So You Wanna Be A Pen Tester?
If you’re looking to advance your career in the world of security, then you probably have a lot of questions about what you should do – what books to read, what groups to join, what training or certifications to get.
Ten years ago, I would have shared a short list of books and courses. These days, the number of options has multiplied to the point where it’s almost a precondition to know what specialization you want to pursue – from being a “penetration tester” to a “forensics expert” to a “SOC analyst” or “compliance analyst.” There are many paths to go down, and each calls for a different set of skills. In this article, we’ll assume you want to become a penetration tester.
Let’s also say you have the drive to become a good pen tester, maybe even a great pen tester. You’re not reading this because you think there’s a decent paycheck at the end of it.
Like anything you set out to do, it’s best to start with the fundamentals. I’ve been teaching, training, and leading penetration testers for a long time, and the ones who always wind up the best have a thorough understanding of what’s going on under the hood. Are you already a great sys admin who understands the nuances of many operating systems, or a professional developer who has a deep background in one or more languages? Perfect. You have a big advantage, over the long term, compared to the people getting into security without understanding how things work, including those with lots of letters after their names. Most of the pen-testing-related certifications test you on a thin level of knowledge across a broad domain, which belies the true complexity of pen testing. Or they gauge your ability to run tools, which just validates that you’re a script kiddie. To be more than a tool jockey, here’s what you should consider:
Learn to program. It doesn’t matter what language, although C is a good language that forces you to understand many key concepts. Too hard? Try PHP, Python, or Ruby. Eventually, you’ll want to progress to lower-level languages. Keep in mind you don’t have to be the best programmer in the world; you don’t even have to be decent. But you must have a strong understanding of how applications work and how they interact with one another (e.g., the OS, services, other applications).
In order to break an application, you must be able to think like a developer. In order to think like a developer, you must understand how they build applications, and the programming models and paradigms they work in. So it’s important to learn the common design patterns and algorithms used by programmers. This way, when you’re breaking an application, you have a reasonable basis for answering questions like, “How did they implement this functionality?” and, “What didn’t they think of when writing this code?” Then, finally, “How can I leverage that gap to break their application?” Building an attack on an assumption that rests on another assumption should be considered de rigueur. Layered assumptions, sometimes almost a leap of faith, underlie many of the more sophisticated and elegant exploits.
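As an added illustration of that chain of questions (this is example code written for this page, not from the original article), consider a file-download feature. The developer’s implementation rests on two assumptions: the requested name is a bare filename because the app only ever emits bare filenames in its links, and joining it onto the uploads directory keeps the result inside that directory. An attacker who guesses the first assumption and knows how path joining actually behaves breaks both at once. The function names, the directory layout and the file contents below are all constructed for the example; the hardened version enforces the assumption instead of relying on it.

```python
import os
import tempfile


def naive_serve(uploads_dir: str, requested_name: str) -> bytes:
    """What the developer wrote (hypothetical): assumes requested_name is a
    bare filename, because the only links the app generates are bare
    filenames, and assumes os.path.join keeps the result under uploads_dir."""
    path = os.path.join(uploads_dir, requested_name)
    with open(path, "rb") as f:
        return f.read()


def hardened_serve(uploads_dir: str, requested_name: str) -> bytes:
    """Same feature, with the 'stays inside uploads_dir' assumption checked.
    realpath() collapses '..' and symlinks; commonpath() then proves the
    resolved target is under the resolved base."""
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    # Rejects '../' traversal and absolute paths alike. On Windows, paths on
    # different drives make commonpath() raise ValueError, which is also a reject.
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:
        inside = False
    if not inside:
        raise PermissionError(f"refusing to serve {requested_name!r}: outside uploads dir")
    with open(target, "rb") as f:
        return f.read()


def demo() -> dict:
    """Builds a constructed layout in a temp dir: an uploads directory with one
    legitimate file, and a 'secret' file one level above it that the feature
    was never meant to expose. Returns what each call served or did."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        with open(os.path.join(uploads, "report.pdf"), "wb") as f:
            f.write(b"legit report")          # constructed sample content
        with open(os.path.join(root, "secret.txt"), "wb") as f:
            f.write(b"db password")           # constructed sample content

        results = {}
        # The intended use case works in both versions.
        results["naive_legit"] = naive_serve(uploads, "report.pdf")
        results["hardened_legit"] = hardened_serve(uploads, "report.pdf")

        # Assumption 1 broken: the name is attacker-controlled, not link-generated.
        # Assumption 2 broken: join() does not confine '..' to the base directory.
        results["naive_traversal"] = naive_serve(uploads, "../secret.txt")

        # Less obvious join() behaviour: an absolute second argument discards
        # the base entirely, so no '..' is even needed.
        results["naive_absolute"] = naive_serve(uploads, os.path.join(root, "secret.txt"))

        for label, name in (("hardened_traversal", "../secret.txt"),
                            ("hardened_absolute", os.path.join(root, "secret.txt"))):
            try:
                hardened_serve(uploads, name)
                results[label] = "served"
            except PermissionError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point is not the traversal bug itself but the way it was found: first a guess about how the feature was implemented, then a guess about what the developer did not consider, then knowledge of how `os.path.join` really behaves to turn the gap into a read of a file outside the directory.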
Many other subjects are worth studying as well. Learn the basics of networks by setting up and running your own home network. That way, you’ll gain an understanding of how network administrators view the world. Learn operating system nuances by building your own home servers so that you better understand how system administrators view things. Read Security Engineering (Ross Anderson), and learn how to think like a security engineer. You may even take a look at the concepts in the CISSP domains. A solid foundation in security concepts is essential to understanding how security should work and how it shouldn’t.
At the risk of trotting out the too-oft quoted Sun Tzu, “If you know your enemy and know yourself, you can fight a hundred battles without disaster.” You learn programming, networks, and system administration because if you know how to think like a programmer, sysadmin, and network administrator, then you’ll be much more effective at breaking in.
This is why security is harder and more dynamic than other IT areas. You not only have to be able to learn and understand multiple domains (i.e., programming, networking, administration, architecture) and be able to adopt their perspectives, but you also have to figure out how to break them using knowledge often drawn from multiple domains.
The early years of my professional career (and a great deal of my free time) were spent reading as much as I could get my hands on, learning on my own, and studying all of the available texts that were out there. When I started, there was only one book on the shelves that had anything to do with security. Now there are so many options you could spend all of your time just reading the security books. But don’t make that mistake. Start with the fundamentals. Once you have the base knowledge, security topics become dramatically easier to comprehend.