The pentester’s career path

Do you know what a pentester does? This is a key profession in the field of cybersecurity. In this post we explain it.

Career development

First of all, a pentester is a cybersecurity professional who executes targeted attacks on a company's IT infrastructure or on any other computer system. These attacks are authorized: companies request these services to check what vulnerabilities their infrastructure has, with an ethical purpose and without truly compromising the company.

This may mean that a cybersecurity-related certification or degree is necessary to practice in this field. However, some professionals in this field do not have formal training to practice as pentesters.

What does a pentester do? 

A pentester's main objective is to help discover vulnerabilities, in both the digital and the physical network, and to recommend solutions to these failures, so that they are not discovered and attacked by a real hacker.

So a pentester has to handle many technical tools like Nmap, Wireshark or for penetration testing to help them look for these vulnerabilities. In addition, they also document the processes and activities carried out to later prepare a report of the entire audit for their colleagues and clients. 

These are some of a pentester's functions:

  • Conducting vulnerability assessments 
  • Network scanning with tools like Nmap 
  • Performing an analysis of network structure and protocols with tools such as Wireshark 
  • Searching for the most typical vulnerabilities in computer systems, such as those in the OWASP Top 10
  • Reviewing large amounts of data related to the company to be attacked, searching for passwords and users
  • Performing privilege escalation, lateral movement, pivoting and post-exploitation

Typical features of a pentester

Now that we know what a pentester does, it is also important to know whether pentesting is the type of job that suits you. This is not a hard and fast rule, but typical qualities are:

Problem-solving ability

A good pentester is someone with a lot of tenacity when it comes to solving problems, who wants to get to the root of a problem and thinks creatively.

Creativity

In order to defend yourself from an attacker, you have to act like one. This requires being able to think beyond scanning for typical vulnerabilities.

Curiosity

In cybersecurity one never stops learning new technologies, vulnerabilities and concepts. It is a very beautiful career, but also a very demanding one.

Within pentesting there are several disciplines: you can specialize, for example, in pentesting web pages or in pentesting networks.

In general, the basic technical skills are: 

  • Network knowledge 
  • Knowledge of Linux 
  • Knowledge of Windows and PowerShell
  • Bash scripting
  • Another scripting language, I recommend Python as it is very versatile 

These concepts can take many months to study. There are also many cybersecurity courses that give you a much more focused guide and make this type of career more enriching and enjoyable.

What does a web pentester need to know? 

Now, if we focus on a web pentester, they must have knowledge of several web technologies: 

  • HTML, CSS and JavaScript: The pillars of website building, HTML, CSS and JavaScript are essential to understanding the basic functioning of web applications. 
  • Server Programming Languages: Knowing languages such as PHP, Python, Ruby, Node.js and Java, which are commonly used on the server side of web applications, is vital to understanding the underlying logic and detecting vulnerabilities.
  • Web Frameworks and Libraries: Pentesters should be familiar with popular frameworks, such as Django, Flask, Ruby on Rails, Express.js, React, Angular, and Vue.js, as they can be vulnerable. 
  • Communication Protocols and Technologies: Working with protocols such as HTTP, HTTPS, REST and SOAP, and related technologies, such as JSON and XML.
  • Databases: Knowing query languages such as SQL and NoSQL, and popular database management systems such as MySQL, PostgreSQL, MongoDB and Oracle, can be useful in identifying SQL injections.
  • Web Content Management: Familiarize yourself with web content management systems such as WordPress, Drupal and Joomla. 
  • Front-End Technologies: Understanding front-end technologies such as jQuery, Bootstrap, ReactJS, and AngularJS can help uncover vulnerabilities related to the client side of web applications. 
  • Web Services and APIs: Familiarity with web services and APIs, including RESTful, SOAP and GraphQL.

Pentesting is a career of constant learning, so it is essential that you like it: cybersecurity never stops changing and evolving, and it is necessary to keep up with this progress.
