Q&A With a Penetration Tester

Picking the brain of a seasoned penetration tester is always fun. Getting insights into what makes them tick, what keeps them up at night, their craziest find on a penetration test, and much more. Below is a Q&A with a senior engineer at Triaxiom Security.

Q: How did you get into penetration testing?
A: I started out as a web application developer when I graduated from college with a Software Engineering degree. As part of this job, I gradually started doing more and more with server management, application security, certification and accreditation, and even help desk stuff. During this time, I started to get bored with working on the same set of applications every day so I started collecting some security certifications like Security+, CISSP, and C|EH to start broadening my horizons, as security was beginning to come into vogue. Once I had had enough in that role, I applied to a junior penetration testing position for a consultancy, landed it, and never looked back.

Q: What is your favorite part of being a penetration tester?
A: Shells! But more seriously, I really enjoy having an impact on organizational security for so many different companies in different verticals. I feel like there are few security jobs out there where you can have such a wide-sweeping impact and make people’s data more secure. Shells give you that short term rush, but real security posture improvements are where it’s at.

Q: What is your least favorite part of being a penetration tester?
A: I like pretty much all of my job. The hard parts are balancing life with sometimes demanding work schedules/deadlines, strange hours for some tests, and/or travel (pre-COVID). Throw in the need to always be learning in this industry and my natural drive to learn new things, and you can take up a lot of your days without leaving time for other, more important things. So I’ve always got to be intentional about taking breaks and leaving time for other things.

Q: How did your background as a developer help you as a penetration tester?
A: I think the best penetration testers are the ones that have a background doing other things in technology, like help desk, or SOC, or developers. You understand people’s mindset and what mistakes they can make, you understand how things are supposed to work. Having a background as a developer helps me to be more effective in breaking web applications in a meaningful way.

Q: What is your favorite type of penetration test? Least favorite?
A: Web Application Penetration Testing is my bread and butter (obviously) but I really enjoy Internal Network Penetration Tests. I don’t get to do them as often, but there’s so much attack surface and so many novel attack vectors, it’s really interesting.

Q: What was your scariest moment as a pentester?
A: I overwrote some columns in a database once, because I didn’t slow down and think enough about what the function was supposed to be doing. It was vulnerable to SQL injection so my quick check for the presence of the vulnerability, ended up being successful and breaking the query at a really important spot. Luckily, a quick conversation with the customer resulted in their understanding of the weakness and they could restore the table really easily.

Q: What keeps you up at night while conducting a penetration test?
A: The idea that I could miss something that then gets exploited in the future. It makes me strive to always to the best job I can and to keep learning things that allow me to improve.

Q: What is your favorite conference and why?
A: Oh man this is a tough one. I loved DefCon last year as it was the first time I’d been and got to see so many people in the industry in one place. But DerbyCon is probably my favorite and it won’t ever be recreated!

Q: What certifications do you recommend a new comer get first and why?
A: If you’re new to security, I think you really need to understand the basics of networks, applications, and security concepts in general is really important. So as lame as they are, if you want a starting certification then maybe Security+ or C|EH? Otherwise, get the security fundamentals from coursework or self-study and then shoot for something pen testing specific, like eCPPT or OSCP.

Q: Best career advice for someone in cybersecurity?
A: It’s awesome to love what you do and the entire field of cybersecurity, but make sure you balance work/life and engage in some things non-cyber. It helps keep you healthy, sane, and motivated when you are in the security space so you can avoid nasty things like burnout, which feel all too common in our industry.

We hope you enjoyed this Q&A and we will be sure to continue this series with other Triaxiom penetration testers. Have a question you would like to ask? Hit us up on Twitter and we would be happy to answer!