My name is Trevon Greenwood, and I am a Junior Security Analyst at Redpoint Security. This post outlines my experience as a beginner in the field and what a day at work looks like for me. I have been with Redpoint for just over a year now, so I think I’ve accrued enough experience as a beginner to teach others how to be the best beginner they can. Whether in the Application Security field or other career paths, I hope you can learn something from me.
My background in web applications began with front-end web development and UX/UI design. I took a few boot camps/certification courses in that field before knowing much about offensive security. Around this time, Justin, a security consultant at Redpoint, suggested I consider penetration testing. He pointed me toward two helpful and beginner-friendly options for learning about offensive security. The two sources that are very important and relevant to me are OffSec and Burp Suite Certification courses. If you’re unfamiliar with OffSec, it is a massive learning library for many facets of offensive security. Offering hundreds of learning modules and classes, OffSec covers all kinds of training at any experience level.
Burp Suite’s certification course is another source of learning that has been an enormous help. If you aren’t familiar with it, Burp Suite is an intercepting proxy. An intercepting proxy is an application that works as a middleman between the client and the web server, allowing you to view and modify requests made to the server. There are several other popular intercepting proxies, such as OWASP ZAP or Fiddler, but Burp is just the one I prefer. Burp Suite’s course teaches you to find all vulnerabilities while familiarizing yourself with Burp’s interface and workflow.
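To make the "middleman" idea concrete, here is a small intercepting proxy written for this post as an added illustration; it is not Burp Suite's code or part of the original article. It listens locally, hands every request to an `intercept()` hook where a tester can read and edit headers and body, and then forwards the result to the real server and relays the response. The hook's rules (`INJECT_HEADERS`, `DROP_HEADERS`, `REWRITE_PARAMS`) and the hostnames in the usage are constructed values chosen only to show the mechanism.

```python
"""Minimal intercepting HTTP proxy (hypothetical example, not Burp Suite).

Run it, then point a browser or curl at http://127.0.0.1:8080 as an HTTP proxy.
Every request passes through intercept() before being forwarded upstream.
"""
import http.server
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode

# Constructed rules standing in for the edits a tester would make by hand.
INJECT_HEADERS = {"X-Intercepted-By": "example-proxy"}   # marker added to every request
DROP_HEADERS = {"proxy-connection"}                      # hop-by-hop header not meant for the origin
REWRITE_PARAMS = {"utm_source": "proxy-test"}            # form field to rewrite when present


def intercept(method, url, headers, body):
    """Inspect and modify one request; returns (method, url, headers, body).

    This is the point at which an intercepting proxy lets you see and change
    what the client is about to send to the server.
    """
    new_headers = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}
    new_headers.update(INJECT_HEADERS)

    content_type = next((v for k, v in new_headers.items() if k.lower() == "content-type"), "")
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        # Decode the form, apply the rewrite rules, re-encode, and fix Content-Length.
        fields = [(k, REWRITE_PARAMS.get(k, v)) for k, v in parse_qsl(body.decode(), keep_blank_values=True)]
        body = urlencode(fields).encode()
        new_headers = {k: v for k, v in new_headers.items() if k.lower() != "content-length"}
        new_headers["Content-Length"] = str(len(body))

    print(f"[intercept] {method} {url} headers={sorted(new_headers)} body_len={len(body)}")
    return method, url, new_headers, body


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    """Receives proxy-style requests (absolute URL in the request line) and forwards them."""

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        method, url, headers, body = intercept(self.command, self.path, dict(self.headers), body)
        req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                self._relay(resp.status, resp.headers, resp.read())
        except urllib.error.HTTPError as err:          # non-2xx responses still get relayed
            self._relay(err.code, err.headers, err.read())
        except urllib.error.URLError as err:           # upstream unreachable
            self._relay(502, {}, f"proxy error: {err.reason}".encode())

    def _relay(self, status, headers, body):
        """Send the upstream response back to the client, recomputing framing headers."""
        self.send_response(status)
        for k, v in headers.items():
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = do_OPTIONS = _handle


def run_proxy(host="127.0.0.1", port=8080):
    """Start the proxy; plain HTTP only (no TLS interception) to keep the example short."""
    with http.server.ThreadingHTTPServer((host, port), ProxyHandler) as server:
        print(f"intercepting proxy listening on http://{host}:{port}")
        server.serve_forever()


if __name__ == "__main__":
    run_proxy()
```

This handles plain HTTP only; real tools such as Burp also terminate TLS with a locally trusted CA certificate so that HTTPS traffic can be read and edited the same way.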
After gaining familiarity with these courses through lots and lots of practice, I was allowed to do some contract work for Redpoint Security. This contract work was an “interview” process to gauge my abilities in a real-world setting. After a couple of months, they decided to bring me on as a full-time employee!
That was just over a year ago. Since then, my work days have been filled with nonstop learning. Learning the testing process, from gaining new clientele to delivering complete reports, has been enjoyable. There is most often at least one project to work on every day. My primary role for return clients is to confirm whether or not they have made fixes to vulnerabilities found in previous tests done by Redpoint.
On top of that, a lot of the fun comes when we deal with new clients, as their apps haven’t been tested by us previously. This means I get to test my skills and find as many vulnerabilities as possible before the senior consultants get their hands on the app. This can also serve as a good benchmark for my performance to see if I am improving.
The last thing I want to cover is challenges and remediations for said challenges. My biggest challenge is one that I’m sure you are familiar with: impostor syndrome. It gets just about everyone in a workplace like this, which can seem overwhelming. Being the least experienced in the workplace is a recipe for impostor syndrome. So many complex systems vary from client to client, and it can be easy to feel like I know absolutely nothing. But that’s precisely the point here. As a beginner, it’s expected that you know significantly less than your seniors. Acknowledging that you know very little compared to the experts in your field is a great way to ground yourself in reality and realize that you are simply at one step in a long learning journey. In a field that changes as much as this, you are not the only one who feels like they might be behind. Asking questions will also help you build relationships in the workplace, giving you a consistent support system you can trust.
So that is my experience as a beginner pentester! I still have much to learn, but I already know so much more than last year because I have strived to learn as much as possible while I have time to do so. As with any other growth you may seek, it takes time and patience, both with yourself and the process. With that in mind, if you are a beginner, I hope this has helped boost your confidence in your experience. Or, at the very least, it helped give you insight into what a beginner is going through in this field.