Re: [WEB SECURITY] Getting into the security industry
- From: "Erik Harrison" <eharrison@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Getting into the security industry
- Date: Tue, 4 Mar 2008 17:06:31 -0500
Hey,
I'll give you some examples which I've seen first hand to be
successful. It's always going to be difficult getting into anything
without formal experience, but there are other ways to demonstrate
experience and more importantly knowledge of a subject which you would
be employed for. Disclaimer: I'm jaded, so that is reflected in my
responses.
1 - Do it anyway. The vast majority of people in IT are self taught.
While it won't get you the job, the interview process should
demonstrate your knowledge.
2 - Promote. Accept a less than ideal position with a company and
probe around. Lower paying/more menial jobs are easy to get and even
easier to promote out of. If you can get the attention of someone else
in another department either by volunteering, or going out of your way
to demonstrate your knowledge, chances are they'll pick you up or if
nothing else give you a chance to prove you're worth taking you in.
3 - Network. Talk to friends, friends of friends, join local groups
focused on your interests. Don't be afraid of the small groups either;
if it's a local OWASP chapter you're probably going to be there with a
handful of other people, but they're probably really well connected in
the industry. With experience comes contacts, and the security
industry is small. You'll run into people that know your past
employers, etc., so try to keep in good standing and don't burn bridges.
4 - Aim for smaller companies. If you look good enough on paper to
pass the initial email and phone screening, then you'll likely be
interviewing with someone who knows what you're talking about or who
may be your boss if you get the job. Be comfortable and confident
about what you're saying. If you've spent enough time poring over it
in your spare time, then you DO know. The only thing you don't know is
how they do it. The transition is easier than you think. Smaller
companies need someone to do everything. It's a great chance to soak
up all the experience you can handle and when you've proven you can do
the job, demonstrate you need someone else to help you out and
delegate the crap jobs to them, focus on what you want to do :D
In my experience, I joined an ISP / MSSP combo company. Worked there
maintaining their systems and showed interest in IT security and
auditing. Eventually, a manager noticed my interest and exploited my
eagerness to take on work. After a few initial assurances on smaller
projects I was assigned a full VA and audit report for a large
account. Since I did a good job on that, I was given more and more
work, furthering my skills in that area.
With that, when you feel you've taken on as much as you'll get out of
a company, jump somewhere else and press for some sort of 'specialist'
title. It doesn't really add more value but it makes you easier to
understand to employers when you inevitably apply elsewhere and you
might feel warm and fuzzy when people ask you what you do. It's a more
lateral translation between company/responsibilities A and new
company/new responsibilities B.
Above all else though, stay current. You should know the industry
changes far quicker than any employer can train you on. Subscribe to
every list you feel is relevant, if you're obsessive enough you'll
actually read them all each and every day with a mug of tea or coffee.
Stay active in your own projects; you'll learn more this way and you
have the access and authority to tinker around with things you wouldn't
be able to on the job.
If you're really into it, you'll find a way. Always keep it in the
back of your mind, even if you can't get anything this year, next year
you may.
The list may now begin its analysis and destruction of what I've posted.
Enjoy, and good luck!
On Tue, Mar 4, 2008 at 4:01 PM, Tassi <Tassi@xxxxxxxxxxxxx> wrote:
> Hi
>
> I am trying to get into the security industry and have been reading web
> application security books and using any resources I can find to get
> some hands-on experience by using resources such as Foundstone's Hackme
> bank/books/casino, WebGoat and buggybank, but am finding it difficult to
> get any real world commercial experience, hence am unable to get any
> Junior penetration testing roles because of this. What is the best way
> to go about trying to get into the security arena, or is it just a lucky
> break I have to try and get?
>
> Any assistance would be appreciated.
>
> Thanks
>
> T
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
Brought to you by http://www.webappsec.org