Network v Web app pen testing

scasc · October 2016

Hi guys,

Am getting more into pen testing and wanted to ask which area is more in demand or easier to do? Also, what type of programming skills is required for either?

thanks in advance

Kalabaster · October 2016

I've seen more ads lately for web app, but that may be because I am one so recruiters looking for that might be specifically searching me out. I'd say that Net might be the better fit for someone coming in, unless you have previous experience as a web dev or a database admin. Web App is a specialty, and as such you might need to be better versed in the specifics of things. Also, automated scanners aren't as useful in web app vs net. Finally, net pen testing is more broadly supported in regards to learning and training yourself, and could therefore afford you more opportunities and a better picture.

BlackBeret · October 2016

From what I see the more specialized, the better. Web app and database pen testers are extremely hard to find (good ones at least).

On the network side I'd say that bash and powershell are mandatory, as well as a solid foundation in a programming language of your choice. Being able to write custom script and interact with remote systems is a lot of what you're doing. Being able to understand a handful of the more common languages such as python, perl, and C will help you know what's going on in exploits you find online and being able to modify them to your needs is a must.

Keep in mind that pentesting is a specialized skill, even on the network side. You need to understand whatever it is you're interacting with more than you need to know the cool pentesting skills you used to break in to it. You popped a shell on a Windows Server box, now what? Win Desktop, Linux, AIX, IOS?

Roles where I work have become so specialized that even once you're in vulnerability assessing you're still grouped in to a speciality. Windows, *nix, Applications, DB, Web App, or Network Infrastructure. OS and Apps people have a Sysadmin background in that OS, DB assessors were previously DB admins, Web App assessor was previously a web app developer, Infrastructure guys were previously network engineers, etc.

636-555-3226 · October 2016

Good pentesters for ANYTHING are hard to find. Most pentesters generically tackle the network side of things. Web app specialists aren't as numerous. If you really want to get in on a good niche that is just starting out but will make you a millionaire in a few years when it explodes, get in to ICS/SCADA. That's a very small niche with only half a dozen **good** people across the US worth paying for. Make yourself one of those elite and you're set for life.

scasc · October 2016

Thanks for the response guys, really appreciate it.

@Scada - that focusses heavily on networking elements around industrial control systems? Any web app work here?

Best wishes

Ertaz · October 2016

636-555-3226 wrote: »

Good pentesters for ANYTHING are hard to find. Most pentesters generically tackle the network side of things. Web app specialists aren't as numerous. If you really want to get in on a good niche that is just starting out but will make you a millionaire in a few years when it explodes, get in to ICS/SCADA. That's a very small niche with only half a dozen **good** people across the US worth paying for. Make yourself one of those elite and you're set for life.

I have to laugh at this a little, because its such a painful realization. ICS/SCADA security in every manufacturing org I've ever been in is %99 at the network layer. No host controls allowed, no device hardening. A moderately well versed pentester could do some permanent damage to ICS systems at older manufacturers. Some of those systems are 30+ years old and are running everything from HP-UX, NT4, unpatched out of support appliances.

At newer, "profitable", manufacturers or utilities I can see the strong need for advanced knowledge in the pentesting arena. The cia triad in manufacturing be like:

c-i-A

Kalabaster · October 2016

Ertaz wrote: »

I have to laugh at this a little, because its such a painful realization. ICS/SCADA security in every manufacturing org I've ever been in is %99 at the network layer. No host controls allowed, no device hardening. A moderately well versed pentester could do some permanent damage to ICS systems at older manufacturers. Some of those systems are 30+ years old and are running everything from HP-UX, NT4, unpatched out of support appliances.

At newer, "profitable", manufacturers or utilities I can see the strong need for advanced knowledge in the pentesting arena. The cia triad in manufacturing be like:

c-i-A

I disagree. The "A" should be much bigger.

Ertaz · October 2016

Kalabaster wrote: »

I disagree. The "A" should be much bigger.

LOL. It's all the font would give me...

636-555-3226 · October 2016

Ertaz wrote: »

I have to laugh at this a little, because its such a painful realization. ICS/SCADA security in every manufacturing org I've ever been in is %99 at the network layer. No host controls allowed, no device hardening. A moderately well versed pentester could do some permanent damage to ICS systems at older manufacturers. Some of those systems are 30+ years old and are running everything from HP-UX, NT4, unpatched out of support appliances.

At newer, "profitable", manufacturers or utilities I can see the strong need for advanced knowledge in the pentesting arena. The cia triad in manufacturing be like:

c-i-A

True, true, but pentesting ICS/SCADA isn't just about finding win 3.1 & linux from the mid-90s. It's about understanding how the systems integrate as a cohesive whole. Coming in and pointing out my win 3.1 system needs upgraded doesn't even require a pentest, but being able to understand that my city's water/sewer system are reliant on win3.1 and we don't have the $20M to upgrade requires more than just a pentest FAIL stamp. no smart company in the world pays for just a pentest - they pay for someone to 1) find the holes, 2) prove the holes are exploitable, and 3) provide useful takeaways for action items that can be accomplished. simply giving me a red critical 10/10 rating for end of support systems and telling me i need to upgrade (which accomplishes 1 & 2, above) doesn't work. you need to tell me how to keep the water flowing in a safe manner. how many network pentesters do you know who understand how a water treatment system works that provides water for 2M people? RE: ICS - that's the guy who is going to be making the big bucks, not the guy with an OSCP who can run nessus and veil.

Ertaz · October 2016

636-555-3226 wrote: »

True, true, but pentesting ICS/SCADA isn't just about finding win 3.1 & linux from the mid-90s. It's about understanding how the systems integrate as a cohesive whole. Coming in and pointing out my win 3.1 system needs upgraded doesn't even require a pentest, but being able to understand that my city's water/sewer system are reliant on win3.1 and we don't have the $20M to upgrade requires more than just a pentest FAIL stamp. no smart company in the world pays for just a pentest - they pay for someone to 1) find the holes, 2) prove the holes are exploitable, and 3) provide useful takeaways for action items that can be accomplished. simply giving me a red critical 10/10 rating for end of support systems and telling me i need to upgrade (which accomplishes 1 & 2, above) doesn't work. you need to tell me how to keep the water flowing in a safe manner. how many network pentesters do you know who understand how a water treatment system works that provides water for 2M people? RE: ICS - that's the guy who is going to be making the big bucks, not the guy with an OSCP who can run nessus and veil.

So, a guy like me with DeltaV and Yokogawa DCS experience, Matrikon OPC certification, and OSI PI admin experience would do well to get his OSCP?

OmegaNuller · October 2016

For web app i'd recommend taking eWPT.

Network v Web app pen testing

Comments