Many entering the field of computer security are fascinated with the prospect of working as penetration testers. In your opinion, what are the prerequisites one has to possess in order to become good at this job?
From a personal perspective, an inquisitive mind and thirst for knowledge are critical to perform penetration testing. An inquisitive mind will want to discover how things work and how they can be broken, while a thirst for knowledge will make the long hours of research possible.
From a Human Resources perspective, it used to be that penetration testers had to have years of experience to compete for a spot on a pentest team. Recently, I have seen requests from companies that are looking for college students with zero practical experience to fill security positions. This shift indicates two possibilities: one, that security professionals are in short supply; and two, that pentest engineers can be trained. Not too many years ago, the methodologies behind penetration testing were considered obscure and simply not understood by corporate management. Today, companies are understanding the need for "red team" attacks, and are able to grasp the processes behind such assessments.
In terms of the future, it is probable that the prerequisites for a position as a professional penetration tester will include college and certifications. And speaking of college, I cannot emphasize enough the value of writing and communication. Students interested in becoming penetration testers will spend a lot of their time documenting their findings and explaining the results in a manner that must be persuasive and understandable by those not familiar with information technology. English classes are your friend - trust me.
What are the main ethical concerns surrounding penetration testing?
Sometimes "ethics" is viewed as an obstacle to the actual attacks during a professional penetration test; the idea is that the black hats don't follow any ethical patterns when attacking a system, so ethics can only prevent a "good guy" from really understanding the risks to a system or network. This isn't a strong argument, since there aren't too many restrictions in a pentest, other than those that might jeopardize the continual operation of production systems; even then, the types of attacks that can disrupt a network or system typically fall under the umbrella of Denial of Service (DoS) attacks. The susceptibility of a system to a DoS attack is often a risk that the system owner acknowledges beforehand. Therefore, ethics doesn't really become an overwhelming issue in the actual attacks against a system (other than expanding the scope of the attacks without permission).