There is an increased industry demand for penetration
testers (pen testers) as enterprises shift from reactive to proactive security.
With that demand shift, I’m often asked by prospective cybersecurity
candidates, “How do I break into penetration testing?” Before answering, I
always want to make sure the person that asks understands what a pen tester
actually is and does. I also like to make sure that this individual understands
some of the key attributes of the great ones in the industry. Being a pen
tester is not the same as being a hacker.

What is Pen Testing?

A penetration test is loosely defined as “an authorized
simulated cyberattack on a computer system, performed to evaluate the security
of the system.” This proactive test is performed to identify vulnerabilities,
including the potential for unauthorized parties to gain access to the system's
features and data. Penetration test results are ‘reported by exception’,
meaning penetration testers report only on the ‘weaknesses’ from a security
standpoint (not the strengths), but they nonetheless deliver a full account of
exploitable vulnerabilities.
The importance of pen testing might seem obvious to veterans
of the industry, but we’ve found for the second straight year that 100 percent
of web applications we’ve tested possessed at least one vulnerability. Given
the prevalence of vulnerabilities and the fact that cybercriminals are
increasingly taking a more focused approach against targets by using better,
more advanced tactics, techniques and procedures, and better tooling, the need
for skilled pen testing is at an all-time high. More simply put, pen testing:

• helps you determine your weaknesses before the hackers do.
• helps shape your security spending (where are your holes, and what solutions can you purchase to bridge the gaps?).
• saves you time, money and reputation (a pen tester will hopefully breach you before a real hacker does).
• gives you a different perspective on your security posture (you may think you’re secure, but when an outsider looks at your infrastructure, it’s flawed).

Before You Become a Penetration Tester, Read This

There are a few nuances to the role of being a penetration
tester that most looking to get into the profession don’t consider. First, as a
pen tester, you get a very limited amount of time (days) to compromise systems
that hackers would typically have months to work on. You may need to travel
regularly to do your job (often to data centers in unglamorous locations) –
while hackers do most of their work from the comfort of their homes.

Pen testers also must consider the client while they execute
their assessments. Clients typically aren’t looking for a single route to
domain admin, for example. They’re interested in the broader attack surface and
coverage across their whole estate. In most roles, pen testers will need to
provide consultative advice. And most importantly, pen testers will always have
to document their findings in a written report at the end of the test. Often,
pen testers will be asked to explain in detail some or all the findings to
technical and non-technical audiences. This part of the role requires strong
people and customer service skills.

Before an organization commences a test, internal leaders
typically zero-in on business considerations, such as loss of revenue due to
system downtime as a result of testing and cost of the engagement – so be
prepared to justify your work and the amount of time you’ll need.

So, What Makes a Valuable Pen Tester?

I believe that there are a handful of skills that make up a
valuable pen tester. Again, it’s key to remember that penetration testing is
not the same as ‘hacking’ (although a lot of the skills intersect). Here are
four key attributes top pen testers typically possess:
1. A Good Attitude – This is much more important than having done a course (OSCP or the like). The truth is, you can’t be a good penetration tester if you’re not passionate about IT security. It needs to be more than a job, as the up-skilling and constant personal development are not possible to maintain if your heart isn’t in it. Also, you need to be autodidactic (into self-learning). There are good core texts on most topics, but they become outdated quickly. Most experienced testers who would be your peers will have gained a good chunk of their knowledge via self-learning and will be resentful if you expect knowledge to be spoon-fed to you.

2. Solid Fundamentals – The best testers know a lot about a few things, but ‘something’ about everything else. Holding a computer science related degree provides a solid fundamental knowledge base and will put you in good stead (although recently specialized degrees have become popular). Similarly, experienced sysadmins, network architects and developers should have strong specialized foundations on which to build. It’s common to find even experienced testers with big knowledge gaps, but it’s important to understand all areas of enterprise infrastructure to some degree in order to progress through the ranks.

3. Technical Prowess – At its core, penetration testing is an extremely technical discipline. Not only do you need to understand how things work at a low level, you need to subvert controls in a repeatable way and learn constantly as new versions of software/hardware are released. The ability to code or script is always an advantage, even if you’re limited to simple bash scripting. However, some of the best testers I know can’t write code but can read and manipulate it very well. That said, ultimately, it will limit your vision and scope if you can’t code.

4. Soft and Written Skills – Often overlooked, these skills are what separate penetration testers from hackers and script kiddies. Ask yourself, would you (as a client) accept the work of someone who cannot write a coherent sentence, and cannot express simple issues in plain English? The key deliverable for the client is the written report. Penetration testing companies require consultants who can read, write and speak their language well. Unless you’re a total genius who’s finding exploits nobody else can, they’re unlikely to overlook total ineptitude in this area.

We (The Industry) Need More Pen Testers

All in all, pen testing is an essential cybersecurity
activity for every organization that values security and wants to protect its
critical data. The pen testing field needs more passionate and eager-to-learn
professionals. The more quality pen testers that enter the field, the more
vulnerabilities organizations can take away from hackers before it’s too late.
In a constant cat and mouse game between the attackers and organizations, pen
testers have one of the more critical roles in cybersecurity and the industry
values them. I’m looking forward to seeing the next generation of pen testers
come through the ranks – we need them now more than ever.