As hackers ramp up their attacks on organizations around the globe, penetration testers are in high demand, and they get paid well as a result. The 2021 national average salary in the U.S. for pentesters is $86,241 per year, according to Payscale, with some making more than $130,000. Dr. Wesley McGrew is director of cyber operations for HORNE Cyber, an author of numerous pentesting tools used by other professionals, a digital forensics trainer, university adjunct professor and frequent presenter at DEF CON and Black Hat USA. He says as a pentester, “you see interesting new things every day, and it’s an intellectually rewarding” career.
What is penetration testing?
Cybercriminals usually start by searching for vulnerabilities to breach an organization. Their probing tactics vary widely and can target IT systems, web applications and more. Penetration testers are sometimes known as ethical hackers because, in their work to identify and close off vulnerabilities before a hacker can find and exploit them, they sometimes perform the very same actions a hacker would use in an attempt to break in.
Penetration testing often starts with the low-hanging fruit, as the saying goes: pentesters first search for publicly known vulnerabilities in the interest of addressing any potential entry points. “You can identify publicly known vulnerabilities easily,” McGrew says. “Most of the known vulnerability information has documentation on how to test for something specific.” It’s finding new vulnerabilities that offers the most significant challenge and reward. In recent years, as networks have grown increasingly complicated with the addition of internet-connected devices such as cameras, printers, HVAC accessories and much more, finding new vulnerabilities has become part science, part art. It’s also a race to find them before the hackers do.
What does a penetration tester do?
Whether working for a business or a pentesting consultancy, most penetration testers sit within a larger security team and spend their day using a mix of automated testing tools and manual processes, analyzing vulnerabilities or conducting reverse engineering. To learn more about the individual tasks they typically perform, read how to become a penetration tester. Other professionals choose to work as freelancers, usually after gaining experience working for an organization as part of a team. To understand how to succeed in this type of role, read what is it like being a freelance penetration tester?
Often, vulnerabilities happen when those developing a system don’t fully understand how the code is transformed into what the user sees and interacts with on the front end, says McGrew. For pentesters, it’s therefore essential to understand the system at a lower level of abstraction than the person writing the code. “The lower and lower you go in the technology stack and the more you understand it in a detailed way, the better,” McGrew explains. “I encourage people to learn and to pick up some reverse engineering know-how so they understand vulnerabilities better.”
Sometimes, the very nature of penetration testing can seem adversarial in an organization, but it shouldn’t be that way, says McGrew. The goal of finding vulnerabilities is to remediate them, and “our goal is to empower clients to get the resources they need to make positive change. We’d rather not be a ‘got you.’” Instead, the job of penetration testing is to fortify the security of an organization to stop data breaches before they happen.
How to become a penetration tester
To become a penetration tester, you need a broad knowledge of IT systems and networks and familiarity with cybersecurity principles, threat types and attack vectors. Gaining this knowledge doesn’t mean you have to have a degree, but computer science study is one way to get there. So are certifications that demonstrate your mastery of the subject. A few to consider include:
Certified Ethical Hacker (CEH) is valuable for understanding how to perform security assessments.
PenTest+ is a newer certification from CompTIA that will test your skills around the pentesting process.
Infosec Institute provides Certified Penetration Tester (CPT) and Certified Expert Penetration Tester (CEPT) certifications, as well as more targeted certifications, such as Cloud Penetration Testing, Mobile and Web Application Pentesting and Red Team Operations.
Offensive Security Certified Professional (OSCP) is also a popular hands-on penetration testing certification.
While book study is helpful, so is gaining hands-on experience. You can find this through working as a systems administrator. You can also gain valuable insight by building a home lab and participating in online capture-the-flag exercises on virtual machines. According to McGrew, writing code in multiple languages will also serve penetration testers well, particularly when searching for new vulnerabilities. At his firm, they look for “somebody who can write code in multiple languages, somebody who can demonstrate knowledge in reverse engineering and who can do both application security testing and vulnerability analysis on networks.” To learn more about what it takes to be a penetration tester, watch the Cyber Work Podcast, how to become a penetration tester, with Dr. Wesley McGrew.
Sources
Average Penetration Tester Salary, Payscale