Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches
9/9/2013 12:06 PM
Vincent Liu
Commentary

So You Wanna Be A Pen Tester?

Like anything you set out to do, it's best to start with the fundamentals

If you're looking to advance your career in the world of security, then you probably have a lot of questions about what you should do – what books to read, what groups to join, what training or certifications to get.

Ten years ago, I would have shared a short list of books and courses. These days, the number of options has multiplied to the point where it's almost a precondition to know what specialization you want to pursue – from being a "penetration tester" to a "forensics expert" to a "SOC analyst" or "compliance analyst." There are many paths to go down, and each calls for a different set of skills. In this article, we'll assume you want to become a penetration tester.

Let's also say you have the drive to become a good pen tester, maybe even a great pen tester. You're not reading this because you think there's a decent paycheck at the end of it.

Like anything you set out to do, it's best to start with the fundamentals. I've been teaching, training, and leading penetration testers for a long time, and the ones who always wind up the best have a thorough understanding of what's going on under the hood. Are you already a great sys admin who understands the nuances of many operating systems, or a professional developer who has a deep background in one or more languages? Perfect. You have a big advantage, over the long term, compared to the people getting into security without understanding how things work, including those with lots of letters after their names. Most of the pen-testing-related certifications test you on a thin level of knowledge across a broad domain, which belies the true complexity of pen testing. Or they gauge your ability to run tools, which just validates that you're a script kiddie. To be more than a tool jockey, here's what you should consider:

Learn to program. It doesn't matter what language, although C is a good language that forces you to understand many key concepts. Too hard? Try PHP, Python, or Ruby. Eventually, you'll want to progress to lower-level languages. Keep in mind you don't have to be the best programmer in the world; you don't even have to be decent. But you must have a strong understanding of how applications work and how they interact with one another (e.g., the OS, services, other applications).

In order to break an application, you must be able to think like a developer. In order to think like a developer, you must understand how developers build applications, and the programming models and paradigms they use. So it's important to learn the common design patterns and algorithms used by programmers. This way, when you're breaking an application, you have a reasonable basis for answering questions like, "How did they implement this functionality?" and, "What didn't they think of when writing this code?" Then, finally, "How can I leverage that gap to break their application?" Building an attack on an assumption that's itself based on another assumption should be considered de rigueur. Layered assumptions, sometimes almost a leap of faith, underlie many of the more sophisticated and elegant exploits.
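To make the "what didn't they think of?" step concrete, here is an added example written for this page; it is my own constructed code, not code from the article or from Bishop Fox. It is in C, the language recommended above, because the gap only becomes visible once you think about where the bytes actually live. The wire format (a 4-byte little-endian length followed by the payload), the 64-byte buffer, and the function names naive_length_check and hardened_parse are all assumptions made up for the illustration. The developer's mental model was "len tells me how many bytes follow, so I must check that it fits my buffer." The assumption they never wrote down is that the message really contains len bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format (an assumption for this example):
 * 4-byte little-endian payload length, then the payload bytes. */
#define BUF_SIZE 64

struct record {
    uint8_t payload[BUF_SIZE];
    size_t len;
};

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check as the developer wrote it. It guards the destination
 * (len must fit the buffer) but never asks whether the *source*
 * actually holds len bytes. A 4-byte message that declares len = 60
 * is accepted, and the memcpy that follows in the real parser would
 * read 60 bytes past the end of the message. Only the admission check
 * is reproduced here, without the copy, so the crafted input can be
 * exercised safely. Returns 1 if the check accepts the message. */
int naive_length_check(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 4)
        return 0;
    uint32_t len = read_u32le(msg);
    return len <= BUF_SIZE;   /* the gap: msg_len is never consulted */
}

/* The hardened parser closes the gap: the declared length must fit the
 * destination AND be backed by bytes that are really present in msg.
 * Returns the payload length on success, -1 on a malformed message. */
int hardened_parse(struct record *out, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 4)
        return -1;
    uint32_t len = read_u32le(msg);
    if (len > BUF_SIZE || len > msg_len - 4)
        return -1;
    memcpy(out->payload, msg + 4, len);
    out->len = len;
    return (int)len;
}
```

The point of the exercise is the second question in the paragraph above: the naive check is not "wrong" on any input the developer imagined, and that is exactly where the attacker looks. Feed it a message whose declared length is consistent with the buffer but not with the bytes on the wire, and the developer's unstated assumption is the vulnerability.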

Many other subjects are worth studying as well. Learn the basics of networks by setting up and running your own home network. That way, you'll gain an understanding of how network administrators view the world. Learn operating system nuances by building your own home servers so that you better understand how system administrators view things. Read Security Engineering (Ross Anderson's book), and learn how to think like a security engineer. You may even take a look at the concepts in the CISSP domains. A solid foundation in security concepts is essential to understanding how security should work and how it shouldn't.

At the risk of trotting out the too-oft quoted Sun Tzu, "If you know your enemy and know yourself, you can fight a hundred battles without disaster." You learn programming, networks, and system administration because if you know how to think like a programmer, sysadmin, and network administrator, then you'll be much more effective at breaking in.

This is why security is harder and more dynamic than other IT areas. You not only have to be able to learn and understand multiple domains (i.e., programming, networking, administration, architecture) and be able to adopt their perspectives, but you also have to figure out how to break them using knowledge often drawn from multiple domains.

The early years of my professional career (and a great deal of my free time) were spent reading as much as I could put my hands on, learning on my own, and studying all of the available texts that were out there. When I started, there was only one book on the shelves that had anything to do with security. Now there are so many options you could spend all of your time just reading the security books. But don't make that mistake. Start with the fundamentals. Once you have the base knowledge, security topics become dramatically easier to comprehend.

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...

Comments
Snyper82, User Rank: Apprentice
9/26/2013 | 2:53:45 PM
re: So You Wanna Be A Pen Tester?
"Start with the fundamentals." Programming, SysAdmin, NetAdmin? If programming is the lack, that is where one should start.

You mentioned C; for someone just starting their programming path, even a little later in life, what is a good gateway language?