In the most recent article in my “pentest quality” series, I discussed how it really does take a village to ensure quality in pentesting. In this article, I will focus more on the main player, the pentester, who is responsible for the hands-on keyboard activity.
In my opinion, the best pentesters are creative, inquisitive, dedicated, fearless, and lifelong learners. The security field is ever changing, and a great pentester needs to keep up with not just vulnerabilities, but the overall technology field, including development, infrastructure, frameworks, etc., in order to be an effective ethical hacker.
Let's chat about how we can verify what a pentester knows and feel comfortable with their skills and the approach they will take.
I have seen my fair share of individuals working in this field and can attest that the best pentesters aren’t always those who hold all the certifications or have a college degree in the field. While attaining a certification does convey your ability to learn, retain information, and pass a test and/or practical, it does not always convey your approach to learning and keeping up with the latest trends in security.
As a matter of fact, some of the most popular certifications do not require you to renew or re-test. Once it is yours, it is yours forever. This means that we, as buyers, hiring managers, and team leaders, are putting a lot of faith in certifications that can, and do, become stale shortly after attainment.
Certifications don’t tell the full story. Instead, it’s important to consider how testers are vetted and onboarded and how they work to keep their skills current and relevant. Verifying that a tester can investigate security flaws well isn’t easy, and it can be costly and time consuming.
Below are a few approaches I have seen be successful in vetting pentester skills:
The above lists are not all-inclusive, but they should give you an idea of how to make sure the pentesters investigating your environments are keeping up to speed with the technologies they are testing.
Don’t get me wrong, certifications can be a good way to find talent, and they should be celebrated when attained by members of your team (I’ve held my fair share). There are times when specific certifications are needed, like PCI compliance or for other types of testing for regulatory entities.
However, the majority of the time, you should be looking for testers experienced in the technologies that are present in your environments. That experience will go a lot farther than a one-and-done certification ever will. Look for creativity, thoroughness, and that lifelong-learner trait as an indicator of the tester’s ongoing capabilities.
In the next installment of my article series, I’ll talk about keeping pentesters focused on what they do best: hacking. In the meantime, do you have anything to add to my list? Or anything to share about any of the other articles in this series? Did I miss anything you find absolutely essential when hiring or vetting pentesters? Send me your thoughts at [email protected].