RE: What is being a pen tester really like?



Rahul,

Sadly, I have to agree with a large portion of what Paul says. Aside from
some specialised areas or situations, security assessment and penetration
tools have advanced to a point where you could get by with simply taking
canned reports and output and presenting it to your clients. IMHO, this
narrowly qualifies as true pen-testing but even without those tools
pen-testing isn't exactly rocket science.

Now being a *good* pen-tester... That's the real distinction. It's one thing
to be comfortable and proficient with pen-test tools (Nessus, Core IMPACT,
Metasploit, WebInspect, password tools... the list is long) so that you can
present reliable results and recommendations. It's another thing entirely to
take those tools and wring every last ounce of performance and use from
them. Paul's Mario Andretti metaphor is a good one. The good pen-testers not
only understand and can interpret the information they gather but also
understand in detail the underlying processes and implications of what they
see (or don't see). Being able to infer from a limited dataset what
weaknesses exist and how to fully take advantage of them is not an easy
thing to pick up. It requires time, patience, experience, and a healthy dose
of paranoia. While your coding background will be of help, especially if you
want to code or modify existing exploits or tool modules, it's not as
relevant as understanding the TCP/IP stack or other more basic technical
knowledge... And being able to see the big picture from the bits and pieces
you collect.

The really rare pen-tester not only has the technical chops but can
communicate them in ways that even a 3-year-old (or executive, heh) could
understand. I've met people with technical depth who can run rings around me
but with very few exceptions couldn't communicate their way out of a wet
paper bag. I've also met people who are effective communicators but wouldn't
know a SYN-ACK if it bit them in the nether regions. The ability to take
complex data and present it in an easy-to-understand format is difficult.
The fun part of pen-testing is the actual pen-testing itself... The hard
part (and the most time consuming) is writing it all down and documenting
the findings.

In my experience the day-to-day of the pen-tester experience can be summed
up pretty easily: "10 minutes of thrills followed by 10 hours of utter
boredom."

Hope that helps.


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"


-----Original Message-----
From: Paul Melson [mailto:pmelson@xxxxxxxxx]
Sent: Friday, July 28, 2006 12:28 PM
To: rahul.joshi2@xxxxxxxxxxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: What is being a pen tester really like?

-----Original Message-----
Subject: What is being a pen tester really like?

rahul.joshi2@xxxxxxxxxxxxxx wrote:

I am currently a Java developer but I'm seriously thinking of changing paths
to a career in security and pen testing.

What I would like to know is what is being a pen tester really like?

Despite what you may have heard, being a successful
pen-tester (meaning, you get hired and make a living at it)
is not very hard, nor does it require a lot of very deep
technical skill. What it really requires is good verbal and
written communication skills, the ability to work well with
clients, and the ability to explain security (even
inaccurately) in terms of business value. Do those things,
and you can be successful.

The dirty truth about pen testers is that most of them have a
handful of tools and scripts (like Nessus and Retina) and run
them with the same configs against every customer and have
the same canned recommendations based on the results that
their tools spit out. Hell, most vuln scanners spit out
their own remediation recommendations for the pen tester to
simply hand over to their customers. Additionally, for a pen
test to have the appearance of being successful, it only
needs to find some of the vulnerabilities present on a
network or in an application. Unlike being a network
engineer or a sysadmin where your work has to stand up to
the 24/7 scrutiny of a live environment, being a pen tester
means only needing to be right more often than you're wrong.

Not to take away from the skills or experience of any
individual pen testers out there. There are some Mario
Andrettis out there driving school buses, if I may.


PaulM



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win
the Analyst's Choice Award from eWeek. As attacks through web
applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most
comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You
have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help
you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to
confirm your results from other product. Contact us at
request@xxxxxxxxxx for details.
------------------------------------------------------------------------------



