Doing some random morning news browsing, and I followed a link to “10 things you need to know before hiring penetration testers.” I love lists! I love good ones, because they’re good, and bad ones, because you can rip them up and point out good things by using the bad examples. They’re just really easy to digest. Like sushi. Anyway, so what are the tips you need to know before hiring and are they good tips? (Turns out they are!)
1. Strong Communication Skills. Ok, this article starts out strong by repeatedly mentioning something I hold very dear and consider myself to be very strong at: being able to adjust communication between the deeply technical and the far less technical for those not so inclined. I also really like the mention that technical skills can be taught, but communication skills are far harder. I think the one exception to this rule would be those people who are very reserved and quiet before either breaking out of their social shell or gaining that confidence and voice in what they’re saying. Some people just need to get past that impostor syndrome feeling, and they’re off to the races.
2. Beware of “Secret Sauce” Consultants. I didn’t understand this item from the title, but really this is talking about making sure findings are repeatable as described and accurate, and partly about knowing what you’re talking about when it comes to a pen testing methodology. I wish this item were longer and expounded on more, though.
3. Get Involved with the Security Community. Keep in mind this article is about things someone needs to know before hiring a pen tester, so this item is asking the hiring manager to get involved with the security community and go where the experts are. There’s not much to say about this. I’ve had managers who are technically involved and others who really just don’t know anything about the greater IT community outside the company. While both can be effective, one tends to be better tuned than the other.
4. Reputation is Everything. A really strange bullet point, but packed with very valid points. The exception, of course, will be entry level people who really do come out of nowhere, but I agree with the points that a pen tester should be known to some degree or other. They don’t necessarily have to be a keynote speaker, but participating and being involved to whatever degree and demonstrating some continued learning and passion should certainly be a factor. I really do like the parting comments about being wary of egos and rock stars. There can be a certain level of “clubbiness” to a certain half-technical tier of known speakers and infosec pundits who get really big egos and many followers/fans, but who are really only complaining about the same things everyone else is and not offering much new other than stroking the ego.
5. Technical Acumen: Required. This seems obvious. Pen testing is not a task you can just talk your way through. Yes, you can fake it pretty well, since no one hiring you may be smart enough to call the BS (“Sorry, I couldn’t find anything wrong…”), but ultimately that will always get found out, and we start talking about the previous point about reputation. This ends up being a really good bullet point about results and understanding tools, rather than just blindly wielding automated suites.
6. Well-Rounded, Recent Experience. This is a touchy subject lately. If every pen testing position required experience, we’d never get new pen testers. I get the points about needing experience; I actually agree that the typical pen tester should not be fresh out of high school or probably even university. But there are exceptions, and there certainly are positions alongside full pen testers that entry-level people can fill. This article appeared in 2014, and today there are many more opportunities to at least practice, demonstrate, and build skills in pen testing activities. But the point is still really strong. To me, pen testing really should require plenty of real world experience in, at least, IT in general.
7. Hire Passionate Hackers. Maybe my favorite bullet point on here. I’ve participated in interviews for fellow IT admins in the past, and I always look for what I call the “geek side” of candidates: do you geek out about this stuff at home as well as at work? And so on. I know that can lead to burnout, but I find it important to be passionate about and enjoy this work, to demonstrate that, and to be around others with similar passion. And I echo the quote in here; I love the challenge and solving puzzles and learning, but it’s very much about helping others be more secure and making them better, whether that be fixing technical holes or educating on practices.
8. A Willingness to go Off-Script. Being creative and being able to wield those surgical tools rather than only knowing automated suites. That’s the bulk of this point, but I dig that it hints at being able to employ some tradecraft, i.e. evasion and covert practices that change with every engagement.
9. Know that a Pentest is Only Part of the Picture. Pretty obvious!
10. Don’t be Afraid of Pentesters. I like this point, too, and it’s not as obvious, nor one that I likely would have thought of. Don’t be afraid of the testers; include them in your operations. Don’t be afraid to direct their work/output. A really good point and a great way to close out the article.