5 Questions you would ask to a future web pen tester!

<<

maumercado

Newbie

Posts: 11

Joined: Tue Apr 08, 2008 10:28 pm

Post Mon May 19, 2008 8:43 am

5 Questions you would ask to a future web pen tester!

Hello all,

I'm doing a 5 or more questions exam to evaluate incoming personnel to the security staff in the company I work for. Now I was thinking more like general questions, like what is XSS, what can I gain from doing it?, but I think this kind of question does not ensure that the guy does know how it is done...

Could you help me out, what would you ask?
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon May 19, 2008 1:24 pm

Re: 5 Questions you would ask to a future web pen tester!

It depends on what you want. You mentioned below the fact that a certain question may not let you know if the person knows what they're doing. That makes me think that you want experienced candidates. If so, how about:

"What is your favorite tool (one open source and one commercial)?"

Say... Wikto and WebInspect (now by HP) respectively. If they can't name at least one of each, you have your answer. This question alone can spark a lengthy conversation between you and the candidate to talk about more than just 2 tools, benefits and shortcomings of each, whether they like open source solutions, etc. If no conversation occurs, then that's just more of an answer.

If you want someone with the right 'tude and are willing to teach them what they need to know, then it should cover more things like their desired workplace environment, preferred culture, projects they've started just for fun, ways that they've taken an initiative to better themselves (not just advance their tech skills), etc.

I'll let others respond with some ideas in your quest for 5.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Mon May 19, 2008 1:41 pm

Re: 5 Questions you would ask to a future web pen tester!

I would say one of the first few would be:

What is the difference between a Pen Tester and a Hacker?

or

What is one of the first things required before you begin a Pen test?

Hope this helps

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
<<

maumercado

Newbie

Posts: 11

Joined: Tue Apr 08, 2008 10:28 pm

Post Mon May 19, 2008 2:57 pm

Re: 5 Questions you would ask to a future web pen tester!

Thank you both...

heck, I'm actually running the interview...
<<

LSOChris

Post Mon May 19, 2008 8:36 pm

Re: 5 Questions you would ask to a future web pen tester!

looks too late but I like to ask about:

1. what's their home network, lab, and SSID for their wifi and if they are running security on it

2. how do they keep up to date with what's going on in the security community and if they are regular posters on any forums/newsgroups.

among other things.
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue May 20, 2008 2:52 am

Re: 5 Questions you would ask to a future web pen tester!

ChrisG wrote: 1. what's their home network, lab, and SSID for their wifi and if they are running security on it


Hadn't ever thought of that, better get my home network up to scratch before the next interview just in case ;)
<<

geekyone

Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Tue May 20, 2008 4:12 pm

Re: 5 Questions you would ask to a future web pen tester!

Just lie about your home network and hope they don't wardrive you. :D
CISSP, CEH, GPEN, GCIH, GCFA
<<

LSOChris

Post Wed May 21, 2008 11:36 am

Re: 5 Questions you would ask to a future web pen tester!

yup, it's just a way to get into their head and ask follow-on questions.

if they aren't practicing security at home how confident can I be they really care about it

if they aren't keeping up with security or from only one source that is say outdated before it reaches them, I probably don't want them on my team.
<<

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Wed May 21, 2008 12:42 pm

Re: 5 Questions you would ask to a future web pen tester!

ChrisG wrote: yup, it's just a way to get into their head and ask follow-on questions.

if they aren't practicing security at home how confident can I be they really care about it

if they aren't keeping up with security or from only one source that is say outdated before it reaches them, I probably don't want them on my team.


That's a damn good point. I would probably be caught off guard if I were asked that on an interview, but it makes complete sense on why it would be asked.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Wed May 21, 2008 1:23 pm

Re: 5 Questions you would ask to a future web pen tester!

ChrisG wrote: 1. what's their home network, lab, and SSID for their wifi and if they are running security on it


Network? I have a Win95 box hooked up to the wireless cable modem from my ISP. Lab? Well, I have IE5 and a command prompt. SSID? 800CALLBILL, open for everyone

:)

On a more serious note....

maumercado wrote: I was thinking more like general questions, like what is XSS, what can I gain from doing it?, but I think this kind of question does not ensure that the guy does know how it is done...


If you want to find out whether they know how to do things, you'll probably want some deeper than 'general' questions. Perhaps you can ask for an example of how to perform XSS, or ask them to write down a simple 'alert' script. Same goes for SQL injection, ask them what they can put into the input field to test. Maybe ask what a web proxy can be used for.

Or to really test, you could set up a test web application (you could use one of the many available, but they may have already seen it) and let them have at it.

Bill
<<

LSOChris

Post Wed May 21, 2008 5:27 pm

Re: 5 Questions you would ask to a future web pen tester!

you could also ask them to explain what happens when you do a:

ping www.cnn.com

there is A LOT of room for depth of answers on that one.
<<

geekyone

Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Wed May 21, 2008 6:48 pm

Re: 5 Questions you would ask to a future web pen tester!

I really like that question Chris! You can tell how much they know simply by how deeply they could explain that simple command. I am going to have to remember that one.
CISSP, CEH, GPEN, GCIH, GCFA
<<

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Thu May 22, 2008 2:45 am

Re: 5 Questions you would ask to a future web pen tester!

I might also ask what percentage of the pentest is based on a Nessus scan.

I know a small company in town that offers a "security analysis", and all they do is a Nessus scan. Nothing else.
They really are not pentesters or security analysts, though. They mostly work with setting up Microsoft domains, Exchange servers, terminal services, etc., so they don't do it very often.

Still something worth considering; how much time is spent using automated tools compared to how much research and information gathering is done by a real person?
Put that in your pipe and grep it!
<<

dean

Post Thu May 22, 2008 7:57 am

Re: 5 Questions you would ask to a future web pen tester!

I would assume that if the individual is actually applying for a position as a pentester he would know the difference between a 'hacker' and pentester.

The idea is to test knowledge, both technical and presentation/speaking skills.

A couple of initial questions I always ask when interviewing a candidate are:

1. Present/explain vulnerability X in system Y to management level individuals.
I generally look for presentation skills, technical knowledge, the ability to explain the impact (qualitative & quantitative) to a person and the ability to explain that threat in terms managers can relate to. Their ability to move beyond the single vuln and to look at the environment as a whole and how that vuln impacts it.

2. What research/personal projects are you working on?
Here I look for their dedication and interest in the field. I expect, at the very least that they should be reading/testing/learning about something new. "I turn off my computer at home" is not the answer I would expect.

3. My personal favorite:

Host-A <---> Router-A <---> Router-B <---> Host-B

Explain how A communicates with B using FTP, TELNET, HTTP, etc. (pick one) and use the OSI model as a reference.
Here I look for their knowledge of protocols, TCP/IP, etc... If they cannot explain how ARP works I don't need them.

There have been some good discussions on the securityfocus mailing lists about this topic in the past.

dean
