This topic contains 1 reply, has 2 voices, and was last updated by taken_every_username 1 month, 3 weeks ago.
- November 27, 2020 at 12:20 am #334465
I’m a software engineer currently. I’ve worked in backend dev, frontend dev and then transitioned into systems where I’m currently writing C and C++ code for a range of platforms and architectures. I reckon I’ve got very good knowledge of software (high level web stuff and low level hardware programming) and have dabbled around security when implementing projects in the past. I’m good with networking too. However, I’ve never done any genuine black or gray box pentesting. It’s always been testing applications I have written. I recently started playing some online challenges like the CTFs on Hacker101 and I’ve got some of the ones recommended on the pinned post here on my todo list.
I’ve been considering a move into white hat hacking and just want to scope out how this field looks and whether the reality sounds as fun as the vision.
Is this a hobby or a career path for you? How much does the career differ from the hobby?
If you do this as a career, what is your job role and what does it generally consist of?
Are you working as a tester where you are validating newly built features?
Is the work contract based (agency work) or are you part of a permanent team in a non-security company?
Are bug bounties at all feasible for making money (they seem too good to be true)?
So far I’ve been writing quick scripts myself, but there is so much noise about things like Kali or Parrot.
While I see the incentive, I’m a little too married to my flavor of Arch and i3 and don’t like the idea of pre-installing a bunch of tools which I don’t know how to use. I would much rather iteratively build a library of tools that I know how to use and can rely on (very Arch mentality, I know).
Do Kali and Parrot actually get used in day to day jobs?
If not, what tools are common in the job area?
It seems like most of this stuff is FOSS, which I would much prefer to proprietary tools. This field doesn’t look too sold out to massive corporations yet, but I worry it will be soon (*sideeyes* Burp). Are the proprietary tools worth it at all or is the FOSS stuff enough?
I really appreciate the help, it’s very tricky to dig through all the trash information on the net, which seems increasingly saturated with low value articles and bootcamps. Getting some advice from people that have navigated this already is priceless.
- November 27, 2020 at 12:20 am #334466
I’ve been doing all the things you listed (freelancing/contract work, employed as full-time pentester, software and feature tester, bug bounties). Right now I’m employed full time but thinking about going back to freelancing while transitioning back to a career in academia.
What’s my job role? I work with clients to make sure whatever they want tested gets properly tested. Products, whole companies, web apps, hardware, anything basically. Most customers come to us out of compliance necessity. The only thing I did not expect in my role is the amount of resistance by clients. Everyone you interact with usually has an incentive to not let you find issues or wants them downplayed or removed in the final report (developers, tech/business leads, investors, etc). Dealing with these people takes up a surprising amount of my time.
Are bug bounties worth it? Not as a main income source, and much less so when you are just starting out.
On operating systems: It doesn’t fucking matter. I also use my Arch with i3 and just get whatever tool I need for the job, although most of the time I just hack together a script with some Python libraries.
The field will not be sold out anytime soon. I’ve seen plenty of pentesters that throw Nessus and Burp at things and call it a day, but there is a world of vulnerabilities they are gonna overlook.
If you got any other questions feel free to DM me.