It’s an exciting time to be a professional penetration tester. As malicious computer attackers amp up the number and magnitude of their breaches, the information security industry needs an enormous amount of help in proactively finding and resolving vulnerabilities. Penetration testers who are able to identify flaws, understand them, and demonstrate their business impact through careful exploitation are an important piece of the defensive puzzle.
Path A: General Enterprise Security Practitioner Moving to Penetration Testing
First, you could parlay a job in the security group of an enterprise (whether a corporate, government, or educational position) into vulnerability assessment and then penetration testing. For example, today, you may be a security auditor, administrator, analyst, or a member of a Security Operations Center (SOC) team. Tell your management that you are keenly interested in vulnerability assessment and penetration testing, and offer your support in existing projects associated with those tasks. You might have to start by taking one for the team and putting in your own hours in helping out, without getting a break from your “regular” job. Consider this extra time an investment in yourself. At first, you could help with tasks such as project scoping, false positive reduction, and remediation verification. Later, offer help in preparing a high-quality penetration testing report. Over the space of several months or even a year, you’ll demonstrate increasing skills and can ask management or other groups in your enterprise for a move more directly in the heart of penetration testing work.
Path B: Working for a Company or Division that Focuses on Penetration Testing
There are many companies that provide third-party penetration testing services to other companies, including organizations such as Verizon, Trustwave, and FishNet Security. Many of these organizations are looking to hire exceptional penetration testers, especially those who have experience. If you have no direct penetration testing experience, you may still want to try your hand by applying for a junior role in such organizations. A solid background in secure networking, development, or operations will prove helpful. But, if experience is absolutely required, consider moving through Paths A or C to hone your skills before jumping to Path B.
Path C: Going Out on Your Own
If you are more entrepreneurially minded, you may want to consider forming your own small company on the side to do vulnerability assessment for local small businesses, such as a local florist or auto mechanic. Start with just vulnerability assessment services, and build your skills there before going into full-blown penetration testing. There are a couple of huge caveats to take into account with this path, though. First off, make sure you get a good draft contract and statement of work template drawn up by a lawyer to limit your liability. Next, get some liability and errors & omissions insurance for penetration testing. Such protection could cost a few thousand dollars annually, but is vital in doing this kind of work. Once you’ve built your vulnerability assessment capabilities, you may want to gradually start looking at carefully exploiting discovered flaws (when explicitly allowed in your Statements of Work) to move from vulnerability assessment to penetration testing. After your small business is humming, you may decide to stick with this path, growing your business, or jump into Paths A or B.
Regardless of whether you go down paths A, B, C, or your own unique approach to entering the penetration testing industry, always keep in mind that your reputation and trustworthiness are paramount in the information security field. Your name is your personal brand, so work hard, be honest, and always maintain your integrity. Additionally, build yourself a lab of four or five virtual machines so you can practice your technical skills regularly, running scanners, exploitation tools, and sniffers so you can understand your craft at a fine-grained level. Learn a scripting language such as Python or Ruby so you can start automating various aspects of your tasks and even extend the capabilities of tools such as the Metasploit framework. And, most of all, give back to the community by writing a blog, sharing your ideas and techniques, and releasing scripts and tools you’ve created. You see, to excel in pen testing, you can’t think of it as a job. It is a way of life. Building a sterling reputation and contributing to others is not only beneficial to the community, but it will provide many direct and indirect benefits to you as you move down your path from new penetration tester to seasoned professional.