SANS Penetration Testing

So You Wanna Be a Pen Tester? 3 Paths To Consider (Updated)

Tips for Entering the Penetration Testing Field

By Ed Skoudis

It's an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.

In the courses I teach on penetration testing, I'm frequently asked about how someone can land their first job in the field after they've acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I've counseled a lot of my friends and acquaintances as they've moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let's zoom into three of the most promising. It's worth noting that these three paths aren't mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.

Path A: General Enterprise Security Practitioner Moving to Penetration Testing

First, you could parlay a job in the security group of an enterprise (whether a corporate, government, or educational position) into vulnerability assessment and then penetration testing. For example, today, you may be a security auditor, administrator, analyst, or a member of a Security Operations Center (SOC) team. Tell your management that you are keenly interested in vulnerability assessment and penetration testing, and offer your support in existing projects associated with those tasks. You might have to start by taking one for the team and putting in your own hours in helping out, without getting a break from your "regular" job. Consider this extra time an investment in yourself. At first, you could help with tasks such as project scoping, false positive reduction, and remediation verification. Later, offer help in preparing a high-quality penetration testing report. Over the space of several months or even a year, you'll demonstrate increasing skills and can ask management or other groups in your enterprise for a move more directly in the heart of penetration testing work.

Path B: Working for a Company or Division that Focuses on Penetration Testing

There are many companies that provide third-party penetration testing services to other companies, including organizations such as Verizon, Trustwave, and FishNet Security. Many of these organizations are looking to hire exceptional penetration testers, especially those who have experience. If you have no direct penetration testing experience, you may still want to try your hand by applying for a junior role in such organizations. A solid background in secure networking, development, or operations will prove helpful. But, if experience is absolutely required, consider moving through Paths A or C to hone your skills before jumping to Path B.

Path C: Going Out on Your Own

If you are more entrepreneurially minded, you may want to consider forming your own small company on the side to do vulnerability assessment for local small businesses, such as a local florist or auto mechanic. Start with just vulnerability assessment services, and build your skills there before going into full-blown penetration testing. There are a couple of huge caveats to take into account with this path, though. First off, make sure you get a good draft contract and statement of work template drawn up by a lawyer to limit your liability. Next, get some liability and errors & omissions insurance for penetration testing. Such protection could cost a few thousand dollars annually, but is vital in doing this kind of work. Once you've built your vulnerability assessment capabilities, you may want to gradually start looking at carefully exploiting discovered flaws (when explicitly allowed in your Statements of Work) to move from vulnerability assessment to penetration testing. After your small business is humming, you may decide to stick with this path, growing your business, or jump into Paths A or B.

Regardless of whether you go down paths A, B, C, or your own unique approach to entering the penetration testing industry, always keep in mind that your reputation and trustworthiness are paramount in the information security field. Your name is your personal brand, so work hard, be honest, and always maintain your integrity. Additionally, build yourself a lab of four or five virtual machines so you can practice your technical skills regularly, running scanners, exploitation tools, and sniffers so you can understand your craft at a fine-grained level. Learn a scripting language such as Python or Ruby so you can start automating various aspects of your tasks and even extend the capabilities of tools such as the Metasploit framework. And, most of all, give back to the community by writing a blog, sharing your ideas and techniques, and releasing scripts and tools you've created. You see, to excel in pen testing, you can't think of it as a job. It is a way of life. Building a sterling reputation and contributing to others is not only beneficial to the community, but it will provide many direct and indirect benefits to you as you move down your path from new penetration tester to seasoned professional.

Additional SANS Penetration Testing Resources

Watch: WEBCAST - So, You Wanna Be a Pen Tester?

EdSkoudis_SoYouWannaBeAPenTester_06192018

Available Now!
Recorded: 6/19/2108
https://www.sans.org/webcasts/so-wanna-pen-tester-3-paths-106920

 

Upcoming SANS Pen Test Webcasts:

 

Pen Test Cheat Sheets:

 

SANS Pen Test Posters:

 

Build your Skills (Free):

 

SANS Penetration Testing Webcasts:

 

SANS Pen Test Training:

 

 

-Ed.

https://twitter.com/edskoudis

Upcoming SANS Special Event - Pen Test HackFest 2018

HackFest_9x6_NOV2018

SANS Pen Test HackFest 2018 - Summit & Training
November 12-19, 2018 | Bethesda, MD (Washington DC Area)

  • (2) Day Summit Event with 20+ Amazing Speakers on Pen Test & Red Team Topics
  • Evening Networking Sessions
  • (3) Nights of SANS Core NetWars, with Coin-A-Palooza
  • (1) Night of CyberCity Missions
  • Choose from (8) SANS Pen Test Training Courses
  • Learn more: www.sans.org/hackfest

"If you haven't attended a SANS Summit, it's hard to understand the immense value. This is even more true for Pen Test HackFest" - Jason Nickola, DTS

Post a Comment






Captcha


* Indicates a required field.