how to turn a hobby into a job

Dmitry Serebryannikov is the director of security analysis at Positive Technologies. Specializes in searching for vulnerabilities in the program code of web applications, analyzing the security of network infrastructure and systems on different platforms. Adobe, Apple, Google, and Red Hat have repeatedly thanked Dmitry for identifying vulnerabilities. He has Microsoft Certified IT Professional (Enterprise Administrator on Windows Server 2008) and OSCP (Offensive Security Certified Professional) certificates.

Who is a white hat hacker

In simple words, a white hacker is a computer security specialist who examines IT systems and looks for vulnerabilities in them, but, unlike black hackers, acts ethically – he helps companies discover and eliminate security gaps in order to prevent real attacks in the future. .

The field of activity of white hat hackers is impressive: applications, networks, hardware, Wi-Fi… Let's look at the example of web applications. Let's say we receive a task to analyze the security of an application. They can only give us a website and, if there is an authorization form, accounts with rights (user, administrator) – then we test different scenarios, but we look mostly at random: something is found, and something may go unnoticed. It’s another matter if they provide source codes: we see how the application is written, we can study specific bypass mechanisms – the analysis is deeper, and the results are more reliable. After the inspection, we prepare a detailed report, where we describe step by step what we did, what methods we used, what we found and how it can be eliminated.

What does “hacker approach” mean?

For myself, I formulated three components of the hacker approach:

• The first is critical thinking, the ability to look at any IT system from the perspective of its weak points. It is not enough to know how the system works; you need to be able to formulate hypotheses (for example, how to cause atypical program behavior that the developers may not have foreseen).

• The second component is the willingness to develop. New conditions will always arise in a hacker's work; it will not be possible to act according to a template every time. Let's say you learned how to hammer nails and do it well. But the task arises of hammering a nail into zero gravity – and now you need to apply your skills in a new environment, and most importantly, figure out how to do it.

• Finally, the third is passion. White hat hacker is a rare profession. As a rule, these are people who have turned their hobby into a job. Strictly speaking, there is no classic linear path to the profession. The scheme “I want to be a lawyer – I’ll go to law school, they’ll teach me there” does not work in our field. Everything comes from interest. You start studying, become more and more interested, devote a lot of free time to hacking… and then realize that you can do it all the time, make it your job.

I came into hacking this way – through interest. I was 15, I dreamed of becoming an archaeologist, but I got a computer… and away we go! First I came across a thematic article and began to study deeper – and this was 2004, the materials had to be collected bit by bit. So I sat for a year on different forums, figured it out, and realized where I wanted to go.

Now the situation with sources of information has changed dramatically: the flow of information is vast, reviews and messages on social networks can be found in any direction – as soon as someone publishes an interesting article about an attack, it is quickly distributed. It is important for us to be aware of everything that is happening, and especially what is “under the radar” but does not receive wide publicity. For example, there have been a lot of good materials in the Chinese segment lately, but they are little known.

How to develop as a white hat hacker

We have a very honest profession. People work together on projects, and you can immediately see who is doing what, what vulnerabilities they find, how deep they dig. Here you won’t be able to pretend to be super cool; your real level will be visible already in your first projects. In general, our field is very creative. Often at the start, only the image of the result is clear – what needs to be achieved. Let’s say that during external penetration testing, a client sets the task of “piercing” the company’s perimeter, but it is unknown how to do this. If there is a “boxed” product in the perimeter, you can explore it. If authorization forms are provided, you can try to guess the password. If the code is self-written and is not identified as a vendor solution, creativity is activated. In any case, the goal is the same – to gain access to the internal network, and everyone acts as best they can. We, as artists, search, try, combine approaches, methodologies and styles to ultimately create a work of art. At the same time, we act as a team.

How to achieve success in the profession? Firstly, it is important not to stop. New techniques, technologies, languages… In just a couple of months, a lot of changes happen in the industry, and if you don’t study them, you’ll have a long time to catch up. Secondly, of course, there must be practice on real problems. You can’t just go through training and hone your skills on a bench—you need to encounter living systems many times and learn how to break them in real projects. Thirdly, and this is key, observation is important. The more different cases you encounter and can defeat on your own, the easier it will be to solve new problems.

The race between those who attack and those who defend has always been and will always be. Its complexity, technological equipment, and response speed, in the end, are increasing. The level of security that was, for example, 10 years ago cannot be compared with the current one. Accordingly, the threshold for entry into the profession becomes higher. However, the fundamental principle – that same hacker's view of the system from the perspective of the possibility of bypassing it – remains unchanged.

Bonus! How to become a white hat hacker: step-by-step instructions

1. First of all, decide on the direction. White hat hacker is a general name for a profession, and there are many specializations. Choose what interests you and what you want to develop in.

2. Read articles on your chosen topic. Find people who regularly write about attacks and vulnerabilities, subscribe, and join the community. Hackers usually communicate on Twitter: information spreads there very quickly. As soon as a new vulnerability appears, someone will post about it, and many will retweet it. For example, check out our blog PT SWARM and look who we read.

3. It takes practice. If you want to learn web application security, start with the PortSwigger Academy: it's free and offers a lot of training materials, including labs. The main thing is to try to do something on your own: even the deepest theoretical knowledge will not be able to provide a full upgrade in the profession. There are no theoretical hackers.

4. Do you feel ready for real challenges? Test your strength by taking part in the bug bounty program, where white hat hackers look for vulnerabilities and make money from it. At the same time, you will be able to assess your real level.

In addition, I recommend studying specific systems and technologies. This will help you understand how they work. For example, at one time I took Cisco courses, but not with the goal of learning how to build networks, but to be able to hack them. Where could there be configuration errors? Under what conditions will the protection work and when will it fail? The deeper the knowledge of a technology, the easier it is to find a weak spot in it.

It is useful to understand the code – to understand where it is bad from a security point of view. Learn programming languages. The more you know, the better. This expands the boundaries of thinking, and for a white hat hacker, like no other, it is important to constantly develop.

What challenges do white hat hackers face?

The main challenge for us today is personnel shortage. Take my team, for example: the workload on projects is so high that in December we have the first half of next year fully scheduled. We physically do not have time to process the entire flow of requests.

As I wrote earlier, white hacker is a rare profession, specialists need to be raised and developed. And we are ready to do this. This year we plan to launch training for the development of white hat hackers – lectures, educational materials, and skills training at stands. At the same time, the threshold for entering the program will be minimal: our task is to take a person from the initial “I know what an IP address is and I can install Windows” to the level of an advanced specialist. And invite the best to join your team.

PS By the way, very soon, on May 25, as part of the Positive Hack Days 2 cyber festival, a Youth Day will be held, where the Positive Education team will talk about in-demand specialties in the field of information security and will conduct a thematic quest, where those who wish can “try on” the profession of an information security specialist, in including trying yourself as a white hat hacker. The event will take place simultaneously in Moscow, St. Petersburg, Kazan and Nizhny Novgorod. You can view the detailed program and register for Youth Day link. The entrance is free.