Security, Programming, Pentesting



Linked In


Cheat Sheets


17 August 2016

I was a Junior

by {"name"=>"Stephen Haywood", "url"=>"https://twitter.com/averagesecguy"}

In the beginning

I went to college to study Computer Science. Unfortunately, the college I attended only offered a Math major with a Computer Science concentration, so that’s what I did. I learned programming from an excellent man named Dan Fetters. He taught me two very important programming lessons: first, never trust user input and second, always document your code. I left college and started working as a developer, which lasted about a year. I took a teaching job, High School Math, for another year. That did not go well but it prepared me for teaching at New Horizons, where I learned a lot of new skills and became and MCSE. The MCSE lead to a Sysadmin job, which included some information security. That lasted almost three years and then I moved on to work for an systems integrator who asked me to get my CISSP. This company was a sinking ship so I got out as soon as I could thanks to a man named Bill Karwisch, who decided to take a chance on a junior infosec guy with a newly minted CISSP.

I am the Junior

Bill Karwisch had the most profound impact on my infosec career. He took a chance on me when I didn’t think I was worth taking a chance on. He taught me how to write reports, I’m pretty sure my first few reports had more revisions than actual text but Bill was patient and I eventually learned. I’ve moved on to work with two pentesting companies since then and I’ve never received bad remarks about my report writing skills. Bill is also the reason I learned Ruby; we had a system that would automate a lot of our report writing and it was written in Ruby. It was at this time that I started my Twitter account and met people like Carlos Perez and started contributing to Metasploit with his help and encouragement. Working with Bill I was primarily doing auditing not pentesting and I wanted to be a pentester. The company paid for me to get my OSCP which allowed me to get my next job as a real penetration tester.

Still the Junior

I moved on to work with Sword & Shield, a penetration testing firm in Knoxville, it was there that I met Adrian (@sawaba), Adam (@tatanus), and Matt (@realconehead). These three men took me under their wings and taught me so many new skills, I can’t count the number of times I would go to one of them and say, “I’m on a box with this level of access, what can I do from here?” They would get up from their desks, take time out of their busy schedule and walk me through some new technique or give me ideas of attacks to try. With their support I became a better tester and I was able to then teach other folks.

Finally the Senior

I moved on from Sword & Shield and worked a stint at Tenable doing API development but I had to get back into penetration testing. Even with my 2.5 year lapse, AppSec Consulting took a chance on me an hired me as a Senior Penetration Tester. It wasn’t a complete lapse as I was doing contract pentests while I worked for Tenable, but still I was a chance none the less. Now that I am a Senior, I try to help out whoever I can however I can. I get questions by email and Twitter about how to use tools I’ve written, talks I’ve given, or my free Intro to Penetration Testing book. I am also encouraging AppSec to hire Junior penetration testers and train them up. I know they see the value in it and I hope we start hiring some soon. In the mean time, if you are a Junior penetration tester and want help moving up, email me. I’ll help you in any way I can, resume review, career advice, conference talk reviews, whatever. If you are a Senior penetration tester, I would encourage you to do the same for any Juniors you know.