Ask HN: Best route to software dev from pentesting

3 points by wepple ↗ HN
I'm currently contracted as a penetration tester, but I find the most exciting part of my week is when I get to code new tools and actually create cool things.

I've looked at junior positions doing software development (I'm interested in mainly django and android at this point) but they still often require a fair amount of experience.

I think I've probably developed quite a bad coding style - generally my projects are small, fast, and developed for me so hardly make it to release, which is something I've been reading up on to improve.

The upside is that I know a pretty wide range of tech - as a pentester I have to do code reviews of most common languages, I know low-level networking fairly well, I obviously understand security very well, and have a mindset built around the fact that every couple of weeks I'm given an application/technology I've never seen before and have to understand it really fast.

Do you have any pointers as to what the easiest way to get into software development might be?

4 comments

[ 4.1 ms ] story [ 22.1 ms ] thread
Hi, I'm about to learn pentesting, I'm a dev/sysadmin/designer. I've not thought myself the complete lecture, but the definitive way to go for you is learning everything over @ http://mitpress.mit.edu/sicp/

I suggest that you leaern C and Python, because as a Pentester, these are the languages that are most relevant. C++/C#/PHP/Java etc. might be nice to have, but you can solve all of your tasks with C and Python more efficiently, thanks to the great Frameworks that have developed around these langauges. Checkout Continuum.io, NumPy, wxPython, wolframalpha.

If you run out of ideas, run this # pip search framework

Here's an example of what can be accomplished with Python: http://en.wikipedia.org/wiki/List_of_Python_software

Where should I start learning Pentesting? (I know Metasploit a little)

Can you code? Can you work in SFBA, Chicago, or NYC? You could contact me directly.
If you enjoy your pentesting role enough to continue doing it for awhile, start a side project (you don't have to publish it on Github if you don't want to) that's more ambitious than a pentesting tool.

Are you a network penetration test person, or primarily an appsec person? Another step you could take (talking my own book here, admittedly) is to move to an appsec firm, which will have you working in software full time. If that's something interesting to you, you can ping me directly; I probably know firms working wherever you are.

Most of my career has been as a software developer, actually shipping software. If I thought longer I could probably generate more advice, but my basic advice to you is to realize that most employed software developers are not all that great; you might be making things harder for yourself by applying for "junior" roles. Can you code? Can you build working systems? Apply for dev jobs. You'll eventually get one.

Put your email in your profile, people in HN might see this post and want to reach out.