August 9, 2013 at 4:48 am #8538
What are the challenges you guys face in your Penetration Testing career?
Right from diving into pentesting, to becoming a pro?
Please share your thoughts regarding finding the right training, appropriate skill sets, cost of training, etc.
Then, getting a scope of pentest agreed with clients/business, and reporting test results.
August 9, 2013 at 8:44 am #53320 UKSecurityGuy (Participant)
I could write a book on your question…
A couple of things that jump out off the top of my head (from both sides of the fence, Penetration Tester and Client) are:
Good training is cheap and easy to find (SecurityTube), but official certificates cost a lot of money.
Too many people study for one discipline (infrastructure/wireless/web) but, once certified, declare themselves Penetration Testers and apply their trade in other disciplines they’re not any good at. The result is sloppy pen tests for the client, which brings down the reputation of the professionals.
Too many clients just want a ‘tick box’ security audit, at the cheapest rate they can get. The result is either a half-done Penetration Test (which makes testers look bad) or a lot of late nights attempting to cram everything into the available timescales (which upsets the testers). Testers don’t really get the chance to complain because their management wants repeat business from that company.
Not enough time is ever allocated to report writing. The result is that ‘canned’ recommendations are inserted into a report which aren’t necessarily accurate, and which then bear the tester’s name. The result is that security guys within the client’s organisation get upset and the testers get a bad name.
August 9, 2013 at 5:06 pm #53321 azmatt (Participant)
Thank you very much for the honest thoughts, UK. As someone outside of, but obviously interested in, this industry, I always learn a lot from those of you who do this stuff on a daily basis.
August 12, 2013 at 3:21 am #53322
Thanks for the replies.
I think the biggest issue is, yeah, having to define the scope.
Sometimes the clients just want a tick in the box and would only ask to test a small portion of the environment.
August 12, 2013 at 8:20 am #53323 UKSecurityGuy (Participant)
Defining a small scope isn’t necessarily a bad thing.
Like all of IT, there is only a limited budget for security and penetration testing, and you have to work out where your money is best placed.
For example – is it better to perform vulnerability testing once every six months on a subset of the network that is deemed (through analysis) the most likely to be targeted by the threat actors against your company, or is it better to have a complete inside-and-out penetration test every two years?
The issue with scopes for most security professionals at the moment is that the analysis piece is rarely ever done; some random paper-based security manager who doesn’t really understand the technology, network or threat actors defines the scope, which is then just repeated ad hoc every single year, making the entire testing next to useless.
August 12, 2013 at 12:18 pm #53324 El33tsamurai (Participant)
“The issue with scopes for most security professionals at the moment is that the analysis piece is rarely ever done; some random paper-based security manager who doesn’t really understand the technology, network or threat actors defines the scope, which is then just repeated ad hoc every single year, making the entire testing next to useless.”
Above is the biggest issue, underlined and in bold.
We have 3 ways the security manager can go:
1. Understands current information security needs and keeps up with infosec on a day-to-day basis. Pretty much the all-round infosec manager that you want.
2. A person that has been working in infosec since the ’80s to ’90s. Now, don’t get me wrong, these people can fall under option 1, but some of them do not. All they try to do is what they learned in the early parts of their infosec career, which they try to apply in today’s world??? This causes issues like “who doesn’t really understand the technology”. Their biggest problem is they think they know everything about infosec (we all know you can never know everything about infosec, and when you do think so, you are in the wrong career!), they are in charge, and, last but most often to happen, they don’t want to listen to anyone under them, or when they do, they take the credit for the idea.
3. The big company wants a “manager” in charge of the department. Time and time again I have seen people that know nothing about infosec become infosec managers because they have the management experience.
By no means am I saying this is what happens 100 percent of the time, and I am not trying to upset anyone, but this is what I have noticed.
August 16, 2013 at 7:31 am #53325
Another issue I usually see is a company running the same template for vulnerability assessment and penetration testing every month for internal testing.
I mean, at least every two months, shouldn’t the template change depending on how the infrastructure or application has changed?
August 1, 2016 at 12:09 pm #53326 Henry864 (Participant)
It really has been a long time since I last posted. This post is more of an essay, so it may be a TL;DR for some, but hopefully there is some good information for those who wish to break into penetration testing, or at the very least something I can point people to next time I’m asked.
As I’m sure is the experience of other Penetration Testers, I’m often asked (or see slapped across LinkedIn forums) by a whole range of people “How do I break into penetration testing?” or the like. The prospect of becoming a ‘professional hacker’ is all too enticing for graduates, IT professionals and even information security bods in other functional areas alike. Having answered this question and posed many a question in rebuttal, I decided to formalise my experiences, musings and advice into a single blog post. I hope it helps.