There is an increased industry demand for penetration testers (pen testers) as enterprises shift from reactive to proactive security. With that demand shift, I’m often asked by prospective cybersecurity candidates, “How do I break into penetration testing?” Before answering, I always want to make sure the person that asks understands what a pen tester actually is and does. I also like to make sure that this individual understands some of the key attributes of the great ones in the industry. Being a pen tester is not the same as being a hacker.
What is Pen Testing?
A penetration test is loosely defined as “an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.” This proactive test is performed to identify vulnerabilities, including the potential for unauthorized parties to gain access to the system's features and data. Penetration test results are ‘reported by exception’— meaning penetration testers only report on the ‘weakness’ from a security standpoint (not strengths), but nonetheless a full account of exploitable vulnerabilities.
The importance of pen testing might seem obvious to veterans of the industry, but we’ve found for the second straight year that 100 percent of web applications we’ve tested possessed at least one vulnerability. Given the prevalence of vulnerabilities and the fact that cybercriminals are increasingly taking a more focused approach against targets by using better more advanced tactics, techniques and procedures, and better tooling, the need for skilled pen testing is at an all-time high.
More simply put, pen testing:
• helps you determine your weaknesses before the hackers do.
• helps shape your security spending (where are your holes, what solutions can you purchase to bridge the gaps).
• saves you time, money and reputation (a pen tester will hopefully breach you before a real hacker does).
• gives you a different perspective on your security posture (you may think you’re secure, but when an outsider looks at your infrastructure, it’s flawed).
Before You Become a Penetration Tester, Read This
There are a few nuances to the role of being a penetration tester that most looking to get into the profession don’t consider. First, as a pen tester, you get a very limited amount of time (days) to compromise systems that hackers would typically have months to work on. You may need to travel regularly to do your job (often to data centers in unglamorous locations) – while hackers do most of their work from the comfort of their homes.
Pen testers also must consider the client while they execute their assessments. Clients typically aren’t looking for a single route to domain admin, for example. They’re interested in the broader attack surface and coverage across their whole estate. In most roles, pen testers will need to provide consultative advice. And most importantly, pen testers will always have to document their findings in a written report at the end of the test. Often, pen testers will be asked to explain in detail some or all the findings to technical and non-technical audiences. This part of the role requires strong people and customer service skills.
Before an organization commences a test, internal leaders typically zero-in on business considerations, such as loss of revenue due to system downtime as a result of testing and cost of the engagement – so be prepared to justify your work and the amount of time you’ll need.
So, What Makes a Valuable Pen Tester?
I believe that there are a handful of skills that make up a valuable pen tester. Again, it’s key to remember that penetration testing is not the same as ‘hacking’ (although a lot of the skills intersect). Here are four key attributes top pen testers typically possess:
- A Good Attitude – This is much more important than someone who’s done a course (OSCP or the like). The truth is, you can’t be a good penetration tester if you’re not passionate about IT security. It needs to be more than a job, as the up-skilling and constant personal development is not possible to maintain if your heart isn’t in it. Also, you need to be autodidactic (into self-learning). There are good core texts on most topics, but they become outdated quickly. Most experienced testers that would be your peers will have gained a good chunk of their knowledge via self-learning and will be resentful if you expect knowledge spoon fed to you.
2. Solid Fundamentals – The best testers know a lot about a few things, but ‘something’ about everything else. Holding a computer science related degree provides a solid fundamental knowledge base and will put you in good stead (although recently specialized degrees have become popular). Similarly, experienced sysadmins, network architects and developers should have strong specialized foundations on which to build. It’s common to find even experienced testers with big knowledge gaps but it’s important to understand all areas of enterprise infrastructure to some degree in order to progress through the ranks.
3. Technical Prowess – At its core, penetration testing is an extremely technical discipline. Not only do you need to understand how things work at a low level, you need to subvert controls in a repeatable way and learn constantly as new versions of software/hardware are released. The ability to code or script is always an advantage, even if you’re limited to simple bash scripting. However, some of the best testers I know can’t write code but can read and manipulate it very well. That said, ultimately, it will limit your vision and scope if you can’t code.
4. Soft and Written Skills – Often overlooked, these skills are what separates penetration testers from hackers and script kiddies. Ask yourself, would you (as a client) accept the work of someone who cannot write a coherent sentence, and cannot express simple issues in plain English? The key deliverable for the client is the written report. Penetration testing companies require consultants who can read, write and speak their language well. Unless you’re a total genius who’s finding exploits nobody else can, they’re unlikely to overlook total ineptitude in this area.
We (The Industry) Need More Pen Testers
All in all, pen testing is an essential cybersecurity activity for every organization that values security and wants to protect their critical data. The pen testing field needs more passionate and eager to learn professionals. The more quality pen testers that enter the field, the more vulnerabilities organizations can take away from hackers before it’s too late. In a constant cat and mouse game between the attackers and organizations, pen testers have one of the more critical roles in cybersecurity and the industry values them. I’m looking forward to seeing the next generation of pen testers come through the ranks – we need them now more than ever.