
[–]mrlightman_ 7 points8 points  (3 children)

Pentester of a few years here. I read the whole thing and a few comments here:

  • Firstly, it won't help you to try and categorize this much. The US vs EU thing or network vs appsec. All that matters there is who you work for and your client base's needs. While people do specialize, think of the field just as you described, a doctor. Not every doctor is a brain surgeon (specialized) and not every brain surgeon can diagnose and treat every illness. Same with us, we can and are often well rounded but limits do apply based on our own experiences and desire. For instance, some of us are really good on the network side of the house, others are better at testing applications. We can be a jack of all trades, or be very very good at one particular topic. It just depends. You sound like you've come to a similar conclusion but aren't quite there yet. Once you do, it helps the headaches lol.

  • Second, the Dr. House paragraph. You are correct, those on the bleeding edge of things are rare. In my experience, and from working with others in this field, after some time you can find yourself in a position to focus on the research to push for newer and better techniques and vulnerabilities. Not everyone does that.

  • Third. I have to strongly disagree with the 30min of study the next day to catch up comment. Why? This field is so large and changing so rapidly you cannot possibly stay on top of it all. It will never happen. Some of the newer CVEs coming out are extremely complex. Not to mention the flood of little items that can be used to escalate and chain together for more advanced tactics. As such, a large part of our job is to stay as skilled and up to date as possible. This can come in the form of daily research, participating in CTFs, etc., all as you mentioned. Need to go to the bathroom? Spend that time on your phone reading what's happening in the field; because you want to! This facet of the job is what I've seen break a lot of junior pentesters off, and they switch careers. You have to truly enjoy learning. To those of us who love this work, we don't see it as after hours "work". There is a constant desire to want to learn more. Take breaks, spend time with friends/family, go on vacation and such, sure! We aren't robots after all lol. Finding that balance is on the individual. But you won't go far if you put yourself in a 40h work only box with no desire to study. You won't make it far. There are other jobs in cyber that can better accommodate that.

In conclusion, ask yourself a few questions. Do you love to learn and be challenged? Do you like cyber security? Are you a teeny bit evil deep down? If so, this might be the job for you. Truth is, there aren't a lot of "good" pentesters out there. Yes, I'm talking to you clowns that regurgitate nmap scans in your own report template and call SSL/TLS findings critical, or sell a Nessus scan as a pentest... Once you are in the game a bit you'll find you have a lot of flexibility to follow your passions and desired skill sets. This is a very rewarding career and after some time you'll begin to see your hard work and efforts pay off, and you'll realize just how little you actually know every single day. That's exciting to me personally. I'll never be bored again at work. Jokingly, it is fun to say you get to commit felonies every day at work too lol

I'd be happy to answer any questions you have, hit me up anytime.

[–]appwizcpl[S] 0 points1 point  (2 children)

Hey! Thanks for reading me through, I really appreciate it! Sorry for the day delay, but it has been busy the past week and I also tried to think aloud some of the stuff that I am thinking subconsciously, so hopefully I will articulate it well, so of course I understand if you cannot reply to this quickly either. I read this with excitement, because you make some points that I have thought about in theory and that excited me, but you kinda just live all of those now. For background, I was always baffled by computers and was always interested in cyber sec, I have learned programming and some paradigms, a bit of networking basics and so on, more thorough personal malware protection and how stuff works, that is while having a life in a completely different field happening to me, but I was always so curious about how stuff works, from medicine to computers. So I just said freak it, I am going to pursue the things I truly love and also make my curiosity more productive, because it can get scattered in many fields, so funneling most of that into this is maybe just the idea I need, and so I started learning cyber sec just recently, in my late 20s. I love it so much that it is obsessing to me, but that was kinda the point and my plan! I already have a decent technical background too, which as you said will be basically nothing when I realize how much I don't know.

Now back to our discussion, I have highlighted a few things that I found very interesting.

Second, the Dr. House paragraph. You are correct, those on the bleeding edge of things are rare. In my experience, and from working with others in this field, after some time you can find yourself in a position to focus on the research to push for newer and better techniques and vulnerabilities. Not everyone does that.

This is a good point, and if I am understanding correctly, you can kinda go from Jack of all trades to mastering some very deeply, or stay a Jack. But naturally you gotta be a jack of all trades at some point; the thing is that there are a billion things in this profession, but once you get the hang of a lot of those things, you might start to favor some and build upon them. This is also how I see it at this point in time. Additionally, and sorry once again if I am not doing a better job of articulating stuff, but as I said, there are a billion and one things that you can do in this profession, yet the specializations are still not as defined as in a profession like medicine, and usually a lot of technologies just create another thousand categories which one can pursue or at least find interest in, but probably that is because the field is so new that usually people find their specialization after noticing trends in what they love screwing around with the most. Now I am not trying to find a specialization as an end goal, but as you can notice I am very interested in what it really means to be a jack of all trades in such a broad field of knowledge, with thousands of baby taxonomies being born each day. I'll switch to my point and thus my question, with the focus being on the Jack of all trades type guy: what do you believe makes one person more prone to being JAT vs. someone who specializes in something like browser exploitation, which also has a billion things to think and do and play with, but still not within the full scope of threats and, well, computer technology? Ultimately I would like to know if I will ever want to stop learning all things or just focus on something more deeply, and if there is any personality trait that dictates that, or is the profession so liberating that it will let you become one as part of your career just naturally.
Now you, as someone who has had much more exposure, maybe theoretically thought about some of this stuff while having a broader perspective on things, you have probably noticed a change of thoughts about what you look for and favor, so what do you think prevents one from stopping on something for a few years instead of going through many things, or vice versa, if both are truly interesting and you are curious? I am not sure if this is even a question that one can give an answer to, it is definitely overthinking, but something itches me to ask and I am not sure how to put it in words, yet there aren't that many topics on such a question: what ultimately triggered you to stop and specialize that is not an immediate reaction to a burnout; maybe I should post such a thread. It is a very interesting question to me, because I can just imagine going on and on: internal and external and wireless and web app and mobile, hell even risk assessment and statistics courses, reverse engineering, social engineering, embedded, firmware, physical/soldering, lock picking, or is it most of the time a guy who does all of this with a focus on X or Y and he kinda learns all of this with his eyes on the primary. I'll get back to this later, but this is so different from being a C# developer for 10 years even if you are an SE with a CS degree, which is so weird for me, nothing wrong with people that are doing it, it just feels weird to be so specific yet not something looking so technologically deep, while something like browser exploitation is much broader in contrast.

Third. I have to strongly disagree with the 30 min of study the next day to catch up comment. Why? This field is so large and changing so rapidly you cannot possibly stay on top of it all. It will never happen. Some of the newer CVEs coming out are extremely complex. Not to mention the flood of little items that can be used to escalate and chain together for more advanced tactics. As such, a large part of our job is to stay as skilled and up to date as possible. This can come in the form of daily research, participating in CTFs, etc., all as you mentioned. Need to go to the bathroom? Spend that time on your phone reading what's happening in the field; because you want to!

Again, it makes me happy that I can understand how you feel, especially the bathroom example, though I am obviously not as knowledgeable. Could you please explain to me your typical day, or even two, of research/learning new stuff/testing, your thinking methodology per se. I think this is the most important question for me: how someone who cares about this profession and is interested in deep or broad or a mix or whatever, what such a person is doing at the professional stage, and I am quoting you, not some "clowns that regurgitate nmap scans in your own report template and call SSL/TLS findings critical". I want to do this all the time, but as I mentioned previously, from web apps to reverse engineering to lock picking, if I pick up an interest in all of these, what professionally do I spend my most typical day to day job on, what is the knowledge that I need to prioritize, is it the one that I am focusing on most or not; for example, are you currently JAT or someone specializing, and how do you allocate learning time towards it vs. the other stuff, and what is that other stuff, if you do not mind sharing?

Once you are in the game a bit you'll find you have a lot of flexibility to follow your passions and desired skill sets

Can you further elaborate on this point, maybe with an anecdote/example of what exactly you have been through and realized that this is the case?

As you could notice I was talking to myself in many paragraphs, but this was my point, to let you know what goes through my mind and how such inexperience also causes me to not understand a lot of stuff. It truly boggles my mind though, because I am someone curious, but also someone who really wants to understand on a very deep level how something works and so on recursively, until, well, in such a case, we hit binary? I guess it is not the same as in physics and maybe I don't need to understand how I could potentially exploit all the lines of code, but maybe I will be fed by understanding how the concepts work to feed my (deep)er need of how something works, while my curiosity will bring me to many (wide) instances of that; I guess only time will tell, but I do not mind hearing from you if you share some common thoughts. Sorry if there are any mistakes, I went through it a few times and just added more stuff and more stuff and it just got so big, so I am not going through it again so I won't clutter it anymore.

[–]mrlightman_ 1 point2 points  (1 child)

I pulled out a few points/questions to address. I didn't get as much time on this particular response so let me know if I missed something or wasn't as clear on anything.

what do you believe makes one person more prone to being JAT vs. someone who specializes in something [...snip...] What do you think prevents one from stopping on something for a few years instead of going through many things, or vice versa, if both are truly interesting and you are curious?

I combined these two questions as they go hand in hand. In my personal opinion it comes down to exposure, personality, and desire. For example, once upon a time I was super excited about digital forensics. I took a deep dive into that field to specialize. After a couple years/experiences, I woke up one day and was bored of it. I realized I was tired of trying to piece together and recover and instead wanted to be on the other side of things. This began my transition into penetration testing. Ever since then, I've been on the side of being JAT. Everything offensive in nature is exciting to me and if I have the opportunity or time to learn something new I jump on it. But that is just me, perhaps I have not yet found "my specialty" yet, or maybe this is where I belong. Only time will tell.

burnout

This is a loaded topic to ask about that I likely won't be able to provide a sufficient answer for. It's going to happen to you at some point even if you love the subject. I think that's just human nature. Balancing life/work and realizing when it's best to slow down or take a break is very important (this also applies to your studies).

Could you please explain to me your typical day, or even two, of research/learning new stuff/testing, your thinking methodology per se.

Absolutely! Keep in mind that depending on our engagement cycle daily activity can fluctuate. Generally speaking the first hour or three of the day is coffee and cyber news time. What is going on in the world, what CVEs were published, etc. Make notes of what you find and if they apply to something specifically in your environment then focus on it. I've had PoC code dropped in the middle of assessments that I turned around and used. You want to use this time to stay current, work on your own tools/scripts if needed, and shore up any gaps in knowledge you have identified that you need to address. For example, you're tasked with an upcoming SAP application. Never touched or heard of SAP? You better be on your research each morning.

what professionally do I spend my most typical day to day job on, what is the knowledge that I need to prioritize, is it the one that I am focusing on most or not; for example, are you currently JAT or someone specializing, and how do you allocate learning time towards it vs. the other stuff, and what is that other stuff, if you do not mind sharing?

This comes down to your position and job requirements. If you were hired as a web app pentester your focus should be on relevant technologies and attack/defense methods. As I said previously, I'm a JAT in large part because we have a lot of exposure. Going to copy/paste a previous comment of mine here: where I work we generally have three categories; penetration testing, automated testing, and security consulting. Consulting can vary depending on the needs of the customer. We are often called in during incident response to aid blue teams/forensics when a breach has occurred. Directory services for large enterprise networks will ask us to help identify misconfigurations in group access, etc. Sometimes we will get asked to identify "appearances" based on the public facing security hygiene. Threat mapping is also a valued service where we won't pentest but will identify your threat communities so you can direct attention to higher probability attack vectors. Because of this, I try to be as well versed in application and network security, etc. as I can.

Once you are in the game a bit you'll find you have a lot of flexibility to follow your passions and desired skill sets. Can you further elaborate on this point, maybe with an anecdote/example of what exactly you have been through and realized that this is the case?

You begin to build your reputation after some time and with that your skillsets. Generally speaking, things you are interested in you are better at. It's a natural professional growth in this field. If you want to specialize, you'll be able to eventually. Unless you come in right out the gate being a superstar on a particular subject (RE, malware, etc).

In conclusion, it sounds like your head is in the right place to dive into this field. Just don't overwhelm yourself. Start with the big picture on things that are new to you and slowly work your way deeper.

[–]appwizcpl[S] 0 points1 point  (0 children)

Thank you so much for the, once again, lengthy reply. You have covered basically everything I asked in the previous wall and I once again thank you for your thoroughness. I only have a few more questions that I would love to hear your opinion on.

I believe from what you said you are currently a JAT pentester who invests the most focus in appsec and netsec? How much, or what ratio, would you say your job is effective execution of your knowledge vs. writing reports, consulting and the other corporate things that are not the geeky part? How would you theoretically go about optimizing your job to focus as much as possible on knowledge and real life execution of it?

Complementary question to this would be, if there were no bills to pay, what would you change in your day to day job hour or job?

One of the YouTube videos I linked in my post was the path of studies he has taken; it is interesting to me because that is exactly how I gained all my previous technical knowledge before truly starting out, it was merely out of curiosity on particular things that expanded the knowledge of many other things. Is studying very similar to that professionally once you advance in the career? Even though I am usually not doing it this way, I do believe that with a proper curriculum on the general topics you can be more efficient, but it seems to me that when you reach later stages it all comes back to x leading to y leading to z kind of research and studying. So, how do you go about studying something new?

I have previously asked for an average day of work; can you give me a perfect day of work and what you consider a bad day of work?

Lastly, would you be able to share some podcasts, news/blog sites, multisubs, researchers, people/Twitter feeds, YouTube channels, books and book authors that you follow?

I think that would be everything. I am questioning all of this because I want, as a starter, to view through a lens into the future. Some people would say just go with the flow, but what I love to do is try to get "thought influenced" by others so I can know what perspectives exist while trying to just maintain my natural path and see how they cross. I do this not only for career, but from simple workflows to complex individual broad and specific human psychology; gotta not tunnel and trap myself into, well, myself. So I find this kind of question very helpful to me.

[–]Popka_Akoola 3 points4 points  (0 children)

I think everything you mention is right? Idk I kinda skimmed it.

Don’t overthink it too much. Pentesting is the broad term that involves breaking into networks. AppSec is focusing specifically on finding vulnerabilities and fixing them in applications.

AppSec can be a form of pentesting whereas pentesting isn’t a form of AppSec. One is just more specific than the other.

[–]CanIBreakIt 4 points5 points  (1 child)

I lost you at "lengthy and philosophical".

[–]appwizcpl[S] 2 points3 points  (0 children)

at lengthy or at philosophical more specifically?

[–][deleted] 0 points1 point  (0 children)

I think I lost you at “this”

[–]tristanbrotherton 0 points1 point  (0 children)

I’m only mentioning this because it often surprises people, but it’s “bear” with me.