Professional penetration testing is about helping the client better understand and secure their network and systems. We are not there to make them secure their network - that is a business decision that the client's management needs to make for themselves. Because we are simply an audit tool in the eyes of our client's management team, it can be frustrating to see our remediation suggestions ignored; but that is how business works.
I would also like to explain that penetration testing is a lot of work, and involves a lot of research and learning. Keeping up with security trends, reading about the latest exploits, setting up a lab and recreating exploits, and documenting findings can be taxing on a person's time, especially if one wants to maintain their skills and be an asset to the team.
How long did it take you to write Professional Penetration Testing: Creating and Operating a Formal Hacking Lab? What was the writing process like?
The book took about a year from inception to print; however the training videos on the accompanying DVD had already been developed as part of the online classes at Heorot.net. The book was originally intended to support the training on the DVD, but it took on a life of its own. I ended up writing the book more as a college textbook, that would take the reader from conception to conclusion of a professional penetration test. The impetus behind writing the book in this manner was that I needed a solid textbook to use in my own college classroom at Colorado Technical University, where I teach students how to conduct a professional penetration test. As a result, the book and DVD can be used independently from each other, or together to provide a deep understanding of penetration testing and methodologies.
What new things did you learn while writing the book? How did the technical reviewers help shape the material?
Jan Kanclirz, my technical editor, was extremely helpful in strengthening different aspects of the book. It is a great benefit to having multiple inputs into any project, especially a book. Everyone tends to get myopic when working on a specific task, which is why I promote a more agile approach to projects, not just writing books.
What are your future plans? Any new books in the works?
I am a big believer in giving back to the hacker community, and plan on writing more, offer more security training classes, as well as expand on my current Open Source projects. I feel that hacking in general, and penetration testing specifically, are worthwhile causes that need more positive media attention. We'll see what comes of that in the near future.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.