Is penetration testing a career worth pursuing?

9 points by zitstif ↗ HN
I ask this due to this article:

http://carnal0wnage.attackresearch.com/node/440

I think he made some very good points that most companies don't want to take an expensive test that they'll most likely fail and they just want to be compliant.

While I can see penetration testing diminishing in the corporate environment, I think it will most likely be a constant within the realm of the military.

What are your two cents?

8 comments

[ 3.0 ms ] story [ 28.3 ms ] thread
I'm not sure HN is the best community to be asking. Remember it was originally called "Startup News".

That being said -- pen tests are still valuable -- and PCI DSS mandates them. So there is definately a market for them.

I know the latest pauldotcom episode I listened to covered the "is pen testing dead" subject once more... Worth a listen to if you don't already and are interested in the field: http://www.pauldotcom.com/security-weekly/

No. Nowadays, pen-testing is something for entry-level security workers, often using stock tools. The whole "hacking" scene came apart when someone decided to certify "ethical hackers" after someone else decided to fly planes into buildings.
Entry-level using stock tools? That was the nineties. Hacking scene came apart due to ethical hacking certs after 9/11? No. The hacking scene was all about hacking in the beginning. Then some people turned white-hat and got security jobs. Then most people in the scene got security day-jobs by releasing tools and 0days to market themselves. Then organized crime started hiring hackers for projects. Now hacking is all about money, be it a security job or working for the Russians.
Security in general seems to be doing fine (ask tptacek), but I'm not sure how large the market for really good pentesters is - you'll need to be a lot better than Metasploit etc, which is difficult, and will penetrate almost every network, which is embarassing to your employer.

You can make a fairly decent living running Metasploit and turning the results into a nice report, too - but that's not "penetration testing" (as it is/used to be understood.)

Be better than metasploit? Run metasploit and turn in the results? You don't know what metasploit is.
That's not an entirely unfair criticism. ;-)

Would you like to try to improve on my comment?

Right now we have vulnerability assessments and penetration tests. There are still people who confuse the two. Chris Gates (author of the article) is talking about another tier emerging in the field: attacker emulation.

Right now penetration test can mean many things. It can mean a standard CEH/CISSP/other cert trained monkey running tools and generating a report from within your DMZ for two weeks. Or it can mean a dedicated team spending their days like a stalker in a dark basement putting LinkedIn profiles and IP addresses on a cork board until they see the opportunity to strike.

They're different tests needed for different situations. I do not know how big the market will be for these advanced tests, but some organizations need and will pay for them. It's fun work if you can get it.

So the article is drawing this line and saying: "hey talented guys, there's real work for us… we just need to be aware of what it is and not get discouraged". Penetration testing isn't dead, it's just becoming automated and the lower tier of it is becoming more well defined. The cool stuff still exists, we just need to call it something else.

How's that? As for making a career out of it? I'm not. I pen test now, but only because it's fun. Once the fun wears off, I'll go do something else.