A short interview with Christoph Haas with some advice for career starters.
What brought you to IT security? How did you get into penetration testing?
I started with an apprenticeship as a developer. After that I did my Bachelor's in Business Informatics. During this time I worked three days a week in the security department of a bigger company in the technology sector. However, during this phase I found out that my part is more in the “offensive” field 😉. So I met the company where I started working as a penetration tester at a small German conference (Backtrack-Day).
You are the owner of Securai, a penetration testing company that is specialized in application security. Why did you specialize?
I believe that specialization is the key success factor. IT security is a complex topic, but if you really want to be good at it, you have to focus on one thing.
Do you also look for newbies in the field?
Sure, always 🙂 !
What do you expect from applicants? What do you think makes a good penetration tester?
They really have to want it. If someone gets frustrated easily, I would recommend another career. They should also be happy about communicating with other people. Penetration testing is a consulting business, so you have to deal with people a lot. They should have fun learning new things, because this is what you have to do all the time, even after years in pentesting.
From a technical perspective we are looking for people with a development background, as I think they can communicate better with devs, and as we focus on appsec, we mostly have those types of customers.
What has been the best or worst moment in your penetration testing career?
The best moment is when, after hours or days of struggling, you finally get an application to fall. This is the fun part about pentesting 🙂.
What is your thought about certifications?
I think they are necessary and sometimes are even fun to do. I personally like the OSCP and we basically use it as a test for new colleagues.
Christoph is Founder and Owner of Securai, a company focusing on application security.