certifications | security - David Brown
Day in the Life of a Pen Tester: Job Responsibilities
A penetration tester is hired by a company to look for security issues in that company's IT infrastructure. You might call them a white hat hacker, an ethical hacker, or a security consultant. The idea is to employ the same kind of tools and strategies that a malicious actor would use in order to perform technical assessments of a client's IT security. In many cases, that means using Kali Linux.
There is a bit of excitement to it. Some engineers may get a rush out of trying to outwit IT infrastructure designers and administrators. It can be satisfying to track down problems with a network and eventually point them out to the client — diplomatically, of course.
But it's not all fun and games. Penetration tester Sam Kitchen reports, "As with any job, there are boring bits, and it's just about being prepared to take the rough with the smooth." And as other pentesters who have described their daily work attest, some parts can be drudgery, especially writing the report at the end.
But there's good and bad in every job, of course.
Roles and Responsibilities of a Pentester
To get a better understanding of the life of a pentester, first let's have a look at what they do. A pentester's duties are rather unique in the realm of information technology. Normally, we think of an IT professional as someone who designs, configures, installs, maintains, or troubleshoots IT systems. But a pentester does none of those things. A pentester tries to break into them.
Every pentester will have their own way of doing things. But we can identify certain categories of activity that will occupy a pentester's time. It starts with some basic evaluations, gets more detailed, and moves on to final stages that include reporting results to the client.
First, a pentester undertakes external and internal assessments. By pressing, poking, and prodding as a hacker might, a pentester can investigate and identify holes in the IT defenses. Attempting to gain entry from the outside, the pentester looks for open ports and other vulnerabilities, such as weak passwords or exposed data. Internal assessments involve setting up a beachhead within the client's network, then searching for ways to attack and exploit IT systems from the inside.
Performing web application assessments means looking for flaws in installed software that an attacker could exploit, such as SQL injection, broken access control, or XML external entities (XXE). For more information on web application vulnerabilities, see our article on the OWASP Top Ten list.
Other assessments include:
- Wireless assessment. Wi-Fi systems are tested for their security.
- Physical assessment. Involves attempting unauthorized access to a facility.
- Social engineering assessment. Fooling people into breaching security for you.
- Phishing assessment. The use of email or web pages to get people to click on links that they shouldn't.
The final phases of a pentesting project include report writing and debriefing. This is all about summarizing and explaining the results of the penetration testing to the customers who hired you. These responsibilities require decent social and communication skills and a certain kind of diplomacy in dealing with the client's problems.
The Rigors of Pentesting Certification
If the testing involved in certification for pentesting is any indication, the profession can involve some long and challenging assignments. Getting certified by Offensive Security is hard work, anyway. These exams can literally last for days. Consider the time allowed for some of the tests:
- Offensive Security Certified Professional (OSCP) — 24 hours
- Offensive Security Certified Expert (OSCE) — 48 hours
- Offensive Security Exploitation Expert (OSEE) — 72 hours
Obviously, the certification company Offensive Security believes that their candidates should have the commitment and stamina to work long hours to investigate complex issues. Testimonials from actual pentesters do not reflect this same work requirement. But nearly every IT professional has had to pull a few all-nighters, so there is some logic to it all.
A Day in the Life of a Pentester
Though not our specialty, we looked at some interviews with actual pentesters to prepare for this article. Not surprisingly, some of them report that they work independently from the comfort of their own homes. One professional talked about rolling out of bed and being at work in front of his laptop in five minutes, his fat house cat by his side. Another penetration tester, Llyian Velikov, gave a more mundane description of how his day begins:
"A normal day is come to the office on the client site, start your testing, and analyze the data and start the reports."
So, the place of work could differ depending on the pentester's individual setup. One guy works from home. Another works at a customer's site. And another might go into the office in a more traditional way.
At some point, someone will likely have to go to the client's facility. One of the jobs of a pentester might be to see if they can slip into a customer's building without authorization. That could mean hanging out on the loading dock with the smokers and following them in the door as they go back in. Or seeing if they can get into a company's office by entering through the lobby and sneaking up the stairs.
Not all security testing is technical. These kinds of physical intrusion exercises, or sly attempts to get someone to give you their password over the phone, are all part of a pentester's workload. And while they may not be doing this every day, it may come up somewhere in their career. A pentester could also hand off this type of security testing to a colleague and focus on the remote testing.
The bulk of the work is on the network, as one might expect. IT professionals are used to hours in front of the computers (and many of us have the troubled neck, shoulders, and eyes to prove it). Whether the pentester actually works long or odd hours will depend on the particular project and the customer's requirements.
The work of informing the client about penetration test results is not a favorite for many pentesters. A number of interviews revealed that they simply don't like writing the reports. But it's part of the job, so they do it. Giving an oral presentation to clients may suit them better. It all comes with the territory.
The Pentester Career Path
As with many IT professionals, penetration testers come to the profession from a variety of directions. Some may have started as programmers and diverted into security testing along the way. Others may have chosen the field and invested the time and effort to get certified, demonstrating their pentesting knowledge and skills in a formal way.
However they got into it, pentesters will find that the job is financially rewarding. The job board Indeed lists the average annual salary for a penetration tester at $116,272. If that's not enough to keep them interested, the technical challenges make it an interesting career choice for IT professionals.
Is Pentesting for You?
It's hard to say whether you should go into the pentesting profession or not. That's something you'll have to work out for yourself. If you do decide to take it up, expect to develop a very broad knowledge of IT systems and networking.
You'll need to know something about operating systems, and coding, and business practices, and reporting — among other things. And you'll need a lot of patience and persistence if you want to be successful in this field. Let's face it: Penetration testing is not for everybody.