Jump from experienced web developer into pen tester ... is it worth it?

PetyrVeliki Registered Users Posts: 1
Long story short:

I'm a senior full stack web developer and a few weeks ago I led a workshop on Progressive Web Apps. For this workshop I had to do a lot of setup on a Linux box - FTP accounts, web server, SSL, etc. ... and I really liked it. I've done such things before, but this time all was successful from-the-first-time :D ... and I really enjoyed the final result :) ...

So I decided to check if such work is for me and therefore I researched a little bit - the knowledge, the certifications (LFCE and RHCE) ... but unfortunately I saw it's less paid than my current job. At least in general.

During the research, however, I met articles and forum topics on pen testing ... I liked the topic and now I'm really considering beginning to dig into this.
Can you help me with some opinions on this, taking the following into consideration:

PROS:
  1. Experience as web developer will be helpful there.
  2. Even if I don't end up doing it - the experience in pen testing will help me be a better developer.
  3. Currently I'm using mostly Linux environments - at work and at home - so I already have some (minimal) knowledge to start with.
  4. The salary will be comparable to the one I currently get, and with a mortgage this is important :)
  5. The topic is interesting and so far I like the stuff :)

CONS:
  1. In a few months I'll get 35 years old :( ... and spending a few years from now on to dig into a new area ... looks a little bit like I'm "too late and too old for the party".
  2. I already see that it's hard for me to memorize some stuff :( ... for example - a lot of Linux commands. I'm confusing a lot of them (find vs grep, let's say: find requires the path at the beginning while grep - at the end) - and I cannot memorize that well. That's why I'm referring to the "man" for the specific commands, and I'm doing this a lot.
  3. Eventually I will have to start over my career, while I already have something solid (~10 years experience so far). This makes me feel like I'm risking a lot.

==========

However I already started watching videos and reading articles, mostly to "see" whether this IS for me or not.

To summarize: any advice is welcome :)


Regards,
P.

Comments

  • olaHalo Member Posts: 748
    It may be difficult to jump directly from your current position to a pentesting position even if you cert up.
    Most likely you would have to take a pay cut for a lower level security analyst or SOC position before working your way up to pentesting.

    However, if you know someone or have an opening within your own company then I say take the chance and go for it. You could always fall back on your web developing.
  • TheFORCE Member Posts: 2,297
    I actually think you might not be too late and no need for a pay cut. You already have 10 years of experience as a web developer, all you have to do is put some security into that. The jump is not that bad, I don't think so.
    Look at the below link, I think this will align more with the experience and knowledge that you have.
    https://www.offensive-security.com/information-security-certifications/oswe-offensive-security-web-expert/

    The rest will follow as you start to change more into the security mindset. You already have the programming knowledge to find holes or to develop code that instructs a web app to do what you want it to do. It might be a good jump if you enjoy it.
  • aderon Member Posts: 404
    olaHalo wrote: »
    Most likely you would have to take a pay cut for a lower level security analyst or SOC position before working your way up to pentesting.

    I hear this a lot and I've really begun to wonder why this is? I work as a security engineer and deal with just about every kind of security product there is, but other than working on the vuln scanners I don't see much of a direct correlation between what I do and pen testing.

    Granted, I'm no pen tester, so perhaps my expectations of what they do are way off. But, from my understanding, it's a lot of scanning, looking for vulnerabilities, creating or finding an exploit to use (perhaps modifying it a bit), using the exploit, using your newly found access to try to find additional info for elevating your account and spreading to other machines across the network, and then reporting on everything and relaying that information with the client.

    I can see how the supplementary skills like knowing Linux, nmap, Wireshark, Python or some other languages, networking, HTTP, general IT, creating reports, interfacing with clients, etc. would help, but I don't think any of those can only be gained exclusively from working a security role. Is it just that HR demands a security background before they let someone in that kind of position? Or is there a technical reason why you'd need to have a security background to work as a pen tester?
    2019 Certification/Degree Goals: AWS CSA Renewal (In Progress), M.S. Cybersecurity (In Progress), CCNA R&S Renewal (Not Started)
  • PC509 Member Posts: 804
    Hit vulnhub.com and grab a few ISOs. Go through the walkthroughs and see the techniques. Eventually, you should be able to do it on your own. But, you learn a lot of various commands in the process and how they work (if you can't figure it out, you usually go look and find out). It's very fun stuff. But, by doing it that way you'll learn more Linux, get to do actual pen testing on vulnerable platforms, and some of them are based on vulnerable web applications which helps you with your current position as well.

    If you decide it's not for you, nothing lost but time.
  • IronmanX Member Posts: 323
    CONS:
    1. In a few months I'll get 35 years old :( ... and spending a few years from now on to dig into a new area ... looks a little bit like I'm "too late and too old for the party".
    35 you only have 30 more years before you retire. I'm sure you can coast on the knowledge you have now for the next 30 years.

    I'm sure you could apply your web development skills into a career doing web application pen testing.