Dare to become a web application pentester? Here are a few essential “WHATS 101”!

Let’s start with all the WHATs:

WHAT is pen-testing?

In short, it’s a step-by-step procedure for finding vulnerabilities that an attacker could exploit in a web application:

  1. We analyze the application for any weaknesses, technical flaws, or vulnerabilities.
  2. Any security issues that are found are presented to the system owner, together with an assessment of the impact and a proposal for mitigation or a technical solution.

Most clients don’t engage pen testers to do a full-spectrum test. Instead, they want small parts of their IT infrastructure tested in a controlled environment. They hire professional services or consulting firms to assess the security posture of specific systems, or they employ penetration testers as part of their internal security teams. Even as a hobby, hacking can get really frustrating. Penetration testing is also considered one of the most frustrating jobs in the field.

Now, don’t get disheartened. Let’s move on to: WHAT does a pen tester do?

Although it sounds like a cool-kid job, unlike real-life hackers, you may only have days to compromise systems. If that wasn’t tough enough, you are also expected to document and explain your methods and findings, and to work with managers to design security protocols and policies.

Let’s go through the responsibilities step by step:

[Image: PT image]

WHAT are the basics needed?

For starters, you should be clear on the points below:

  • Knowledge of operating systems, software, communications, network protocols, web applications, client-server architecture, databases, etc.
  • Linux (e.g. Kali Linux – a Debian-derived Linux distribution designed for digital forensics and penetration testing).
  • Basics of a web application, TCP/IP protocols at the packet level, technologies used in web applications, etc.
  • Go through the OWASP Top 10, SANS 25 and OWASP Testing Guide v4.
  • Follow a non-profit organization like Null, participate in CTF (capture the flag) events, and read through HackerOne reports.
  • Once you have a strong foundation, you can download and use one of the vulnerable applications like DVWA, Mutillidae, WebGoat, etc. for learning purposes.
  • Learn to use an automated vulnerability scanner like OWASP’s ZAP or Burp Suite.

Oral and communication skills are two other biggies that employers are looking for. In addition to the amount of paperwork (reports and assessments), you might be surprised at how often you will have to talk to people, explaining your methods to technical and non-technical audiences. The only way to become a penetration tester is to practice, innovate and always keep yourself up to date. You need to know enough about security vulnerabilities to be able to evaluate each finding of the automated tool.

Here are a few technical skills we have seen employers favoring:

  • Windows, UNIX and Linux operating systems
  • C, C++, C#, Java, ASM, PHP, Perl
  • Network servers and networking tools (e.g. Nessus, Nmap, Burp, etc.)
  • Security frameworks (e.g. ISO 27001/27002, NIST, HIPAA, SOX, etc.)
  • Security tools and products (Fortify, AppScan, etc.)
  • Vulnerability analysis and reverse engineering
  • Metasploit framework
  • Forensics tools
  • Cryptography principles

Certifications For Penetration Testers:

There is no master list of preferred certifications for pen testing. We recommend starting with CEH or any other basic certification and building from there. Here are a few suggestions to get you started:

  • CEH: Certified Ethical Hacker
  • CPT: Certified Penetration Tester
  • CEPT: Certified Expert Penetration Tester
  • GPEN: GIAC Certified Penetration Tester
  • OSCP: Offensive Security Certified Professional
  • CISSP: Certified Information Systems Security Professional
  • GCIH: GIAC Certified Incident Handler
  • GCFE: GIAC Certified Forensic Examiner
  • GCFA: GIAC Certified Forensic Analyst
  • CCFE: Certified Computer Forensics Examiner
  • CREA: Certified Reverse Engineering Analyst

 

Author: Nimi Kuriakose

SecuArk Pvt.Ltd