Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: The Story of a Pentester Recruitment - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
The Story of a Pentester Recruitment
blog.silentsignal.eu/2015/04/03/the-story-of-a-pentester-recruitment/

Interesting read...

A pentesting firm provided an isolated network with three hosts and three challenges for potential applicants. According to the article, "The challenges were simple and common pentesting tasks. Most contestants couldn’t think like a professional hacker, but the bigger problem was that they couldn’t seem to use Google either. This is really surprising since some CVs were really impressive, including good research and relevant experience at international security companies. It quickly turned out though that a nice reference doesn't replace hands-on experience. Most approached the challenges in a wrong way..."

Turns out it's hard to find good pentesters.
Brad

278 Posts
ISC Handler
The problem is that training and methods of practicing are so scattered. The SANS stuff is great, especially the Holiday Challenges, the challenges put up by the UK government are also really good. But in reality good, diverse and safe environments to learn the craft are few and far between. Setting up VMs for specific scenarios is really the only way to attempt certain tests. Pen testing has a broad scope, most pen testers know the basics or are really good in a one or two areas but for many as soon as they get into unfamiliar territory and have to think outside the box they get lost. I have to admit I have been in this position myself, where my mind has just drawn a blank and I run out of ideas.

Another issue is pen testers who want to jump right in at the deep end, they don't understand the nuances of computer networking, but have done some multi-choice cert like the CEH, but have very little practical skills outside of firing off a few tools in Kali.

Pen Testing is complex, it requires many ours of practical hands on experience and just as many hours reading and understanding the theory, finding someone with both theory and practical ability is difficult. (Just for the recorded I do not claim to an expert, I am merely a journeyman at the moment, so please do not think I am attempting to brag in anyway here)
TheJulyPlot

5 Posts
Nowadays there are biggest part of such security specialists, they are only theorycrafters and that's all )) scanforsecurity.com

2 Posts
Thanks for the nice article, I have read it with pleasure, but it is interesting to know how to use google Nokta

3 Posts

Sign Up for Free or Log In to start participating in the conversation!