|
As someone who works as a "white hat hacker", allow me to shine some light on the industry. There are many branches, distinctly divided into two categories: Red team/Attackers and Blue team/Defenders. Within the attacking side is what most people think of when they hear "hacker", key among them is penetration testing (pentesting). Pentesting breaks down into distinct categories that target different scopes: internal/external network, web application, mobile app, thick client, IoT, SCADA, Social Engineering, and physical. The list shifts over time, but that's the gist of it. Those that interact with software/hardware rarely have the benefit of white box testing, which includes having the source available, nor do the tests often go deep enough to require subtle CPU behavior or assembly-level reverse engineering. All of these pentests are dynamic, where as what you've described falls under the static analysis camp which involves a different set of skills and tools. There are some who work in reverse engineering, CPU interactions or static analysis but those are often more senior positions within a company, are more research focused or specifically marketed as such; my role as a pentester is focused on dynamic testing from a blackbox perspective. Sometimes we are lucky to have architecture diagrams, API docs, or source code but they only serve to benefit the test from an external perspective. I don't analyze the code and report vulnerabilities there, I report findings from a perspective of breaking the application in runtime; the code only makes that easier. Anyone here wishing to break into security to "be a hacker" might find web app pentesting to be the most familiar for developers (it's not far from skills used for UAT, QA and debugging) and provides a pathway down the OSI model. There are companies that will take strongly motivated and technical people to train into pentesters, as the field is vastly understaffed and it's easier to train someone on your methodology from day 1. However, this normally starts as Web App (it's where the money and clients are) and one can move into other areas over time. I'm more than happy to provide more details or resources to those interested. My knowledge is more in the attacker area, but its possible to start in either side and pivot into the other. Time, patience, and a willingness to learn. |