Penetration testing or pentest, also known as ethical hacking, is a vital tool for organizations to identify and mitigate potential vulnerabilities in their networks and systems. It simulates an attack on a company’s infrastructure to identify weaknesses before malicious actors can exploit them.
But what does it take to be a successful penetration tester and how do you become one? In this article, we speak with a seasoned professional in the field to gain insight into the skills, strategies, and mindset needed for a career in penetration testing. From planning and execution to staying up to date on the latest threats and complying with industry regulations, our expert shares their experience and advice for those interested in pursuing a career in this important and rapidly evolving field.
1. Can you explain in layman’s terms what a penetration test is and why it’s important for companies to conduct them?
“A penetration test, also known as a pentest, is a simulation of a cyber attack on a company’s infrastructure in order to identify potential vulnerabilities and weaknesses. It’s important for companies to conduct penetration tests because it allows them to detect and fix vulnerabilities before malicious actors can exploit them, thus helping to protect their data, software, and infrastructure.”
2. Can you walk us through your background and how you became a penetration tester?
“Sure! I studied IT in school and had the opportunity to take a cybersecurity class with a well-known professional in the field. I found the class interesting and frustrating because I didn’t have a strong development or network background, but I still enjoyed it. I did my last 6-months internship in a company doing pentest and other cybersecurity-related missions. I’ve been doing this job since 2015.”
3. Are there any specific qualifications or backgrounds that are more beneficial for someone looking to become a penetration tester?
“No, there are many paths to becoming a penetration tester. People with experience in IT-related fields such as system administration, development, and network administration can bring valuable skills to the table:
- Developers will be quite comfortable with source code reviews, and they will be quickly able to understand and adapt to their needs any script found on the Internet (and there is a lot);
- System and network administrators can be really good in infrastructure penetration tests because they’re familiar with the tools and techniques that are used in pentest. For example, nmap is a well-known port scanner used by network administrators to monitor their devices, and pentesters use it to discover their targets;
- Individuals with experience in helpdesk roles may have had to deal with cybersecurity issues;
- Cloud engineers may have an advantage in attacking targets on platforms like AWS and Azure;
- Individuals with knowledge of hardware may be well-suited for the expanding field of IoT (Internet of Things).”
4. What would you say to people without an IT background?
“There is still hope! It’s important to note that there are other roles within the field of cybersecurity that do not require specific technical skills. For instance, physical intrusion (yes, being mandated to break into some company’s offices!) or social engineering, where social skills are much more important, is another way to get into cyber security.”
5. Are there any specific industries or areas of focus that you recommend for someone looking to get into penetration testing?
“Web application penetration testing provides a straightforward entry into the world of penetration testing, with numerous platforms available for training, as well as numerous languages, frameworks, and libraries that strive for effectiveness while sometimes compromising on application security.”
6. Can you talk about any major challenges or obstacles you’ve faced in your career as a penetration tester and how you overcame them?
“In this job, you will go from a client to another, they have different needs, use different technologies, you have to understand both of them and sometimes tell to the customer what their needs are. Another recurrent problem in my missions is the availability of the target or the client himself, even with the best possible preparation it is quite frequent that I lose the first day waiting for a new patch pushed at the last minute on the target or missing access/credentials.”
7. What advice would you give to someone who is interested in pursuing a career in penetration testing?
“My advice would be to start by exploring the world of vulnerabilities through training platforms such as root-me.org and hackthebox.com which will allow you to explore the world of vulnerabilities. Once you’re sure that this is something you’re interested in and enjoy, look into different training and certifications available to gain specific skills (CEH, OSCP, SANS, VHL, and many more). But it’s important to remember that there are many paths to a career in cyber security and it’s not just about having a specific qualification or background.”
8. How do you stay up to date with the latest security threats and vulnerabilities?
“The technological watch is an important part of our work. There are many channels that can help you in staying informed such as Twitter, Reddit, or TheHackerNews. These networks have a large user base who frequently share new vulnerabilities and tools. Most of these platforms offer RSS feeds that you can filter to your needs. This is how to stay up-to-date without constantly being on social media. Your coworkers can also be a valuable source of technological watch! Even if you have a preferred method, never hesitate to ask them how they stay informed on IT security news.”
More on penetration testing
- Penetration testing certification: Some tips to ace it
- Performing an API and web application penetration test on a tool connecting intermediaries and taxpayers
- Preventing e-reputation by using OSINT Investigation
