Wednesday, 18 January 2012

Hiring pentesters... (1/?)

Hiring the right people is becoming harder and harder. I decided to share some tips and feedback based on a few years of reading resumes and interviewing people.

I don't think you can really have an equation to rate the right person; I think it's more like a list of things I like or dislike in a resume.

In my opinion, the best hiring process follows the following steps (for the technical side of it):
  • Review resume.
  • Technical interview.
  • Hands-on interview.
  • Drinks.
In this first post, I'm going to provide more details on how I review a resume and what affects my decision.

  • Resume looks ugly: -1
  • Obvious spelling mistakes in the resume: -3 (native speakers), -1 (others)
  • Resume sent by a recruiter: +/- 5, some recruiters can take a resume and make it look terrible, or can make it look better...
  • Buzzwords in the resume: -3
  • Hotmail address: -3 ("Excuse me, are you from the past?")
  • Own domain name: +2, with own SMTP server: +3
  • Number of occurrences of the word "hack" in the resume: -1 per occurrence
  • No internet presence: +/-10, can indicate the best and the worst

  • Developer background: +2, someone who can write code will often be more useful than someone who can't
  • Learned different things at school: +3, with special points for Maths, Cryptography, Data Mining, Signal Processing, Electronics, ...
  • Didn't go to high school: +/- 0, some really, really smart people didn't spend much time at school.

Job experiences:
  • Job hopper: -5, training people takes time (especially if you're not using our exercises), you cannot afford to hire someone who is going to leave after a year (with your company's knowledge).
  • More than 7 years working for one big company/Big 4 and bragging about it: -2, if someone is not happy, he should move on and not stay at the same place for that long
  • Worked as a developer: +2, someone who can write code will often be more useful than someone who can't.
  • Web site developer: +3, a big part of our job is web-based, knowing how to develop for the web gives people a lot of knowledge needed for penetration testing (common mistakes, ability to review code, ...).

  • CEH: -2, too often I have been disappointed during technical interviews by CEH holders. Most of them just want to hack stuff and don't properly learn how things work.
  • CISSP: -3, CISSP is in my opinion a good certification for people who want to show general knowledge in security... not really the kind of people a pentest company is after in my opinion.
  • ISO-2700*: -4, same as CISSP with even less technical knowledge
  • PCI-DSS: -2, not really technical but some really good people are certified.
  • All of these certifications together: -3
  • Special points for "Firstname Lastname CISSP": -4

IT knowledge:
  • Lists tools instead of techniques: -3, "sqlmap" instead of "SQL injection"
  • Lists really old security tools: -3
  • Obvious lack of security knowledge: -10, nonsense in the resume, for example
  • github profile: +5
  • github profile with projects: +5, +3 if really good code, +4 if code in different languages
  • github profile with patches for opensource projects: +5 (-3 if advisory published for silly vulnerabilities)

  • published a vulnerability in some project in version 0.1: -3, +3 if it's a full code review and they found "all" the bugs and report them prior to the disclosure.
  • published a stack-overflow in some Russian mp3 player: -3 (typical CEH profile)

  • References from someone: +10
  • Twitter account: +1, -1 if only chitchat, -3 if security circus, +2 if real information on vulnerabilities
  • Blog with interesting articles: +5
  • Play CTF: +5
  • Available on IRC: +2
  • Talk during conferences: +5, unless talk on SCADA: -3
  • Read Phrack: +5
  • Wrote in Phrack: +20 (Phrack is the *BIG* deal, writing in phrack shows both a lot of skills and the good attitude)
  • Any achievement: +3, black belt in some martial arts, won something, ...
  • Did/do some team sports: +/- 0, to be honest I don't think most good pentesters are team players; they are more like traders, sharing information/tools with people they know/like/respect or people who share with them.

I know a lot of people won't agree with this rating, mostly because it's really subjective (and part of it is a bit trollish, I guess). However, most of the time it provides a good overview of a resume... Obviously, if I get a resume that matches all these points, I will be really suspicious now :p


Anonymous said...

Found a CVE in a product +5, in his own software +1 :-)

karzisonline said...

Can you send a sample resume for pen tester and vulnerability assessment....

-- said...

Unfortunately, I can't share the resumes I received :/

Anonymous said...

Published a stack-overflow in some Russian mp3 player: -3. This is definitely not typical of CEH. It still beats well-commented Perl by a million.
It should get a -2/+2 based on whether it actually works reliably or not. It's not the product, but the process.

Anonymous said...

"Talk during conferences: +5, unless talk on SCADA: -3"

Um not quite. Often, lame talks still get presented at conferences all over the world... the best research can often come from the people that don't like presenting.

Anonymous said...

I remember interviewing someone who said that ICMP and TCP were the same things..
He works at stratsec now.

Anonymous said...

@anonymous ^^ ask the wrong questions, get the wrong answers.

EHN Reporter said...

My resume matches 90% with your points.

Evan Plaice said...

I'm just starting to research pentesting but have some experience in dev.

What about publishing code on other OSS public repo sites (ex Google Code) and/or experience implemented low level networking protocol parsers (ex icmp, tcp, etc...)?

Would you value a dev who could implement networking protocol hacks (ex MItM) or do you look more for devs who put more emphasis on reverse engineering and discovering security vulnerabilities?

Louis Nyffenegger said...

I think any ability to dev is good. Being able to implement some protocol (client or/and server) is a big plus in my book for sure.

Any public repo is good, github was just an example :)

Nadeem said...

LOL @ CEH -2 -> This was the first cert that I took and it is such a bullshit course and exam. My employer asked me to take it as it would look good in proposals/resumes, but I have taken it off mine. What about + points for OSCP and OSCE certs from Offensive Security? I've got them both and I feel they are great courses - good bang for buck as well.

AK said...

This comment is to cherish your hate for certs... I do hate them too. I think they were made for commercial use only.