Discover the pentester (penetration tester) job: tasks, educational background, skills, salary and job opportunities at AViSTO. It is also possible to submit an unsolicited application.
Pentester is the contraction of "penetration tester". The role of this IT security professional is to find all the security vulnerabilities in a system and then perform intrusion tests, in other words, full-scale, controlled attacks.
The term vulnerabilities are to be taken in a broad sense: it is not necessarily a security breach making it possible to remotely take control of a machine, which is the ultimate flaw, but more simply the disclosure of information by a system that can give indications to a hacker to develop his attack.
Pentester Job Description
The activity of a pentester is to control the security of a whole set of web applications. We can mention mobile applications, the back end of websites that record credit card numbers, etc.
Let's take the example of a server:
- It all starts with passive recognition, without sending any requests. The pentester will search information on the Internet about its target. For example, he will explore potential messages posted on GitHub about requests for help with problems on the server being studied. Sometimes these messages contain screenshots that display "normal" account credentials and passwords, or even accounts with privileges, such as an administrator account.
Another example: this IT security professional will consult job offers or internships of the company using the server studied, looking for information on the software used, as well as the skills implemented by the teams.
- Next, the pentester will scan the server for its IP address, open ports, and so on. ; these are very classic actions.
As part of the study of a web application, he will create accounts, request a change of password, enter data etc.
- Thanks to the information gathered during these first two stages, the Pentester will define the level of criticality of the faults found and focus on some of them. He will then prepare an attack in the form of a proof of concept: it is not to go as far as a hacker, but rather to prove the flaw in a secure setting defined in connection with software QA, e.g. software quality assurance specialists from the audited company. More specifically, the intrusion test will be performed and a simple file will, for example, be deposited on the server.
- Finally, once the report of the intrusion test has been written, the pentester will present its conclusions to the team responsible for the server.
Become a Pentester
To become a pentester, you can follow a computer engineering school with a cybersecurity specialization, or an equivalent master course in a university.
But that's not the only way possible: pentester is a new job, and many self-taught people have been able to learn from information found on the Internet and a lot of practice.
Finally, stories of ancient hackers turned into pentesters also exist. But it is not easy to convince the ethical nature of one's approach when the red line has already been crossed in the past.
The skills of the pentester are numerous and particularly extensive.
In general, it can be said that one needs to have solid knowledge in network, computer security, and software development; in short, you need to know the systems you are going to tackle!
To this theoretical base, one must add a lot of practical knowledge that can only be acquired through experience. A good way to start is to participate in "Capture the flag" events, where the goal is to find and exploit the vulnerabilities of a system in order to get penetrate it. You then get flags, as a proof of the intrusion. To win this type of contest, you have to know a lot of "tricks" and know how to reuse them whenever possible.
Furthermore, penetration testing is most often done in an automated way with software applications, it is, therefore, necessary to know how to program, for example in Python. Good knowledge of Linux and its security-oriented distributions (eg Kali Linux) is also very useful.
At the human level, soft-skills and a dose of psychology are essential to present the flaws of a system to the team that conceived it and lead them to modify it without provoking counter-productive oppositions.
Finally, you need to have strong personal ethics, which is essential to evolve in the field of computer security.
In France, the salary of a pentester at the beginning of his career is generally between 33K € and 36K€.
Pentester job opportunities
You can apply on our job board spontaneously or in response to an offer. Do not hesitate, your application will be systematically studied!