Pentester worden: hoe doe ik dat?

As companies of all sizes increasingly encounter Cybercrime, penetration testing (pentesting) is increasingly important. After all, discovering vulnerabilities so security teams can be prepared for attacks is invaluable. But how can people interested in pentesting enter the field and really make a difference in digital security? We visited Ruben Homs, one of our pentesters, with some frequently asked questions to find the answers.

Where should I start to become a pentester?

This is a question Ruben encounters regularly; after all, building the basics is not exactly cut-and-dried. Ruben recommends participating in various learning programs to become a student (again) in a sense, regardless of background and degrees. After all, the technologies and risks involved in Cybersecurity are endless. This means that anyone determined enough to do the necessary research can make the switch to pentesting.

Spartel offers a number of bootcamps to teach new skills to security professionals of all levels. Other organizations such as Hack the Box and Google Gruyere offer opportunities to learn and develop new skills. For demonstrable knowledge and expertise, accreditation is also very valuable; consider the Offensive Security Certified Professional (OSCP) certificate offered by several institutions in the Netherlands.

There are more and more programs for high school and university students that allow them to learn more about Cybersecurity and pentesting. A good example is the Associate Degree Cyber Security at the Hogeschool van Amsterdam, which provides a hands-on starting point for future Cyber specialists. The Cyber Security seminar provided by Radboud University, which highlights various pentesting techniques, is also an interesting entry point for future pentesters.

How can I further develop my skills?

Once you've entered the field of pentesting, there are several ways to keep your skills sharp. For example, it's always a good idea to learn new programming languages. Although there is no "most important programming language," Ruben recommends scripting languages like Python because knowing them makes it easier to create tools for pentesting on the fly. It's never a bad idea to know as many programming languages as possible, because it covers both reviewing existing programs and building new ones. Knowledge of HTML, Javascript and PHP can also be very valuable, as it is a common programming language and offers many opportunities for further learning experiences.

Participating in Capture-The-Flag competitions is a practical way to gain new knowledge and experience. In a CTF challenge, you must penetrate an insecure system that has been intentionally made vulnerable. A true pen test, however, involves testing a complex system that is usually protected by a team of security specialists (blue team). The practical difference between these? There are rules and restrictions on what pentesters are allowed to attack, followed by many whys and hows. These are known as the "Rules of Engagement. This means that someone who simply wants to gain practical experience is not allowed to simply perform a "real" pen test on any system.

The characteristics of a Cyber Specialist

Collaboration is in the nature of the Cybersecurity community, which makes it easier to continually improve. Indeed, open source tools and important Cybersecurity-related documentation abound. For example, the INFOSEC community is a popular source for finding new tools and perspectives. This means that good research skills are extremely important for a pentester who wants to keep improving; the knowledge is there, but the challenge lies in finding it.

Technical skills, by the way, are not the only indicators of success for someone who wants to be a pentester. In fact, Ruben emphasizes that personal skills also play a big role. An important example of this is determination to keep going despite adversity. However, a pentester must also be willing to ask for help when needed. Finally, adaptability and the ability to learn on-the-fly are great skills for a pentester. Of course, these are skills that can be learned and improved in practice.