From Tech Support to Penetration Tester: Tom's Story

When did you first find yourself interested in computer security? What inspired you to pursue penetration testing specifically?

The first time I tried to learn about cyber security was during university. I had a cyber security module in my third year, which was a great introduction to the field. This included learning about some common tools such as nmap.

I enjoyed this module and decided to continue learning about cyber security in my free time using TryHackMe.com. I was inspired to try penetration testing because the idea of getting paid to tinker and break into systems sounded fun. I was happy with my support role but thought pen testing would be a good challenge and more exciting.

Mobile application penetration testing is more niche than web or network penetration testing. What motivated you to choose this specialization?

I was working on a small team of testers (around 8 people). We only had one team member able to pentest Android and iOS applications, which wasn't an ideal situation to be in. What if they left the company? Realizing this issue, I volunteered to become the second mobile app tester for a couple of reasons:

  • I could learn from the current mobile tester who was very experienced.
  • Mobile apps are common and used by many people for critical purposes such as banking.
  • It was something new - I think it is important to try many different areas to see which ones you enjoy and which you don’t!

You recently earned the GIAC Mobile Device Security Analyst (GMOB). Congratulations! What was that experience like?

The SANS course was fantastic! I took it live online. This really helped me with my iOS testing as this was my weakness before the course.

I created an index for the exam, which was a big help. Creating the index was very time-consuming, but necessary due to the vast amount of content covered over the 5 day course. The exam experience was okay and I fortunately passed with 86%.

Personally, I think a practical exam is better than multiple-choice. The SANS course did have a CTF that my team won (out of the online attendees). 

Any plans for your next certification? What are your thoughts on the abundance of certifications in the cyber security realm?

As I am based in the UK, my next certification will likely be the Cyber Scheme Team Leader (CSTL). This is a must-have over here, as it allows you to lead work within the public sector. It will be either web app or infra-focused.

I think there are a lot of certifications in the industry as there's a lot of money to be made off it. I think it's worth taking some of them as you will learn a lot and they might help you get your foot in the door. However, when I landed my first role I didn't have any certifications, so they are not a must-have.

I would recommend TryHackMe and Hack The Box Academy to people who are new to the industry as it is much more affordable than the expensive certs.

Who are your role models in the security community?

I look up to the directors at SecQuest. They have been in the pen testing industry for decades and understand what clients want and how to deliver. I also like that they are unafraid to invest in their employees and can see people's potential.

For example, when I started working at SecQuest, I had no certifications or industry experience and they offered me a job, put me through Cyber Scheme Team Member (CSTM), and the SANS SEC575 course and exam in two years.

My main hobby outside of cyber is bouldering! It's a good way to stay fit and have fun.

What advice would you give to someone interested in becoming a mobile penetration tester?

I would recommend starting with Android apps, as you can use an emulator to do your testing. I used the Hack The Box mobile challenges and Uncrackable CTFs.

If you enjoy that, you should check out Corellium to get into iOS testing or buy a secondhand iPhone that you can jailbreak.

Where can people find you?