How to Get the Penetration Testing Job and What to Expect


by Recreational Viking (@RecViking)


This article is a part of our open-issue "Most Wanted Penetration Testing Skills". If you would like to find out more, register on our website and get the whole issue for free.


It doesn’t matter whether you are changing careers entirely or just looking to make a jump to the next level of your current path, having realistic expectations is the only way you will prevent yourself from a big let down or wasting your time. Penetration testing is one of the coveted positions within the security community and it is often very difficult to break into. It is also heavily guarded, because interviewers are forced to sift through a raw number of completely unqualified applications. Salary requirements, experience, interpersonal skills and technical skills all play into your likelihood of landing a penetration testing job. The interview process for highly specialized jobs like this can be demanding both mentally and from a time perspective. However, from my point of view, it is worth it.

Salary is often a big sticking point and it warrants a discussion first to clear the air. Penetration testing jobs can be very lucrative, as they require both skills and experience, and the people who work in this field are often rewarded for the combination. If you don’t have both skills and experience, your salary and ranking will reflect this if you are offered a job.

From what I’ve seen, it is absolutely necessary to define experience in terms of what counts as experience and what does not when talking about penetration testing. Experience in penetration testing is hands on keyboard doing actual penetration testing work. When looking for higher level (and higher paying) penetration testing jobs, experience is key. The experience that reflects this kind of work includes:

  • Web application testing - by hand, not using vulnerability scanners or static analysis tools
  • Application testing - by hand, not using vulnerability scanners or automated sandboxing environments
  • Network service testing - by hand, not using vulnerability scanners
  • Communications hardware testing - by hand, not using vulnerability scanners
  • {insert type of testing here} - by hand, not using vulnerability scanners

Are you beginning to see the pattern? Using vulnerability scanners, source code scanners, and other automated tools does not count as penetration testing experience. Are these tools often utilized by experienced penetration testers? Absolutely, but they are only utilized to catch the low hanging fruit. The value of an experienced penetration tester comes from their ability to discover and *EXPLOIT* vulnerabilities beyond what automated tools can discover. A few years doing actual penetration testing goes a long way.

Your interpersonal skills also come into play when trying to land a penetration testing job. To pick up a job on a team with me, you must be humble, enthusiastic about the work, and be willing to ask for help. In the interview, arrogance will get you sent right back out the door with the same level of employment (or unemployment) you started with. Most penetration testing is done in small teams and if you are not able to work well with the folks around you, you will fail.

Gauging enthusiasm for penetration testing is often done through asking a candidate about their extracurricular activities related to penetration testing, such as education, independent research, publications, and conference participation. Showcasing your development work on GitHub, running a blog, or even talking about your home lab are also good ways of showing you have enthusiasm about your work.

Being humble and having a willingness to ask for help go hand in hand. It is OK to admit defeat (within reason), and ask for help. Nobody is expected to know everything and rather than talking out of your backside when answering questions, simply say “I don’t know” or “I’m not sure on this one, but I’d imagine it is like…”. This shows you know your limitations. Knowing what you know is good, knowing what you don’t know is even better, because it helps to prevent errors and oversights.

The most desired technical skills of a penetration tester are always up for discussion, due to the number of technologies that may need testing. There are many different types of penetration testing and due to the wildly varying types of systems being tested, the skills required for individual positions will have significant variation as well. The thing I’m most interested in seeing on a resume is a varied background, even if it appears to include a hefty amount of job hopping. This shows that the candidate has been exposed to a broad variety of technologies and is not likely to get scared or slam on the brakes when presented with a new technology or unfamiliar system. In addition to a variety of exposure, programming experience is an absolute necessity. If you claim to be a penetration tester and you are not programming or scripting, you are doing it wrong. Do you have to be a kernel hacker as well as be capable of converting hex to instructions in your head? No, but only being capable of writing a “hello world” application in Python won’t cut it either. If you are looking for a more web application-centric career, the more you know about the underlying back end technologies and front end scripting, the more useful you are. If you are looking for just about any other type of penetration testing position, just being proficient in a higher level scripting language or two is usually sufficient. When penetration testing is done right, every discovered vulnerability is exploited to its fullest and every new vantage point is recursively inspected for additional vulnerabilities and then exploited. Knowing only web technologies while doing web application testing will not take you to root very easily. On the other hand, nearly every network device and service comes with a fancy new web interface, so only having system level knowledge often won’t give you the necessary foothold to even begin evaluating a system. Broad, varied knowledge and skills in using a number of technologies are necessary for effective penetration testing.

The interview process itself is going to be different at every place you apply. In most cases, you’ll have some kind of HR/pre-screening interview to make sure your background meets requirements. There will be a technical Q&A “stump the chump” session, possibly multiple sessions, or even a panel interview. In addition to this, it is common for more technical positions to include some form of hands-on work and possibly even a ‘homework’ aspect. My interviews include a small capture the flag challenge where we stare over your keyboard while asking you questions about why you are doing everything you do. This helps us figure out your thought process when examining a new system. Some employers also incorporate a social session at lunch/dinner where the candidate may not even know they are being evaluated on how they interact with others on the team. This is something I also do during my interviews and it has both made and destroyed certain candidates’ chances with my team.

During the interview, neither the candidates themselves nor interviewers should expect a candidate to know all of the answers. As a candidate, if you think you do know all of the answers, you are likely getting a number of questions wrong or you probably won’t work for that employer unless you like the big fish -> little pond scenario. I have my interviews designed purposely to test the limits of all candidates. The “stump the chump” sessions are done with the most senior team member in each of these categories: web app, network, Windows, Linux/Unix, and development. These sessions are intended to find your limits and we’ll continue asking questions until you fail. Again, nobody is expected to know everything and this type of interview is simply designed to see how well your skillset will augment the team and at what level you’ll be placed.

Some of the above may seem harsh, but it is what is necessary to acquire talent for a high-performance team. The interview process will not be fun for most people, but if you make it through, the job is very rewarding and it will always challenge you. Remember to set your expectations realistically. If you don’t have years of experience in penetration testing, be ready to accept an entry level position and entry level compensation package. If your skills and experience in other related areas are good, they will push you along faster than someone fresh out of school and you’ll be able to reach a more senior position in short order. Always be open to learning new technologies (no matter how ridiculous ‘the cloud’ or ‘big data’ sounds); you never know when your organization will adopt them. Good luck in landing your penetration testing job.

Preparation tips

1. Know your tools. You don’t need to be a human man page for every tool, but if asked about a tool, you should know that a switch exists for something even if you don’t remember the exact word/letter or format.

2. Know the common methodologies. Study up on what is given by the Penetration Testing Execution Standard (PTES). Take a look at what Offensive Security has out there.

3. Be able to talk about recent vulnerabilities discovered. Ensure you can explain how these vulnerabilities are exploited on a technical level; familiarity alone will not get you there.

4. Don’t put anything on your resume you cannot speak about in depth. Most interviewers are interviewing you based on both their requirements and what you’ve got in your resume.

5. Some certifications are useful, others are not. Don’t put less respected certifications at the top of your resume. I won’t bash any particular certification publicly, but if you know penetration testing, you know what is embarrassing and what is not.


About the Author

Recreational Viking (@RecViking)

I’ve worked in state government, federal government, the education sector, as an instructor, and in the financial industry. I have 10 years of experience in security with three of those years focused on penetration testing and reverse engineering. I currently work as a penetration tester in the financial industry. I enjoy running CTF contests at conferences. I do Viking things.





May 16, 2019


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013