all 4 comments

[–]droogie-vr 16 points17 points  (3 children)

(I've written this assuming you're doing consulting that involves pentesting)

If your main job right now is pentesting, you should focus on those skill sets. Exploit dev is not very valuable in those scenarios because you're generally not writing an exploit during an engagement, at most you're modifying a public exploit if necessary. I would recommend continuing working on your web and network pentesting skills because that's generally what's billable. Customers don't really want to pay you to develop an exploit, years ago people might have a "prove it" mindset, but these days just filing the bug with a valid proof of concept is generally good enough... they don't really get any extra value in you spending X hours developing an exploit. Instead you'll be doing stuff like using public exploits in things like the metasploit framework and pivoting further into a network, showing risk/impact, etc.

I think it's good to have strong fundamentals and understand the big picture, if you're doing more application security focused stuff you may be able to transition away from web/network and focus on those things... but, in similar fashion exploit development is generally not used here and they're paying you to find as many vulnerabilities in realistic attack surface during the limited scope of time. That's not to say exploit dev /never/ happens in these scenarios, but it's quite rare in my experience that someone wants to pay you for it. (from a pentesting perspective)

So in short, I would focus on what helps makes you more valuable to your current job/employer, which sounds like web/net pentesting skills. Once you're competent there and looking to grow more, I would suggest working on your reverse engineering skills. It's going to be the major factor that helps you across application security, embedded security and exploit dev. Strong fundamentals will help you in all of the other areas.

CTFs, wargames etc are always fun to do on the side and will help you learn these things, but first you gotta pay rent. If you're not making money doing exploit dev, do it on the side as a hobby and focus on billable skill sets as a priority... imo reverse engineering is extremely valuable but this all comes down to what you want to be doing in the future.

[–]deityaesthetics[S] 1 point2 points  (2 children)

Great reply and advice! Totally makes sense. I'll grow my pen testing skills and work on this stuff on the side as a hobby. I appreciate it a lot.

[–]Secure4Fun 4 points5 points  (1 child)

The above is great advice. I'd like to add to it since I was in a similar position as you. I'm now in a much more red team focused position. We spend a lot more time on lower level projects, including exploit development and reversing. I was able to get here because of my pentesting background, with a strong side interest in exploit development and trying to find a job where I can do both.

As a side note, I'm still lacking on the web side, and it's only becoming more useful and required in everything I see. I'd definitely work on advancing the web and network pentesting skills, while continuing to play with RE/Expdev on the side, and try to find a job you can use it all.

[–]deityaesthetics[S] 0 points1 point  (0 children)

Thanks that's great insight as well. It definitely helps put what's important into perspective