HACKER Q&A
📣 john_the_writer

As a security expert, do you still build?


I've been a dev for around 20 years. I love the idea of security work, both for the challenge, and the ability to learn more about how to protect myself.

I've been looking at the industry for a while now, and the only thing holding me back is I think I would miss building things. I've avoided management for the same reason.

As a JS/Rails/Elixir/C++/Java dev I build something my users use (even if those users are other devs).

Do InfoSec people still build things? What sort of things do you build? Who are your users?


  👤 howlett Accepted Answer ✓
You can gear yourself to write security-related tooling as /u/uaas mentioned, but you'd effectively still be a developer and not a pentester. If that's what you're after, you'll get exposure to InfoSec but you will never do actual pentesting to find vulnerabilities etc. I mean you might, but the companies that offer you both are very few.

I made that exact jump from development to pentesting 6 years ago, after about 10 years of development. Will you miss development? Absolutely. Are there opportunities to scratch that itch? Yes there are - but it's with scripting. The things that can be scripted to make you more efficient are insane. Your ability to understand not only what is broken but also why it's broken will help you advance yourself. You have probably even coded that exact bug in the past so you know where else to look, and you know how to do code reviews. In general, the need for pentesters with a dev background is very very high, especially since now companies worry about supply chain attacks, SDLC, etc.

My solution was to keep coding in my spare time; when I have an MVP I show it at work and then ask for time to work on it. I've significantly improved internal processes, and I've released a few offensive security tools, two of which I even presented at security conferences - as in full-blown applications rather than "here's a script that does X". This way I get to pentest and provide solutions to industry-related problems. One thing to note is that most of the security tooling out there (the open-sourced ones) is very Python/C#/Go-centric. I've seen applications written in Rails/Java that didn't get the love they deserved just because it's a pain to install them. I had to learn both Python and C#, but it was totally worth it.

If you do make the jump, get ready to take a salary hit as you'd be hired as a mid-level consultant at best - and that's only if you've proven that you know a lot about cyber security, OWASP vulnerabilities, etc. But don't let that stop you, I've seen people join the industry as juniors and in 6 years making over 6 digits (UK). YMMV, but if you put in the time and effort, it's worth it.


👤 uaas
How about building security related tooling?