As cyber-attacks become more and more frequent against entities of all sizes, penetration testing is becoming more important to identify vulnerabilities and make sure that security teams are able to prevent attacks. This means that pen testers are becoming more important, too. But how can interested individuals break into the field and really make a difference for their organization when it comes to security? We sat down with our own penetration testers, Aaron Herndon, senior security consultant, and Whitney Maxwell, security consultant, to answer some of your questions about the field.
How to get started in penetration testing
One question both Aaron and Whitney hear from people all the time is how to get started in penetration testing. Both penetration testers recommend joining learning programs and becoming a student, regardless of your age or background. There are as many vulnerabilities to investigate as there are types of technology, so anyone who has experience with any part of IT can easily pivot to pen testing.
The SANS Institute offers a number of bootcamps to teach new skills to security professionals of all levels. Other organizations such as Hack the Box and Google Gruyere provide places for individuals to learn and test new skills in penetration testing. You can also earn certifications such as the Offensive Series Certified Professional (OSCP) certificate, which is offered at many universities and private institutions.
There is an increasing number of programs for students in high school and college that can help individuals learn more about cybersecurity and penetration testing from an early age. More and more programs open up every year, but Whitney recommends the CyberPatriot Program for high schoolers who have an interest in cybersecurity. The program works like a club and includes high school-level competitions. Microsoft hosts a program aimed at young women and girls called DigiGirlz that is another great way for younger people to get interested in infosec in general.
At the university level, there’s the National Collegiate Cyber Defense Competition (NCCDC), which is run individually by each state. Whitney competed in the NCCDC when she was in college, and said she found it to be extremely helpful in giving her hands-on experience in a live environment.
Both of our pen testers agreed that you’re never too old or too young to get into penetration testing. The field needs as many perspectives as possible to keep growing and finding new methods to test vulnerabilities.
Ways to continue developing skills
Once you’ve broken into the field of pen testing, there are multiple ways to keep yourself valuable by developing new skills. For instance, learning new programming languages is always a good idea. While there’s not a single programming language that is more important than others, Aaron and Whitney both recommend scripting languages like Python and Ruby because knowing those languages make it easier to write tools on the fly for pen testing. Aaron noted that cross-platform languages like Golang, C#, and .net are all popular as well. Knowing as many programming languages as possible is never a bad idea, because you’ll be looking at other people’s programs and building your own. Whitney even recommended HTML, because it’s so common and offers a lot of opportunities for further learning.
Getting into DEFCON Capture the Flag competitions is another way to keep your skills sharp and continue practicing. Again, Hack the Box and Google Gruyere are great places to play around while honing new skills. But there are other, less official ways to practice pen testing. For instance, trying to crack a friend’s WiFi is one way to practice (with permission, of course). You can also build your own virtual systems to see if you can find new ways to attack yourself. These are all safe ways to practice skills without breaking the law or putting bigger environments at risk.
Most of the pen testing community is very collaborative and tends to use open source tools, so it’s easy to find new technology along with good documentation to improve your own skills all the time. The INFOSEC community is a constantly regenerating resource to find new tools and perspectives to perform pen testing. Good research skills are extremely important for a pen tester who wants to continuously improve; the information is out there, you just have to be willing to find it.
Technical skills aren’t the only indicators of success for someone who wants to be a pen tester. Whitney and Aaron both agreed that soft skills or personal skills are important, as well. The most important of these is determination and a willingness to keep going in the face of adversity, but the ability to ask for help when you need it is also important. Adaptability and the ability to learn on the fly are great skills to have for pen testing. These are all skills that can be learned and improved on the job, of course.