What Makes a Professional Penetration Tester?

January 2, 2019 | by Marine D. | Blog posts 0 Comments

Penetration testers, often called “ethical hackers,” are highly skilled professionals that test computer networks, systems, applications, etc. for vulnerabilities before malicious (or unethical) hackers do. Find out what it takes to be an invaluable pentester below.

The Role At A Glance

On a daily basis, penetration testers are in charge of protecting their organization’s networks, systems, and/or applications. To do that, they’ll perform “ethical hacks” or “penetration tests” of networks to identify potential vulnerabilities or report them to higher authorities with professional recommendations. Their responsibilities are continously expanding with the number of new threats each year.

There are 3 main career options for professional penetration testers, either in-house, as part of a consulting firm (or their own consulting business), or also as freelancers.

According to the Bureau of Labor Statistics (BLS), information security analysts, including penetration testers, make an annual median salary of $95,510. Additionally, their employment is expected to grow 28% by 2026, much faster than the average for all occupations.

Day-2-Day Responsibilities

On a daily basis, penetration testers are responsible for testing a company’s network, infrastructure, application, etc. for vulnerabilities, ensuring that all assets are secure. In greater details, pentesters will:

- Conduct Tests on Networks and Applications: In an attempt to find potential vulnerabilities that companies may have on their systems, web, or mobile applications, penetration testers will test them for vulnerabilities.

- Physical Security Assessments: Because vulnerabilities can be present on physical servers and networks, pentesters will test there too.

- Conduct Security Audits: By conducting audits, penetration testers can establish the overall security risks of a company and recommend best practices to follow.

- Analyze Security Policies: Companies often think they have strong security policies… until breached. Testing them with real-life scenarios will only confirm (or deny) such statements and policies.

Write Security Assessment Reports: Because no job is really done without a final report, penetration testers will regroup their findings and recommendations on a penetration test report destined to either their employer or client.’

Of course, responsibilities might vary depending on the seniority of professional pentesters, and the size and/or needs of the company they work for.

Necessary Skills

Professional penetration testers know that practical skills are crucial, but so are personal skills… Here are some of the most important skills to have to be a successful penetration tester:

TECHNICAL SKILLS:

System Security— The processes involved with keeping information confidential and assuring its integrity.
Network Security— The security testing methodology, techniques, and tools for networked PC and devices.
Web Applications— The testing methodology, techniques, and tools for web applications.
Mobile Applications— The testing methodology, techniques, and tools for mobile applications.
WiFi Security— All the attack techniques and tools used against Wi-Fi networks, and how to detect them.
Social Engineering— Deep knowledge of the most modern social engineering attacking techniques.
Advanced Reconnaissance & Enumeration— How to retrieve the most important pieces of information out of Active Directory, while remaining undetected.
Reverse Engineering— The techniques and tools to deconstruct software, malware, and all ranges of attacks.

PERSONAL SKILLS:

- Organizational Skills— An important part of any penetration test is the reporting phase. To do that, pentesters need to stay organized through the pentest, note down all kinds of important information that they will be required to include in their final report. Clients often judge the work of pentesters by the quality of their report — hence the importance of being organized.

Writing Skills— While being organized is a great skill to have, pentesters should also have good writing skills. Most of the people that will read the pentest report will be executives from the C-Suite level or non-security related fields. For them to understand your report and recommendations to fix the found vulnerabilities, you need to be able to write in a normal way, so stay clear of the infosec jargon.

Penetration testing can be a rewarding career. Indeed, professionals in this field not only like their job for obvious financial reasons, but also find this job to be highly satisfying in terms of accomplishments.