HUNTING THE PENTESTER
Pentesting – demonstrating and documenting a company’s security flaws – sounds like a fairly routine gig. In reality, it’s a fascinating position that has been cast into the limelight of the fast-growing, multi-billion-dollar cyber security industry. Like surfing or Mixed Martial Arts, pentesting started as a hobby that a small group of people loved with enough passion to do for free. Then it began to attract wider interest and became a skill that could earn money. The position is still evolving, and the skill set it takes to do the job well is rare. A great pentester is one of the most difficult, and therefore most rewarding, people to find. Here’s why:
- There is no set path. Good pentesters come from very diverse backgrounds – I’ve seen everything from Art History to Engineering degrees. Programming languages are obviously important (Java, PHP, JavaScript, etc.), as are scripting languages like Python. Understanding networks, systems, and web applications is critical, and, if you like certifications, I’d recommend the OSCP. The fly in the ointment of pentesting is that you can have all of the above in spades and still be a terrible hacker. If I had to put a number on it, I’d say that good pentesting is 30-40% technical. The two points below are what separate average pentesters from great ones.
- The mindset is the key. The top traits I see in great pentesters are self-learning and sustained curiosity. Many pentesters became interested in the craft in their teens. They didn’t know it was a job – they just loved it. Good pentesters are usually involved in their security community through CTFs (capture the flag events), meetups, ongoing education, and Twitter. Second, good pentesters are highly methodical. Hacking involves hundreds of paths and rabbit trails. Finding the weaknesses is a thorough, exhaustive process, and good pentesters relish it. Third, good pentesters are highly ethical and have a strong sense of mission. The skills a pentester acquires can easily be turned to malicious purposes – good ones know where the lines are and stay well clear of them.
- They understand the 10,000 ft view. There are two kinds of pentesting engagement: the basic work of client requirements and checklists, and the more exciting threat-led testing that combines technical attacks with social engineering and red teaming. A good pentest is always informed by a solid threat and risk analysis first. Great pentesters can assimilate that high-level information so that it shapes their work on a particular project. They understand the kill chain and the assets unique to each company, and they consider the likely threat actors and the methods those actors might use. Great pentesters are able to sort their findings into what is possible, what is plausible, and what is probable.
A great pentester has a unique combination of creativity, organization, and dogged determination. If you find a great one, do what it takes to make the hire. And, if you already have a great one, DON’T let ’em walk out the door!