?
>
> telot

I will once I get on my laptop, I have all the history saved there. Although there isn't much to it, to be honest.. just a few Google searches is all.

Plus I'm learning Python as a secondary language to Java; I feel it's more portable and it can be written and compiled on my little N900 :). I found C to be too advanced for what I'm looking to learn (memory management). I'm not too sure yet whether to learn it after I feel comfortable with Python. I see quite a few programming spots open for C programmers.


> I will once I get on my laptop, I have all the history saved there. Although there isn't much to it, to be honest.. just a few Google searches is all.
>
> Plus I'm learning Python as a secondary language to Java; I feel it's more portable and it can be written and compiled on my little N900 :). I found C to be too advanced for what I'm looking to learn (memory management). I'm not too sure yet whether to learn it after I feel comfortable with Python. I see quite a few programming spots open for C programmers.

Shit man, the world needs more Java guys... Tomcat's been shitting out JBoss all over me ALL DAY LONG. Arg... Sounds good on the googling. I too have done a number of searches, just thought maybe you found some "insider" info. It's all good. Thanks man and good luck with Java, it's a fun one that is in demand... especially in my company where our last Java guy just quit... and I'm left to put the pieces together with zero programming skills rofl

telot


While having programming skills is highly beneficial for a pen-tester, you can still be a pen-tester without having to write your own exploits.

But as a pen-tester you must be able to read and understand what exploit code is doing.


I think any good hacker/pentester/whatever needs to be a good programmer. If a hacker can't at least write his/her own exploits and figure out new ways to do things, what's the difference between a 'hacker' and your average nuts-and-bolts tech guy? Nuts-and-bolts tech guys read the manuals, whereas we write the manuals.

A book I am currently reading put this question (hacker vs. programmer) into perspective for me. Personally I consider myself a security guy trying to become a programmer, trying to learn to think like a programmer. Social engineering comes naturally to me and it saves my *** in most pen tests, but it won't be like this forever, so I know I need to get a firm handle on programming.

My book explains that hackers thrive on destruction or structured chaos, whereas programmers thrive on construction. Hackers see how to take a system down, whereas programmers see how to build a system up. So similar yet so different : )


Just from knowing some people in "the business", I would say any pentester would need to know programming at some level, and it only complements your pentesting abilities. You need to be more than just a programmer though, because you are going to need to know everything about your target, and recon, along with being able to program, work in assembly and a debugger, etc., will come into play. You also need to know the inner workings of networking and protocols, and how different systems work (like Active Directory for Windows, how *nix file permissions work, etc.), so: a well-rounded system administrator who understands networking, programming/debugging, security and network policies, and how they are administered but also bypassed when not configured properly. Pentesting is more or less a culmination of many skills rolled into one, and anything you've learned, be it programming or network administration, all helps in your skill set.

Dave Kennedy and Mati Aharoni are two people who I look to as examples. Dave is the author of SET and Fast-Track and one of the founders of PTES, and Mati is one of the founders and school teachers at Offsec and head of the BackTrack team. Between the two of them, their collective knowledge covers many different aspects of IT, so I would say, yes, you need to know programming, possibly even several languages, but it's only one piece of the puzzle.


Indeed, I'm slowly working my way to at least know half of what those guys do.. they obviously spent a lot of time to gain their knowledge.. one day...

I decided to stick to the networking course, by the way, and will learn a language in my free time. I've already started Python.. I plan to learn C in the future for sure!

Definitely keeping what everyone said as a reference! Thanks for the insight :)


Hey people,

I've got kind of the same question. I am currently in the process of choosing a study programme/university. Has anyone ever heard of/experienced this university: Ethical Hacking University?

Anyway, I am also interested in studying international business. Afterwards I may go into the IT sector (do a master's in Management of IT, or something like that...).

Any comments are always welcome :)


I'd like to throw my inquiries in here as well, rather than continuing to flood the forum with threads of the same type.

I find myself in a fairly similar situation. I started working on a BS in Info. Systems Security, mostly as a means to continue learning as I earned some sort of credential, in addition to working towards a couple of certs, primarily the Cisco path. I'm finding it difficult to find very much good information on the pen testing/security auditing field. I also had the same concern, that perhaps it isn't as lucrative a field to get into, yet it is much more appealing to me. I guess in the end it's better to do something you like, but I'm just not sure if it's worth it.

Also, as it stands now, I'm a straight amateur. I've played with tools a lot, call me a script kiddie, yes, but I'm trying to break past that and develop a respectable knowledge base to start with. The biggest question I have is, where exactly should I start? I'm studying a lot of basic networking/security in the form of certification prep, as well as any tutorials/instructionals/courses I can get my hands on for free online. As a part of that I have started to learn Java, though I haven't gotten very far yet. The problem I'm running into is having too many things I want to focus on, and not enough time for them. CCNA prep, some monstrous networking/Net+/Cisco books, online Java intro from Oracle... Keep in mind also, I'm currently in the Army, and will likely be getting out in the next year or so. As such, I'm trying to get my ducks in a row to land at least a decent (something above help desk) job when I get out, where I can then continue to learn and get a little more experience.

Any advice that anyone out in the field can give is greatly appreciated.

Thanks, -The new guy.


> I'd like to throw my inquiries in here as well, rather than continuing to flood the forum with threads of the same type.
>
> I find myself in a fairly similar situation. I started working on a BS in Info. Systems Security, mostly as a means to continue learning as I earned some sort of credential, in addition to working towards a couple of certs, primarily the Cisco path. I'm finding it difficult to find very much good information on the pen testing/security auditing field. I also had the same concern, that perhaps it isn't as lucrative a field to get into, yet it is much more appealing to me. I guess in the end it's better to do something you like, but I'm just not sure if it's worth it.
>
> Also, as it stands now, I'm a straight amateur. I've played with tools a lot, call me a script kiddie, yes, but I'm trying to break past that and develop a respectable knowledge base to start with. The biggest question I have is, where exactly should I start? I'm studying a lot of basic networking/security in the form of certification prep, as well as any tutorials/instructionals/courses I can get my hands on for free online. As a part of that I have started to learn Java, though I haven't gotten very far yet. The problem I'm running into is having too many things I want to focus on, and not enough time for them. CCNA prep, some monstrous networking/Net+/Cisco books, online Java intro from Oracle... Keep in mind also, I'm currently in the Army, and will likely be getting out in the next year or so. As such, I'm trying to get my ducks in a row to land at least a decent (something above help desk) job when I get out, where I can then continue to learn and get a little more experience.
>
> Any advice that anyone out in the field can give is greatly appreciated.
>
> Thanks, -The new guy.

Yeah, I would start off with CCNA first; get an understanding of how networks, protocols, IP addresses and especially the OSI model layers work. As a pen-tester or security professional you need to have a solid understanding of how all these things work, in order to help you move around your targets and systems.

It's also important to put all you learn into practice; that's the only way you will gain experience in the field. After that, you could advance into other courses/certs like the Microsoft/Net+/CEH/Security+ ones.

In addition to all the certs and courses, you will also need to know a programming language. C would be a good language to start off with, followed by Python. Also, there is plenty of infosec content on the internet that will help develop your skills and further your knowledge.

My favorite ones are securitytube.net, Pauldotcom.com, irongeek.com and, not to forget, hak5.org.


I might be able to help a little: the university posted for its Ethical Hacking course is the one I attend, and I will complete the degree this year. It's advertised as the first course of its type in Europe, I believe, same with their game-based degrees.

Anyway, that's important because there isn't a tried and tested method of getting students to where they should be. So if you're doing the course somewhere else it's important to actually look at what you study. At Abertay we get quite a lot of students from the likes of France so I don't know what else is out there but it is a popular course initially, although roughly 50% of students have dropped out by the third year.

The website will tell you the modules you will sit, you can usually find detailed descriptors of these modules through the site as well.

Again this is important because often there is little between the courses. I'm a networking student but have shared many modules with the Ethical Hacking lot, plus we have our own Ethical Hacking classes. We also have web development modules which generally bore me to tears, but I guess it might be worth it. So that's working with SQL and PHP/ColdFusion.

With a subject like Networking there are plenty of vendor qualifications that institutes are willing to put their students through; for example, I have a CCNA and multiple MCPs. I don't think they're worth a great deal, and the topics covered are really just an introduction; plus, the Microsoft exams take about an hour to revise for. Most employers know this, but it doesn't hurt to have them. They have helped me get employment during the summer.

And as I say, we do many of the same subjects. The only 'hacking' things we do are really very basic, but again there is scope for you to learn what you want. For example, we have covered Metasploit in class, (D)DoS, MITM, scanning, sweeping, blah blah... with a fair amount on the laws and studying famous hackers. So it's really just an intro, but they are modules that you're then able to use in the future; the degree doesn't lock you down. You're also expected to produce lectures and present these on a given subject, for example rainbow tables or SQL injection.

One of the main areas where the courses differ is the project. You form a team and essentially complete a real-life (ish) project. The first semester is about learning the likes of how to plan a project, why projects fail and methodologies, such as PRINCE2, which is popular in the UK, well, amongst larger projects anyway. In the second semester you build the project, again with more presentations, producing documentation and all that jazz. While each computing degree does this, you have very different projects, and again it shows how the course is taught: we, for example, had a choice of projects while the EHs created their own.

I seem to be going on an awful lot so I'll finish in short, check what the course actually contains, and look and see what modules are carried across. Many degrees at these modern universities are mashed together for no other reason than to make money. They aren't designed 100% for your course let alone the subject. Most of the modules you do are from other courses or are just very basic.

Really you aren't at any disadvantage if you go and just do Computer Science, however you may find it a little boring.

Vlek007 asked about Abertay, so I'll give you a quick once-over. Like most, your first year will be basic; it's essentially to get rid of people. In the second year you start to learn the basics beyond how a computer functions, but, for example, you will learn more in depth about routing protocols; in ethical hacking you really continue with more techniques and the law.

You're also expected to do most of the work yourself; the exams are pretty simple usually, and the course is laid back, so there's plenty of time for you to actually go away and learn. Although they're more like this now so you can get a job and actually continue your studies.

As for the lecturers, it's the usual: if you read the website you will get the impression they invented the world; however, many of them are pretty good. For example, the head of Computing and Engineering is a Cambridge graduate who has worked for the likes of Lockheed Martin, and many of them have books published that you can buy on Amazon. Although the juicy stuff doesn't happen until your later years.

If you have any specific question, just ask. Oh, if you do want to do ethical hacking, you need to attend an interview and background checks.


As with many jobs, I'm pretty sure the pay starts off low until you prove yourself and move up the ranks. I know at a company where I know the systems administrator they just hired an I.T. Director who just got a master's in Network Security, and they're starting her off at $200,000 a year. Although it is a very high-ranking job, it just goes to show that if you follow what you love, everything will work out in the end. Better to be out a bit of money and not hate every day of your work life than to do something you hate and have a loaded bank account. That's just my opinion though. :D


> While having programming skills is highly beneficial for a pen-tester, you can still be a pen-tester without having to write your own exploits.
>
> But as a pen-tester you must be able to read and understand what exploit code is doing.

Yeah, when you want to be a pen tester, you are not gonna work alone...! You must be working for a security company where a bunch of pen testers would be working along with you, each one of you possessing master skills in a different domain.. so it's not necessary to know exploit writing if we know how the code works well enough.. as a part of the pen testing team..
