Attacks/Breaches
9/9/2013
12:06 PM
Vincent Liu
Vincent Liu
Commentary
50%
50%

So You Wanna Be A Pen Tester?

Like anything you set out to do, it's best to start with the fundamentals

If you're looking to advance your career in the world of security, then you probably have a lot of questions about what you should do – what books to read, what groups to join, what training or certifications to get.

Ten years ago, I would have shared a short list of books and courses. These days, the number of options has multiplied to the point where it's almost a precondition to know what specialization you want to pursue – from being a "penetration tester" to a "forensics expert" to a "SOC analyst" or "compliance analyst." There are many paths to go down, and each calls for a different set of skills. In this article, we'll assume you want to become a penetration tester.

Let's also say you have the drive to become a good pen tester, maybe even a great pen tester. You're not reading this because you think there's a decent paycheck at the end of it.

Like anything you set out to do, it's best to start with the fundamentals. I've been teaching, training, and leading penetration testers for a long time, and the ones who always wind up the best have a thorough understanding of what's going on under the hood. Are you already a great sys admin who understands the nuances of many operating systems, or a professional developer who has a deep background in one or more languages? Perfect. You have a big advantage, over the long term, compared to the people getting into security without understanding how things work, including those with lots of letters after their names. Most of the pen-testing-related certifications test you on a thin level of knowledge across a broad domain, which belies the true complexity of pen testing. Or they gauge your ability to run tools, which just validates that you're a script kiddie. To be more than a tool jockey, here's what you should consider:

Learn to program. It doesn't matter what language, although C is a good language that forces you to understand many key concepts. Too hard? Try PHP, Python, or Ruby. Eventually, you'll want to progress to lower-level languages. Keep in mind you don't have to be the best programmer in the world; you don't even have to be decent. But you must have a strong understanding of how applications work and how they interact with one another (e.g., the OS, services, other applications).

In order to break an application, you must be able to think like a developer. In order to think like a developer, you must understand how they build applications and the programming models and paradigms. So it's important to learn the common design patterns and algorithms used by programmers. This way when you're breaking an application, you have a reasonable idea to answer questions like, "How did they implement this functionality?" and, "What didn't they think of when writing this code?" Then, finally, "How can I leverage that gap to break their application?" Building an attack based on an assumption that's based on another assumption should be considered de rigueur. Layered assumptions, sometimes almost a leap of faith, underscores many of the more sophisticated and elegant exploits.

Many other subjects are worth studying as well. Learn the basics of networks by setting up and running your own home network. That way, you'll gain an understating of how network administrators view the world. Learn operating system nuances by building your own home servers so that you better understand how system administrators view things. Read Security Engineering, and learn how to think like a security engineer. You may even take a look at the concepts in the CISSP domains. A solid foundation in security concepts is essential to understanding how security should work and how it shouldn't.

At the risk of trotting out the too-oft quoted Sun Tzu, "If you know your enemy and know yourself, you can fight a hundred battles without disaster." You learn programming, networks, and system administration because if you know how to think like a programmer, sysadmin, and network administrator, then you'll be much more effective at breaking in.

This is why security is harder and more dynamic than other IT areas. You not only have to be able to learn and understand multiple domains (i.e., programming, networking, administration, architecture) and be able to adopt their perspectives, but you also have to figure out how to break them using knowledge often drawn from multiple domains.

The early years of my professional career (and a great deal of my free time) were spent reading as much as I could put my hands on, learning on my own, and studying all tof he available texts that were out there. When I started, there was only one book that had anything to do with security on shelves. Now there are so many options you could spend all of your time just reading the security books. But don't make that mistake. Start with the fundamentals. Once you have the base knowledge, security topics become dramatically easier to comprehend. Vincent Liu (CISSP) is a Managing Partner at Stach & Liu, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm strategy, practice development, and client matters. Vincent is ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Snyper82
50%
50%
Snyper82,
User Rank: Apprentice
9/26/2013 | 2:53:45 PM
re: So You Wanna Be A Pen Tester?
"Start with the fundamentals." Programming, SysAdmin, NetAdmin? If programming is the lack, that is where one should start.

You mentioned C, for someone just starting their programming path, even a little later in life, what is a good gateway language?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.