What Does a Penetration Tester Do?
The Short Version
A Penetration Tester (a.k.a. Ethical Hacker) probes for and exploits security vulnerabilities in web-based applications, networks and systems.
In other words, you get paid to legally hack. In this “cool kid” job, you will use a series of penetration tools – some predetermined, some that you design yourself – to simulate real-life cyber attacks. Your ultimate aim is to help an organization improve its security.
Penetration Tester Responsibilities
Ethical hacking is a mix of sexiness and boring bits. Unlike real-life hackers, you may only have days to compromise systems. What’s more, you will be expected to document and explain your methods and findings. Penetration testing has been called one of the most frustrating jobs in the infosec field.
Overall, you are likely to be required to:
- Perform formal penetration tests on web-based applications, networks and computer systems
- Conduct physical security assessments of servers, systems and network devices
- Design and create new penetration tools and tests
- Probe for vulnerabilities in web applications, fat/thin client applications and standard applications
- Pinpoint methods that attackers could use to exploit weaknesses and logic flaws
- Employ social engineering to uncover security holes (e.g. poor user security practices or password policies)
- Incorporate business considerations (e.g. loss of earnings due to downtime, cost of engagement, etc.) into security strategies
- Research, document and discuss security findings with management and IT teams
- Review and define requirements for information security solutions
- Work on improvements for security services, including the continuous enhancement of existing methodology material and supporting assets
- Provide feedback and verification as an organization fixes security issues
During the penetration test, you will typically focus on exploiting vulnerabilities (e.g. making it a goal to break part of a system). But as Daniel Miessler points out in The Difference Between a Vulnerability Assessment and a Penetration Test, you don’t have to go all the way to prove your point:
“A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could.”
Penetration Tester vs. Vulnerability Assessor
There’s a lot of confusion about the difference between Penetration Testers and Vulnerability Assessors. We like Miessler’s explanation:
“Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.”
“Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply need help identifying and prioritizing them.”
In simple terms, Vulnerability Assessors are list-orientated and Pen Testers are goal-orientated.
Penetration Tester Career Paths
Pen testers come at the field from all angles. Some take up hacking in university; others use their CS degree to focus on cyber security.
Regardless of your path, employers are unlikely to hire you straight out of school. You can always consider gaining experience in IT jobs such as:
- Security Administrator
- Network Administrator
- System Administrator
- Network Engineer
After you have proven your worth as a Penetration Tester, you may find better pay as a:
Penetration Testers are also known as:
- Ethical Hacker
- Assurance Validator
Penetration Tester Salaries
According to Payscale, the median salary for a Penetration Tester is $71,929 (2014 figures). Overall, you can expect to take home a total pay of $44,220 – $117,398. This includes your base annual salary, bonuses, profit sharing, tips, commissions, overtime pay and other forms of cash earnings, as applicable.
Penetration Tester Job Requirements
Most Pen Testers don’t hold a specialized degree. Since ethical hacking is more about skills than course credits, a bachelor’s or master’s degree in cyber security is unnecessary if you have appropriate job experience.
Hone your street skills any which way you can. Go to hacking conferences, research potential certifications (see below), look into SANS courses, set up a pen testing lab, learn from other pen testers, read and read more.
Overall, employers appear to be looking for 2-4 years of security-related experience with practice in penetration testing and vulnerability assessments. The range for Senior Penetration Testers is more variable. It may be as low as 3 and as high as 7-10 years of experience.
Pen testers conduct security audits, develop code, automate processes, reverse engineer binaries – the list goes on. So try to learn as much as you can about operating systems, software, communications and network protocols.
Here are technical skills we have seen employers favoring:
- Windows, UNIX and Linux operating systems
- C, C++, C#, Java, ASM, PHP, Perl
- Network servers and networking tools (e.g. Nessus, nmap, Burp)
- Computer hardware and software systems
- Web-based applications
- Security frameworks (e.g. ISO 27001/27002, NIST, HIPAA, SOX)
- Security tools and products (e.g. Fortify, AppScan)
- Vulnerability analysis and reverse engineering
- Metasploit framework
- Forensics tools
- Cryptography principles
Writing your résumé? Start with the standard list of soft skills: creativity, problem-solving and analytical thinking. Show them proof of your high ethical standards. Demonstrate your “out-of-the-box” approach. Note your scrupulous attention to detail.
Oral and written communication skills are two other biggies. In addition to the amount of paperwork (writing reports and assessments), you might be surprised at how often you will have to talk to people. Part of your day will involve explaining your methods to technical and non-technical audiences. You could also be coordinating social engineering initiatives.
Certifications for Penetration Testers
There is no master list of preferred certifications for pen testing. Although it’s popular within the IT industry, CEH is fairly loose. We recommend you ask colleagues about the pluses and minuses of accreditations like CPT/CEPT, GPEN and – especially – OSCP.
- CEH: Certified Ethical Hacker
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
- GPEN: GIAC Certified Penetration Tester
- OSCP: Offensive Security Certified Professional
- CISSP: Certified Information Systems Security Professional
- GCIH: GIAC Certified Incident Handler
- GCFE: GIAC Certified Forensic Examiner
- GCFA: GIAC Certified Forensic Analyst
- CCFE: Certified Computer Forensics Examiner
- CREA: Certified Reverse Engineering Analyst