Andy Gill, a Penetration Tester at application security specialists Pentest and former Challenge contestant, shares some advice and tools to help you develop your skills and build a career in cyber security.
This post first appeared on ZeroSec, you can find more of his thoughts here.
I’ve been meaning to create a write-up on how to get into the industry and certain resources to check out for different skillsets. So here it is, there are lots of different routes into Pentesting however there are two main things to keep in mind. Firstly, who you know and second what you know, these are both very easy to achieve. Addressing the first point, the easiest and best approach to this is to get involved with the security community both locally by attending meetups and around the country by going to conferences. Whilst at events it is important to mingle and gain contacts, some people will see this as more of a challenge than the technical aspect however in this industry it is very important to be able to network and talk to people. By doing so you can acquire business cards and industry contacts, this will stand you in good stead for the future as you never know when you might need to call upon a contact. In regards to the second aspect of things to keep in mind: Technology, it’s important to actually know what you are doing and how to approach things, here is a short list of resources to check out and some general hints and tips for getting started in learning and application of the particular skillsets required.
- OWASP Web Goat
- OWASP List of Vulnerable Web Applications
- Damn vulnerable web app
- Pentester Lab
- Over The Wire
- CTF Time
There are more but certainly these are a good start, in terms of other materials, if you can stretch to it, I’d suggest the following books to get your teeth into:
- Web application hacker’s handbook 2
- Hacker playbook 1
- Hacker playbook 2
- Red team field manual
- Blue Team Handbook
The physical books are nice to have however you can source them on the internet using advanced Google searches, but I’ll leave that up to you.
Alongside the resources it is also useful to familiarise yourself with the standard toolsets which are usually manual testing with Burp Suite and using Linux command line, the OS of choice as an industry standard is Kali Linux.