View Single Post
  #8   (View Single Post)  
Old 25th November 2010
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by guitarscn View Post
...I would eventually like to get into the security field and start being able to audit code for zero day exploits, on top of performing the compulsory penetration testing routine as well.
Getting past the compulsory details first, here are two introductory C titles:These have been around for a long time, & many reviews can be found for each. I haven't read, used, or taught from either, so I cannot vouch for their fortitude.

I, too, learned C from K&R2, & I am also of the opinion that learning C as a first language is problematic. Others here may disagree, but anyone wanting to discuss this point should do so in a different thread. I only point this out here to admit my own bias.

I also cringe at the thought of learning assembly language without having some general programming experience first. The problem in both cases is that both C & assembly language are very rich in the manner that expressions can be chained together, & without maintaining some discipline which comes from experience, the resulting program structure can be an unintelligible mess.

If your goal is to become a pen tester, I see three aspects you need to focus upon to reach your goal or modify your expectations to be more realistic:
  • Pen testing is not a common gig within the industry. Conduct research to find out what jobs in your area resemble what you want. My experience has been that these jobs can only be found within companies peddling security products (& there are a lot of bad ones...), or these will be found in large companies (eg. Cisco, Juniper, IBM, etc.) either focusing on network or hardware products. There are some tiny shops who are eager to get their name in the press for finding some exploit, but they live on finding exploits such that someone else with either hire them or buy them out. Many of these companies come & go with the blink of an eye.

    Collateral to finding out what jobs are available is finding out what skill sets employers are looking for in potential employees. This is important because this will show you how you stack up to your competition.
  • Recognize that the OpenBSD project's view on security is only one among many. Although I don't advocate that certifications offer much additional credibility, having a cert on a resume is better than having a blank resume. More important is the knowledge & perspective which comes from studying general security issues. You might want to look at what is required by the CISSP to see where you stand in comparison.
  • As opposed to asking for book titles, you will gain from going to a local college/university library and/or bookstore to see what C books they have available, & perhaps looking through whatever textbook is currently being used in their fall/winter C programming courses. Night classes offered by the local public school system will also likely have an introductory C class. This may be an avenue to accelerate where you are on the learning curve.
I can only guess that pen testing would be a significant career change. At this point, you are looking to fill in your deficiencies. Most people I know who ended up in these positions were either very experienced sysadmins, or software or networking developers. This may give you an idea of the background expectations.
Reply With Quote