Recap
OK, so it’s been a little while since my last update. Christmas, combined with progressing a property transaction, has taken me away from this blog for longer than I would have liked. Combined with the ongoing Azure security studying as well, it almost feels like I haven’t got much to report at this point.
Anyway, to the topic at hand: penetration testing.
Security Qualifications: Dope or Nope?
How could I go about getting in on this gig? Oddly, when looking up people on LinkedIn who are penetration testers, nearly all of them have either a computer science or cyber security degree. Those who didn’t seem to have a sparse set of qualifications.
This led me to wonder how they could actually demonstrate their competency in the field. In a YouTube video on MalwareTech’s channel titled “Do InfoSec Certifications Matter”, the channel’s main man Marcus Hutchins states that there are other ways to demonstrate your value. For example, creating a blog about your work and keeping your coding portfolio in a public GitHub account. GitHub can act as an accessible reference that verifies your work, just as much as any certification.
I guess so far I have achieved the setting up a blog part, but I have yet to post anything that demonstrates my InfoSec knowledge. As for GitHub, all I know at this point is that it’s used for hosting source code and applications, complete with version control and community interaction.
So at this point, where do I go? Another message that came from that video is the fact that certs help when starting out. This is mainly by giving you a means to understand the jargon of specific product lines. For example, you may take the AWS Certified Cloud Practitioner exam just so you can demonstrate that you know Amazon EC2 is just a brand name for virtual machines.
Weighing Options
As I have mentioned before, the one cert that does seem to matter is Offensive Security’s OSCP. If I am to operate in the UK as a penetration tester, then having additional certs from CREST such as the CPSA and CRT would allow me to work on Government projects. However, a fairly recent scandal reported in The Register stated that one of their affiliate organizations had extensive cheat sheets to aid their staff in passing the exams. What impact this has on CREST’s credibility going forward is yet to be determined.
Regarding degrees, I’d have to do it part-time and likely through something like the Open University. This would mean committing 16 hours a week over 6-8 years, just to obtain a Bachelor of Science degree. I suspect the InfoSec threat landscape and even technology in general would have evolved quite heavily over this time. Therefore I don’t think it would be wise to pursue this particular qualification now. For master’s degrees, the only professionals I’ve seen with them are senior managers and directors. I guess if I wanted to move into that kind of role in the future, it would be something I’d have to consider.
Going Forward
I feel at this point, it will be all too easy to overcomplicate things. So I will be doing the following:
- Research the OSCP syllabus.
- Map out the core skills and tool knowledge required.
- Find training or project activities to develop the above.
- Assess my progress by signing up to VulnHub and/or Hack the Box and seeing if I can pop some boxes.
- Review and assess from there.
The above sounds simple enough, but having looked through said syllabus, it’s actually a lot of work. This is not something I am going to get done in, say, three months of part-time studying. Going forward, further blog updates on this topic will likely be about the different tools and skills I’ve covered while learning.
Have you thought about doing commits to something like the BSD Project?
I think I’d need to develop a far stronger foundation before committing to a project like that. But it’s something to consider.