Tips for Entering the Penetration Testing Field
It's an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.
In the courses I teach on penetration testing, I'm frequently asked about how someone can land their first job in the field after they've acquired the appropriate technical skills and gained a good understanding of methodologies. Also, over the past decade, I've counseled a lot of my friends and acquaintances as they've moved into various penetration testing jobs. Although there are many different paths to pen test nirvana, let's zoom into three of the most promising. It's worth noting that these three paths aren't mutually exclusive either. I know many people who started on the first path, jumped to the second mid-way, and later found themselves on path #3. Or, you can jumble them up in arbitrary order.
Path A: General Enterprise Security Practitioner Moving to Penetration Testing
First, you could parlay a job in the security group of an enterprise (whether a corporate, government, or educational position) into vulnerability assessment and then penetration testing. For example, today, you may be a security auditor, administrator, analyst, or a member of a Security Operations Center (SOC) team. Tell your management that you are keenly interested in vulnerability assessment and penetration testing, and offer your support in existing projects associated with those tasks. You might have to start by taking one for the team and putting in your own hours in helping out, without getting a break from your "regular" job. Consider this extra time an investment in yourself. At first, you could help with tasks such as project scoping, false positive reduction, and remediation verification. Later, offer help in preparing a high-quality penetration testing report. Over the space of several months or even a year, you'll demonstrate increasing skills and can ask management or other groups in your enterprise for a move more directly in the heart of penetration testing work.
Path B: Working for a Company or Division that Focuses on Penetration Testing
There are many companies that provide third-party penetration testing services to other companies, including organizations such as Verizon, Trustwave, and FishNet Security. Many of these organizations are looking to hire exceptional penetration testers, especially those who have experience. If you have no direct penetration testing experience, you may still want to try your hand by applying for a junior role in such organizations. A solid background in secure networking, development, or operations will prove helpful. But, if experience is absolutely required, consider moving through Paths A or C to hone your skills before jumping to Path B.
Path C: Going Out on Your Own
If you are more entrepreneurially minded, you may want to consider forming your own small company on the side to do vulnerability assessment for local small businesses, such as a local florist or auto mechanic. Start with just vulnerability assessment services, and build your skills there before going into full-blown penetration testing. There are a couple of huge caveats to take into account with this path, though. First off, make sure you get a good draft contract and statement of work template drawn up by a lawyer to limit your liability. Next, get some liability and errors & omissions insurance for penetration testing. Such protection could cost a few thousand dollars annually, but is vital in doing this kind of work. Once you've built your vulnerability assessment capabilities, you may want to gradually start looking at carefully exploiting discovered flaws (when explicitly allowed in your Statements of Work) to move from vulnerability assessment to penetration testing. After your small business is humming, you may decide to stick with this path, growing your business, or jump into Paths A or B.
Regardless of whether you go down paths A, B, C, or your own unique approach to entering the penetration testing industry, always keep in mind that your reputation and trustworthiness are paramount in the information security field. Your name is your personal brand, so work hard, be honest, and always maintain your integrity. Additionally, build yourself a lab of four or five virtual machines so you can practice your technical skills regularly, running scanners, exploitation tools, and sniffers so you can understand your craft at a fine-grained level. Learn a scripting language such as Python or Ruby so you can start automating various aspects of your tasks and even extend the capabilities of tools such as the Metasploit framework. And, most of all, give back to the community by writing a blog, sharing your ideas and techniques, and releasing scripts and tools you've created. You see, to excel in pen testing, you can't think of it as a job. It is a way of life. Building a sterling reputation and contributing to others is not only beneficial to the community, but it will provide many direct and indirect benefits to you as you move down your path from new penetration tester to seasoned professional.
Additional SANS Penetration Testing Resources
Watch: WEBCAST - So, You Wanna Be a Pen Tester?
SANS Pen Test Posters:
- Blueprint: Building a Better Pen Tester - PDF Download
- White Board of Command Line Kung-Fu - PDF Download
- Pivots & Payloads: Board Game - PDF Download
Build your Skills (Free):
- www.holidayhackchallenge.com - Available 24/7/365 to build your InfoSec skills. Holiday-themed challenges from the makers of SANS NetWars and our Penetration Testing Course.
- http://www.amanhardikar.com/mindmaps/Practice.html - A massive and up-to-date list of places to practice InfoSec skills online
SANS Penetration Testing Webcasts (YouTube):
- How Not to Suck at Pen Testing - presented by SANS Instructor, John Strand
- How to Give the Best Pen Test of Your Life - presented by SANS Fellow, Ed Skoudis
- Build your Own Home Lab - presented by SANS Instructor, Jeff McJunkin. Jeff walks through a step-by-step process for building your own home lab so that you can develop the skills you need to be a professional penetration tester.
- Blueprint: Building a Better Pen Tester - presented by SANS Fellow, Ed Skoudis. Listen as Ed teaches penetration testing by using the tips on the SANS Pen Test Poster - Blueprint (PDF).
- Physical Security - Everything Wrong With Your Typical Door - presented by Deviant Ollam. This is a great introduction to physical pen testing.
- SANS Penetration Testing YouTube Channel - filled with numerous SANS Webcasts and InfoSec Conference talks given by SANS Penetration Testing Instructors.
SANS Pen Test Training:
- SEC504: Hacker Tools, Techniques, Exploits and Incident Handling - foundational information security training
- SEC560: Network Penetration Testing and Ethical Hacking - our core penetration testing course
- SEC542: Web App Penetration Testing and Ethical Hacking - learn web application penetration testing