
Challenges towards Pentesting career


prats84

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Thu Aug 08, 2013 11:48 pm

Challenges towards Pentesting career

What are the challenges you guys face in your Penetration Testing career?
Right from diving into Pentesting, to becoming a Pro?

Please share your thoughts regarding finding the right training, appropriate skill sets, cost of training etc.
Then, getting a scope of pentest with clients/business, reporting test results.

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Fri Aug 09, 2013 3:44 am

Re: Challenges towards Pentesting career

I could write a book on your question...

A couple of things that jump out off the top of my head (from both sides of the fence, Penetration Tester and Client) are:

Good training is cheap and easy to find (SecurityTube) but official certificates cost a lot of money.

Too many people study for one discipline (Infrastructure/wireless/web) but once certified declare themselves Penetration Testers and apply their trade in other disciplines they're not any good at. The result is sloppy Pen Tests for the client, which brings down the reputation of the professionals.

Too many clients just want a 'tick box' security audit, at the cheapest rate they can get. The result is either a half-done Penetration Test (which makes testers look bad) or a lot of late nights attempting to cram everything into the available time scales (which upsets the testers). Testers don't really get the chance to complain because their management wants repeat business from that company.

Not enough time is ever allocated to report writing. The result is that 'canned' recommendations are inserted into a report which aren't necessarily accurate, which then bears the tester's name on it. The result is that security guys within the client's organisation get upset and the testers get a bad name.

azmatt

Full Member

Posts: 103

Joined: Sun Jul 29, 2012 2:11 pm

Post Fri Aug 09, 2013 12:06 pm

Re: Challenges towards Pentesting career

Thank you very much for the honest thoughts UK. As someone outside of, but obviously interested in this industry I always learn a lot from those of you who do this stuff on a daily basis.

prats84

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Sun Aug 11, 2013 10:21 pm

Re: Challenges towards Pentesting career

Thanks for the replies.

I think the biggest issue is, yeah, having to define the scope.

Sometimes the clients just want a tick in the box and would only ask to test a small portion of the environment.

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Mon Aug 12, 2013 3:20 am

Re: Challenges towards Pentesting career

Defining a small scope isn't necessarily a bad thing.

Like all IT, there is only a limited budget for Security and Penetration Testing, and you have to work out where your money is best placed.

For example - is it better to perform vulnerability testing on a subset of the network that is deemed (through analysis) the most likely to be targeted by the threat actors against your company once every six months, or is it better to have a complete inside-and-out Penetration test every two years?

The issue with scopes for most security professionals at the moment is that the analysis piece is rarely ever done; some random paper-based security manager who doesn't really understand the technology, network or threat actors defines the scope, which is then just repeated ad-hoc every single year, making the entire testing next to useless.

El33tsamurai

Full Member

Posts: 219

Joined: Sat Feb 03, 2007 4:01 pm

Post Mon Aug 12, 2013 7:18 am

Re: Challenges towards Pentesting career

UKSecurityGuy wrote: The issue with scopes for most security professionals at the moment is that the analysis piece is rarely ever done, _some random paper-based security manager_ who doesn't really understand the technology, network or threat actors defines the scope, which is then just repeated ad-hoc every single year, making the entire testing next to useless.

Above is the biggest issue underlined and in bold.

We have 3 ways the security manager can go:

1. Understands current information security needs; he/she keeps up with info sec on a day-to-day basis. Pretty much an all-around info sec manager that you want.

2. A person that has been working in info sec since the '80s to '90s. Now don't get me wrong, these people can fall under option 1, but some of them do not. All they try to do is what they learned in the early parts of their info sec career, which they try to apply in today's world??? Which causes issues like "who doesn't really understand the technology". Their biggest problem is they think they know everything about info sec (we all know you can never know everything about info sec, and when you do think so, you are in the wrong career!), they are in charge, and last but most often to happen, they don't want to listen to anyone under them, or when they do they take the credit for the idea.

3. The big company wants a "manager" in charge of the department. Time and time again I have seen people that know nothing about info sec but become info sec managers because they have the management experience.

By no means am I saying this is what happens 100 percent of the time, and I'm not trying to upset anyone, but this is what I have noticed.

prats84

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Fri Aug 16, 2013 2:31 am

Re: Challenges towards Pentesting career

@UKSecurityGuy

Another issue I usually see is a company running the same template for Vulnerability Assessment and Penetration Testing every month for internal testing.

I mean, shouldn't the template change at least every two months, depending on what has changed in the infrastructure or application?
