Right now my biggest challenge is that I know only a fraction of penetration testing. I’m comfortable doing Nmap scans, and getting better at Burp Suite, not very much. The hardest part for me is understanding what is vulnerable and what is secure in a Web application. The answer I get from people is that it is more important to learn exploits for common vulnerabilities and then learn how to look for them, instead of the other way around. If you don’t know what vulnerabilities look like then you end up getting lost in all code. You don’t know what tool to use also if you don’t know what they do and so I’m going to start working backwards following this advice and see if it’s easier to figure out.