Becoming a Professional Pen Tester: Tips from Self-Taught Pros

Would you like to join one of technology’s fastest-growing occupations—one that many tech pros can master on their own?

In our recent article on top-paying non-certified skills, David Foote, chief analyst for Foote Partners, noted that penetration testers enjoyed a 7.1 percent increase in market value through the first six months of 2018. Moreover, some 50 percent of “pen testers” are self-taught.

For those unfamiliar with the field, pen testers are charged with simulating attacks on a client’s IT infrastructure in order to determine points of weakness. For example, a pen-testing firm might wait for a holiday weekend, then attempt to crack every single employee’s password. Pen tests are vital parts of comprehensive security audits, and in our era of high-profile data breaches, companies are intensely interested in making sure their systems are secure.

But how do you actually get into pen testing? We asked several self-taught experts to share their tips for entering this burgeoning field.

Ideal Background

Anyone with three to four years’ experience in a hands-on tech role should be able to learn the basics of pen testing, including how to proactively find and resolve vulnerabilities. If you’re transitioning from an unrelated field, learn the command line (either Windows or Linux) and take a fundamentals course in programming or networking before taking a pen testing course, advised Tyler Webb, a penetration tester and information security team lead.

“A prospective employer will likely test your knowledge through code reviews and a penetration test against an environment they control,” noted Jared Eversmeyer, a penetration tester and security researcher who goes by the handle “hacker for hire.” Learn (or revisit) the fundamentals of computer systems, networks and programming.

In this fast-moving field, certifications are more important than a degree. The Offensive Security Certified Professional (OSCP) is the industry’s most respected penetration-testing certification, and a good one to pursue. Attitude also trumps experience, explained Brian Whelton, director of Whelton Network Services: “Aspiring pen testers need the correct mindset. Security, either defending or attacking, changes constantly. What works today, may not tomorrow.”

Need motivation to get started? Whelton recommends that you check out these videos by newbie pen testers:

Mastering the Basics

Due to the growing utilization of apps that connect everything from computers, phones and even household appliances to the cloud, trainees should focus on learning web and mobile application testing first, according to Eversmeyer. There are numerous self-paced training courses available online (some are even free), or you can enroll in a bootcamp.

In terms of education, Whelton likes Cybrary, CBT Nuggets, ITProTV or YouTube for learning the basics. At the same time, practice all the stuff you’re learning by setting up a virtual pen testing lab at home.

As far as tools go, most trainees typically use a pen test distro such as Kali Linux or Black Arch, which provide a repository of tools to help with testing.

“If you’d rather learn just a few tools specifically designed for testing web applications, I would advise going with Burp Suite, Nmap and Nikto,” Eversmeyer said. “With those tools and sites such as DNSdumpster and Myip.ms, I can find out everything I need to know about a website’s infrastructure and fingerprint it. From there, I can analyze the source code and look for ways to manipulate it.”

Prove Your Skills

Even though the demand for pen testers exceeds supply, self-taught pros still need to prove their abilities to land their first job. Hone your skills and prove your worth at the same time by participating in bug bounty programs. Entering challenges such as Hack the Box or Immersive Labs or Capture the Flag (CTF) competitions can be the perfect way to showcase your newly acquired skills.

Go to community events and trade shows, hit the online forums, or contribute to websites such as Secjuice. “These events exist for people to share, learn and help; the attendees welcome newcomers with open arms,” Whelton said.

Related