How to break into Penetration Testing – an expert’s guide
March 14, 2019
In his role leading penetration testing services at Trustwave, Lawrence Munro, VP SpiderLabs, has pulled together the attributes, experience and qualifications he considers necessary to crack a career in this challenging space.
What makes a good tester?
There are quite a few attributes beyond raw technical knowledge that make a good tester. It’s important to remember that penetration testing is not the same as ‘hacking’, although many of the skills overlap:
Attitude – You simply can’t be a good Penetration Tester if you’re not passionate about IT Security and, more broadly, technology. You need to be autodidactic (a self-learner) to a certain extent, as even in 2019 the few good core texts on the subject are becoming outdated rapidly. Individuals therefore need to conduct their own research and read around the subject area where they can, as well as interact with professionals and their peers to share ideas and practices.
Good fundamentals – Despite some resistance to academic learning within the industry, a Computer Science-related degree provides a great grounding. Similarly, experienced sysadmins, network architects and developers should already understand the inner workings of an enterprise infrastructure and its associated challenges, and can build on that knowledge to progress.
Technical prowess – At its core, penetration testing is an extremely technical discipline. The ability to code or script is always an advantage, even if you’re limited to simple bash scripting.
Soft and written skills – Often overlooked, these skills are what separate penetration testers from hackers and script kiddies. Penetration testing companies require consultants who can read, write and speak English well. Unless you’re a total genius who’s finding exploits nobody else can, companies are unlikely to overlook ineptitude in this area.
It’s almost impossible to get into a penetration testing job if you have no exposure to Computer Science or hacking at all. There are four common starting points that lead people onto the penetration testing path:
A school or college leaver who hacks as a hobby
In penetration testing, a lack of higher/further education isn’t necessarily a hindrance if you have skill. However, you will need to prove that skill to a greater extent than a graduate would. Bug bounties are a great way to prove your prowess, with platforms such as Bugcrowd and HackerOne paying sizeable bounties to the best bug hunters. If this is beyond your current skill level, it’s worth working through teaching resources such as Metasploit Unleashed or DVWA (Damn Vulnerable Web Application) to hone your skills.
An existing IT professional (e.g. Sysadmin, Developer, Network Engineer)
Existing IT professionals potentially already have quite a bit of skill in a useful area. Avoid expensive courses and focus instead on moving into a role as quickly as possible. There are plenty of inexpensive or free resources online to bring you to a level where you can hold a decent conversation in an interview or demonstrate working knowledge of Metasploit or Burp Suite on a rig.
Great resources can be found on sites like SecurityTube, Udemy and OWASP (or just YouTube), and material like Metasploit Unleashed and the deliberately vulnerable Mutillidae web application will help you reach those initial goals. Make sure to include these efforts in your cover letter and CV.
A recent graduate of Computer Science, Cyber Security or Ethical Hacking
As a recent graduate, you have likely been exposed to a wide breadth of IT. However, when interviewing for a pentesting role you must display passion for security and some evidence of learning outside of university.
If you lack this, it will likely look as though you don’t know what you want to do and simply saw a couple of jobs being advertised for senior Penetration Testers at up to £100k/$160k. If you’ve done a security-related degree (or Masters), you’re likely to reach the interview stage on the strength of the specificity of your experience, as long as you achieved a reasonable grade.
A graduate or experienced professional in another field
If you have no experience or qualifications in the field, it’s likely to be a struggle to get an interview on the strength of your CV alone. I would advise the same approach as a school or college leaver: get ethically hacking and learning!
An impassioned cover letter and interest in being an unpaid intern will often turn the head of a hiring manager. No organisation will take you from nothing to expert; it requires too much time and investment. The industry wants self-starters, so get learning and make sure you can demonstrate what you know.
The CHECK scheme was initially set up in response to the increased demand for skilled penetration testing to be performed against Her Majesty’s Government and CNI (Critical National Infrastructure). The accreditation is quite complex, but essentially the individual must pass an exam, hold SC clearance and work for a CHECK ‘green light’ company.
CHECK is not the only scheme; in fact there are loads out there, some of better quality than others. Those that have earned a good industry reputation include CREST (full disclosure: I’m on the CREST executive board and work for a CREST company), which is used by governments and some private-sector industries (notably Financial Services) to accredit individuals.
OSCP / PWK by Offensive Security is an online, technical course that runs you through a challenging series of labs exploring scripting in bash and Python, the basics of exploit development and loads more. To gain the OSCP qualification, you are required to submit coursework from the labs and complete a challenging 24-hour hands-on exam.
Most interviews follow a formulaic approach: a two- or three-stage process with a mix of the following elements.
Phone-based – Some simple technical questions (Nmap flags, port numbers, “What’s an XSS?” and so on), to check you speak good English and have basic common sense.
Face-to-face (technical) – This is normally a series of technical questions plus a practical assessment on a rig of some kind, often with you explaining as you go or the interviewer(s) watching what you do on another screen. Normally this will be basic, like popping a box with Metasploit (using MS08-067 or MS17-010) or demonstrating a basic XSS. Despite the name, this stage is often performed remotely.
Face-to-face (presenting / meet-the-director) – You may be asked to present a penetration test report or prepare something similar to assess your interpersonal skills. Depending on the company, you may need to meet a higher-level business representative such as a Director, VP or Partner.
Face-to-face (general) – A general interview will have a mix of discovery questions, often using HR methodologies such as the STAR model.
Ensuring you are operating on the right side of the law is important when it comes to pen testing. One situation where an ethical hacker may find themselves in a grey area is the notification of security issues, or full disclosure. I have seen instances where independent researchers have held organisations to ransom with bugs they have discovered in their systems, offering to share the details with the company only in return for payment. This has most likely come about from the popularity of bug bounty programs.
However, once you move outside these programs you may find yourself in a dicey area both ethically and legally. As a rule, I would say that if you don’t own the system or don’t have explicit permission to assess its security, do not test it. Bear in mind that using a site in any way other than its intended use already counts as testing it.
In short, the key to a successful career in pentesting is a mix of proactive, continuous learning and genuine passion. This is a role that will become increasingly competitive to break into, but that shouldn’t put anyone off pursuing it as a career. The opportunities for self-learning and upskilling mean that formal education or qualification isn’t the only path. In that sense it offers remarkably open opportunities, suitable for a diverse range of candidates.