17 things I've learned in my first month as a security engineer

Remember how I write a blog about drivers and Windows and stuff? SURPRISE! Your drivers girl is now a security engineer. As a kid, I actually went through a phase where I wanted to be a hacker when I grew up - guess I’m livin’ the dream now. A lot of people are curious about what it’s like to be a penetration tester (which is a person who is paid by the good guys to hack into things before the bad guys can. That way, the good guys can fix it).

Here are 17 things I’ve learned in the past month on the job as a pen tester.

  1. I am painfully, acutely aware that my website doesn’t use HTTPS. I’ve been stuck waiting to get the cert for the past several months… I should revisit that. edit: it’s fixed! Praise Turing.
  2. For the most part, I can’t really disclose what I do all day at work other than “I try to break stuff in interesting ways”.
  3. The room we sit in is well-lit and there aren’t as many black hoodies as stock photos would have you believe.
  4. There is, however, some evil laughter when vulnerabilities are discovered.
  5. Hacking is only part of the job - a large portion of it is communicating results to the people you want to fix your bugs.
  6. Engineers secretly don’t like it when you want them to fix security bugs, even if they know it’s the right thing to do (can confirm, was previously engineer told to fix security bugs).
  7. All software is terrible (every software engineer already knows this, so this was just a reaffirmation).
  8. A LOT of acronyms. CSRF! APT! ATP! MSRC!
  9. How to find and exploit some classes of vulnerabilities. Muahaha.
  10. It’s okay to not have a security background to become a pen tester! Having a regular software engineering background plus the ability to learn fast has been super useful in starting the new job. Then, after a while, I figure I will have a security background.
  11. People will almost always present their systems in a way that makes it look 100% secure (because they’ve already addressed any vulnerabilities they’ve already thought of). You need to try to figure out what they didn’t tell you about - that’s where the vulnerabilities probably are.
  12. I need a background check every year or so to make sure I haven’t been using all my vacation time in jail or something.
  13. It is hard to make a plan to keep up my knowledge of hardware/kernel mode/device drivers while working on security for a user mode product. Help.
  14. Brains cannot absorb infinite information in one day (but that won’t stop me from trying, dammit).
  15. What a penetration tester is - I’d never heard that term before a few months ago. Had to Google it really fast when the hiring manager of my current team reached out to ask if I’d ever consider working there.
  16. A lot of my coworkers in the drivers space didn’t know what a pen tester was either when I announced I was leaving to go do it. Some suspected it involved testing writing utensils, so that makes me feel better.
  17. Doing my first red team exercise was the most fun I’ve ever had at work ever. I think I’m in the right place, guys.
Written on August 8, 2018