
Thank you for coming for the continuation of day two of Hire Ground. I'm Kathleen Smith, YesItsKathleen on Twitter. I'm the lead and creator of Hire Ground, because we wanted to create a safe and valuable space for people in the community to learn about their careers, get advice, get feedback, and be able to have beneficial conversations rather than being hounded by a recruiter. In the afternoons we do career coaching and resume reviewing. Resume reviewing is done by recruiters that I trust and vet, who are part of the community, and then career coaches who have had more than 10 to 15 years' experience and have had a varied career, so that we know they can provide you advice on the different challenges that you've had, or if you want to switch from one industry to the next.

I'm really excited to have Phil with us this morning. I've always seen him presenting at other conferences and I finally got up enough, you know, gumption to ask him to submit a talk, because I can't pick, I have to just ask people to submit. Just so you know, we are recording this, so Phil's going to have to stay really close to the mic, but also you don't need to take screenshots of what he's going to present, because you can just go back and watch it on YouTube later. So with that, Phil, thanks for coming and joining
us here. Thanks for having me. Thanks, everyone, for joining today, and thanks to Kathleen for recommending me to submit a talk here. This is an awesome village for me, because one of the things I love doing is helping other people. A few years ago... you know, I've always been a competitive person. I used to compete in powerlifting, and I worked in a jewelry store before, selling jewelry, and always wanted to sell the most. Oh, you know, when I was 15 I got shot and the bullet went through my heart, and I actually almost died from it, but the thing I was worried about, lying on the ground before the EMTs got there, was that my 250-pound bench press would be passed up by my classmate. So I've always been super competitive, and you know, in the industry you always try to be competitive too, and when you get to be almost 60 years old it's hard to keep up with the younger people. It's easier to stay up to three, five a.m. in the morning learning, whereas when you get older it gets more difficult; you need more sleep to recuperate. And one of the things I started thinking about is to play towards my strengths. I was always a lot better mentor and coach than I was a pen tester, although I did well at pen testing, but I'm patient, I like helping people, I'm a pretty decent listener, so that's what drew me to that area. So I'm honored to be here, and this is actually the perfect village for me to be speaking at.

So for those of you that don't know me, I'm Phillip Wylie. I have my CISSP, OSCP, and SANS web app pen testing certifications. My current role is manager of tech evangelism and enablement at CyCognito, so speaking is part of my job: doing webinars, podcasts, going to conferences, as well as education internally, because our product does some of the things that pen testing does and security assessments do, but to be able to explain to our salespeople how those items work. So it was a good fit for me. So I've been in offensive security for a little over 10 years, a total of 18 and a half years in cybersecurity; prior to that I was a sysadmin for a little over six years. And so I used to teach ethical hacking and web app pen testing at Dallas College, and really that's what got me started in speaking at conferences, because my book, The Pentester Blueprint, came from a class lecture which got turned into a conference talk and eventually a book. I also run a couple of different groups, The Pwn School Project and DEF CON 940 in Denton, Texas. I'm the concept creator and co-author of The Pentester Blueprint, and I host a podcast called The Hacker Factory podcast on ITSPmagazine. So if you're interested in hearing some inspiring stories and advice from others, it's a good platform. We've had Dave Kennedy, Alissa Knight, but the interesting thing is the people that just got into the industry, those are the ones that usually interest people the most.

And so I like to share this slide of how I got into pen testing, because when I graduated high school in 1984 I was a powerlifter, you know, just your stereotypical, you know, meathead powerlifter, you know, all brawn, no brains, and I didn't think I'd ever be, you know, using my mind for a
living. So I like to share this because some people have imposter syndrome or a lack of confidence and don't think they can do it, and you can. If I went from being a pro wrestler to being a pen tester, you can do it too if you're passionate about it and want to learn. That's great; some people are gifted and they learn it well, but really the people that have the passion, the desire, and the persistence, they'll outperform the people that are gifted, because they're putting in the time, they like what they're doing.

So I started out as a pro wrestler, needed a more stable career. I'd worked putting up fences, worked in retail sales, was a bouncer at a nightclub, did all sorts of jobs back then, physical security and other things. I really liked... I really couldn't keep a job or work at a place long, because I didn't enjoy what I was doing. I was working at a jewelry store, and the family that owned the jewelry store, they were starting a new chain and they wanted me to be an assistant manager there, but the manager of the store had someone else he liked better, and I kind of learned at that point I've got to get some skills, and it's got to be based on something. Although when you get in the industry there can be some politics, but you know, when you're working retail sales and working in restaurants, a lot of times your promotions and stuff are based off whether the manager likes you and so forth. So I went to a trade school and learned AutoCAD, did that for a while. Before that I had no computer experience, and I found I had more of a knack for the computer side of things, so I taught myself how to build computers, got Novell network certified, and then got my first job contracting for a company doing server and workstation rollouts. So during that sysadmin period of my career I found out about information security, so I moved into the security team at the mortgage company I worked for, started out doing network security, also some security assessments and risk assessments, and then we had a new CSO come into the company and he set up an appsec team. He had more of a modern view of the way companies were doing things, so I got to move over to the appsec team, and that's where I found out about pen testing. I was managing third-party pen tests that we'd have consultants come in and do, as well as doing some vulnerability scanning. I got to go to some vendor demos of WebInspect, the web application vulnerability scanner, and it really got me interested. And so in 2012 I got laid off and I went to work as a pen tester.

And one of the things that helped me, and the advice I like to share, is if you don't have all the experience, everything needed, still apply, because what got me the job was I was talking to the hiring manager: I'd run vulnerability scanners, I worked in security, I had a sysadmin background, I had some base-level knowledge. I didn't have the hacking piece, I'd never performed a pen test, but he saw that at home I had a home lab and I was teaching myself. I taught myself how to do web design, I hosted a web server at home with my clients' websites, set up Sendmail for my mail transfer agent, and hosted my own DNS. So I got this experience, so he saw that I like to build things and learn on my own, and so that helped me get the job, because I really wasn't qualified. The guy took a risk on me, and when I got into that I had to learn how to do pen testing, so I took the OSCP, where I gained my hacking skills. So if you want to do this, apply for it.

I've had students that come in really ambitious the first day of class, saying, "Yeah, I want to be a good pen tester like you, but I want to do it in a shorter period of time." So, yeah, the more time and effort you put in there, you can get in there as quick as you want to. Second week into the class he comes up and says, "Hey, do I have to read the textbook if I want to be a pen tester?" So I said, "Well, then you need to spend more time in labs, learn the hands-on piece, because that's important." And then he turned around and at the end of the semester he got an internship as a pen tester, and he was like the last one in the class that I thought would get it, but just from his motivation and passion he was able to get the job. So don't let thinking you don't have all the skills, you know, let a job pass you by, because, you know, you apply so many times, and maybe you apply that one time, the first time, without the skills; maybe you wait five or six years, and unless you're, you know, applying, you're not going to get the job. So I highly recommend doing that. There are so many jobs out there needed, and sometimes your background kind of resonates with that hiring manager, so if you're a sysadmin or you worked on help desk, they can kind of relate, and sometimes that'll help you get fired... let me get that right, hired, not fired, that's a different topic. Yeah.

So, just to kind of cover some
basics here. So what is pen testing? Pen testing is assessing security from an adversarial perspective, the same way a threat actor would, using the same tools and techniques that they would use. And pen tester is also the shorter version of penetration tester, and it's also known as ethical hacking, and sometimes it's easier to explain it to people as ethical hacking, although you tell some people sometimes, "I'm an ethical hacker," and they'll ask you, "Is there really such a thing as an ethical hacker?" They don't realize that you can do that. I mean, it's like having lock-picking skills: you can do that for good or bad, but pen testing or hacking seems to get kind of a bad rap.

So as far as getting the experience, you know, you need the knowledge, but you need the experience with the tools, so taking some different online courses like TryHackMe, Hack The Box, you know, different CTFs and stuff, learning how to use the vulnerability scanners. Like the OSCP certification, I don't know if they've updated that where you can use vulnerability scanners, but they don't let you, but in the real world you're using vulnerability scanners, so know how to use those tools. So for vulnerability scanners, you can download a 16-IP version of Nessus, which is widely used in pen testing. You can download that and scan 16 IP addresses, so you could do pen tests for small companies, your home lab environment, and 16 IPs is a pretty good amount of IPs to learn how to use Nessus. So get in there and get that experience with that. And also learn the different pen testing Linux distributions like Kali Linux and Parrot OS, and you can even build your own using Ubuntu and install the tools, but one of the things I'll say is, when you're using one of these pre-built distros it's easier to install the tools, because sometimes they do some tweaks to get tools to work. So if you're trying to install something on Ubuntu, there may be all sorts of missing Python-type items in there, like pip add-ons to Python, to be able to install with that; you have to do all that, so sometimes it's easier and faster to use Kali and Parrot.

And then pen testing tools: nmap is one of the most widely used tools you'll use as a pen tester, because there are even Nmap Scripting Engine scripts that will perform vulnerability scanning. Whenever I perform a pen test, the first tool I use to verify findings is nmap, because there are different Nmap Scripting Engine scripts that you can go through there and validate certain findings. So if you do a search for that you can find that. So when you're performing a pen test you do vulnerability scanning, you use other tools to detect vulnerabilities, but you have to validate those findings, and so that's where nmap comes into play, and you can also do manual pen testing with nmap. So there's a vuln script, that's just "vuln", that you can use in your Nmap Scripting Engine syntax when you run your nmap scans, and you can find some of these vulnerabilities. And so understanding how to use nmap is very important.

And then Metasploit is a very popular exploitation tool. They have a free version, whereas a lot of the other exploitation tools like Core Impact, some of those other tools, they don't have a free version, so Metasploit is widely used and you can do pretty much everything with that that you can with Metasploit Pro. When I've worked in organizations where we had Metasploit Pro, I would stick with Metasploit Framework since I was used to the command line. So understanding how to use those tools: you can download Metasploitable. There are several different versions of that; Metasploitable 2 and 3 are some of the best versions. But the good thing about Metasploitable is they created those VMs originally so you could test Metasploit against it, and some companies will do that also for their vulnerability scanners: they'll either have a vulnerable website online or vulnerable VMs you can download to practice using their tool. And the Metasploitable VMs give you enough vulnerabilities that are exploitable that it would be equal to, you know, several different VMs on your system that are vulnerable, so it takes up less disk space, and there are exploitable items on there that you can use, and you can find some walkthroughs to learn how to exploit those vulnerabilities. And there are a lot of other different tools within Kali Linux that are very helpful.

So as far as commercial tools, just to kind of learn this on your own, you've got Burp Suite Community. It doesn't do some of the things, but you've got OWASP ZAP, so you can use that. So there's a lot of functionality you can get out of these free tools; you don't have to have the paid tool to learn those skills to get into the industry. And so also learning the web app pen testing tools like Burp Suite, OWASP ZAP, and web application vulnerability scanners. And one of the things too is, I really focus on, if you're wanting to get into pen testing, really work on the web app pen testing stuff, because there are bug bounties out there. That's an easier way to get real-world experience, and that experience will help you get a pen testing job, because you're able to describe how you found vulnerabilities, even exploited them, during an interview. Back in 2020 I was looking for a new pen testing job and I interviewed with a
very famous boutique pen testing firm, and the hiring manager was telling me that they have an easy time finding web app pen testers, because people are participating in bug bounties and they're able to get that experience. There's not that much opportunity when it comes to network pen testing that you're able to find these opportunities. Some bug bounties will have that, but you don't see that as often; they usually have the things that you can test from the internet, so that makes it easier for them to test. So understand that web app pen testing piece.

So, the pen testing skills. It's good to understand some networking. You don't have to be a CCNA, but be able to set up your IP information within your pen testing distribution. You know, if it's an environment that doesn't have DHCP, you'll know how to statically assign an IP address to your system. Be able to understand routing and subnetting enough so if you see an environment you're going to understand different subnets, whether you're able to test from that VLAN or move to others. So you don't have to be a guru in networking, but you need to know some of it. And then operating systems: you want to understand operating systems at a sysadmin level, because if you get a shell to a system, if you know Linux you're able to do things on that system, to shut down services, do further testing; if you understand Windows and know the right commands, you may be able to shut down a firewall. So understanding that from a sysadmin level works out great.

And one thing I'm saying now: if you're just getting started and you don't have that experience, don't let it overwhelm you, you know, saying, "I'm not going to be able to learn how to pen test, I have all this stuff to learn." Learn in parallel. As you're learning Windows, how to install it, learn how to secure it at the same time, learn how to exploit Windows as you're going along. So you don't have to wait and get through all this and then start the hacking piece; kind of do it in parallel as you're going along.

So understanding the hacking and pen testing piece, that's where I was at when I got my first pen testing job. So platforms like Hack The Box and TryHackMe are really good. I really like TryHackMe because it's very beginner friendly. They've got some basic-level stuff that you can go in there to learn, and it advances and you gain more advanced skills as you go along, but at least it starts you at an easier level. Some platforms like Offensive Security, when they came out they were more geared towards providing certifications for people that were pen testing, so you had to be at a certain level before you did that, or there was a lot of study to prepare for that, and so some of these have gotten better with some of their prerequisite training materials for the OSCP. But things like TryHackMe are very cheap and they've got some free rooms, so that's a good place to get those hacking skills.

And reverse engineering is a good skill to have. You know, if you find an Android APK file on a network while you're doing a pen test, it may have some credentials that are contained in there, hard-coded credentials. So maybe they give out the APK and you're able to authenticate and you get access to the system. So look for those hard-coded credentials, any kind of database information, how to connect to databases, and Java files, Java JAR files, can be reverse engineered to find default credentials, database information, other things helpful on a pen test. So reverse engineering is not as complicated as it sounds, you know, understanding the basics of coding, just looking, even viewing the source of a web page, looking for maybe some hard-coded credentials, database connection information; sometimes in the HTML hidden fields, sometimes there's good information there that you can find.

Coding and scripting can be... this is kind of not required to get started, but as you advance in your career you may want to do that, because if you're able to write your own tools and scripts once you get to that advanced level, it's going to help you progress in your career. But when you're starting out you don't have to do it. I see a lot of people that want to become a pen tester but they're going to learn Python first. No, start learning, and you can learn Python along the way.

And then also mobile and device hardware. If you're someone that really understands that, that may be a place for you to get into, but understanding mobile devices, you know, especially how some of the applications work, because the applications for mobile devices, iOS and Android, need to be pen tested, and some bug bounties actually include those as well. And one of the things too is there's less talent in the mobile testing space, because a lot of things were kind of slow for people that are already in the field: maybe they started out pen testing and they totally didn't train on cloud or some of these other devices, mobile testing, and they have to go back and do it later. So sometimes these newer technologies that are not so new now, like cloud and mobile, learn that, because a lot of the experienced professionals don't have skills in that area. I mean, I've worked on 15-person pen testing teams at a bank and there were only like maybe two or three of us that could do mobile pen testing, and sometimes it's not always... it's up to you to learn on your own, and sometimes you don't get the opportunities to do that in organizations. But so if you're really trying to break in, learn that. Some of the upcoming technologies, or some things that are really hot now, is API, knowing how to API pen test, because that's another one where there's not as many skills at that, as well as even getting into some of the Web3 stuff, some of the blockchain pen testing and stuff. Beau Bullock from Black Hills, he's got some information out there on being able to pen test blockchain. So as we move towards that, understanding those technologies and kind of start learning that. If you're just starting out and you learn how to pen test blockchain, 90, let's say probably 95 percent of pen testers out there don't know how to do that, so that could be your step to get into pen testing, and also some of those more complex areas like that could be a lot more interesting to learn as well.

And so, getting the pen testing experience. So bug bounties are crowdsourced pen testing, so like Bugcrowd, Synack, HackerOne, Intigriti are really good
ones to start out with. I heard Intigriti is probably one of the better platforms because there's not as many people on it. Get out there, get the experience. If you're not finding bugs that you actually can write up, that you get credit for, if you find duplicates, you're still finding vulnerabilities. Think about, you know, you're able to go through a job interview and you're able to tell the hiring manager how you found cross-site scripting or SQL injection during these vulnerabilities. So that's actual real-world experience, so that's something that you can put on your resume.

And so pen testing as a service is a little different. What they do with pen testing as a service: Cobalt offers that, Synack, Bugcrowd, and HackerOne I believe added that. And so what they do is... some of these, I think Synack may be able to pay a little better, but like Cobalt, you get $1,500 to perform a pen test, so whether you find bugs or not, you're getting paid, and this is real-world pen testing experience. You get that experience, you do that for six months to a year, then you go apply for a full-time pen testing job and you'll make a lot more money. Fifteen hundred dollars a week is not much as a pen tester, but once you get those skills it's easy to make six figures working as a pen tester as an internal resource. But this is the way you get experience, because, you know, back years ago you didn't have these opportunities to get that experience; you just had to get lucky like I did and get hired by someone willing to give you a chance. So these are good ways to get experience.

Pro bono pen testing: so any nonprofits or religious organizations, you could perform free pen tests for them, and not only pro bono, you can do low-cost pen testing. Maybe you're making a little bit of money; they can't afford to pay, you know, someone like Black Hills or TrustedSec for a pen test, you know, what they charge. I've seen people that were doing a pen test for a nonprofit that were charging a thousand dollars for one week. That's very fair compared to what, you know, a consulting company is going to charge.

And so common vulnerabilities and exposures, CVEs. Getting CVE numbers on your resume is good, because there's a lot of pen testers out there that don't have CVEs. I don't have any CVEs. If I could have figured out how to, if I would have been in the right place to record my iPhone screen... I was able to find a bypass one time, back when Apple was still on the touch screen, without using the home button to get in. I was able to do it, and Apple said, "Yeah, you need to record it with a camera or something," and every time I'd be out at a stoplight it would come up, a pop-up would show up, I'd go touch it and it would open up, and I'm away from home, I couldn't get a camera, so I was never able to get it. But regardless, that was like the closest I'd come to getting a CVE. But there's a lot of people that don't have them, because they had certifications, they got in. So CVEs are a big thing. And Joe Helle, if you've heard of Joe Helle, he goes by The Mayor, he started playing around with finding CVEs and he's able to find a lot of them. And so if you look on Medium, he has an article called "How I was bored one night and found two CVEs," and what he recommends is downloading some of this free and open source hotel booking software, just different free software. Download it in your environment, install it and find the bugs, and then write it up. You get CVEs on there; that's going to go a long way towards helping you get the job. In some cases some hiring managers would hire someone for CVEs over, they would like, an OSCP or some other certification, because this is showing you something you did in the real world as opposed to an environment used for testing your security skills.

And one of the things too, when mentioning the bug bounties and stuff: once you get those skills, sign up for Cobalt. Go on there, and what they do is they'll give you an assessment. They give you like a vulnerable VM or a vulnerable environment or application that you have to perform a pen test against, and if you do good enough you're going to get recruited. So if you've got the skills to do that, which you're gaining through all your learning, you'll be able to sign up and get on with them. Like I said, they're paying $1,500 per pen test for like 35 hours of work, and that's pretty decent side money, and then once you get the experience you can move on to full time.

And so, further information, how to get the experience, the simulated experience. You know, we were talking about bug bounties, real-world experience. So CTFs are still good ways to get experience. If you're in college, National Cyber League is like a national competition, it's a CTF, and they take the rosters of people and rankings, and employers will ask for that information, hire people from that database. If you're in a college that does the red team, blue team games, the CCDC, competing in those, hiring managers will hire from that. So Hack The Box, TryHackMe, getting experience in those environments. You know, if you've got a really good ranking somewhere on one of those platforms, that's good to have. And then a home lab using vulnerable VMs. I used to really stress that a lot, but with all these other online platforms I think that's probably a better way to go, because some of the vulnerable applications you find online are more real world. Juice Shop is another good one; you can actually go to the Heroku cloud service and install your own Juice Shop instance and test across the internet there. So using these CTFs, TryHackMe and Hack The Box are really great ways to get experience. TryHackMe and Hack The Box also have a lot of great education material. Hack The Box kind of took a page from what TryHackMe was doing and started their Academy, so that's a really good way to learn those environments. Home labs are good, but there's all this stuff built so that you don't have to spend the time building your home labs. At one time that was really pretty much your only option, but now with those resources you're able to do that.

And so, how to showcase that experience. So when you're doing these Hack The Box rooms and TryHackMe and all this and CTFs, write those up, write an article on Medium, as long as, like Hack The Box, you're able to disclose and do write-ups. There may be some vulnerable VMs they
don't want that disclosed but she can even do this privately so you could have a GitHub account or medium or whatever the blog platform and you can do like write-ups on the vulnerabilities you found even if you're doing bug bounties you know write up some of the findings you may want to redact it to make sure they'll see the customer information but write these up and you can actually prove it goes a long way of proving you know what you're doing and that you can communicate that and communication skills sometimes are lacking you take some of the best hackers and they're not really good at writing you know we're living a world where you're sending text
messages you're sending acronyms not completing full sentences so those communication skills are great so if you're able to go medium or write these up even do like you YouTube videos on these walkthroughs in these rooms if there's been a lot of people that have built their careers as content creators you look at the Cyber Mentor Heath Adams he was learning and did a lot of his education to to train to teach himself made all these videos and now he's got a pen testing company been working as a pen tester Kelly certifications offering certifications but he started out as a content creator and now it's such a great environment for that there's a lot of other people I
don't know if any of you uh know who Michael Patrick or Fearless from uh infosec Twitter he uh networked in the in the industry and that's how he got in and also finding cves that helped him get a job and so GitHub to display scripts so if you're writing any scripts so if you're creating some automation for some of these these different platforms you're working on put those scripts in in that GitHub so that way it goes to show you're doing things you know because you can go in some place you say you're doing all this stuff but if you can prove it you're gonna it's gonna go a long long way for helping you and your
efforts to get a job so you see a lot of people that are experienced professionals with the GitHub out there if writing is your thing right you know you can do write-ups or on different uh ctfs even your overall review of like the Sans challenge that they do each December write that stuff up people see that and they'll find you because social media YouTube all those platforms the more people know who you are the easier you can find a job for me now whenever I got started out uh you know when I got started security there wasn't Twitter LinkedIn has started out but now if you get on social media you go to conferences and network with folks it's
able to get you in there and so creating videos and writing blog posts is a really good way to get uh experience and showcase your talents and with the nice thing about Medium as a platform people that are interested in the same subject as you will find your write-ups and stuff and another prime example of someone that really took off too is Ronnie Khalil have you seen any of her oscp write-ups and videos and stuff she also does a lot of good content for Port swiger's web application Security Academy she does write-ups and videos on that and so that really got her a lot of exposure and those people can go anywhere get a job
anytime so you may not have the experience yet but if you can demo that on a display you know on a video I've seen people do talks at conferences and local meetups I saw recent college grad at one of our local Defcon groups did a talk on malware analysis analysis A hiring manager from city was at and the off in the audience and asked for his resume he already saw his technical skills through his presentation so just getting out there if it's even a smaller platform in meetups or either going online through social media those are really great ways to to get that uh exposure out there and display what you're not what you're uh
what you're learning and on your resume you know talk about the different things you're doing ctfs the different uh platforms you're on try hack me and hack the Box talk about the different rooms that you've completed and just kind of you can list this under your training under education and you can put the you know the the different skills on there and if you're wanting to be a pen tester and you're looking for that job and you're studying and training for that on your LinkedIn profile put aspiring pen tester because you're going through learning you know the same way someone is going to college to get a degree you know people know they're studying for that so let people
know that. And here is my connection information, so feel free to reach out to me. And also, if you go to my YouTube channel, I have a whole semester's worth of my pen testing lectures. The book was based on the PenTest+, but in those videos I do some hacking demos as well to share my real-world pen testing experience. When I started the class we were using Georgia Weidman's book as a textbook, but then the PenTest+ came out that year and I wanted to be able to offer my students a way to get a certification, so we moved over to PenTest+. So like I said, those lectures, if you go
in there, there's a playlist on there with all those lectures for the PenTest+. I just talked to someone recently that passed the PenTest+ certification, and they said that the videos actually helped them in their certification process. And so that concludes my presentation, but I'm happy to answer any questions that you may have.
And for our audience at home, if someone asks questions, before you answer it... Yes. So here's the pen test god, ask the question. I may not be the guy, but I'm the person... I help people get in the industry because it's interesting. I have, my domain name is thehackermaker.com, so I really like helping people get into the industry, so definitely good at helping people get started. So did you have a question? Questions, and if you can't think of it now, feel free to reach out to me on Twitter, LinkedIn. I'm always monitoring my DMs and happy to answer your question. You may get out of here, hear something later on and come up with a question,
but feel free, and feel free to connect either way. I'm always happy to connect with people; one of my favorite things that come with these conferences is getting to meet my friends in person, to meet new people. Yes. Yeah, what do you want me to... is it a mic or no? You just ask the question and he'll repeat it. Sorry, we're limited. Careers, most challenging... and I'd say probably one of the most challenging pieces was when I was first getting into cyber security. Once I had that base level experience, and one of the things too, if you're working in other areas of security, it's not going to be difficult to move into other areas of security, but first
getting into security, because I had my CISSP, I had some of the domains, I'd worked in physical security, I used to work for a company doing CAD that designed prison security systems, so I had that. But just getting your foot in the door, and sometimes if you're working for a company, you're in IT or maybe in other areas of the company, try to move into those different groups. Get to know the people in the pen test team or the security team that you want to move into; you know, go out there and network with those folks. Sometimes they may let you shadow them; some companies have programs so they'll
let people shadow other people in IT or security, but that's the more difficult thing. And so the question was, someone asked what was the most difficult thing in getting to change careers. And one thing to realize in changing careers: conferences like this are really excellent for that, because especially if you participate in any of the CTFs or any of the Pros versus Joes, being able to network with the people that you're competing against or that you're collaborating with, really, you know, you are learning that you can work with those people, and then you find out where they work, or they can recommend you, because I can tell you more than 80, 85 percent of jobs are
filled through referrals. So network at an event; if you've followed someone on Twitter and you finally get to meet them, building these relationships in the community is not just, you know, one tweet, one DM, one Slack message. It is a layering of meeting people, following them, engaging on Twitter, engaging on LinkedIn in a respectful manner. It is a really great way to build your connections in another industry. Question? Okay, yes. Probably LinkedIn, yeah. Someone asked what was the best medium to reach out to me for mentoring and I said Medium, I mean LinkedIn. So yeah, I do that a lot, in a lot of cases. And one thing I recommend too, if
you're looking for mentors, you don't have to have one specific person to take care of all of it. Find several people you can go to, because people have different experiences and can help you out. So one of the things I do is I never turn away people I mentor, but what I'll do in a lot of cases, I'm able to provide someone with enough information, they go off and study and learn, and then they come back later on when they have other questions. So yeah, if anyone wants, needs someone to mentor, advice, you know, a lot of times I'll message through DMs or we can set up a Zoom call. I'd be happy to mentor people and give you
advice, because one thing is I get a lot of people coming to me wanting... because from when I was teaching, people always came to me looking for entry-level pen testers, and I not only recommended my students but other people I knew; if I knew their skills, knew they could do certain things, I'd recommend them. And I love to refer people; actually, at my former company I'd referred seven people while I worked there, seven people. So one, a mentor-mentee relationship (because they should stand closer): a mentor-mentee relationship is a two-way responsibility and relationship. Don't just ask someone "can you mentor me"; have three specific things that you want to get from that person and three things
that you're going to be able to provide them back. It is not all take, take; it is give and take. He's not the only one on this stage that's over 60, and I can tell you when I was starting my career there were no women in an executive position, so there is something called virtual or ghosting mentoring. I just found people on Twitter, on LinkedIn, on social media that I really liked, who they were professionally and personally, integrity, and I just sort of stalked them. You know, that's how we connected through Twitter; we stalked each other. So realize that you can stalk someone in a respectful way: follow what they write, read what they post, engage with them a
little bit. It was really sort of gratifying to me: I work in the government contracting space, and one of the people that I was stalking became the first female CIO for the government, for GSA, and I went to her and I thanked her for being my, you know, sort of mentor, and she turned around and said, "well, you've been mine". So it was one of those wonderful moments. So, another question in the back, Josh.
Yes, the question was, how, if you go through all these steps to learn this, how do you get past HR to be able to get into hiring managers. And so one of the things I say there is your networking is really going to be helpful, going to your different meetup groups, because, and the thing is, a lot of people refer to it as the HR firewall, because sometimes they don't understand; you can have some certification that's just as good, but they don't understand if they've got a written-up job description and they're fitting to that. So if you know someone in the company... you know, I hear a lot of people, sometimes if they see someone
they're connected to on LinkedIn, maybe I'll know them, maybe not that well, maybe they'll message them and say, "hey, I'm interested in a job in your company, could you pass my resume on". In a lot of cases people will do that, and so that's the biggest thing, is directly connecting with people. A prime example here is I work for U.S. Bank, and I got the job there, but around the same time I applied for a job at Bank of America, you know, kind of the same type of company, same type of experience and so forth. I applied online; I didn't hear from them until a year later. I knew someone, I got referred to U.S. Bank, and I got a job offer and it
was like a very minimal process: I got the interview, two interviews, and I got the job. Otherwise, like U.S., you know, if I'd applied online it might have been the same scenario, because a lot of times HR, unless you find someone like Kathleen as far as recruiters, some recruiters don't understand that space. So the more people you can get to refer you, get to know those people and do that. And sometimes, like even for me, if you're looking for a job I will share, for people, share people's profiles, say "hey, you know, Jason's looking for a job, he's looking for a pen tester role or a junior pen tester role, this is his experience", tag them in it,
and that way they get the response and, you know, the value of my connections to help them get the job. But yeah, just make sure... the networking piece is very important. I don't even really have to go through recruiters anymore, just because of my networking with people. And one of the things I have to say too: go past just connecting with someone; don't just connect and forget about it, maintain those relationships. Because I'm at conferences, I'll see people that run conferences; like at Texas Cyber Summit I'd run into sciatic nerd that runs BSides San Antonio, we would talk and I would get asked to do a workshop,
or other opportunities would come up because I was talking to someone that runs HouSecCon. So when you see those people, make sure to talk to them periodically, just say hi, and sometimes meet people for coffee when they're in town, like we've been up before. So yeah, just constantly connect and just keep those relationships going, because, you know, people will forget about you after a while, but if you maintain those relationships, opportunities just constantly keep coming.
Yes, the question was if I had experience with purple teaming and balancing the red team with the incident response. So really, the thing is you have to really make sure that you're communicating, and this is a group effort. The one company I worked for, we were doing purple teaming; it was a really good process, because the defenders, incident response, were really interested in seeing these exercises, because it's one of the best ways to mature your organization. Because you can perform pen tests, vulnerability scans, and go through those iterations and remediate, and you can't constantly be pen testing; normally you don't have resources. But if you're able to run purple team and you're able
to take tools out of the hands of attackers, like Mimikatz, different PowerShell scripts, risky PowerShell hygiene in the environment... So the experience I had was at a large global consumer company; it was a really good experience. I would say probably the IR folks and defenders were more interested in the what than the red team, and there's some really good scripts out there, like Atomic Red Team; Red Canary has the Atomic Red Team scripts, and some of those are scripts you can run; they don't have payloads. So like you can run Mimikatz and it does have a payload, it just has that signature, so you can cut down the risk in your environment, and
that's good too if you're wanting to bring in junior-level pen testers or red teamers, to let them use those tools safely in that environment.
up here and
I need advice on how to important purely... Okay, yeah, someone said they had QA experience on the UI/UX side, and one of, how to get... they work in the different sprints for the software development life cycle, and how to get pen test experience. I would say, if you haven't, familiarize yourself with like the OWASP Top 10 and use like the OWASP Testing Guide. Start learning web app pen testing, because one of the things too, organizations will a lot of times have their AppSec folks or their DevSecOps performing DAST, you know, they're scanning and doing static code analysis through that process, but sometimes they're running pen testing, so
if you're able to learn pen testing, there may be an organization in your company that does the pen testing after you go through that process. But if you're able to do some testing, maybe even learn how to retest those items after a pen test; if you go back and retest those things to see if they're vulnerable, to make sure they're remediated before they go back to the pen test team to retest, that's a way for you to get those skills while working in your area. I've known several people working in QA that have moved into application security or web app pen testing. So learn those skills, and PortSwigger's Web
Application Security Academy is a great place to learn; it's all free content, and they show you how to use Burp Suite, which is a very popular industry tool that's good to use. So I would start with that resource, and OWASP Top 10, OWASP Testing Guide, kind of learn those. And once people know you can do that, they're going to get you to test it, because maybe they need to retest it right now but the pen test team is not available for, you know, a couple weeks or a month; you're able to test right away. So that's a good way to get in there, and once they see that, if
they need someone in that group they may recruit you over. So, good question.
[Applause]