Ten tips after a year of pentesting

For the past years I was very hesitant about my future career choices. Originally, I'm a developer but I liked security and hacking a lot. I was doing all kinds of CTFs in my spare time. For my bachelor degree I had to do a final project (thesis) and thought it might be the best moment to shift into the (professional) security world. I finished my internship at Securify and was offered a job/traineeship. I've learned a lot in the last year and I would like to share some tips. The following tips are in no particular order and might even be applied to some other disciplines.

1) Discuss training opportunities with your boss

Any serious company has a yearly budget for training, conference and certification opportunities. Personally, I was learning a lot already on the job and did not feel like I needed such opportunities. Looking back, I should have at least followed a single training or certification. I would have acquired different knowledge than that is taught in-house with the extra benefit of it being recorded somewhere (CV).

2) Dare to ask for help

We all get stuck at some point. Trying to solve it yourself all the way might be a good trait. However most if not all projects have time constraints. Clients are paying real money. Gone are those student days where we had abundance of time. So ask for help from a colleague in a timely manner. This does not mean we should ask everything and anything the moment we encounter a problem. A minimum of effort is always required otherwise your colleagues might get tired of you. Personally, I'm still trying to find the nice balance between asking too soon or too late. I guess this comes from experience.

3) Argue but listen to what your seniors say

Being considered a "rock star" dev at university and previous internships, I had to get used to being the most junior employee. I had many disagreements with my seniors (and still have). It's only after some time I came to realise that I was wrong on many occasions. I mean some of my seniors were hacking when I was still at elementary school. Listening and being less stubborn is crucial for personal development. I must say that arguing a bit is good since you will better understand the reasoning behind certain decisions even if you don't understand it right away.

4) Avoid client politics

Sometimes we get hired by a client to test a specific product. However all kinds of parties get involved in some projects such as external developers, sysadmins, investors etc... Each party has their own interest or disinterest with such pentests. For example, sometimes external developers or sysadmins are not very cooperative during security assessments. It generates more work for them (security bug fixes) and/or reduces their credibility/trust by the client that hired them to build that product. If you see signs of uncooperative behaviour then do not argue too much with them and always contact the client that hired you. The client should be the main contact person.

5) Avoid overtime work

My pentests were timeboxed. I worked overtime on several occasions for different reasons. Didn't tell anyone. Most of the times it was mainly because I focused too much on certain leads which turned out to be dead ends. You know procrastinating the boring part of pentesting: writing the report. At the end of the pentest, I found myself writing the report late at nights. This is what my boss told me: nobody benefits from this; you, us (the company) and the client alike won't benefit from this. The client and the boss are not paying for the overtime since I didn't register it. The extra amount of work will go unnoticed but the worst thing is: the client will expect the same kind of performance for the same price. If you think you need more time, then report this immediately to your boss/manager. Communication does wonders! The client can be contacted, time can be allocated or the pentest can be re-scoped.

6) Don't procrastinate the security report

I think writing the security report for each pentest is maybe one of the most boring part of the job. This is also exactly why we shouldn't procrastinate this matter. A good combination I found useful was to write part of the report at the end of every day. Say for example in an 8-hour working day, I would do 1 to max 2 hours a day reporting. At the end of the pentest, the report is almost completed and I would have to just write the management summary with some other small details.

7) Write notes during the pentest

Did you find a lead? Maybe even a vulnerability? Write it down immediately. I prefer to use markdown but anything will do even a physical notebook. This can tremendously help when writing the final report. It can also serve as a reminder of what you have tested already and what not.

8) Start automating recurring tasks

Maybe too obvious if you're in IT but still worth noting. If you notice that you're repeating certain tasks with each pentest, then it is time for some automation. Think of creating Word macro's, bash/shell functions, python scripts etc... Creating ready-made templates for reports or code can also boost productivity.

9) Use Burp's highlighting and commenting features

In the beginning I found myself sometimes scrolling through hundreds if not thousands of requests searching for a certain request. Composing regexes based on vaguely patterns I could remember. It is much more efficient to highlight interesting requests directly upon seeing them. Adding comments can also help for future references. It is possible to filter on highlighted or commented requests in Burp. Another work around is to send the interesting request to repeater with a nice descriptive tab name.

10) Make sure to follow the security community

The security world is a fast-evolving sector. Everyday there are new papers being published, tools being made, vulnerabilities being found. The faster you get to know about these updates the better. You don't want to be wasting time on an old tool that keeps crashing while there's a new one out there or miss a critical vulnerability disclosed yesterday. Personally, I started using twitter and followed some guys/organisations that are authors of some of my favourite tools such as Burp, frida and radare2.

Questions or feedback?