References

The Ethical Hacker Network.

appsec - How can you become a competent web application security expert without breaking the law?

I thought I'd chime in and point out that the police analogy is a little flawed if what you are looking for is education, versus detection.

Granted my law enforcement experience is limited to an excessive love of Law & Order, but going with the cop show analogy - when police officers go undercover - it's generally the smart, experienced, stable guy who graduated with decent grades from the police academy. Not the summer intern. :) Same thing for a penetration test (as John Hopkins describes) - companies are hired for pen tests based on corporate experience, the credentials of the individual engineers on the team, the professional reputation of everyone involved, and the cost and schedule proposed by the team.

Just like you don't really want the crazy, unqualified cop to be the guy undercover, you don't hire a no-name, untrusted company to do your penetration testing. The way to get to the point of being an individual on a pen test team?

OWASP Testing Guide v3 Table of Contents. Hacker Challenges. Phrack Magazine. 2600: The Hacker Quarterly.

The Best Hacking Tutorial Sites - Learn Legal Hacking. Web Application Exploits and Defenses. Please... I want to learn... Welcome to SecurityTube.net.