To catch a thief: Careers in penetration testing

Written by Mike Chapple
Published: 21 August 2014

Hackers live and work in the shadows, but you don't have to be a criminal to know — and use — the tools of an illicit trade.

Close your eyes for a moment and imagine a hacker. What picture appeared in your mind? If you’re like most people, it was probably a teenager, or maybe a 20-something, sitting in a messy room in the middle of the night surrounded by soda cans and empty pizza boxes. You probably didn’t think of a well-dressed professional sitting in a modern office sipping her morning coffee. The difference between these two individuals lies in their motivations and rewards. The teenager in his basement bedroom may be motivated by solving a difficult technical challenge and getting an ego boost, while the professional is motivated by career ambition and a lucrative paycheck.

PROFESSIONAL HACKERS

Yes, you can be paid to be a hacker. Organizations hire such individuals to rigorously test the security of information systems using the same techniques employed by hackers around the world. The language may change — “hacking” becomes “penetration testing,” and “hackers” become “information security professionals” — but the tools and methods remain the same. If this sounds like an exciting professional option, then you may wish to consider a career as a penetration tester.

IT professionals pursuing a career in penetration testing have a rosy future ahead of them. White hat hacking skills are in very high demand and salaries for qualified penetration testers are among the highest in IT. The 2014 Global Knowledge IT Skills and Salary Survey found that individuals with the Certified Ethical Hacker (CEH) certification can expect to earn a whopping $103,822 per year, on average. That’s a plenty respectable paycheck for an IT staffer without a management role, and it’s one of the main motivations for many aspiring penetration testers.

BREAKING INTO THE FIELD

If the idea of hacking for a hefty paycheck has piqued your interest, then you’re probably wondering how you can get started in this challenging, competitive field. First, you’ll need to have some relevant work experience. Penetration testing is not an entry-level technology job and some prior experience is a requirement for almost any position. There are two common paths you can follow to gain the prerequisite experience: as an information security professional or a software developer.

If you choose to enter the field through the information security career path, focus on gaining a broad exposure to security topics. You’ll want to have a solid understanding of the types of threats facing modern organizations with a specific focus on software flaws and web application security. If your organization employs penetration testers, spend time with them and absorb as much information as you can about their craft. If you outsource penetration testing, try to get an assignment as the liaison to the consultants performing the tests. You’ll pick up a lot along the way!

Software developers are also uniquely well suited for a career in penetration testing because they have a deep understanding of applications — one of the most common sources of vulnerabilities exploited by penetration testers. Programmers seeking a career in penetration testing should focus their professional development opportunities on security issues — learn about injection flaws, cross-site scripting (XSS), cross-site request forgery (XSRF) and other application issues that provide potential attackers with a point of entry into a system.

Many people ask whether performing unauthorized penetration tests is a good way to gain experience and a reputation in the industry. It most certainly is not! While you can certainly gain knowledge and experience by engaging in illicit testing, there is no difference between these “unauthorized tests” and illegal hacking. No employer is interested in hiring a staff member with a criminal past for a sensitive security position. Steer clear of illegal experimenting and stick to authorized activities. If you’re interested in getting some experience without a job, consider volunteering to perform penetration tests for local nonprofit organizations.

CERTIFICATIONS PAVE THE WAY

One way you can get a leg up on other candidates for a penetration testing position is to prove your interest and aptitude by earning a penetration testing certification. There are several well-recognized credentials available to help you demonstrate your skills to potential employers.

The SANS Institute offers two security certifications focused on penetration testing. The GIAC Penetration Tester credential covers penetration testing tactics, techniques and procedures, as well as exploring the legal issues surrounding penetration testing. Earning the credential requires passing a three-hour, 115-question examination with a score of 74 percent or higher. The second SANS credential, GIAC Web Application Penetration Tester, is focused specifically on the use of penetration testing techniques to assess web applications. The exam requirements here are somewhat less challenging — you’ll need to achieve a score of 70 percent or higher on a two-hour, 75-question test. Neither SANS credential requires professional experience or classroom study.

The EC-Council’s Certified Ethical Hacker (CEH) program also challenges candidates to demonstrate proficiency in the tools and techniques used in conducting penetration tests. Before sitting for the CEH exam, you must either attend an accredited course or demonstrate two years of information security work experience. The exam itself lasts four hours and consists of 125 multiple-choice questions. Candidates who earn a score of 70 percent or higher are awarded the CEH certification.

Penetration testing is an exciting branch of the information security profession. Practitioners have the opportunity to use the tools and techniques of hackers on a daily basis, and earn a generous living by doing so! Entry into this field doesn’t come easy: If you’re seeking a new start as a penetration tester, be prepared to study hard and work your way up through the ranks of information security professionals or application developers. Once you get there, however, employment as a penetration tester is almost guaranteed to be exciting and challenging.