On a penetration tester career path, flexibility and curiosity are key
Becoming a pen tester takes more than passing an exam. Learn the qualities ethical hackers should embrace to achieve success on their penetration tester career path.
A penetration tester's aim is to break into an organization's network, systems and applications, but pen testers aren't acting with ill intent. Also known as ethical hackers, their job is to break in legally so that the same vulnerabilities can be fixed before malicious attackers exploit them.
If a penetration tester career path is in your future, so too might be the CompTIA PenTest+ exam. Launched in July 2018, the PenTest+ certification consists of a mixture of multiple-choice and hands-on, performance-based questions.
High-performance computing (HPC) sys admin-turned-pen-tester Jonathan Ammerman has taken the exam and authored the book CompTIA PenTest+ Certification Practice Exams for pen tester hopefuls to quiz their knowledge.
Ammerman described the certification as an at-a-glance verification that someone has the necessary skill set, knowledge and background to plan and perform pen tests. From vulnerability scanning and data analysis to communicating findings and reporting discoveries, the certification covers need-to-know pen testing info.
Here, Ammerman offers insights to help potential test-takers and explains why flexibility and curiosity are must-have pen tester qualities.
Editor's note: This interview has been edited for length and clarity.
How does the PenTest+ exam prepare pen testers for the real world?
Jonathan Ammerman: Contrary to a handful of other penetration testing certifications, PenTest+ is practically based. A lot of other certifications are focused only on multiple-choice, question-answer formats. That's doing a disservice to candidates in a field as varied as penetration testing.
PenTest+ is more focused on addressing the practical aspects of the exam itself, whereas that's not really a factor for other certifications.
What areas of pen testing does the certification cover?
Ammerman: Basic tasks that a pen tester should be expected to perform, as well as general workflow, are covered in the PenTest+ certification. As far as specifics, it's not going to teach you how to attack, say, Apache version whatever. It teaches you how to set up your pen test engagement, get contracts lined up and understand rules of engagement documents that certify you're authorized to perform the test. It will also walk you through open source intelligence gathering and identifying what you can collect in the public space without making your presence known to your target. It goes into port scanning and walks you through vulnerability identification to help you identify what your attack surface is.
Having taken the test and now working as a pen tester, what challenges have you encountered?
Ammerman: I was an HPC systems administrator for about six years before I started shifting into security work and have been pen testing for about three years. Even with my background, when I was first starting out, it wasn't uncommon to run into things you don't have any sort of grounding on. A lot of it is having the mindset to be adjustable, being able to learn things on the fly.
Years ago, I ran into a service called ActiveMQ -- a message broker designed to allow rapid communication between remote systems -- that I had never encountered before. That said, it was part of the pen test engagement -- it's what I saw available as my attack surface because it was responding to my port scans. As a pen tester, you sometimes just have to be able to learn stuff in a quick, dirty manner and figure out how to attack it.
What advice do you have to do that?
Ammerman: Anyone who wants to get into this field has to stay flexible and be aware that it is a constantly growing field. It's not fair to say that security work -- and penetration testing in particular -- is new, but they're young fields, and the dynamic right now is such that the landscape is always evolving. An analogy I like to use is that it's similar to medical practice, where, if you're not staying current and you're not keeping yourself educated on the latest techniques or new information, you're going to get left behind.
If you're coming from a background that's strictly focused, like me as a sys admin, it can be a bit overwhelming. But, if you want to find a career field where you're not going to be able to get bored because there's always something new to do, I don't think you can do any better than security. It's a constantly shifting landscape. Anybody that enjoys learning for learning's sake would enjoy it.
Where are people getting tripped up on their penetration tester career path?
Ammerman: It's a young field, but there are a lot of individual niches. Some people can go off and specialize in vulnerability discovery and writing exploits; some people are better at web application attacks and focusing on browser-based technology.
The best thing I can say as far as what might trip people up is just to be honest in their assessments of themselves as they're going through practice questions. For example, if you notice you're getting hammered constantly or missing stuff on, say, cross-site scripting or cross-site request forgery, just be honest with yourself, and acknowledge that might be a weak point.
That's not to say that you're not cut out for the security field because, again, it's a very broad field. It's more an indication of 'OK, you've got this weak point -- do something about it.' Security is very much a field that rewards intellectual curiosity.
What should people know before opening your book?
Ammerman: This book is not step one -- you need to have some baseline abilities before you start branching into security.
There's no prerequisite for CompTIA, but it has some recommendations as far as past experience and such. I would recommend, at minimum, knowing a good bit about Linux and Windows and being comfortable with command lines in both OSes. It's going to help you out to know a bit about programming, too, or at least scripting in a language like Bash, PowerShell, Python or Ruby.
With that knowledge and going through the all-in-one exam guide and the problems in the book that I wrote, a candidate will be well suited to take the exam.
How is the certification being received by employers?
Ammerman: It's still early days for that given it's such a new certification. That said, it's a CompTIA certification. I think it's going to take the same sort of stature as Security+ or Network+ for the pen testing field. Plus, the PenTest+ certification is going to start checking boxes for baseline government work. It is slated to be included in the Department of Defense Directive 8570, part of DoDD 8140, as a baseline qualification requirement for government employees who conduct information assurance functions by the end of the year. I'm also seeing it acknowledged in places like LinkedIn.
About the author
An English major turned army officer turned HPC systems administrator, Jonathan Ammerman has taken a decidedly less than typical route to the information security field. His experiences in the military and private sectors led to a heightened interest in the security arena, manifested in his current role as a penetration tester with nDepth Security. In his spare time, Ammerman enjoys spending time with his children and hiking or camping in areas that preclude the possibility of so much as a phone call.