Ask Slashdot - Breaking Into Penetration Testing At 30
An anonymous reader writes: I currently work for a small IT MPS in the Southern USA. Recently, my boss approached me about offering security evaluation and penetration testing to customers in our area due to the increasing number of regulations companies are having to meet. My role in the company is that of a proactive systems administrator. I have strong troubleshooting skills, a moderate knowledge of Linux, and a strong grasp on Windows systems. My working knowledge of networks is a bit rusty, but I've started working on my CCNA again, and skill/knowledge of any kind of programming language is extremely lacking as I have slacked off in that department. However, I've been working with PowerShell scripting, and have picked up some resources on Python. Where would a guy like me start? What can I do, as far as personal development, to give me a shot at building this "new department" within my company? Am I beyond hope?
At 30?
You're young.
Do whatever you want.
I think penetration testing requires pretty good programming skills, particularly low-level type stuff.
The fact that you have not maintained any programming skills suggests that it is not something which interests you sufficiently to pursue it in your free time. I am skeptical that a person without an intense curiosity to understand how systems work at a low (i.e., code and assembly) level would find the motivation to develop the necessary programming skills and reverse engineering know-how to discover holes in systems.
But perhaps I am wrong and these skills are not required to be a successful penetration tester.
Why would it? Pen testers' jobs are not to write vulnerabilities. True, someone who knows how to write vulns will make a pretty good pen tester, but you don't need to know how to refine petroleum to be good at pumping gas. A basic pen tester needs these skills (in this order): 1) knowledge of current vulns across a wide variety of platforms, and a channel to keep up to date on the latest new vulns that come out, 2) knowledge of how to find if a vuln is present across a variety of platforms, using methods that don't involve "just give me root so I can check your versions" and 3) knowledge of how to actually run some/all of the exploits when the customer looks at your report of 13 high-risk issues in disbelief.
To be a great pen tester you need one of two skills: programming knowledge to put together unique exploits on the fly, or diverse systems knowledge to know how to multiply existing vulns (exploit, pivot, repeat) in order to move from system to system.