Getting started on a career in penetration testing
I have four years of experience in quality assurance engineering and two years of experience in testing security IAM and vulnerability products. I want to move into penetration testing. How do I get into penetration testing? Should I go for any certification like CEH (EC-Council's Certified Ethical Hacker)?
There are a number of different disciplines in penetration testing
, so let me address the question from a couple of different perspectives. First, decide what kind of penetration testing you're interested in. It could be on networks, applications or even people. Those are all specific disciplines within a broader idea of penetration testing. Given your background as a QA engineer, focusing on application testing would be a great fit. One of the hardest things to learn as an application tester is how applications actually work. Since you've been testing applications for functionality and features for many years (I presume), then figuring out how to test for security issues is not a huge jump.
Also, there is massive demand for people who understand how to break into applications and how to suggest fixes for the discovered issues. Jeremiah Grossman of White Hat Security did some research last year that indicated we'd need ten times the number of application testers just to cover 2% of the most important Web applications out there. And with the continued proliferation of Web 2.0 applications, the problem isn't going to get better any time soon.
There are two ways to break into a new career – certifications or background. Things like training and certifications tend to be for folks that can't get from point A to point B. If your background doesn't lend any credibility to what you are trying to do, then you need some level of education and/or certification to prove your worth.
But if you have a technical background and show an interest and capability to use tools out there (like Web application scanners, Metasploit, and other pen testing techniques), you can make your way into the field without having to get a formal certification. I'm not saying the CEH isn't worth the time, but really determine if you need it to achieve your objective before investing the time and money to get certified.
For more information: Platform security expert Michael Cobb discusses the criteria for selecting a penetration testing tool. Penetration testing provides valuable information on the state of security defenses, but is it essential for network enterprise security?
This was first published in December 2007