12 Questions with eLearnSecurity Founder, Armando Romeo
Every pentester starts somewhere. For those interested in starting a career in IT Security, it is good to learn from professionals who have been in the industry for a considerable amount of time. We had an opportunity to chat with Armando Romeo, CEO and Founder of eLearnSecurity, where he shared his thoughts and opinions about penetration testing, hacking, and cyber security.
Before founding eLearnSecurity, Armando spent 5 years in web application security research and released hundreds of vulnerability advisories. He currently leads the R&D team and inspires new projects and new training activities. Check out the interview below!
Interview with Armando Romeo
1. How does one become a Penetration Tester?
IT Security is the most difficult job you can get in IT. Networking, Programming, System Administration and so on all follow certain rules and skills that you learn and apply. IT Security is completely different: you not only have to master all other IT areas but you also have to demonstrate you have guts, intelligence and perseverance.
Becoming a penetration tester is the natural evolution of one’s interest in IT Security. Penetration testing (or hacking in its purest form and meaning) is (or I’d rather say should be) the foundation of every IT Security career.
So when you are truly passionate about cyber security, you had better master penetration testing topics before you move on to other IT Security roles.
2. What can you say to students who want to enter the world of penetration testing because they are fascinated by the idea of becoming a “hacker”?
I’d say that they should read the Hacker’s Manifesto and understand what “hacker” and “hacking” really mean. Understand that hacking is nothing but curiosity, breaking things up to understand them and maybe make them better. Hacking has nothing to do with illegal activities, cyber vandalism, denial of service, bug bounties and other “find-bugs-for-money” activities.
Becoming a hacker, in the original meaning of the word, is a beautiful thing: it means living a life of curiosity and creativity, and ending up a well-rounded professional building skills every single day.
3. What are basic tools or skills a person should know/have prior to studying penetration testing?
Penetration testing has a lot of prerequisite skills: networking and programming are the two most important.
That is why our Penetration Testing Student course, which is a course for complete beginners, is 50% fundamental skills and 50% penetration testing.
4. Who do you think should pursue penetration testing as a career?
This is a very hands-on role that requires continuous study, practice and research. Someone finding research activities fun and interesting is surely a good candidate for this role.
5. What’s so good about penetration testing? What do you like most about the job?
The best part of this job is that it hardly ever gets boring. Every pentest is different and presents you with different challenges to overcome.
Moreover, you need to keep yourself up to date with the latest techniques, tools and research. You need to practice and research continuously.
Also, there are so many areas one can specialize in (web applications, mobile, networking, SCADA, telecommunications…) that a single career is not enough to cover them all.
6. What’s not-so-good about penetration testing? What do you like least about the job?
Sometimes you find yourself the only one in the room who believes that an XSS is dangerous and should be fixed ASAP. So you have a hard time explaining the value of your findings and the value of your job.
7. What do you think are common misconceptions that students think about becoming a pentester?
The first misconception is that it’s all about tools and distributions. Nothing could be more wrong. It’s about techniques, methodology and brains.
Another misconception is that hacking is equal to penetration testing. It’s not. Penetration testing involves methodology and reporting, risk assessment and presentation of findings. Penetration testing is not just about getting root.
8. How do you define a good IT Security training course?
A training course should be, first of all, clear on the training objectives and value delivered: you simply don’t become a penetration tester by reading thousands of slides.
IT Security is a very hands-on field and so should be the training courses that claim to build the next generation IT Security professionals.
9. What is the career path of a Penetration Tester? How far can a person go with penetration testing as a starting point?
Once you have built strong foundation skills in pentesting, you will be able to understand the most intimate details of an attack, defend against or prevent an attack, better assess risk, understand compliance, determine your company’s IT Security policies and recognize the best IT Security vendors. There really is no limit. For sure, moving up the hierarchy you will need not just hands-on skills but also communication, presentation and management skills. This is often the gap between a technical position and a managerial position.
10. Who do you look up to within the field of Information Security? Why?
It is really difficult to understand who really deserves your trust and your esteem in this field. I tend to look up to people who spend more time researching than on Twitter for once.
I also look up to researchers with valuable work, and I tend not to judge by the number of appearances at conferences, which is, unfortunately, another misleading metric that is often used. I definitely don’t look up to a person who sits all day long trying to find “bugs for bucks”.
11. Do you have any recommended resources where people can start learning about pentesting for FREE? Specific ones.
Why not our eLearnSecurity Penetration Testing Student course, which is free (invite only) in its Barebone version? Or our Hack.me project, which is the only web application security virtual lab free for all, with hundreds of different fun and challenging scenarios.
eLearnSecurity, as well as a few of the leading companies in this industry, also delivers free educational webinars where the audience has the chance to ask questions and get valuable advice for free.
12. What’s your tip/advice to people who want to start a career in Penetration Testing?
Arm yourself with perseverance and try to diligently follow a proven learning path. There’s nothing more counterproductive than jumping from one topic to another just because it looks interesting. Having a guided path to follow and the chance to practice what you learn makes the difference between giving up in frustration and having a successful career.
I’ve built eLearnSecurity to address the two above challenges that everyone, not just beginners, faces in this field: we provide a proven path and the best IT Security hands-on labs on the market in order to drastically increase the chances that our students succeed in their career objectives.
As Confucius said, find a job you love and you’ll never work a day in your life.
How to become a Penetration Tester – FREE Whitepaper
Want to learn how to start a career in IT Security? Download this FREE whitepaper from eLearnSecurity, which gives you an overview of the state of the information security industry, explains the difference between a black hat hacker, a white hat hacker and a penetration tester, and outlines your options if you wish to forge a career in penetration testing.
Download the Whitepaper here – How to Become a Penetration Tester
Armando Romeo is the founder and CEO of eLearnSecurity. Prior to founding eLearnSecurity, he spent 5 years in web application security research and released hundreds of vulnerability advisories. Armando currently leads the R&D team and inspires new projects and new training activities.