Penetration testers are now a critical part of effective, secure IT. As noted by Info Security Magazine, good pen testers are now few and far between as the cybersecurity skills gap widens and the sheer volume of malicious attacks increases. What’s more, many companies have unrealistic expectations when it comes to penetration tester experience and expertise, meaning some qualified candidates never see the inside of an interview room.

Want to land a new position as a penetration tester? Let’s dig in and discover what you can do pre-interview to improve your chances and what type of questions you can expect when you’re face-to-face with corporate recruiters.

Qualifications and Keywords
One problem faced by potential pen tester applicants is getting their resume through HR and into the hands of an IT expert. Just like everything in the digital world, potential testers must leverage the right keywords to get noticed — the InfoSec piece notes that applications lacking high-priority keywords are often overlooked. Best bet? Along with the basics — penetration testing, pen tester, vulnerability testing — also include specific mention of common attacks you can help mitigate, such as SQL injection, XSS and BEC.

Another way to keep your resume front and center? Make sure you’ve got the right qualifications in addition to two-plus years of practical experience. These include:
- Certified ethical hacker (CEH)
- Certified penetration tester (CPT)
- GIAC Certified penetration tester (GPEN)
- Offensive security certified professional (OSCP)
- Certified information systems security professional (CISSP)
What are interviewers going to ask you when you sit down for a pen testing interview?

First, know that part of the interview will probably be hands-on. Interviewers will hand you a whiteboard marker, give you space to work and ask you to solve a problem. There’s no specific question list here — just make sure you do some whiteboard practice ahead of time and be prepared for the stress of it all to make you forget one or two essential details.

The most important thing to remember? Be upfront. If you can’t remember something, tell the interviewer and find another way to solve the problem. They’re not looking for perfection here; they’re looking for someone willing to work until they find a creative solution.

Now, the questions. Expect to hear things like:
Interviewers aren’t asking for an opinion here — although there might be a corporate preference — they’re looking to see if you can quickly articulate common strengths and weaknesses of both operating systems. For example, Windows lacks customization but comes with automatic, ongoing support while Linux offers a greater range of commands and leverages the double-edged sword of open-source code.
- What’s your penetration process?
Every pen tester has their favorite tools — Metasploit, Wireshark, Retina to name a few — and prefers those over other options. Expect a question about which tools you use, why, and what your start-to-finish penetration process looks like. There’s no “right” answer here, but be prepared to field questions about why you prefer specific tools over others, and whether you’d be willing to change your process.
- How will you protect data before, during and after testing?
If you can’t protect data before, during and after a pen test, you’re not ready for the job. Expect questions about how you will handle sensitive corporate information and safeguard test environments from potential compromise. For example, you might be asked how you’ll communicate your findings to C-suite executives and IT admins after the test is complete.

Pro tip? Don’t say “email”; if attackers manage to compromise mail accounts, they gain instant access to a ready-made list of your client’s network vulnerabilities. Instead, deliver reports over SFTP or a file-sharing tool that encrypts data in transit with SSL/TLS.
- How does SQL injection work?
You might also get asked about XSS attacks, account takeover or phishing attacks, but given the ubiquity of SQL, it’s a safe bet you’ll hear at least one question about SQL injection. So, make sure you’re able to accurately describe the anatomy of an SQL injection attack and demonstrate one if asked: malicious actors leverage input fields whose contents are spliced unescaped into a query to execute unwanted commands, gain access to resources and potentially compromise databases.
- I don’t know much about IT. Explain what you do.
Seems strange, given that you’re interviewing for an IT position, but as noted by Dark Reading, communication is now a critical part of the process. Highly-skilled pen testers who can’t explain — in plain language — what they do and why it matters won’t be able to make a compelling business case to C-suite members or effectively communicate to other IT staff what improvements must be made. In a world where IT is now a critical facet of long-term ROI, “soft skills” such as non-technical communication are essential.

Looking to nail the interview and secure a pen tester position? Don’t go it alone — get the skills, knowledge and interview prep you need with industry-leading IT career path planning