
Penetration testing is an unusual job. You break into companies through their technology and then show them where their weaknesses lie so they can fix them. It’s a job for good people with the ability to do bad things. I started penetration testing in the late 1990s and eventually founded a consulting company. Over the course of 15 years, we’ve tested thousands of critical applications for vulnerabilities and I’ve hired and trained many penetration testers.

Below are a few thoughts about what knowledge and skills you’ll need to excel as a penetration tester and what prospective employers ought to look for. My expertise is in web applications, but most of the following examples apply to other types of penetration testing. Don’t try to learn everything all at once. Focus on a single critical risk and everything about it. Then you can be an effective part of a team and expand your skills as you go.

• Web Applications and Application Programming Interfaces (APIs): You’ll definitely need a deep understanding of the technology you are testing. You don’t have to become an expert coder, but you should know enough to build simple applications using the technologies you want to test and comprehend the code for more complex apps. I suggest specializing in technologies that are widely used to build applications that people actually care about like Java, .NET and the major application frameworks.

• Security Defenses: Understanding security defenses like encryption, authentication, authorization, cross-site request forgery (CSRF) tokens, session IDs, HTTP headers, encoding/escaping and logging is critical. If you understand the expected behavior, you have a much better chance of identifying actual behavior that represents a risk. Remember that every application is a beautiful and unique snowflake, so you have to actually verify each defense.

• Security Vulnerabilities: A theoretical understanding of vulnerabilities isn’t worth very much. You’ll need practical experience finding and exploiting vulnerabilities with tools like Burp and ZAP. I strongly recommend creating an application with every vulnerability you hear about and then exploiting it. Download an old version of Struts 2 and send in a content-type header with an expression language attack. Did it work? Where did you fail? Successful pentesters are able to persevere in the face of constant rejection.

• Communication: You’ll need to be great at communicating what you’ve discovered in terms the business can understand. You’ve done nothing if you can’t make people understand your findings and change their behavior. You should practice explaining in plain language exactly how the application works, how it can be exploited, a realistic exploit scenario with likelihood and impact, and some options for fixing the problem — in that order.

• Security DNA: Some people have the ability to see how an application might be misused. Others will never see anything except how it is supposed to be used. This ability is sometimes called security DNA because it is hard to teach. If you’re the type of person who doesn’t believe anything without verification, finds strange uses for things, tries every knob and switch and digs under the covers, maybe you’re a good candidate for security testing.

• Experimental Discipline: Commercial penetration tests are fast-paced, high-pressure jobs. You can’t just wander around aimlessly. Good penetration testers get organized quickly and create a prioritized list of things to test. For each item, they design efficient experiments to definitively test whether they are a problem or not. You’ll need to become adept with a variety of security tools to create custom tests. How would you verify that the access controls in a representational state transfer (REST) API are correct? Can you quickly build an access control matrix and write a tool to test each combination of account and web resource?
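As an added illustration (not code from the article), here is one way to build that access control matrix and test every account/resource combination. The roles, resources, expected policy and the in-memory fake API are all constructed for the example; in a real engagement `fake_api` would be replaced by a function that issues the HTTP request with the session or token of the given account and returns the status code.

```python
from itertools import product

# Constructed sample: the roles we hold test accounts for and the resources under test.
ROLES = ["anonymous", "customer", "admin"]
RESOURCES = [("GET", "/api/orders"), ("POST", "/api/orders"), ("DELETE", "/api/orders/42")]

# Constructed expected policy: which roles should be allowed to reach each resource.
POLICY = {
    ("GET", "/api/orders"): {"customer", "admin"},
    ("POST", "/api/orders"): {"customer", "admin"},
    ("DELETE", "/api/orders/42"): {"admin"},
}


def build_matrix(roles, resources, policy):
    """Cartesian product of roles x resources -> expected allow (True) or deny (False)."""
    return {(role, method, path): role in policy[(method, path)]
            for role, (method, path) in product(roles, resources)}


def fake_api(method, path, role):
    """Stand-in for the application under test (hypothetical). Returns an HTTP status code.
    It deliberately omits the admin check on DELETE so the harness has something to find."""
    if role == "anonymous":
        return 401
    if method == "DELETE":
        return 204          # should have been 403 for non-admins
    return 200


def check_access_controls(matrix, send):
    """Exercise each (role, method, path) and return the combinations whose observed
    behaviour differs from the expected matrix, labelled by the direction of the mismatch."""
    findings = []
    for (role, method, path), expected_allow in sorted(matrix.items()):
        status = send(method, path, role)
        actually_allowed = status < 400       # treat 2xx/3xx as access granted
        if actually_allowed != expected_allow:
            findings.append({
                "role": role, "method": method, "path": path, "status": status,
                "expected": "allow" if expected_allow else "deny",
                # a grant that the policy forbids is a security finding; a deny that
                # the policy permits is a functional bug worth reporting separately
                "kind": "missing access control" if actually_allowed else "over-restriction",
            })
    return findings


if __name__ == "__main__":
    for finding in check_access_controls(build_matrix(ROLES, RESOURCES, POLICY), fake_api):
        print(finding)
```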