Pentesting Skillset
I’ve been putting together a list of the skills needed to succeed as a pentester. This was prompted by mapping out my own short-term education and by gathering a list of required skills for potential hires.
These are the skills I find necessary and want to promote in my own team. I’m curious whether this list matches what you would expect a penetration tester to know.
This list doesn’t focus on important things like the security mindset or other high-level skills such as communication, organization, and discipline. It also stays away from specific technical (attack) tools and techniques. Its main goal is to establish a minimum baseline of understanding and capability for a pentesting team.
- General / Overall
  - Project Management – Start, maintain and complete a project
  - Toolkit and Exploit Management – Maintain a useful set of tools
  - Education – Stay up to date, learn new concepts (books, people, training)
  - Teaching – Explain new concepts, publish information
  - Research – Own a topic or research area
  - Bullshit Management – Ability to work in close quarters
- Auditing
  - Law / Regulation Knowledge
    - HIPAA, FISMA, GLBA (high-level regulations)
    - ISO 17799, ISO 27002 (IT standards)
    - PCI, COBIT (lower-level guidelines)
  - CISSP Domains
- Writing
  - Technical writing ability
  - Ability to analyze & correlate information
  - Ability to reconstruct a narrative from technical information
- Social / People Skills
  - Common Sense – Finding the quickest, easiest solution to the problem at hand
  - Social Engineering
- Searching / Information Gathering
  - Research Skills
  - Google Hacking
  - Recon Techniques
  - Information Correlation
- Attack Modeling
  - Risk and Threat Modeling
  - Security Mindset
  - System Decomposition
- Web Application Skills
  - General Development and Testing
  - AJAX
  - Design Patterns (MVC) – Ruby
  - JavaScript Debugging – Venkman, Firebug
  - Web Services – REST, XML-RPC, SOAP, JSON
  - Web-Specific Languages – ASP, PHP, JSP, ColdFusion
  - Web Frameworks and Platforms – ASP.NET, J2EE
  - Database Administration
    - SQL / Data Query
- OS-Specific Skills
  - System Administration
    - OS Theory
    - System Architecture
    - System Security Models
    - Filesystems, Networking, I/O
    - Startup / Shutdown
    - Analysis (dump, debugging, memory, forensic)
    - Management + Maintenance
  - Windows
    - Active Directory
    - Exchange / OWA
    - SQL Server
  - Linux / BSD
    - Apache
    - MySQL
    - Sendmail / Postfix
    - Package Managers
  - OS X
  - AIX / Solaris / Unix
  - Kernel / POSIX
    - System Programming
- Networking
  - Networking Theory
  - Protocol Theory
  - Routing and Switching
    - Cisco & Juniper
  - Firewalls
  - Embedded Devices
  - VoIP / Voice Skills
    - PSTN experience
    - Routing + Signaling Protocols
- Scripting Skills
  - Bash, etc.
  - Perl, Python, Ruby
  - PHP, ASP
  - Batch, VBScript, PowerShell
- Hardware Hacking
  - Embedded Devices
  - Electronics Theory
  - Secure Design of a System
- Wireless
  - WEP / WPA / WPA2
  - Packet Injection
  - Hardware / Driver knowledge
  - Basic Encryption
    - Symmetric ciphers
    - Asymmetric ciphers
  - 802.11
  - Antenna Theory
  - Mobile Networking
    - CDMA, GSM, Mesh Theory
- Development
  - Coding
    - Regular Expressions
  - Development
    - Design Patterns
    - Development Methodology
    - Version Control
    - Database Design
  - Language
    - C / C++, Java
    - C# / .NET Framework
- Vulnerability Development
  - Reverse Engineering
  - Buffer / Heap Overflows (explain + code + find)
  - Creative Thinking
  - Analytic Thinking
  - Coding / Debugging
- Fuzzing
  - Testing Theory
  - File Fuzzing
  - Protocol Fuzzing
  - SPIKE, Peach, etc.
- Attack Analysis / Forensics
  - IDS / IPS experience
    - Snort / Commercial IDS
  - Honeypots
  - Forensics experience
  - Packet capture and analysis
    - packet dumps, BPF, flows, Wireshark
Great list! I would add that it is very difficult for a single pentester to be an expert in all of these areas (at least I have yet to meet one!). Hence, one of the things that bothers me is when I see a pentest company send one person out to do a two-week penetration test! How could one person be an expert in all of these areas? This is why you should have a diverse pentesting team with experts in most of the ‘major’ areas (Web app, OS-Specific, Networking, scripting/dev) you listed. Other skill sets like vuln development can easily be learned by someone with skills in scripting/development. In general, the more diverse and well-rounded your team is, the better. 🙂
Tom
July 23, 2008 at 12:53 PM
[…] points to 0×0e’s post that puts forward a list of skills that a good pentesting team should have. It is a good list and […]
Interesting Information Security Bits for July 29th, 2008 « Infosec Ramblings
July 30, 2008 at 2:22 PM
Tom,
Definitely, this was aimed as more of a wish-list for a team.
It would be interesting to put together a maturity model for a pentesting team — what skills are absolutely (day-one) necessary for a generic pentest. I guess it depends on the network / idea of a “generic” pentest.
Surely though, there should be some way to boil it down to skills which are more essential:
– networking
– unix / linux
– security mindset
– scripting (debatable, but imo necessary…)
and those that are secondary (again, depending on a lot of factors):
– scripting++
– networking++
– unix-foo
– web-app skillz
etc.
Again, all of this is debatable, and depends on the environment which needs testing.
The goal is to make a list of where anyone interested should focus. The short answer seems to be any of these areas, though some are easier than others…
jcran
September 3, 2008 at 4:45 AM
Thanks
I’m going to print this out.
And learn as many of the things from the list as I can.
For pen-testing and white-hat hacking, this’ll be a good goal to set myself.
Panarchy
September 12, 2008 at 6:01 AM
[…] saw this post on Hexesec the other day that made me think about all the skills that when you put them together could […]
Building the pentest team skillset — spylogic.net
July 15, 2009 at 1:50 AM
What skills should one learn for a future job in penetration testing?…
Technically speaking, the experience that was of the most benefit for me was working as a network technician and later as an administrator for a large windows network. I would suggest getting your hands dirty in technologies that major corporations use…
Quora
April 4, 2012 at 3:48 AM
[…] Resources on What skills should one learn for a future job in penetration testing: https://hexesec.wordpress.com/2008/07/05/pentesting-skillset/ http://pentest.cryptocity.net/ http://www.pentest-standard.org/ […]
What skills should one learn for a future job in penetration testing | Resume Rewriter Free
September 29, 2013 at 6:40 AM
[…] another one i wrote a few (zomg, 6) years back, specific to penetration […]
Getting started in security…. a message to a student | PENTESTIFY
March 7, 2014 at 4:43 PM