Journey to Web App Sec Testing Employment — July 2023 Update
This is a little article about the proactive journey I am on in order to enhance my skills, gain experience, and improve qualifications in preparation for employment opportunities as a Web Application Security Tester.
It seems that with a certain abstract analytical competence anyone can start Bug Bounty Hunting on the same day they learn to use a computer for this task. I mean that in the sense of being an apprentice to someone who is doing this everyday. Yes, I could show someone what I am doing as a desktop Web Application Bug Bounty Hunter and how I am doing it, and an intelligent person could grasp the general idea in one day. However, in one year of searching I have not seen a single post for an entry-level penetration tester anywhere because I don’t think any company wants to do that. I wonder why.
I went into this rabbit hole a little deeper to see if my current specialization of Stealth Recon could be made into a business. Considering that there exist businesses which offer B2B Penetration Testing as a service (PTaaS), I wondered if I could offer myself as a B2B Reconnaissance as a Service (RECONaaS). This is actually the first phase which is often undertaken in Vulnerability Assessments and Penetration Tests, so it would seem like a good idea.
Apparently not so. I found out this is how criminals think! RECONaaS is called RaaS on the Dark Web and is sold there as such — in order to provide intelligence to criminals who may want to do something specific with it. Organized crime is all about minimal effort for most pay and Stealth Recon is quite Dark in potential. Not my natural direction of thought, as all the information is public and open-source, so to me it’s like pretending that the doors to society are locked while they remain unlocked.
People ask how it is possible that I consider myself to know what an IT college grad would know to get the same job. If you map out the field of knowledge of Cyber Security you can see and understand how things work and continue connecting the dots in any direction that is needed. It is all open-source, just like the Internet was originally designed.
Eventually you get to electricity itself.
How do I learn continuously? Perhaps mostly through online courses. But book contents are the secret sauce. Digital and physical. Yes, the chatting internet is great but the books are still better. It is possible to recognize this by a table of contents in a Kali Linux Penetration Testing book as opposed to disconnected information at every question mark. Then add generative A.I. and you’re set.
In another professional line of work I have done — it is possible to arrive in the morning without any previous experience and begin making $300-$600USD per day. On North American union film sets for example, I have seen this happen for years. It seems to take place when mature adults collaborate and help each other out in times of need (the need has to be deeply appreciated on both sides) — and then the work flourishes!
Me:
1988 — programmed TRS-80 in BASIC.
1994 — replaced index.htm up FTP directories.
2007 — assembled open-sourced programmable cellular jammer as part of university thesis in collaboration with MIT grads.
2016 — sole proprietoship of Crowdfunding platform with bitcoin transactions.
2023 — expecting first employment in IT.
Below is a list of steps I have taken in my commitment to self-improvement and a showcase of efforts made to stay competitive in the Web Application Security Testing job market.
I have been working in the direction of Cyber Security employment opportunities at an exponentially increasing pace since my first general online Ethical Hacker courses on the Udemy platform in 2018. As an entrepreneur and self-learner I started focusing on Cyber Security and Ethical Hacking in 2020, then more specifically Network Security, then even more specifically Web Application Security, and within that — Offensive Testing, and within that — Stealth Recon for Penetration Testing.
For six months of 2022 I worked on the general foundations of Information Technology (IT), Internet technologies, Information Security, and Web Application Security Testing using my savings without any other line of income.
I have not received pay for any of the following. This is a list of accomplishments between winter and early summer of 2023, all while living like a digital nomad. I know it’s not much but combine it with daily chores and a life of relationships!
This is also not a list of my Tech Stack or actual Ethical Hacking skills — it is only about presenting myself as available for work and being creative about it.
And a warning - this has not led to employment, so I do not recommend the same path, it’s simply a documentation of my process. I certainly need help if determination and persistance do not pay off in time!
Actual Work
— Completed several Vulnerability Assessments and Bug Bounty Reports
— Inspired to share and write articles documenting my journey as part of portfolio
— Created an Aspie business outline to collaborate with others like myself — published article with meetup and discord server — re-published on social media with hashtags.
Coworking Office Rental
— space for focused work, keeping cool, social and network
Purchased Resources
— physical books
— digital book series
— AI ChatGPT membership
— yearly membership in top global App Sec foundation
Completed Certificate
— Offensive Web Application Security Testing
— with distinction and professional report
Specific Computer Skills
— learned multi-screen, multi-monitor, VR modes
— learned special skill of 4, 3, 2, 1 finger swipe modes for complex tasks
— Use of 5 to 10 programs simultaneously on desktop
— learned a dozen Linux command line tools
— learned specialized operating system to intermediate level
— followed entire methodology for top Web App Sec testing — read and mapped it all
— mapped language of the field of Web Development
Research
— listened and summarized audio and video podcasts for entry-level Cyber Security assistance
— queried local businesses for direct career roadmap positions
— completed survery and assessments about workplace and personality
— read many online articles about employment in IT and Cyber Security in general and specifically
Note-taking and Knowledge Management
— daily use of complex task management accounting methods — physically and virtually
— maintenance of a spreadsheet with all employment seeking actions
— extensive large and small mindmaps of ALL distinct topics and their interrelations
— converted written texts to markup on Obsidian
— map of documents on Obsidian
— have notes and maps of maps themselves
— daily use of Todoist, Slack, Obsidian, Sublime, texts and documents
— deep mapping of my line of work down to the most minute detail in various contexts
Organization
— since the work is Internet based, my bookmark organization is in the thousands
— organization of cloud-based research categories in my line of work
— computer desktop contents
— social media accounts
— thousands of significant bookmarks in a hundred folders
Virtual Reality
— converted from physical drawn maps to digital with Gravity Sketch
— exported to enhance in Blender then exported to present on Spatial.io
— developed special collaborative space for working on Bug Bounty ideas in VR
Created profiles
— 3 freelancer portals
— security company portals
— government portals such as jobbank
— major workplace portals suchas Indeed
— profile for local filmset technicians
— neurodiverse assistance portals
— new LinkedIn page and group
Re-created Website
— research easiest single page methods
— drafted, uploaded, copy-edited, designed
Published Articles
— research, organization, editing, image setting, hash-tagging
— topics include all main foundational knowledge and observations
Portfolio Design
— private Github for code repository
— Screenshotting, organizing categories and folders
AI Assistance
— researched and summarized recent news in AI
— Learned advanced ChatGPT — AutoGPT and applied it to work
— researched and learned prompts for Cyber Security in my field
— daily use of ChatGPT as assistant
CV/resume and Cover Letter and Playbook
— organized and prioritized helpful documents then read and applied information to my own CV
— created direct communication strategy with email encryption for CV application and security
— recreated CV with assistance
CV Applications
— researched global Cyber Security industry and my focused specialization
— researched and compared Canadian Cyber Security jurisdiction with several other countries
— Researched local companies online and in person by driving around
— Organized and selected most relevant companies
— Selected companies I align with and those with possible employment for my skills
— Thoroghly read these company websites and applied my CV and corresponding cover letter
— Applied to two other industry directions: film and bitcoin because I am familiar with these
— Searched LinkedIn for web app sec pentester jobs and bookmarked
Networking
— Contacted family friends in local industry and academia
— attended meetups and events online and in person
— participated in online discussions: twitter, discord, mastadon, facebook, linkedin
— maintaining assistance connection with employment resource centre professional
— started three meetups: local AI Safety, local Ethical Hackers, local Dancing in VR
— maintain connection with therapist about work search
Passive Income setups
— sole proprietorship, DAO and POC registered business
— Shopify storefront with artistic clothing line
— artist NFT channels
— referrals on website
Apparently, all this is worth very little without a CEH certificate an OSCP certificate, tons of free Github scripts that automate the work for others, proof of success on CTF platforms and mad meetup presentation skills. For an entry level job. Really?
In my opinion, anyone who can do what senior Penetration Testers are expected on certain dreamy job descriptions… should be payed $1M+ (one million dollars per year) based on the calculations of my film set union work experiences in which mature adults use their minds and bodies to do professional work for a primary industry that has the effect of influencing millions of people per TV show or movie for profit.
Why wouldn’t those helping secure civilization be payed more?
I think the expectation of a human entry-level Cyber Security specialization is too high, and clearly A.I. will be having an increasing influence in the field to establish the much needed civilizational security.
I also think there should be private specialist “IT Security Operations HR” personel acting as intermediaries between passionate enthusiasts of Cyber Security looking for employment and Cyber Security companies including individual entities looking for Cyber Security solutions.
From my latest contemplations in the previous articles covering Weakness/Risk/Mitigation and Multi-Dimensional Mapping for Web Application Security, I can see that there is not enough multi-dimensional threat modelling being done to unravel the proper severity levels of many seemingly low-level vulnerabilities. Businesses don’t seem to care about securing things that are seeminlgy low risk because, for one, they do not understand their needs stemming from outdated and inappropriate threat models, much like the general difficulties present in trying to appreciate abstract concepts such as exponents, malicious people who code, and the power of generative A.I. exploitation chains.
Noteworthy here is that I had no time to develop scripts for my Github portfolio and no time to actually find bugs. So the whole thing has been about persistence and determination. I enjoy it but time continues to run out.
The only sensible thing about not finding employment yet is that it is Cyber Security — and it’s not actually reasonable in most cases to hire a junior anywhere. For security reasons.
On a general positive note — this is leading to more stealth hackers for the people! Accordine to a recent Yassine Aboukir interview on Bug Bounty Reports Explained — it is possible to work up one’s skills on HackerOne and join their private teams to penetrate private programs.
Extrapolating from this, I think the standalone grassroots Ethical Hacker community driven by care and need is stronger than the public and private sector globally now more than ever. Open Source is a way of life for many. Combine that with a decentralized Web3 and there you have fertile grounds for the coordination of at least an improved system.
Meanwhile everyone also has the need to live a healthy balanced life through taking holistic care of their mind and body as well as their relationship with their loved ones and with the universe. I know there are people out there who would go crazy if they were without a job for merely one week.
Also, I would wear the glowcape seen in the image — if it existed as outerspace glowy fabric, not cheap LED lights sown into a bat costume. If you spot one kindly let me know.
