Web Application Penetration Tester Work Hours

Hello Everyone,

First, I would like to say thank you to everyone on this website. The information and experiences that you put on this site regarding certifications have been really helpful with me acquiring my certs. Thank you so much!

So, I am in a Security role right now and my educational background is Information Security. I am thinking of becoming a web app pentester, however, I am wondering if web app pentesters have to work after hours regularly. I have responsibilities outside of work which are incompatible with regular after hours work.

I was hoping to get some input on how the work life balance is for a web app tester. What are the typical work hours. Other pros and cons. I don't really want to spend a lot of money and effort on web app tester certs and then find out that I have to work after hours regularly or work really long hours. I appreciate your help in advance.

Find more posts tagged with

Comments

JasminLandry

Hey @The_Interceptor and welcome to TE!

I do web application penetrations tests pretty often and yes I do need to work after hours sometimes. The only reason being that the application owner don't want to take a chance if something messes up during production hours. But like every question in the security field, the answer is "it depends". So depending on the company you work for, you might not need to work after hours. But for me I spend quite some time doing bug bounties so my life balance is pretty bad right now! I have to limit the number of hours I do bug hunting so I can spend more time doing other stuff and not sitting and staring at my screen all day long.

The_Interceptor

Thank you for your input Jasmin. It sounds like you might be involved in doing freelance work. I am wondering if this is also the case in corporate environments. How do you like the field overall. Is it as exciting as it seems? Is money and demand very good? Thanks.

JasminLandry

I actually am in a corporate environment. Depending on the department and application they own, they don't always want us to do tests during the day unless it's non prod. It's actually a policy, we can't do anything unless we get permission from a director or someone that's higher up. I've never brought a site down but people are always a bit worried about this stuff and what can potentially happen.

I really love the field, the community is great. I'm part of a few Slack teams where you can chat and ask for help from other ethical hackers or even just Twitter. And yes the money is very good, well it is for me anyway. I've seen someone on Twitter who does only bug bounties as a living, he doesn't have a job and in 2017 he's probably going to get close to a $1M, he's up to around $750K right now. The money is not that good in a corporate environment but I won't complain as I still make good money for my age.

ITSpectre

Good thread so far. Im interested in this because this is my goal after my OSCP....

ITSpectre

JasminLandry wrote: »

I actually am in a corporate environment. Depending on the department and application they own, they don't always want us to do tests during the day unless it's non prod. It's actually a policy, we can't do anything unless we get permission from a director or someone that's higher up. I've never brought a site down but people are always a bit worried about this stuff and what can potentially happen.

I really love the field, the community is great. I'm part of a few Slack teams where you can chat and ask for help from other ethical hackers or even just Twitter. And yes the money is very good, well it is for me anyway. I've seen someone on Twitter who does only bug bounties as a living, he doesn't have a job and in 2017 he's probably going to get close to a $1M, he's up to around $750K right now. The money is not that good in a corporate environment but I won't complain as I still make good money for my age.

What is your typical day like? Do you spend more time writing reports or penetration testing? or is a mix of both? Also what are some skills you have acquired on the job... that a cert will not teach you?

Also forgive me but what is a "bug hunt"? is that where you get on a system and look for bugs and exploits?

The_Interceptor

Thanks for clearing that up. Looks like it does involve after hours work. Web app tester at my current job also has to perform after hours testing a good portion of the time. I figured it may be different at other places. Your input is really valuable and I am interested in seeing if other responders have a similar work schedule. I was really hoping that it can done during regular work hours. Since you are testing apps I felt like you can get a copy during the regular hours and do your work. May have to take another route if that turns out to be the norm for everyone. May concentrate on a different branch of security at work and do web app on free time when possible. That way I decide when I work. Money that can be made with bug bounties seems awesome! Thanks for your help.

JasminLandry

ITSpectre wrote: »

What is your typical day like? Do you spend more time writing reports or penetration testing? or is a mix of both? Also what are some skills you have acquired on the job... that a cert will not teach you?

Also forgive me but what is a "bug hunt"? is that where you get on a system and look for bugs and exploits?

I spend most of my day penetration testing with the other parts being reporting and meetings. I don't spend that much time reporting because I take notes and screenshots along the way so I don't have to get back to it later on.

To be honest with you, all skills that I have acquired on the job is all based off of certs, books, reading blog/forums, and also Hacktivity on HackerOne. What I have learned the most is using the tools that comes with it. When I started doing this, I was using Burp and I wasn't really comfortable with it, but now that's not the case anymore as I'm really comfortable with it, I have it open almost all the time.

Yes bug bounty hunting is pretty much that. You look for bugs like XSS, XXE, CSRF, LFI, RFI, etc on web sites and then they reward you for what you found. For example, I found a few bugs on some Microsoft sites, another one on eBay, Oracle, ISC², Sophos, Netgear and a few private programs and got paid for them (not all of them pay though but I still got on their Hall of Fame). Most of the programs are only web based but some do have like reverse engineering, IoT hardware related stuff, mobile apps, source code reviews, etc. Feel free to DM if you want more info on this. It's a great way to learn and get payed at the same time.

ITSpectre

JasminLandry wrote: »

I spend most of my day penetration testing with the other parts being reporting and meetings. I don't spend that much time reporting because I take notes and screenshots along the way so I don't have to get back to it later on.

To be honest with you, all skills that I have acquired on the job is all based off of certs, books, reading blog/forums, and also Hacktivity on HackerOne. What I have learned the most is using the tools that comes with it. When I started doing this, I was using Burp and I wasn't really comfortable with it, but now that's not the case anymore as I'm really comfortable with it, I have it open almost all the time.

Yes bug bounty hunting is pretty much that. You look for bugs like XSS, XXE, CSRF, LFI, RFI, etc on web sites and then they reward you for what you found. For example, I found a few bugs on some Microsoft sites, another one on eBay, Oracle, ISC², Sophos, Netgear and a few private programs and got paid for them (not all of them pay though but I still got on their Hall of Fame). Most of the programs are only web based but some do have like reverse engineering, IoT hardware related stuff, mobile apps, source code reviews, etc. Feel free to DM if you want more info on this. It's a great way to learn and get payed at the same time.

Sent you a DM!