Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

10 things I’ve learned

I’ve recently passed the big 6 month mark as a penetration tester. It doesn’t seem like much in the scheme of things, and it certainly doesn’t give me the right to preach to you. It has however made me think about what I’ve really learned since starting work as a full-time penetration tester. In the true style of incident responders, I’ve entered the “lessons learned” phase, and here’s what I came up with (in no particular order) .:

  • The report is the most important part of a test.
  • Exploits are only a small peice of what a penetration test is all about.
  • If you don’t understand the protocols, all is lost. RFC’s are your friend here.
  • Testing your tools and exploits before a test is more than just a good idea.
  • Writing testing notes in a notebook may seem old fashioned, but it really helps.
  • Charts and Screenshots make people go “Ooooh” when they read the report.
  • No matter what you say in the final report, someone will always disagree on some point or another
  • Linux is your friend. Windows is also your friend, albeit a slightly slower friend that annoys you at times.
  • When you test something and can’t find a weakness, this is not a bad thing… and yes the good parts should also be in the report.
  • No one person can know everything (except Ed Skoudis) so knowing where to find the facts, and who to ask is an important skill to possess.

With the above said, I’ll try and expand on a few of these points in the coming weeks.

Happy hunting…


3 responses to “10 things I’ve learned

  1. geekyone September 19, 2008 at 23:01

    Nice list. I really like this “No one person can know everything (except Ed Skoudis)” it gave me a good chuckle.

  2. Matthew Becker September 24, 2008 at 14:02

    I concur. As a Penetration Testing, this list is truly some of the most important lessons that need to be learned. I especially would like to emphasize on two comments:

    “When you test something and can’t find a weakness, this is not a bad thing… and yes the good parts should also be in the report.” – This provides that the client has stepped up to the plate and taken a serious stance on security.

    “The report is the most important part of a test” – The is the “proof in the pudding”. Another addition to remember; if it is not documented, it did not happen!!

    Great Post!

    Shameful (but useful) plug – An addition to this post on for up and coming Pen Tester is Career Advise for Penetration Tester/White Hat Hackers.

  3. jcran September 26, 2008 at 17:53

    good stuff. especially the report delivery. you can have the best information in the world, but if your customer can’t digest it, it’s no good.

%d bloggers like this: