[EdLUG] How do I become a security researcher/pen tester?

William Waites ww at groovy.net
Tue Aug 27 09:28:42 UTC 2019


> What sort of qualifications/level of knowledge would I be expected to have
> to start working for a pen testing company, or in security research?

This is a little peripheral to my field, but my impression is that there are
several possible routes.

The traditional route was to develop a track record of doing clever and 
interesting things, and giving talks about and/or publishing them. No formal
qualifications required. Publication is often at a much more informal level
than, e.g. academic articles. Maybe it's web pages describing how to exploit
some weakness, or howto documents about securing your systems against some
class of attack. At a higher level it's about how to sensibly evaluate risk
and make tradeoffs with usability. I call this the "traditional" route
because it was what we did before computer security was a distinct field 
that you could study in school and get qualifications in.

The corporate route is to get a good undergraduate degree (as it sounds like
you are doing) and then get some certifications with acronyms that recruiters
and human resources people will recognise. Things like CITP which you can
get from the BCS. Very useful are networking qualifications, particularly
the Cisco ones like CCIE because understanding the networking context of 
modern communications is crucial and many people don't. This is the 
straightforward route and will lead to competence in established practices
and a lot of paperwork but will be unlikely to lead to breaking new ground.

The academic route is to start hanging around the computer science department
and get to know the people working in that area. Attend seminars and 
colloquia. Do this in addition to your undergraduate work. Find out what
interests you and sketch out a proposal to spend some time with a specific
problem or question, and shop it around to potential supervisors. Learn the
specific craft of academic writing because your currency is publications in
peer-reviewed journals. There's plenty of scope for theoretical work -- my
impression of quantum computing / security from colleagues is that it's 
done mostly on the blackboard still (like real computer science!). This way
goes well with the traditional route because you can really start at any
time.

Finally, find some interesting free software projects and contribute. The
best way to learn how to write secure, robust code is to do this. Develop
a track record of contributions. This is evidence of understanding the
underlying principles and is verified through peer-review. As you start 
out, begin by trying to work with mature projects that have established
practices and learn them. It's easy to find things to do, they'll all have
lists of bugs and todo items that you can pick off.

None of these are mutually exclusive; within limits of time and reason,
you can mix them in whatever proportion suits you.

Best wishes,
-w




