Tuesday, September 23, 2008

Qualifications for the Ideal Pentester

From http://seclists.org/pen-test/2008/Sep/0153.html

What are the qualifications for the ideal "Penetration Tester"?

Your opinions and experiences are so much appreciated.

This is likely going to differ from the normal tailored
answer you'll hear from the suit types so here goes. The
qualifications for pentesting if I were conducting the
interview would vary. I would prefer to find someone
with a thorough background in networking, systems
administration and programming.
The experience for me would have to be a few years in
an industry where the usage of those technologies
was heavy. For example, I'd prefer to find someone
with hands-on experience in, say, a NOC environment or
a SOC environment.
The candidate would HAVE to have hands-on experience
first and foremost. I believe that at the bottom
line, experience outweighs any certifications
someone would have on their resume.
Secondly, I'd like to see them exposed professionally
in the security industry, in some capacity doing some
type of auditing, be it system level or network level.
For me, again, they'd have to have the technical know
how involved with systems administration as well as
with networking.
In the common tasks of a system administrator, there
are many learning curves for many systems (Windows,
Linux, BSD, etc.). There are many programs to be
learned and understood to effectively manage those
systems. There are duties including the creation of
accounts, group assignment, etc.; this
exposes the candidate to the AAA concepts.
Networking is a must, period. No network, no pentest.
I won't get into physical pentesting on this ramble.
Understanding networking is a tremendous advantage
since one needs to understand how things work from
the ground up. The candidate should be able to pick
apart layer by layer the OSI/DoD model to determine
a starting and exiting point when addressing their
penetration test.
Because I believe in a form of structured penetration
test, I feel the candidate should be a jack of all
trades on the protocols. They'd need to be well
versed to know when to perform networking related
security testing (MITM, packet injection, covert
channel testing) versus say application level
testing.
Next comes the core of understanding the protocol
itself. I'd want someone with a mixture of dealing
with security protocols. Perhaps someone having
experience configuring webservers with OpenSSL or
something along these lines. Someone whom I can
ask a quick question like, say... What are the
differences between aggressive and main modes of
VPNs? They'd need to understand what I'm talking
about and why I would ask something like this.
They'd need to be well versed on CVSS topics,
commonly used exploits, industry top 10s and 20s
as far as threats go; they'd need to understand a
few concepts related to doing paperwork as well.
This means understanding a broad but structured
view of topics such as BIA, DRM, ROI, etc. It's
a matter of preference, but the more experienced
in the subject matters, even if it's broadly based,
I believe will get me a more professional pentest
expert on my team as opposed to someone who sat
around all day running tools.
I answered a question similar to this a week or
two ago: the need for those coming into the field
to understand the basics before focusing
solely on the usage of popular tools. My ideal
pentester would make his own tools, à la MacGyver,
if they had to. There is no guarantee you will
always be able to use tools, and many individuals
need to understand this concept. What happens
if you're at a client and they ask you right on
the spot to perform an assessment on their
machines without those fancy tools you swore
would find any hole? Would you know what to do
without them? Would you know how to search for
open ports (lsof, netstat)? Would you know the
system well enough to be able to perform
a pentest under those conditions?
Recap...
MUST
Networking, Systems, Applications, Security Concepts
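The reply above asks whether a tester could find open ports without the usual tooling. As an added example (not part of the original post or the mailing-list thread), the script below enumerates listening TCP sockets on a Linux host using only POSIX awk and the kernel's `/proc/net/tcp` table, which is what you fall back to when `netstat`, `ss` and `lsof` are absent or untrusted. The `list_listeners` function, the sample table and the output format are mine; the table content is constructed to match the documented `/proc/net/tcp` layout (hex little-endian IPv4 address, hex port, state `0A` = LISTEN, uid in the eighth column) and was not captured from a real host. IPv6 sockets live in `/proc/net/tcp6` with a different address encoding and are not handled here.

```shell
#!/bin/sh
# Added example: list LISTEN sockets from /proc/net/tcp with POSIX sh + awk only.
# Run live with:  list_listeners < /proc/net/tcp

# Constructed sample of /proc/net/tcp (NOT from a real host):
#   row 0: sshd on 0.0.0.0:22, uid 0, LISTEN
#   row 1: a service on 127.0.0.1:3306, uid 100, LISTEN
#   row 2: an outbound ESTABLISHED connection (state 01), must be ignored
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   100        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:B7A2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0'

# Reads a /proc/net/tcp table on stdin and prints "ip:port uid=N" for
# every socket in state 0A (LISTEN). Uses no gawk extensions (no strtonum).
list_listeners() {
    awk '
    # Convert a hex string to a decimal number without strtonum.
    function hex2dec(h,    i, d) {
        d = 0
        for (i = 1; i <= length(h); i++)
            d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return d
    }
    # /proc stores IPv4 addresses as 8 hex chars in host (little-endian)
    # byte order, so the last byte pair is the first octet.
    function hex2ip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." \
               hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    # Column 4 is the socket state; 0A is TCP_LISTEN. The header row has
    # "st" there, so it is skipped automatically.
    $4 == "0A" {
        split($2, a, ":")
        printf "%s:%d uid=%d\n", hex2ip(a[1]), hex2dec(a[2]), $8
    }'
}

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | list_listeners
```

On a real host, pair this with `/proc/<pid>/fd` and the inode column to map a listener back to its process, which is what `lsof -i` does for you; the point of the exercise is knowing where the kernel exposes the data when the convenience tools are gone.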