One of the most common questions I get asked when people find out that I am a penetration tester is, “How did you get into this field?” More accurately, they are asking how they can get into penetration testing themselves. As a managing partner of a penetration testing firm and a penetration tester myself, this is a great question, and I would like to spend a little bit of time in this blog trying to help. This can help you if you are applying for a job in penetration testing or just dipping your toes in the water to see how to start. Here are the things I am looking for when I am interviewing a junior-level position in penetration testing.
A Solid Foundation in IT
One of the most important things I am looking for in someone who has little or no penetration testing experience is that they have a firm foundation in IT. Simply put, it is hard for me to teach you how to break things or take advantage of inherent weaknesses if you don’t understand how the underlying technology works. To be honest, this is one of the biggest problems with information security degrees that are being offered by a lot of colleges these days. They teach you the concepts of information security, but they fail to teach you how a network works or how to develop a web application. The problem with that is that I can teach you security, but if you don’t have the foundation in how the underlying technology works, we have to go all the way back to square one. Security should build off an understanding of IT, not the other way around. With an understanding of how the IT works, you know what the risk is of a particular exploit, how it is working, can better explain it to a client, etc.
This doesn’t need to be a 20 year career in IT by any stretch, and in some cases, your undergrad may give you enough to get you started. Also, this doesn’t necessarily need to be in a particular field. For example, my background is in the Air Force and I was part of special operations setting up tactical networks supporting 1,200 people in less than 12 hours. Because of that, I had a deep understanding of how to set-up and troubleshoot a network. One of my business partner’s background is in application development. He built web applications on a daily basis. Naturally, he is stronger at web application penetration tests than I am because that is his background. That’s great and helps round out our team. So with that being said, I will look for you to have some sort of underlying experience or knowledge to help our team. On a basic level, you should know what happens when you type google.com into your web-browser, e.g. how does DNS work, what is ARP, etc.
In this industry, certifications are king. They are more important than any degree you can get including a Masters, as much as I may disagree with that. Additionally, when I am assigning you to a test, the client will know what certifications you have. Because of that, it is important if you are trying to get into penetration testing to have some. Check out our latest blog on a review of information security certifications as a starting point, but if you are applying for a junior level position, I will be looking to see that you have at least one of the entry-level certifications. I can mentor you and help you get the more advanced ones as you gain experience, but if you don’t have any certifications, that means I can’t assign you to any projects initially.
A Passion for the Industry
One of the most important aspects I am looking for is a passion for security. If you aren’t interested in this field, you won’t last long. Information security, more than any other industry, requires you to constantly learn. Technology is constantly changing and what knowledge you have nowwill likely be dated in as little as a year. Because of this, I want to find people who are eager to learn and continue to develop themselves. The best way you can demonstrate this is by going to conferences, setting up a lab environment where you are trying new things, using the many labs and vulnerable VMs publicly available to try to develop your skills, etc. If I ask you about what you have been doing to learn about security and you don’t have at least three things you can readily say, then that is a signal to me that you aren’t passionate. Also, if you aren’t familiar with recent security news, that may be another red flag.
Yes, being a penetration tester is a lot of fun, and we spend a lot of time in a lab or on our computer trying to solve complex problems. However, at the end of the day, we are consultants. The reason we perform a penetration test is to better the security posture of our clients. To do that, we need to be able to go over the reports with our clients, answer any questions they have, understand their organization, and communicate complex topics to executives. Because of this, one of the key traits that is necessary for you to be a penetration tester is that you must be personable and good at public speaking. If this is not one of your strong suits, then you should work on developing this area as you would any other. You could join a toastmaster’s club near you or you could push yourself to speak at your local security meetup. If talking to people is something you do not enjoy, then you may need to be honest with yourself and look for a different specialty in information security.