Saturday, 14 July 2012

How to get your first pentester job...

Often, people ask me: "how do I get a first pentester job?". As for most jobs, companies want people who can bring something quickly (i.e. be billable), so you need a first experience to get the job, but you need a first job to get the experience... The classic chicken-and-egg dilemma.

First, you don't need experience as a pentester to become a pentester; you just need security exposure and to be passionate.

I think the best way to get in is to focus on web application testing. It's where most of the work is these days, and the entry cost (being able to find your first bug) is probably the lowest.

Learn, try to understand how computers work. How your browser sends requests. Use a proxy to intercept requests and responses. Read about DNS and understand how it works. Learn SSL. Write simple web applications in PHP, .Net, Ruby on Rails to get a feeling for what a developer feels and what mistakes they can make. There are plenty of security tutorials and vulnerable applications to learn from... And I heard PentesterLab's exercises are pretty good ;). Read the security news, see what's happening and try to dig deeper into some subject you find interesting... I think one of the things interviewers like (or at least I like) is people who dig deeper into some subjects and get a better understanding of the problems. Pentesting is about getting further than the average person. You can also learn from our pntstr bot, which asks you a security question every week.

Play CTFs: it's a really good way to learn something new and play with/against others. Furthermore, you may meet people who are already working as pentesters... and they will be more than happy to bring you in if they like your skills: the "finder's fee" effect (as a side note, I never understood why companies give more money to recruiters than to their employees for this, even though recruiters' success rate is way lower...).

Find vulnerabilities, and be smart about it. If you find a bug, there are 4 ways to handle it:

  • "OMG, vulnerabilities burn my hands, I need to release it now before someone else finds it". Basically, you found a bug and directly emailed a mailing list like full-disclosure. If it's a lame bug (likely), it's unlikely to get you a pentester job and it will be in Internet archives forever :/
  • "Let's email the project": pretty good, you may be linked in the advisory and get some street cred out of it.
  • "Let's write a patch to fix the vulnerability and email the project": awesome for publicity, you are really likely to be listed in the advisory and/or changelog. And future employers can see that you can find bugs and patch them correctly.
  • "Sit on it"... It's a pretty good way to handle bugs, but since you currently need people to see your skills, it's probably not the best move right now.

Most resumes employers will see are from people with a lot of certifications, not many skills and (sometimes) shitty advisories. If you can find some bugs and help the project to fix them, you are really likely to get past the interview:

  • You will be able to show that you can find bugs ("ICANFINDBUGS").
  • You will be able to show that you can fix bugs ("ICANFIXBUGS") and how you dealt with developers. This is basically what pentesting is about: finding bugs, explaining them to non-security people and helping them patch them. You already understand the job ;)
  • You will be able to show that you're passionate, since you're already looking for bugs without working in the field.

Now, what projects to start with... To be honest, you don't want to go with WordPress/phpMyAdmin or big projects already reviewed (in theory) by a lot of people. Go for smaller, active projects (with a version number greater than 0.9) and start reviewing them. I would be surprised if you can't find any bugs.

Keep it simple, don't put too many keywords in your resume. Avoid old security software. Don't put that you're an expert in X. If I see a resume with "expert in X", I will ask questions that I expect an expert to be able to answer; if I read that you're "confident in X", the questions will probably be easier and my expectations lower... Don't lie in your resume... just put the truth; guess what, interviewers would rather be positively surprised. You can read my previous post on what to avoid in a pentester resume.

Ask questions if you didn't get the job after an interview. Ask questions (not at the end of the interview... but when you get the answer). Ask what you can improve. What did the interviewer expect? Do they have anything (links, resources) you can learn from? If they see that you want to improve your skills, they are likely to accept another interview in a few months, and you can impress them with what you learnt in the meantime.


Anonymous said...

Is it possible for a person to manually search for SQLi vectors more efficiently than a program in a large site or are people only more effective at exploiting such vulnerabilities?
(in your opinion)


Louis Nyffenegger said...

A person will be slower than an automatic program however he/she is likely to find more bugs than an automatic tool.

Anonymous said...

But why?
What, aside from your awesome exercises, would you say is the best way to become proficient at SQLi? Do I need to become a DBA and web-dev for 10 years first? I have reasonable understanding of them currently however I'd very much like to expand on that knowledge in the near future...

Louis Nyffenegger said...

Practicing, I think: writing a bit of code and trying to exploit it and seeing if it works. Inspecting what requests are made by SQLmap, reading the source code of SQLMap, reading the documentation of different databases...

No need to spend 10 years on this ;)
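As an added example (not code from the post, PentesterLab or the comment authors), here is the kind of "write a bit of code and try to exploit it" exercise Louis recommends, and the developer mistake the post suggests learning by writing your own small web apps: a string-concatenated SQL lookup beside its parameterised fix, run against a constructed in-memory SQLite table. The function names, table contents and test input are assumptions made up for illustration.

```python
import sqlite3


def build_db():
    """Constructed sample database standing in for a small web app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The mistake: user input is glued into the SQL text, so it becomes SQL grammar."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_fixed(conn, username):
    """The fix: a bound parameter is always treated as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    """Run both versions on a normal name and on a constructed tautology input."""
    conn = build_db()
    # Constructed test input: closes the string literal and adds an always-true clause.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),   # ['alice']
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),  # every user
        "fixed_normal": lookup_fixed(conn, "alice"),             # ['alice']
        "fixed_tautology": lookup_fixed(conn, tautology),        # [] (compared literally)
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The interesting part for a reviewer is that the fixed version needs no input filtering at all: the driver never lets the parameter reach the SQL parser.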

gladdy ford said...

I read from headhunter melbourne that being a pentester and excelling in the field, with fine attention to detail and exquisite reporting, can land you a QA role.