I landed an IT Security Professional position for this small insurance carrier about a year ago. I was a jack-of-all-trades sysadmin before landing this job. A giant portion of the security job was vulnerability scanning/pen testing 50 websites and 20 web apps. I was 24 years old, only had an associate's degree in IT systems administration, and was using all of my Sec+ knowledge to get this done.
I had a good understanding of IT-Sec and NetSec due to being a sysadmin, but didn't have the high-level understanding. I had a blast learning about it and using the tools to find vulnerabilities and tell our DevOps team about it. I used Burp Suite, Nmap, SQLmap, Metasploit, Armitage, (lots of Kali tools) etc., and I learned all of this from YouTube videos and hacking IRC chats in a matter of months.
My bosses were incredibly happy with the reports I was generating and eventually as a part of our contracts with the big boy insurance carriers (New York Life, State Farm etc.) we had to get an external pen testing/security company to come in and do an audit. They didn't find anything big and my bosses were very happy to hear that.
Eventually the pay at that job stagnated but the responsibilities kept growing, so I reached out to that same pen-testing/consulting company and actually landed a security consultant job at the age of 25... I'm making 6 figures and I only have an associate's degree, no major certs other than the Sec+ course I took in college, and definitely lack the 10+ years of hacking experience it takes to become a consultant.
Is this what pen-testing is nowadays? I brought this up with a co-worker and he laughed and said "the requirement for a corporate level pen test is not as extreme as you think it is." Is this true? What happened to hacking? Are the tools we have now really that advanced that we don't really need manual prodding? SQLmap literally tells you the command you need to type to mess with an SQL server!
EDIT: I'm a Security Consultant, on the sales side of the organization. I do launch initial vuln scans and prod around a bit, but we have actual pen testers that know all of the programming languages and manually prod around the environments. I'm just wondering if I really have the knowledge to do this job; it's not that difficult, but hearing actual pen testers tell me that I could learn this actual pen testing stuff in a year is kind of weird. I always thought this stuff was really, really difficult.
from hacking: security in practice https://ift.tt/2UthRpb