Last year I switched from developing web applications to hacking them. In this post I describe why I made the switch and how that turned out for me.
Growing tired with software development
I am currently a pentester, or ethical hacker, where I try to hack software for our customers in order to make it more secure. I started with this about a year ago. Before that, I was a software developer.
Developing software is hard. On top of that, as a perfectionist I had high demands on the quality of the software I was building. As part of a team within a company, I did not always have full control over the quality or the development process. This caused a perpetual frustration, where I was discontent with the product we created but also not in a position to do anything about this.
I switched jobs a couple of times, thinking that the company I worked for was a rotten apple and that another company would surely do things better. This turned out not to be the case. On my last job, I got burned out. I got coaching from someone from HR who helped me to look at my work situation. This made me realize that me and programming are not the match I used to think we were.
I am pretty good at programming. I like creating things out of nothing and learning all the intricacies and patterns of a programming language. It is just that making your own little program is a lot different from developing large software in a company.
So, I decided to no longer do programming, but for some time I didn’t know what to do instead. I thought of becoming a researcher, or designing robots or assembly lines. However, I found something that matches both my history as developer of web applications and my skills of being precise, innovative and keen to learn. I became a pentester.
Differences between developing and pentesting
Pentesting is pretty different from development. First of all, the projects are a lot shorter. I now have projects of a couple of days up to several weeks. I test the application, write a report, sometimes have a findings meeting, and then the project is finished. This is different from software engineering, where projects can be months or even years. This makes the work a lot more diverse, and if you are frustrated with something in the current project, you can just wait it out. Projects are also often time-boxed, so there are less issues with planning overrun.
There is also a different load on your brain. With programming, you need to stay focused and keep a big part of the program state in your short term memory. With hacking, not so much. Hacking also takes concentrated effort, but this takes less energy from me than when developing. The taxation on the mind is different, if that makes sense.
With hacking, there is also the occasional joy of getting remote code execution or SQL injection. With hacking I have this euphoria much more than when I programmed something that worked as it should. Being a cyberpirate is more exciting than being an online construction worker.
Starting high on the learning curve
The experience with web applications that I gained when developing them really helped when learning how to hack them. My experience “on the other side” often helps me to quickly recognize how an application is constructed, and where the weak points are.
However, when I started I was pretty new to the security specialization, and this made it hard for my employer to rate my experience. I was a security novice, but a web application expert. How is my employer going to rate my total experience on web application security? This continues to be an issue with some of the more meritocratic coworkers. It was also an issue when negotiating my starting salary. Initially, I took quite the pay cut, but this quickly rose to a level comparable to what I earned before.
There is very much to learn about hacking web applications, and even more about information security in general. I really like learning new things, and this switch gave me new opportunity to do so. I strive to be very good at what I do, and this is a possibility in my current position. The value of the end product in security is greatly determined by the most talented pentester. In software it is greatly influenced by the worst developer.
One reason I started this blog was to help me learn, because if you describe something you have to really internalize the knowledge. This blog also makes me feel more part of the security community. I have more of a voice for when somebody is wrong on the Internet.
Some of my pentesting coworkers are even more narcissistic and hostile than my software engineering peers have been at my previous jobs. When hacking your very job is to point out mistakes others made, and that occasionally has a bad influence on communication between colleagues. Winning an argument and being right are very important things in my current environment.
When developing I sometimes worked closely together with other developers, to the point that we were working together on the same computer. This rarely happens when hacking at my current job. If there are multiple people on a project, that project is split up and everybody works separately. I don’t really work close together with others, which means I am missing out both on fun and learning experiences.
One other thing I miss is creating things. A developer creates new software or functionality, but a hacker only breaks things. This art of making something out of nothing used to be a part of my job that I liked, and I miss it a little bit. However, I still program occasionally, and I started woodworking.
All in all I really like this switch. It had a bit of a risk, in that I started on the bottom again in the security world. But the different method of working makes up for that. I can learn a ton of new things and have some energy left after a day’s work. I started working less and now I have both the time and the energy to do things outside of work.