We spoke to the latest addition to our penetration testing team, Jon Fan, about his background in software testing and why he decided to make the switch to become a penetration tester.
My exposure to security testing
Prior to penetration testing I was a software automation tester for a web application. Throughout my time as a software tester I began to branch out from solely acceptance testing and ventured into other forms of testing such as accessibility, performance, and security testing. I developed a working knowledge of these types of testing, but out of the types of testing that I conducted, one in particular caught my attention: security testing.
Retrospectively, my experience with security testing was incredibly surface-level. I utilised OWASP ZAP's API automated scanner to run in conjunction with my automated acceptance tests. Once the acceptance tests had finished, the scanner would return a report containing the findings from the scan. If a vulnerability was found, I would create new tasks for the developers to fix these issues. But if no vulnerabilities were found, then the application was ready for an external penetration test.
Initially, I only learnt how to utilise ZAP for security testing and then offloaded the findings to the developers to solve. I did not truly understand what the results or report meant. However, my perspective on that changed and I began taking responsibility for the findings from the report and began helping the developers fix these issues.
By taking accountability for the findings, I was able to help remediate these vulnerabilities with help from the developers. For example, I had heard of the term 'cross-site scripting' but I did not know how to prevent it from occurring or how to remediate the issue. In order to fill this gap in my knowledge, I dedicated time to reading and researching the most common vulnerabilities and how to mitigate them.
What I soon realised is that the security field is always changing. There is always new information being released and the need for adaptability is a necessity. The field is incredibly diverse and I truly recognised that there was an endless amount of things to read and learn. The more I researched in my free time, the more I began reading about topics not strictly related to the vulnerabilities found in the security test, such as bug bounties, malware analysis, capture-the-flags, etc.
In order to satisfy my curiosity, I knew that reading was not sufficient and that I had to take a more hands-on approach to gain a better understanding of these vulnerabilities. Initially I learnt about different tools and how and where to use them, such as Nmap, Metasploit, Burp Suite, and SQLmap. Then I ventured onto hacking platforms such as DVWA, OWASP Juice Shop and HacktheBox so that I could practice using these tools safely without fear of breaching any laws.
From this point on, I spent a lot of my time playing around on these platforms, reading walk-throughs, and listening to security-focused podcasts. I highly recommend attending your closest hacking or security-focused events and meet-ups. The opportunity to speak to professionals and enthusiast hackers and experience first-hand what they do is invaluable. I soon realised that I was fully immersing myself in the security field.
Transitioning to penetration testing
Fundamentally, the methodologies of software testing and penetration testing are essentially the same. You scrape through an application and see if you can produce an unexpected or undesirable result. However, with penetration testing, when you receive an unexpected result you try to act upon your findings by exploiting the vulnerabilities that have been found. It was this extra step that enthralled me, and the desire and curiosity it sparked, that pushed me to make the transition into penetration testing.
When I first started off I knew that I was severely lacking in some areas, such as networking, and that I required extra focus on those topics. Despite the studying I had conducted prior, I would in no way call myself 'proficient'. I had a high-level understanding of topics such as scripting, tools, and penetration testing methodology, but a deeper level of understanding was required. But that's what excited me about the field: I was fascinated by the idea that there is an endless stream of information and knowledge that I could hope to acquire if I were to dedicate the time and energy.
Despite not possessing the technical prowess needed, I was still able to transfer key skills from my time as a software tester to penetration testing. My past experiences have helped me develop a strong analytical and meticulous mindset. Attention to detail is vital in identifying differences between configurations or code, which can ultimately determine the success of an exploit.
With any client-based work, possessing strong written communication and soft skills is always ideal. The more experience you gain from speaking and writing to clients, the more adept you become. From my time as a software tester, I became well versed in communicating through countless interactions with different members of the multidisciplinary team. Communication also plays a vital role in penetration testing, as it's not only your job to discover and exploit vulnerabilities but to be able to clearly and concisely present the findings to all levels of the client organisation.
Depending on the person and their skill set, the learning curve can be incredibly steep. However, you should not let that deter you from making the transition if you have an interest in security and penetration testing. Initially, it felt like a tremendous task and I felt I was completely out of my depth, but what helped me through it was the curiosity and the consistency of always wanting to learn more.
What I discovered is that penetration testing is a very diverse topic and it in itself requires the knowledge and understanding of multiple fundamental topics. I can't reiterate enough how rewarding and fulfilling it can be to discover these vulnerabilities and then successfully exploit them. It may seem incredibly intimidating at first, but from my experience, research the things that interest you and you will soon be entering a rabbit hole of topics, all of which will be driven by your curiosity.