Penetration Testing mailing list archives
RE: Pen Tester Qualification
From: "Alex Eden" <Alex.Eden () senet-int com>
Date: Tue, 23 Sep 2008 17:29:38 -0400
Agree completely. The only thing I'd add: consider entering the broader security field first, and then move into the pen testing niche, if you are still interested at that point. I think there are very few, if any, pure-pen-test-only firms. Most do whatever security-related work comes their way, and so you will have to wear many hats. Also, there are very few gurus that are good in all aspects of security assessments. We try to hire people that are VERY proficient in at least one area: Windows, Unix, networking, databases, web programming, C/asm. I agree with J. Oquendo that experience, aptitude, and ability to learn are more important than certifications... However, more recently certifications became important too, simply because I think there was a new mandate or something and the Fed. Gov. now requires a certain number of CISSPs on each contract as a condition for award.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of J. Oquendo
Sent: Tuesday, September 23, 2008 3:23 PM
To: Haymi Rock
Cc: pen-test () securityfocus com
Subject: Re: Pen Tester Qualification

On Tue, 23 Sep 2008, Haymi Rock wrote:
> Guys, I need your experience. What are the qualifications for the ideal "Penetration Tester"? Your opinions and experiences are so much appreciated.
This is likely going to differ from the normal tailored answer you'll hear from the suit types, so here goes. The qualifications for pentesting, if I were conducting the interview, would vary. I would prefer to find someone with a thorough background in networking, systems administration and programming. The experience for me would have to be a few years in an industry where the usage of those technologies was heavy. For example, I'd prefer to find someone with hands-on experience in, say, a NOC environment or a SOC environment. The candidate would HAVE to have hands-on experience first and foremost. I believe that, at the bottom line, experience outweighs any certifications someone would have on their resume.

Secondly, I'd like to see them exposed professionally in the security industry, in some capacity doing some type of auditing, be it system level or network level. For me, again, they'd have to have the technical know-how involved with systems administration as well as with networking. In the common tasks of a system administrator, there are many learning curves for many systems (Windows, Linux, BSD, etc.). There are many programs to be learned and understood to effectively manage those systems. There are duties including the creation of accounts, group assignment, etc.; this exposes the candidate to the AAA concepts.

Networking is a must, period. No network, no pentest. I won't get into physical pentesting on this ramble. Understanding networking is a tremendous advantage since one needs to understand how things work from the ground up. The candidate should be able to pick apart layer by layer the OSI/DoD model to determine a starting and exiting point when addressing their penetration test. Because I believe in a form of structured penetration test, I feel the candidate should be a jack of all trades on the protocols.
They'd need to be well versed enough to know when to perform networking-related security testing (MITM, packet injection, covert channel testing) versus, say, application-level testing. Next comes the core of understanding the protocol itself. I'd want someone with a mix of experience dealing with security protocols. Perhaps someone having experience configuring webservers with OpenSSL or something along these lines. Someone whom I can ask a quick question like, say... What are the differences between aggressive and main modes of VPNs? They'd need to understand what I'm talking about and why I would ask something like this. They'd need to be well versed on CVSS topics, commonly used exploits, industry top 10's and 20's as far as threats go; they'd need to understand a few concepts related to doing paperwork as well. This means understanding a broad but structured view of topics such as BIA, DRM, ROI, etc. It's a matter of preference, but the more experienced in the subject matters, even if it's broadly based, I believe will get me a more professional pentest expert on my team as opposed to someone who sat around all day running tools.

I answered a question similar to this a week or two ago: the need for those coming into the field to understand the basics before focusing solely on the usage of popular tools. My ideal pentester would make his own tools à la MacGyver if they had to. There is no guarantee you will always be able to use tools, and many individuals need to understand this concept. What happens if you're at a client and they ask you right on the spot to perform an assessment on their machines without those fancy tools you swore would find any hole? Would you know what to do without them? Would you know how to search for open ports (lsof, netstat)? Would you know the system well enough for you to be able to perform a pentest under those conditions?

Recap...
MUST: Networking, Systems, Applications, Security Concepts
SHOULD: Business concepts, Information Security Concepts (not to be confused with IT Security... I mean audit-based, CISA/CISM-style concepts). Good knowledge of regulations (HIPAA, SOX, etc.).

It all boils down to where you intend on working, to be honest. Some companies solely hire what I call toolmonkeys. "OMFG YOU'VE USED CENZIC HAILSTORM!" means little if you don't understand how things work under the hood. Anyone can go around pointing and clicking a tool. It's the individual who can use the common underlying information on what the tool does and how it does it who I'd want on my team. "Can you do the same using, say, curl?", "Can you go through the motions of performing, say, SQL injections w/o the use of INSERT_FAVORITE_INDUSTRY_TOOL_HERE?" Anything else comes after the fact: certifications, what uberly massive list of tools you want to place on your resume. If a candidate cannot offer me something outside of "experience using NMAP..." I wouldn't bother interviewing them. If I asked the potential candidate something like, "Can you gather the same output that NMAP would give you with netcat?" and they understood what I meant w/o questioning why I would choose to use NC, then I'd get into deeper discussion with them. It's all about versatility for me.

// end of rambling

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"A good district attorney can indict a ham sandwich if he wants to ... The accusations harm as much as the convictions ... they're obviously harmful or it wouldn't be news.."
- John Carter

wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------