What career to pursue for the moment?

[stevo937]

So which job will land me a better pentesting job? And programmer or a network engineer/administrator?

I'm trying to pursue a programming job, but my experience and background would land me a networking job easier. I have experience with servers and a few certifications (network+, security+) as well. My Father is a network engineer and admin with his own business and has taught just about everything I know about computers. But I can code a mean programming, and is working on learning assembly language for finding them sexy exploits. Currently trying to understand all the registers and x86 language overall. Currently I'm memorizing the duties of the ESI (source index), EDI (destination index), EAX(accumulator), EDX (data), EBX (general), ESP (stack pointer), EBP (base pointer). I also know about searching for the all important EIP(instruction pointer). I also understand a few assembly operations like jmp, cmp, mov, and even the basics like memory segmentation. I understand overflows, but haven't quite figured out how to discover them. Gimme a few more months and I'll have a solid grasp. But because I've been lazy my grades in coding classes have fallen a little short (B's and C's). I know I could land a job as a Unix Admin, but is a hacker with a background in programmer better than a hacker with a networking admin job?

[ThePistonDoctor]

Think of it this way:

If you spend 5 years becoming a master programmer and can code any exploit to your heart's content, how are you going to get it onto the affected system?

1. Social engineering
2. Network attack/remote access

Your programming skills are useless if you have no way to dump your exploit onto the affected box. So personally, I would say understanding the networking technologies inside and out while touching up on your coding in the background is the way to go. Note that I do not say "understanding the networking technologies" in the sense that you know what routes and ping tests are for, but rather in the sense that you have actually used and configured the physical equipment (enterprise routers, switches, firewalls, etc), understand how IT interacts with the business, while also having a strong understanding of how one might go about (for example) changing their ISP, integrating an outside company into an existing mail domain, etc. That kind of stuff you will only learn as a network admin/engineer IMO and it is invaluable because it teaches you the inner workings of the IT world, as well as all the holes within them...

[orgcandman]

All that follows is from someone who has done both software engineering (currently) and network administration (10+ years ago).

Let me put it to you this way -

if you want to get into exploit writing, that's fine; just know that there are plenty of warm bodies who can code generic overflow exploit #100 (and that's buffer overflows in heap, stack, integer casting, etc.). The number of companies looking for that particular skill is not very large (and generally it's a, 'dont ask us, we will come for you'), and you're likely to get burned out quickly ("our fuzzing team found an obscure bug in this weird implementation of duff's device in this copy on cisco ios. the weaponizable exploit is due in 2 months - go!"). Additionally, assuming you'd like to eventually find greener pa$ture$ at some point, your CV makes you look like a great sustaining engineer - not a feature developer or lead. That's even assuming you find a job where they care that you know "how the metaware c++ compiler generates template code" or something else equally niche. Additionally, you get to fight with china and india every day trying to justify your job ("We can get three engineers for what we pay you; are you worth it?"). The hot trends right now are C# and Java, web technology that includes streaming video, and mobile device + social media inter-operation. Even telecomm is mostly focusing on delivering video to customers in a more efficient manner.

Network admin -
You take a lot of flak when things go wrong. When things go right, no one notices. Also, see the thing above about justifying your existence. You get to deal with a lot of terrible users who destroy your network and machines daily. They're far worse on a daily basis for your sanity than any hacker ever will be. On-call support is pretty awful, too. Especially when you miss family events to support someone who accidentally stuck a magnet to one of the drive cages and now needs to fix it.

I can't talk too much about penetration testing, but know this - what little I've done in that field (and it's only been part-time) points to it being a very tedious job. The only plus side is you get to break things when you're actually doing the test (which is pretty awesome, btw). I've been a software engineer for going on 13 years now, and before that was a network admin for a few different companies for 4 years (I ran a small IT business that did the support/setup/maintenance for multiple companies). I'd take the software job any day, hands down. I'd take feature development any day, hands down.

NOTE: take all of this with a grain of salt. If you find exploit writing very rewarding, and think you can make it work - go for it! There are people who do just that. Just know that you really need to be able to differentiate yourself from the pack - whether that's because you're an absolute super-star, or because you have a diverse background involving lots of different pieces (for instance, wimax drivers, various network protocol decoders, and varied open source projects).

[zacebid]

I currently have a degree in network security and its basically a hacking degree....Great decision


check out http://uat.edu/

Now I am an network security engineer for a dental healthcare testing agency.

[Archangel-Amael]

Kind of a generic thread title and as such, pursue a career that will 1, pay your bills and put food on your table, and 2. one that you will enjoy doing.