Jump from experienced web developer into pen tester ... does it worth it?
PetyrVeliki
Registered Users Posts: 1 ■□□□□□□□□□
Long story short:
I'm a senior full stack web developer and a few weeks ago I lead a workshop on Progressive Web Apps. For this workshop I had to do a lot of setup on a Linux box - FTP accounts, web server, SSL, etc. ... and I really liked it. I've done such things before, but this time all was successful from-the-first-time ... and I really enjoyed the final result ...
So I decided to check if such work is for me and therefore I researched a little bit - the knowledge, the certifications (LFCE and RHCE) ... but unfortunately I saw it's less paid than my current job. At least in general.
During the research, however, I met articles and forum topics on pen testing ... I liked the topic and now I'm really considering beginning to dig into this.
Can you help me with some opinions on this, taking the following into consideration:
PROS:
CONS:
==========
However I already started watching videos and reading articles, mostly to "see" whether this IS for me or not.
To summarize: any advises are welcome
Regards,
P.
I'm a senior full stack web developer and a few weeks ago I lead a workshop on Progressive Web Apps. For this workshop I had to do a lot of setup on a Linux box - FTP accounts, web server, SSL, etc. ... and I really liked it. I've done such things before, but this time all was successful from-the-first-time ... and I really enjoyed the final result ...
So I decided to check if such work is for me and therefore I researched a little bit - the knowledge, the certifications (LFCE and RHCE) ... but unfortunately I saw it's less paid than my current job. At least in general.
During the research, however, I met articles and forum topics on pen testing ... I liked the topic and now I'm really considering beginning to dig into this.
Can you help me with some opinions on this, taking the following into consideration:
PROS:
- Experience as web developer will be helpful there.
- Even if I don't end up doing it - the experience in pen testing will help me be a better developer.
- Currently I'm using mostly Linux environments - at work and at home - so I already have some (minimal) knowledge to start with.
- The salary will be comparable to the one I currently get, and with a mortgage this is important
- The topic is interesting and so far I like the stuff
CONS:
- In a few months I'll get 35 years old ... and spending a few years from now on to dig into a new area ... looks a little bit like I'm "too late and too old for the party".
- I already see that it's hard for me to memorize some stuff ... for example - a lot of Linux commands. I'm confusing a lot of them (find vs grep let say: find requires path at the beginning while grep - at the end) - and I can not memorize that well. That's why I'm referring to the "man" for the specific commands, and I'm doing this a lot.
- Eventually I will have to start over my career, while I already have something solid (~10 years experience so far). This makes me feel like I'm risking a lot.
==========
However I already started watching videos and reading articles, mostly to "see" whether this IS for me or not.
To summarize: any advises are welcome
Regards,
P.
Comments
-
olaHalo Member Posts: 748 ■■■■□□□□□□It may be difficult to jump directly from your current position to a pentesting position even if you cert up.
Most likely you would have to take a pay cut a lower level security analyst or SOC position before working your way up to pentesting.
However if you know someone or have an opening within your own company then I say take the chance and go for it. You could always fallback on your web developing. -
TheFORCE Member Posts: 2,297 ■■■■■■■■□□I actually think you might not be too late and no need for a pay cut. You already have 10 years of experience as a web developer, all you have to do is put some security into that. The jump is not that bad, i dont think so.
Look at the below link, I think this will align more witj the experience and knowledge that you have.
https://www.offensive-security.com/information-security-certifications/oswe-offensive-security-web-expert/
The rest will follow as you start to change more into the security mindset. You are already have the programming knowledge to find holes or to develop code that instructs a web app to do what you want it to do. It might be a good jump if you enjoy it. -
aderon Member Posts: 404 ■■■■□□□□□□Most likely you would have to take a pay cut a lower level security analyst or SOC position before working your way up to pentesting.
I hear this a lot and I've really begun to wonder why this is? I work as a security engineer and deal with just about every kind of security product there is, but other than working on the vuln scanners I don't see much of a direct correlation between what I do and pen testing.
Granted, I'm no pen tester, so perhaps my expectations of what they do is way off. But, from my understanding, it's a lot of scanning, looking for vulnerabilities, creating or finding an exploit to use (perhaps modifying it a bit), using the exploit, using your newly found access to try to find additional info for elevating your account and spreading to other machines across the network, and then reporting on everything and relaying that information with the client.
I can see how the supplementary skills like, knowing linux, nmap, wireshark, python or some other languages, networking, HTTP, general IT, creating reports, interfacing with clients, etc would help, but I don't think any of those can only be gained exclusively from working a security role. Is it just that HR demands a security background before they let someone in that kind of position? Or is there a technical reason why you'd need to have a security background to work as a pen tester?2019 Certification/Degree Goals: AWS CSA Renewal (In Progress), M.S. Cybersecurity (In Progress), CCNA R&S Renewal (Not Started) -
PC509 Member Posts: 804 ■■■■■■□□□□Hit vulnhub.com and grab a few ISO's. Go through the walkthroughs and see the techniques. Eventually, you should be able to do it on your own. But, you learn a lot of various commands in the process and how they work (if you can't figure it out, you usually go look and find out). It's very fun stuff. But, by doing it that way you'll learn more Linux, get to do actual pen testing on vulnerable platforms, and some of them are based on vulnerable web applications which helps you with your current position as well.
If you decide it's not for you, nothing lost but time. -
IronmanX Member Posts: 323 ■■■□□□□□□□PetyrVeliki wrote: »CONS:
- In a few months I'll get 35 years old ... and spending a few years from now on to dig into a new area ... looks a little bit like I'm "too late and too old for the party".
I'm sure you could apply your web development skills into a career doing web application pen testing.