Is penetration testing a career worth pursuing?
I ask this due to this article:
http://carnal0wnage.attackresearch.com/node/440
I think he made some very good points that most companies don't want to take an expensive test that they'll most likely fail and they just want to be compliant.
While I can see penetration testing diminishing in the corporate environment, I think it will most likely be a constant within the realm of the military.
What are your two cents?
8 comments
[ 3.0 ms ] story [ 28.3 ms ] threadThat being said -- pen tests are still valuable -- and PCI DSS mandates them. So there is definately a market for them.
I know the latest pauldotcom episode I listened to covered the "is pen testing dead" subject once more... Worth a listen to if you don't already and are interested in the field: http://www.pauldotcom.com/security-weekly/
You can make a fairly decent living running Metasploit and turning the results into a nice report, too - but that's not "penetration testing" (as it is/used to be understood.)
Would you like to try to improve on my comment?
Right now penetration test can mean many things. It can mean a standard CEH/CISSP/other cert trained monkey running tools and generating a report from within your DMZ for two weeks. Or it can mean a dedicated team spending their days like a stalker in a dark basement putting LinkedIn profiles and IP addresses on a cork board until they see the opportunity to strike.
They're different tests needed for different situations. I do not know how big the market will be for these advanced tests, but some organizations need and will pay for them. It's fun work if you can get it.
So the article is drawing this line and saying: "hey talented guys, there's real work for us… we just need to be aware of what it is and not get discouraged". Penetration testing isn't dead, it's just becoming automated and the lower tier of it is becoming more well defined. The cool stuff still exists, we just need to call it something else.
How's that? As for making a career out of it? I'm not. I pen test now, but only because it's fun. Once the fun wears off, I'll go do something else.