The opinions expressed herein are my own and do not represent my past, present and future employer’s views in any way. Nothing posted here should be considered official or sanctioned by my past, present or future employer or any other organization I’m affiliated with.

Pursuit of Penetration Testing

Written by Duarte Castelo Grande de Carvalho (dcgc)

PEN

Cybersecurity looks very enticing from the outside, as it is told (very much so). It’s due to all the buzzwords, all the flash, all the infographics, etc. Usually, media outlets, people who do not work in the industry, and popular culture fantasize about this field. When students or people interested in Information Security start to get their feet wet and want to move in, belong to it, one of the first things they do is watch presentations from some popular worldwide conferences or listen to some podcasts. The presenters work on research, small consulting firms or big companies, with a rare free position inside it.

For me, it was the same: you get wowed by the things they talk about, by the jargon and by the flair they seem to have. It happens because you are unaware or ignorant of the subject matter. When I was in the Networking Academy long time ago, I started learning about routing/switching protocols, networking products, and even security in the network domain. Once you have a few years of hands-on experience and start to understand how things work around you, you begin to see that a lot of it is beautified, and sometimes, to be quite frank, is overblown.

The primary profession, position or role that I got struck by awe was of a Penetration Tester. There were several things about it: the fantasy of “hacking” as your job, the coolness and swag of most speakers (Pentesters), the hands-on, the knowledge, etc. They are seen as Rockstars of some sort, mainly due to the leverage (knowledge) they hold and the attention they get (considered as specialists or “experts”).

After six years of wandering around the Information Security field, I see that there are professionals… and then there are “professionals”. There are Penetration Testers… and then there are “Penetration Testers”. I’m not talking about good and bad professionals. I am talking about the level of engagement, the level of interest, and the level of belonging/responsibility regarding to what they do. A good and/or bad professional can be considered as such due to totally different reasons and usually it comes down to how good of a job their superiors think they have done (rightfully so, or wrongfully so).

I passed THE Penetration Testing test not too long ago, like many others. I attended training thinking that Penetration Tester would be a good path, especially after witnessing very few other Penetration Testers in a work environment. But after seeing “other” Penetration Testers and understanding what organizations seek in their corporate environment… it becomes clear that what these Rockstars were doing is not exactly the norm or another day’s job for most professionals practising this trade. There are other reasons for this conclusion, so it is better to separate them into categories.

Corporations: what do they want in a Penetration Tester?

There are places… and then, there are “places”. A Penetration Tester position in one organization means one thing… and the exact position means a different thing somewhere else. There are two types of organization (maybe… three) that will look for a “Penetration Tester”:

The work: What will I do in a Penetration Tester role?

“Pentesting work” will be divided into few “domains” (type of targets) and will be divided by type of interaction (“ways of testing”). Usually, the main “domains” are Web Application (the main one), Mobile Application (the other type of application you might see, not as common) and Server (OS, Middleware (maybe), web services). Cloud and Containers are on the rise, but not as common, unfortunately. The “ways of testing” are all about the tools you use: dynamic (“automatic”) testing will typically involve scanning (network-based, application-based) and static (“manual”) testing will involve proxying, creating requests manually and trade-crafting (payloads), interacting with the targets.

The main problem while working with clients or internally has to do with what we are allowed to do, and a lot of times, it isn’t easy to answer because… the people requesting the Penetration Test also don’t know. It starts with the scope: what targets we want to “check”, what vulnerability families we want to focus on, what is the goal from this Penetration Test, why are we doing this in the first place? Then it continues with the tools: what tools are allowed, what tools to use, what type of access should we have (type of testing)? Then the doubts continue: should we define and state what should be done and how, because the client/stakeholder/internal team doesn’t know? Should I give my 2 cents? Should I spoon feed them on what they are seeking after? Instead of the pentester focusing on the job technically, the professional wastes time defining things that are not his priority or even responsibility. It uses a lot of their time on communication (which is part of the job, no doubt about it, but it is not supposed to be a long ironman activity). Frustration comes into play; shenanigans materialize, and then the shitshow commences.

It is what mostly happens in many places where Penetration Testing work is done: nothing substantial technically is done, and a lot of time is spent on doing the legwork for the customer (who should be educated when requesting the Penetration Testing service). Do I want to go for a position that was promised to me to be the ultimate seat for technical development in Information Security and end up doing Tenable.IO scans and Burp Suite proxying most of the time? Yep…

Pentester position: Why I was rejected

Before I did qualifications regarding Penetration Test, I tried to apply to the first aforementioned two types of companies: it didn’t end well, but it was fruitful to understand what these places, in particular, were looking after.

What position and chance does someone who has recreational activities regarding Penetration Testing, no “work experience” in Penetration Testing or in a “Red Team” position (whatever the hell that means) and with no “paper” or given proof in tradecraft or PoC (Proof of Concept) development? An unfavourable position and a slim chance. Penetration Tester is a position for seniority, for someone who has worked in different positions and has seen a bit of everything throughout their career, or for someone who is crazy enough to devote a lot of their time to the craft. In theory, this is what the position is. Still, it is possible (due to the opportunities that exist) to get to work as a Pentester.

So, what went wrong? First, you need a “paper”, the one where you put your hands on virtual machines, not the one where you practice nmap. It is enough proof that you have fundamental skills and understanding when it comes to this type of position, but it is not proof that you understand or have the mentality to be working in such a trade. Second, you need to be up-to-date with what is happening (news), meaning vulnerabilities, threats, products and projects. Some organizations and some projects will be given more spotlight due to popularity and history, but others might be highlighted depending on where you apply. Third, the technology you learn outside of security, you need to understand them, in ‘n out, and its applicability must be interchangeable between products, deployments, and use cases.

I didn’t have the paper; I didn’t completely follow the news and understand all of the concepts (all use cases). Do most companies recruiting for this position expect this? No, but the good ones will. I faced applying to a consulting company (and having an interview), which I didn’t face applying to a big-mid company (not having an interview). Why was I rejected to the second one? No paper.

Pentester position: Why I rejected it

After certifying (the paper), after devoting time to studying Penetration Testing and after understanding the status quo of the Penetration Testing job market for a newbie, I started applying to these positions again and hoping to see what the outcome would look like.

The results were not surprising: I got more interviews. But what was surprising was the interviewing posture of the interviewers on most interviews: because I got the paper, the interview was less demanding, less laborious, less detailed, and less technical. The interviewers thought that because the candidate had a piece of paper, he was in the “clear” to work for their organization. It is alarmingly serious and a red flag. It shows that some roles are dependent on a piece of paper, on pre-conceived notions of what Penetration Tester qualifications should ideally be, and not on the actual technical skills of someone, especially on the answers a candidate gives based on the inquiry. It also shows that some places are not mature enough to start offering Penetration Testing services and/or having an internal Penetration Testing team, don’t have the backbone to do so, and will not attract the right and correct people to be working on such a thing.

Now, it will depend on the individual: some people are ok with this and will accept. Good professionals and people who have passion for the field will discard such chances, go back to the drawing board and continue with self-development. It’s the outlook on what the talk about demand vs offer in “CyberSecurity” is about: you have a lot of positions being built and opened for different types of jobs inside Information Security, but most of them are goalless and unfocused, created by people with no “security vision” whatsoever. Then you have a lot of people wanting to jump onto the ship, but without any idea where they are going or with a lot of misconceptions on what is actually done. The previously mentioned Penetration Testing positions are created and filled, which is why the bar is set low.

Pentester position: Why I should reconsider it

CyberSecurity positions in corporations are overall entry-level and stale. The complexity of the work done and the effort put in, is most of the time minimal and not thought-provoking. So, if one tends to sought after Information Security work that is purely technical and requires hands-on in most of the business working hours, you end up looking for a position such as Penetration Tester. It is true that a lot of the activities done as a Penetration Tester require reporting (which consists of writing reports) and meeting (which consists of participating with meetings) with customers and/or internal teams, but it also requires to use tools, test systems and applications, and in the end, be exposed to new things. Unfortunately, not many roles in Information Security are like this, so even with all the faults described, you incline to look at the positive so as to see the big picture, which is to develop yourself through other means (e.g., Pentest-as-a-service companies, freelance, etc.). Should I stay or should I go?

What is the point?

Until higher technical scrutiny and screening isn’t done for Penetration Testing, and until there is no understanding of this position, we will have this situation. I rejected it. It didn’t feel right because it was not. A lot of it is because of what I detailed… Other things have to do with depositions from people such as s1m0n (it goes both ways; playing devil’s advocate). Penetration Testing work is uninteresting and non-rewarding because the audience you are talking to continue to poorly understand what they have and manage and over-complicate what is simple. Penetration Tester is continuously seen as a “fixer” and/or a “breaker” when it should be seen as an “enabler” (enables you to show what can be done differently, security-wise). We already know we are vulnerable (we can run the tools to check this ourselves), we already know the answer (configuration workaround, patching, etc.). We already know what we should’ve done (in the compliance we have to follow). Why is the Penetration Tester a messiah?

Maybe one day, I will have the possibility to enjoy being a Penetration Tester that I dreamed of and will be given the opportunity to explore the potential that someone can have, to work in Information Security solely as a technical person. But, until then, I will stay in my corner working as a “regular security professional”.

Blog posts about Information Technology, Information Security Industry and Life. Whatever comes to my mind.

Information Security Technical Articles/Notes

Pages containing reviews and notes about Information Technology and Information Security technologies. Whatever I am studying and working on.

Vendors

Pages containing reviews and notes about Information Technology Vendors products and services. Whatever Vendor I deal with in my professional career.

Videogames

Pages containing notes about Videogame development tools and technologies. Sometimes from studies, other times geared towards Game Jam and Cinema VFX.

Cinema

Pages containing reviews and notes about Cinema. Whatever I come across regarding my movie watching and involving my studies on cinema.