
Switching to security testing


    Having done a little security testing in the past and seeing as I’m getting a bit jaded by functional testing and system testing (+/- 15 yrs experience), I’m considering moving to security testing. I’ve looked into the certifications so I can see a way to approach it, but I’m really more interested to know what the prospects are in terms of contracting. How good/bad are the rates for security testers? Is it a growth market with plenty of contracts?

    Any advice appreciated.
    And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014

    #2
    WHS, I would like to know too.



      #3
      Originally posted by Mich the Tester View Post
      Having done a little security testing in the past and seeing as I’m getting a bit jaded by functional testing and system testing (+/- 15 yrs experience), I’m considering moving to security testing. I’ve looked into the certifications so I can see a way to approach it, but I’m really more interested to know what the prospects are in terms of contracting. How good/bad are the rates for security testers? Is it a growth market with plenty of contracts?

      Any advice appreciated.
      Security testing is an odd one. No one really employs internal security testers, they want external third parties to test for them so most of the industry is made up of specialist security testing companies and most of the big consultancies have a testing arm.

      The scope for contracting is pretty limited from what I've seen, I've been on the implementation side for years rather than testing directly.

      Testing itself is seen as a technical job but not a particularly complex or involved one. Most security vulnerabilities are known and documented and testing is easily automated and scripted. Jobs don't pay hugely well and there doesn't seem to be much of a contract market.

      The deep technical stuff is in identifying new threats and vulnerabilities and is more akin to coding than testing. A lot of it is done by independent security researchers and findings are usually put in the public domain for free, as a loss leader to generate security consultancy business.
      "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



        #4
        Originally posted by DaveB View Post
        Security testing is an odd one. No one really employs internal security testers, they want external third parties to test for them so most of the industry is made up of specialist security testing companies and most of the big consultancies have a testing arm.

        The scope for contracting is pretty limited from what I've seen, I've been on the implementation side for years rather than testing directly.

        Testing itself is seen as a technical job but not a particularly complex or involved one. Most security vulnerabilities are known and documented and testing is easily automated and scripted. Jobs don't pay hugely well and there doesn't seem to be much of a contract market.

        The deep technical stuff is in identifying new threats and vulnerabilities and is more akin to coding than testing. A lot of it is done by independent security researchers and findings are usually put in the public domain for free, as a loss leader to generate security consultancy business.
        thx
        Might it be more of a useful sideline to testing than a career choice?
        And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014



          #5
          Originally posted by Mich the Tester View Post
          thx
          Might it be more of a useful sideline to testing than a career choice?
          Probably, best bet might be to bring it up when you do other testing work where you can see it might be needed, and offer it as an additional service.

          When I was contracting it was something I would offer to do for a client as part of the initial gap analysis, to show where the major weaknesses were, rather than as a test of what I'd done for them at the end of the project. I always recommended they get a third party to do it if they wanted a proper objective test.
          "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



            #6
            Originally posted by Mich the Tester View Post
            thx
            Might it be more of a useful sideline to testing than a career choice?
            If you are serious about it, then I would look at the Certified Ethical Hacker qualification, which would be good to have, IMO.

            I've considered doing it in the past, as it interests me, rather than doing it as something that might be a money-spinner.
            If you have to add a , it isn't funny. HTH. LOL.



              #7
              Originally posted by The Wikir Man View Post
              If you are serious about it, then I would look at the Certified Ethical Hacker qualification, which would be good to have, IMO.

              I've considered doing it in the past, as it interests me, rather than doing it as something that might be a money-spinner.
              Thx

              That’s the point; it’s something to get my interest rekindled as I feel like I’ve seen it all and done it all in testing. I haven’t, obviously, but that’s how I feel. I’m a critically minded type of person and I like to do things that ‘break the rules’ for the right reasons. However, obviously I’ve got accustomed to a certain income level and don’t want to see that drop too much.
              And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014



                #8
                Something else to consider for pen testing is a very clear statement of what you are and are not allowed to do on the network. Getting that part right needs diligence by both parties.
                There are cases of people being arrested for overstepping.

                So getting the qualification above would be a good start, but it was good to hear how poorly it paid; I don't think it is worth pursuing.



                  #9
                  There's plenty of material to whet your appetite on the OWASP website. Free downloads and testing guides.

                  The testing part's here:

                  http://www.owasp.org/index.php/Categ...esting_Project

                  As a start you could look at incorporating various security tests into existing tests (SQL injection, that sort of thing) and build up a security test library from there.

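To illustrate the suggestion in post #9 of folding injection checks into an existing test library, here is an added example that is not from the thread or from OWASP: a small reusable check, run against a deliberately string-built query and against a parameterised one, over a constructed in-memory SQLite table. The function names, sample users and probe strings are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample accounts for the stand-alone demo (not real data).
SEED_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed probe strings; none of them is a real username, so a correct
# lookup must return no rows and must not raise for any of them.
INJECTION_PROBES = [
    "' OR '1'='1",
    "alice'--",
    "x' UNION SELECT password FROM users--",
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_concat(conn, username):
    # Deliberately weak: the input is spliced into the SQL text, so the
    # database parses it as SQL rather than as a value.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Hardened: the driver binds the value; it is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def injection_findings(lookup):
    """Return (probe, reason) pairs for which `lookup` misbehaves: it either
    returns rows for a username that does not exist, or raises a database
    error, which shows the probe reached the SQL parser."""
    conn = make_db()
    findings = []
    for probe in INJECTION_PROBES:
        try:
            rows = lookup(conn, probe)
        except sqlite3.DatabaseError as exc:
            findings.append((probe, f"database error: {exc}"))
            continue
        if rows:
            findings.append((probe, f"unexpected rows: {rows}"))
    return findings
```

Wired into a test suite, `assert not injection_findings(lookup_under_test)` is the kind of check that can sit alongside ordinary functional tests and fail the build when someone reintroduces string-built SQL.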


                    #10
                    I started off many years ago doing security testing. My original contracts were 5 - 10 days at a time where larger security companies had taken on too much work. Most of it was work from home as well.

                    CEH is ok, but if you want to get into some hard core exploit building I would suggest doing a SANS course. To get a good insight I would also suggest going to one of these events. Also, to get an idea of what is happening in the market try Infosec. It's free to attend if you register before the day. I normally attend all 3 days.

                    From reading your posts I feel that you could also be quite good at the forensics side of security testing.

                    Hope that helps.
                    SUFTUM

                    May life give you what you need, rather than what you want....
