Penetration test skills in demand
James Foster looks at the opportunity for skilled penetration testers
Hackers will try anything once to compromise a web site, server, network or application. The only way to stop this activity, which is usually organised crime, is to get in there first.
Think and act like a hacker and see what vulnerabilities you can find, before they do. This is penetration testing, and today it is required by many customers that have something to protect, whether it be customer data, financial information, intellectual property, or reputation.
Regulations such as the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard (PCI DSS), and the government's Code of Connection require networks, firewalls, databases, servers, applications, mobile devices and more to be checked thoroughly for vulnerabilities.
Penetration testers are in greater demand than ever.
Historically, testing was retrospective. You would build an application, device, network or web site and then let an ethical hacker throw everything he or she could at it, documenting any failures, ideally before anything was put live.
Testing would be repeated regularly, perhaps once a year. Because it was only occasional, it was often outsourced to consultancies. Today, many such specialists charge upwards of £1000 per day.
Outsourcing is not for everyone
For some companies, outsourcing makes little sense. Large-scale application development is a good example of why: with more businesses reliant on networked and web-facing applications that have to be delivered and updated to a schedule, waiting until the end of the development cycle to look for potential vulnerabilities is too risky.
In these situations, risks are assessed throughout the development process. Development starts with best-practice secure-coding techniques, and each individual module is then code-checked for flaws. The application is typically then tested pre-production, and repeatedly once it goes live.
This effectively places the tester inside the development team, in contrast to the more adversarial role played by the ethical hackers of old, who sat outside the core team and most likely outside the company.
Testers today can even help train developers to code securely from the outset.
However, some penetration testing consultancies have updated their proposition to support continuous security assessments through the application development lifecycle.
The growth of in-house roles and reliance on digital platforms means more experienced penetration testers are being sought.
There are several levels of certification available for UK-based penetration testers.
• Certified Ethical Hacker (CEH) – the most junior qualification
• CHECK Team Member (CTM) – an experience-based certificate for British nationals only
• CHECK Team Leader (CTL) – subject to a theory exam
• CREST – subject to both experience and exams
• Tiger Scheme – offers various levels of accreditation
Most professional penetration testers will have at least two of the available certifications. Those with three at the highest levels are being paid extremely well, although commercial experience is equally important.
Government bodies have an understandable demand for the skills of the penetration tester, as do banks and other financial institutions. For both types of organisation, as for many businesses, testing today is not just against the threat of an external hacker.
Penetration testers also have key roles to play in providing assurance that internal networks, wireless and remote access systems, laptops, mobile devices, databases and applications are secure.
While black-box testing against the threat from an unauthorised individual remains the most common, I believe you should run grey-box and white-box tests, which provide the tester with different levels of authorisation and knowledge of the systems. This can help protect against threats from inside the organisation.
And I believe that those with CHECK Team Leader or Member, or CREST Consultant certification, and a few years' commercial experience (inside an organisation or consultancy rather than freelance) are most in demand.
If they can bring additional security skills, or contribute to ancillary services such as policy development, they can expect to demand a significant salary.
As businesses continue to add new technology in a bid to streamline and automate their processes, the role of the penetration tester will be increasingly important. Mobile networks, web applications and remote working all bring their own specific challenges.
James Foster is principal consultant at Acumin Consulting