What Are The Responsibilities of A Penetration Tester
A penetration tester is an ethical hacker that finds and exploits security vulnerabilities inside a web based application, a system or network. In simple words, a penetration tester is a paid hacker. You get tons of penetration tools to work with or you design them yourself and then simulate real life cyber attacks and help your organization improve security by showing them these scenarios.
Penetration testing is kind of cool and boring at the same time. You will mostly be stuck with your PC throughout the day. You are also expected to produce documentation over your findings and the methods you use.
Here is the complete list of responsibilities common with a Penetration Tester.
- Perform penetration tests on systems, networks and web based applications
- Create new tools or tests and use them
- Find out and explain the methods attackers use to exploit system weaknesses
- Help in cost cutting, cost engagement within a security strategy of your company
- Document all your security findings and share it with the senior staff or IT teams
- Make improvements to the security system by enhancing the existing technology or by providing support
- Test physical security of systems, network devices and servers
- Find out security loopholes and fill them up with new password policies and the like
- Define and review the requirements for any new security solution needed
- Provide feedback over security issues to your organization and then opt to fix them
In order to join a company as a penetration tester, you may need to start with the following jobs:
- Network Administrator
- System Administrator
- Network Engineer
- Security Administrator
After that, you can go on for a senior position
- Security consultant
- Security architect
- Senior penetration tester
Penetration testers are commonly also known by the names
- Assurance validator
- Ethical hacker
The median salary of a penetration tester is around $72,878. You should still expect to make around $44,000 – $117,398 in a year.
Most penetration testers hold a specialized degree because ethical hacking is more of a technical skill than a theoretical one. If you have the appropriate job or relevant technical real world experience, then you may not even need a degree to begin with.
If you want to improve your standing, you should go to hacking conferences or do a professional certification on ethical hacking.
Overall you need at least 2-4 years of security related work experience with a lot of practice in penetration testing or vulnerability assessment. If you want to become a senior penetration tester, then you should have at least 7-10 years of experience in penetration testing.
A penetration tester is often compared to a bad guy. This is because as a pen tester, you have to act and think like a bad guy to predict what could come next. Employers demand creativity, curiosity and complex puzzle solving skills in candidates.
You should also have good attention to detail with a little bit emphasis on oral and written communication skills. Some organizations will require you to have a very strong sense of communication skills because you may be required to educate people in your team or organization.
- Unix, Windows and Linux operating systems
- Software systems and Computer hardware
- Security products and tools
- Metasploit Framework
- C,C++,C#, Java and other computer languages like PHP and PERL, ASM etc
- Network scanning tools like Gold Disk, ACAS etc
- Understanding of web based applications
- ISO 27001/27002, SOX, HIPPA, NIST etc
CEH: Certified Ethical Hacker
CEPT: Certified Expert Penetration Tester
OSCP: Offensive Security Certified Professional
GCIH: GIAC Certified Incident Handler
CVA: Certified Vulnerability Assessor
CPT: Certified Penetration Tester
GPEN: GIAC Certified Penetration Tester
CISSP: Certified Information Systems Security Professional
Latest posts by Jake Ciber (see all)
- USA Muni market is slowly paying attention to cyber risks - June 15, 2017
- The cybersecurity industry will face massive worker shortfall by 2022 - June 8, 2017
- Is cybersecurity a threat to our interconnected future? - May 22, 2017