Pentesting – demonstrating and documenting a company’s security flaws – sounds like a fairly routine gig. In reality, it’s a fascinating position that has been cast into the limelight of the fast-growing, multi-billion dollar cybersecurity industry. Like surfing or mixed martial arts, pentesting started as a hobby that a small group of people loved with enough passion to do for free. Then it started to attract wider interest and became a skill that could make money. The position has begun to evolve, and the skill set it takes to do the job well is rare. A great pentester is one of the most difficult, and thus most rewarding, people to find. Here’s why:
- The mindset is the key. First, the top traits I see in great pentesters are self-learning and consistent curiosity. Many pentesters became interested in the craft in their teens. They didn’t know it was a job – they just loved it. Good pentesters are usually involved in the security community through CTFs (capture-the-flag events), meetups, ongoing education, and Twitter. Second, good pentesters are highly methodical. Hacking involves hundreds of paths and rabbit trails. Figuring out the weaknesses is a very thorough process, and good pentesters relish it. Third, good pentesters are highly ethical and have a strong sense of mission. The skills acquired by pentesters can easily be used for malicious purposes – good ones know where the lines are and stay away from playing with fire.
- They understand the 10,000 ft view. There are two types of pentesting gigs: (1) basic client-requirements and checklist work, and (2) the more exciting threat-led testing that combines technical testing with social engineering and red teaming. A good pentest is always informed by a solid threat and risk analysis first. Great pentesters can assimilate the high-level information so that it shapes their work on a particular project. They understand the kill chain and the assets unique to each company, and they consider the possible threat actors and the methodologies those actors might deploy. Great pentesters are able to sort their findings into what is possible, plausible, and probable.
A great pentester has a unique combination of creativity, organization and dogged determination. If you find a great one, do what it takes to make the hire. And, if you have a great one, DON’T let ’em walk out the door!