Comments on: Pentesting Skillset http://hexesec.wordpress.com/2008/07/05/pentesting-skillset/ sudo apt-get install ... security? Mon, 28 Dec 2009 10:12:56 +0000 http://wordpress.com/ hourly 1 By: Building the pentest team skillset — spylogic.net http://hexesec.wordpress.com/2008/07/05/pentesting-skillset/#comment-86 Building the pentest team skillset — spylogic.net Wed, 15 Jul 2009 01:50:49 +0000 http://hexesec.wordpress.com/?p=8#comment-86 [...] saw this post on Hexesec the other day that made me think about all the skill’s that when you put them together could [...] [...] saw this post on Hexesec the other day that made me think about all the skill’s that when you put them together could [...]

]]> By: Panarchy http://hexesec.wordpress.com/2008/07/05/pentesting-skillset/#comment-29 Panarchy Fri, 12 Sep 2008 06:01:12 +0000 http://hexesec.wordpress.com/?p=8#comment-29 Thanks I'm going to print this out. And learn as much as the things from the list as I can. For pen-testing and white hat hacker, this'll be a good goal to set myself. Thanks

I’m going to print this out.

And learn as much as the things from the list as I can.

For pen-testing and white hat hacker, this’ll be a good goal to set myself.

]]> By: jcran http://hexesec.wordpress.com/2008/07/05/pentesting-skillset/#comment-28 jcran Wed, 03 Sep 2008 04:45:30 +0000 http://hexesec.wordpress.com/?p=8#comment-28 Tom, definitely, this was aimed as more of a wish-list for a team. it would be interesting to put together a maturity model for a pentesting team. -- what skills are absolutely (day-one) necessary for a generic pentest. i guess it depends on the network / idea of a "generic" pentest. surely though, there should be some way to boil down to skills which are more essential: - networking - unix / linux - security mindset - scripting (debatable, but imo necessary...) and those that are secondary (again, depending on a lot of factors): - scripting++ - networking++ - unix-foo - web-app skillz etc. again, all of this is debatable, and depends on the environment which needs testing. the goal is to make a list of where anyone interested should focus. the short answer seems to be any of these areas, though some are easier than others... Tom,

definitely, this was aimed as more of a wish-list for a team.

it would be interesting to put together a maturity model for a pentesting team. — what skills are absolutely (day-one) necessary for a generic pentest. i guess it depends on the network / idea of a “generic” pentest.

surely though, there should be some way to boil down to skills which are more essential:
– networking
– unix / linux
– security mindset
– scripting (debatable, but imo necessary…)

and those that are secondary (again, depending on a lot of factors):
– scripting++
– networking++
– unix-foo
– web-app skillz

etc.

again, all of this is debatable, and depends on the environment which needs testing.

the goal is to make a list of where anyone interested should focus. the short answer seems to be any of these areas, though some are easier than others…

]]> By: Interesting Information Security Bits for July 29th, 2008 « Infosec Ramblings http://hexesec.wordpress.com/2008/07/05/pentesting-skillset/#comment-4 Interesting Information Security Bits for July 29th, 2008 « Infosec Ramblings Wed, 30 Jul 2008 14:22:38 +0000 http://hexesec.wordpress.com/?p=8#comment-4 [...] points to 0×0e’s post that puts forward a list of skills that a good pentesting team should have. It is a good list and [...] [...] points to 0×0e’s post that puts forward a list of skills that a good pentesting team should have. It is a good list and [...]

]]> By: Tom http://hexesec.wordpress.com/2008/07/05/pentesting-skillset/#comment-2 Tom Wed, 23 Jul 2008 12:53:57 +0000 http://hexesec.wordpress.com/?p=8#comment-2 Great list! I would add that it is very difficult for a single pentester to be an expert in a all of these areas (at least I have yet to meet one!). Hence, one of the things that bothers me is when I see a pentest company send one person out to do a two week penetration test! How could one person be an expert in all of these areas? This is why you should have a diverse pentesting team with experts in most of the 'major' areas (Web app, OS-Specific, Networking, scripting/dev) you listed. Other skill sets like vuln development can easily be learned by someone with skills in scripting/development. In general, the more diverse and well rounded your team is the better. :-) Great list! I would add that it is very difficult for a single pentester to be an expert in a all of these areas (at least I have yet to meet one!). Hence, one of the things that bothers me is when I see a pentest company send one person out to do a two week penetration test! How could one person be an expert in all of these areas? This is why you should have a diverse pentesting team with experts in most of the ‘major’ areas (Web app, OS-Specific, Networking, scripting/dev) you listed. Other skill sets like vuln development can easily be learned by someone with skills in scripting/development. In general, the more diverse and well rounded your team is the better. :-)

]]>