Intro Link to heading

If you read my blog, you probably understand by now that I’m passionate about software. I’ve been trying to get to a point in my career where I’m able to audit source code and find issues in software projects not written by me. In fact, this is my “short” term goal for the next 5 years. Of course, you don’t need to read the source to be able to find bugs, there are other ways. These “other ways” are usually dependent on how well you understand a given system and how well you can spot misconfigurations in them.

I’m proud to say that I’ve successfully passed the PJPT and CPTS certification exams in the past year. These certifications, especially the CPTS, have given me confidence in my ability to find misconfigurations in a system and show how they can be exploited.

Now, I’d love to do the obvious and start studying for OSCP, but I’d like to remind you that the exam costs upwards of USD $1700. The cost of this one exam is equal to around 4-5 other normal certification exams. This, I feel, is a bit ridiculous. I want to earn money, not run out of it after one bad financial decision. Of course, this is one person’s opinion and the rest of the internet does not subscribe to this idea (at least for now).

Let complex things stay complex Link to heading

Being a penetration tester requires a special kind of mindset which needs to be cultivated over time. Just passing some tests is not enough. Although many will tell you that a certification is enough to prove competence, it seldom is. Understand that the real world is nowhere near as vulnerable as some of these exam environments. Windows Defender can actually stop several attacks that are taught as part of these courses. Similarly, tools like suricata and CrowdSec can detect suspicious activity on linux systems. Of course, evasion or obfuscation were never a core focus of these courses, but it is important to know that there are limitations to what you will learn if you follow the same path.

Real life environments are 10x more complex - with more tools to configure, more people to protect and more software to manage. That being said, complex things can always be broken down to simpler things. As long as your foundations stay strong, the complexities of the real world can be always dealt with.

The new foundations (and some advice) Link to heading

That brings me to the next part - Foundations. A person trying to protect computer systems from bad actors needs to understand what exactly they are protecting. Of course, there is a limit to how much you can understand. For example, no one can fully understand Linux even though it is so ubiquitous. No one has enough time to go through millions of lines of code and truly “understand” the consequences of each and every line. Thus, I believe it is important to learn the basics of the basics first.

In order to have solid foundations as an engineer or penetration tester, you need to learn programming. I have seen time and time again people saying that coding is not a requirement in cybersecurity. Unless you’re going the GRC route or some other non-technical route, I personally fail to see how this is feasible. Your expertise may be limited to “scripting” and not “engineering”, but this is something that will absolutely help you in your journey.

The next best step to improve your foundational knowledge is to find patterns that are being followed by best performers in the space. For example, in 2018, while studying for my undergrad degree, I noticed that many of the best engineers I followed started working with Docker and Kubernetes. This was an exciting time and I started to learn these technologies as well. Fast forward 2 years, and I got my first job thanks to my familiarity with these tools.

Containers have changed the game. Most new software that I’ve seen comes with a container image. Organizations have embraced the technology and kubernetes has basically become the new age hypervisor. Although there is some debate around this design pattern (some people prefer monoliths over microservices), it is safe to say that much of the new software will be deployed using containers.

In addition to containers, much of the infrastructure has been moved to the cloud. These technologies have become the new foundations of our world. Infrastructure as code, CI/CD and other design patterns are just complexities built on top of these foundations.

Securing kubernetes and cloud deployments Link to heading

Since I have a couple years of experience working with kubernetes, I know most things that need to be configured to run workloads there. However, my knowledge is lacking when it comes to securing these environments. In a perfect world, I’d be able to study for every cloud certification and every other tool that comes with it. However, since I’m severely limited by time, I’ll be working towards learning how to secure (and maybe find some issues in) some of the key pieces.

Thankfully, this endeavor seems to be comparatively lighter on my wallet. Since Linux Foundation has regular discounts throughout the year, I was able to grab this sweet 50% off deal.

Again, I fail to see why one of these exams vouchers can cost upwards of $400 (without discount) when the exam voucher for CPTS costs $210. In any case, I hope to pass these exams before I graduate with my masters degree (let the man dream), but we’ll see how it plays out. Thank you for reading this far and if you have any questions for me, please feel free to reach out on LinkedIn :)