Any time I’m asked to speak about my experience in the cyber security field, whether I’m at a trade show or speaking to candidates interested in breaking into the industry, I invariably get the question about what it takes to be a pen tester. In this blog, I’ll touch on some of the most important qualities our pen testers have and some of the skills we look for in applicants for our pen testing positions.
1. Knowledge of Vulnerabilities and Exploits Outside of Tool Suites
Interview questions vary depending on the size and needs of an organization, but they generally have one thing in common – there’s almost always a question to determine whether the candidate knows more about a vulnerability than what automated tools describe. Basically, pen testers need to know that if a client has a security product that detects a particular tool (cough – Metasploit – cough), they’ll still be able to succeed.
What we don’t want is for testers to be helpless the minute they can’t use tool XYZ. We also don’t want our testers to blindly copy what vulnerability scanners say. It’s not uncommon for vulnerabilities to be reported that don’t have any known exploit code available. Does a vulnerability exist? Quite possibly, but without exploit code, the vulnerability cannot be leveraged.
We’re not necessarily looking for exploit writers, but successful pen testers need to know how to modify existing exploits to get them to work in specific networks for testing purposes.
2. Willingness to Continually Learn
No single tester can possibly be an expert across all domains, but they need to be active learners and develop real-world experiences. Instead of reading a write-up from a security firm on the latest and greatest exploit, why not fire up a virtual machine, build the vulnerable machine, obtain the code, and test it yourself?
What we learn from hands-on experience helps us build muscle memory. While the “muscle” aspect may not apply in penetration testing, the work certainly involves the ability to recall information and combine our understanding in new ways. If you want to become a penetration tester, one of the best ways you can demonstrate continuous learning is by posting videos of what you’ve learned. Everybody enjoys videos and they can be a great way to demonstrate expertise.
3. Understanding of Secure Web Communications and Technologies
I considered breaking this section into two separate elements, but there are a couple of reasons it makes sense to combine them. First, we have secure web communications. Testers need to understand everything from how to register a web domain name to applying the domain name to a cloud IP address to generating secure certificates for the domain, and finally, using those certificates to secure web communication.
Second, you need an understanding of web technologies. Web applications are a well-accepted portion of just about every assessment we do these days, and everybody needs to understand them. Our assessors need to know how web applications are built, how to identify input fields, and how to gather information that can lead to exploiting the functionality of the web application.
4. Ability to Script or Write Code
Your code doesn’t have to be production quality, but a tester who knows how to code will save hours on an assessment. At the time of this writing, the main languages you need to maintain a basic proficiency in are Python, Perl, PowerShell, and Bash. Along with knowing these languages, you need to be a master of keyboard-fu so you can manipulate data into whatever format you need to form that operational picture. If you don’t know where to get started, check out free training through Codecademy.
5. Soft Skills (Public Speaking, Report Writing, Team Player)
Life happens, and that means the role of report writing falls on whoever has the most experience. That’s why it’s important that every team member can communicate complex ideas in ways even non-technical people can understand.
If speaking and writing are not your strong skills, find ways to practice them. What we tend to shy away from are those superbly skilled technical wizards who everybody wants on their team, but nobody wants in front of a client. On our engagements we are a team, and that means everyone needs to know how to set up and tear down our equipment. The task of packing up the equipment is not beneath even our most senior members. Everything operates more smoothly when we know we have each other’s best interests at heart.
6. Certifications
You shouldn’t pour all your time and energy into certifications with the expectation they’re going to automatically lead to a job in the penetration testing field. Certifications are a differentiator, not a reason to hire. However, there are certain certifications that we value more than others.
The certifications that stand out the most to us are the Offensive Security certifications (OSCP/OSCE), but SANS certifications are a close second. Next, since penetration testers are hired to help organizations, it’s helpful to have testers who understand the managerial side of business. For this we value the CISSP, CISA, and CISM certifications.
Finally, we never know when we’re going to run into unique networks, so an understanding of both Microsoft domain architecture and network engineering is valuable on a team. We look at certifications from Microsoft and Cisco here.
Summary
Now you have a better idea of the skills we look for when screening candidates. If penetration testing is something you want to do, always remember it’s the well-rounded skillsets that go the furthest. If you’re interested in learning more about penetration testing, reach out to us.
For a behind-the-scenes look at what our pen testers uncover during their assessments, check out our e-Guide, “Hacker Secrets Revealed: Five Lessons Learned From Security Assessments.”
Noah Powers is managing consultant at Delta Risk LLC, a Chertoff Group Company.