How to make it into info sec

Hello reader, if you’ve just started your first job in information security or you are looking for one, this material will definitely answer some of your questions.

I also prepared something sweet for dessert: at the end of the article you will find a LaTeX template for penetration testing reports that I created when I did the eWPT exam, but we’ll talk about that later.

First, let me tell you a little about myself. One and a half years ago I graduated from my Master’s program in Computer Science and I was super excited to start my first job in the information security field. I’ve been interested in hacking for a long time, so my goal at that time was to work as a penetration tester. But penetration testing is not the only thing you can do in info sec, right? So what else is there to do for a fresh graduate? After four months of job search, countless job applications and about 20 interviews, I can break down most info sec jobs in Europe into several categories:

  1. Penetration testing. Here consultancy companies dominate the market. They are one of the few who are willing to invest resources into teaching junior engineers. In my experience, these companies have a clear professional growth plan and a senior mentor for every new employee, which is pretty important in my opinion.
  2. Security analyst / Security Operations Center (SOC). This kind of job is more on the defensive side of security. If you are into incident response, investigations and monitoring for threats — this is definitely for you. Companies that offer these kinds of jobs are mainly looking for people who can process large amounts of data and detect malicious patterns among thousands of events.
  3. Code review. Personally, I think that code reviews are boring, but there are companies out there making money by reading someone else’s bad code, so I guess some people like it.
  4. Hardware security. Compared to consultancy, there are not many jobs in this category, but also not many people are into it, so there’s less competition.

The above list is, of course, not complete and based only on my observations. Besides those, there is an emerging blockchain field, DevSecOps or SecDevOps (whatever you want to call it), GDPR-related jobs (but I’ve never seen anyone hiring juniors for this) and others.

Below I will provide some interesting materials that helped me to get several job offers for penetration testing positions. Spoiler alert — university skills are not enough to get a decent job.

Free Learning Resources for Security

If you are a complete beginner, I can recommend the following websites:

  1. http://overthewire.org/wargames/ → it contains challenges of increasing difficulty that cover many security topics like web application security, crypto, binary exploitation, etc.
  2. https://www.wechall.net/ → same as above, but different challenges.

When you feel more comfortable with the tools and vulnerabilities, there are multiple projects that you can host locally and practice your hacking:

  1. OWASP WebGoat.
  2. DVWA (Damn Vulnerable Web Application).
  3. OWASP Juice Shop — my personal favourite.
  4. Metasploitable.

Some other places where you can find cool security challenges:

  1. https://www.vulnhub.com/
  2. https://www.hackthebox.eu/

Commercial Courses and Certifications

There are dozens if not hundreds of paid courses out there and all of them promise to make you the best hacker ever. Personally I don’t have experience with many courses and certificates, but I can recommend a few that I took myself. First of all, the University of Maryland has three amazing cyber security courses on Coursera that anyone can benefit from:

  1. Software Security.
  2. Hardware Security.
  3. Cryptography.

Regarding certifications, there are quite a few of them offered, but they are mostly theoretical. If you are interested in practical certifications to learn hacking and prove your qualification, the best are the following:

  1. OSCP — this is the most popular practical certification for hackers. Personally I did not do it, but I know from many people who did that it’s worth its price.
  2. OSWE — this is a rather new certification focused specifically on web application security.
  3. eLearnSecurity — this organisation has many practical security courses. I took one of their certifications myself. Below you can read my review of their Web Application Penetration Tester course and exam.

eWPT Course and Certificate

I will split my review into three parts: course materials, labs and the exam.

Let’s start with the course materials. I was impressed by the level of detail and quality of the material. It’s suitable for people with and without prior knowledge of web application security. The course was updated in August 2018, so it’s more or less on track with the modern technology stack. Out of 15 modules, there were only 2 things I was not happy about:

  1. Flash module. Seriously, Flash is a deprecated technology, not supported by modern browsers anymore, and will completely die in 2020. For me it was more of a “good to know” thing than something practical.
  2. In the module about web services, they give a much higher preference to WSDL and much less to REST. Maybe it’s just my perspective, but I see RESTful web services much more often being used in production environments than WSDL.

Now, about the labs. Here eLearnSecurity also took a nice approach to teaching. The lab materials consist of labs (tasks with a detailed step-by-step solution available) and challenges (tasks where you have to find the solution yourself). If you play CTF or solve other challenges online, the labs might seem too easy at first, but I believe this is intended for beginners. The further you go, the more challenging the tasks become. To be honest, with some challenges I had to scratch my head for many hours before I could solve them.

Finally, the exam. It was truly a bittersweet moment for me. Only after starting the exam did I realise that even though the course materials were updated recently, the exam was at least 5 years old (I guess that’s why the course is v.3 and the exam is v.1). After completing all the labs and course materials, the exam scenario was too easy for me: I managed to find the majority of vulnerabilities and fulfilled the requirement to pass in 2 days. Unexpectedly, the most challenging part for me was to write the report, as I had never done that before.

After completing the eWPT course and exam, I can conclude that the latter is oriented more towards students’ report-writing skills and less towards the ability to find vulnerabilities, unlike the labs and course materials. In the end I am satisfied with the course, but I hope they will improve the exam scenario in the near future.

Penetration testing report LaTeX template

The one and only LaTeX template for penetration testing reports on the Internet. No kidding. Check it out on GitHub:

https://github.com/robingoth/pentest-report-template

P.S. The report looks much better when there’s more data in it.