Reporting: The Difference Between Good and Great Penetration Testers
February 22, 2012
One of the things that we are frequently asked at The Hacker Academy is to define what makes a really great penetration tester. And I’ve heard a lot of opinions. The really technical people out there think that it’s their ‘31337 hax0r skills’ (“Dude, you should see how sick my shellcode is…”). But in my experience, that’s not it.
When I look at what differentiates the average penetration tester (and penetration test itself) from the truly great one, it’s not usually the quality of the technical results. Sure, if you’re working with a really high-end technical firm you might get a couple more interesting findings than an average one. But, on the whole, that doesn’t matter much.
In almost every case I’ve seen over the last 15 years in this industry, the primary differentiators for great penetration testing come down to two factors:
- The quality of the analysis of the findings and their application to the client’s reality
- The ability of the report writer to convey their message
Amazingly to me, almost nobody teaches that stuff. If you read all of the books and methodologies on penetration testing, the amount of time spent on reporting and relating data to the client is completely dwarfed by the amount of time spent on learning the intricacies of Metasploit.
Because of that, we’re actually going out to teach some “in person” classes this year. THA is primarily focused on cloud-based instruction, but this is a topic I consider important enough to go out and actually teach on a one-to-one basis, starting in a couple of weeks as one of the dojos at CanSecWest.
We’re really excited to be working with Dragos and his team to offer what we consider to be a revolutionary class to such a high-quality forum – I can’t wait to get there and share! After teaching a few private clients this material, the response has been overwhelming. One information security manager who took the class told me that she’d finally be able to understand and critique the reports that her vendors were giving her. And one of the actual testers in the class told me that he considered it to be the most valuable training he’d ever had in the industry.
I have to admit… when you read the list of dojos at CanSecWest, it might be tempting to overlook “Penetration Test Analysis and Reporting”. But I believe it’s probably the most important class you’ll ever take if you’re a tester or if you work with testers (and get their reports) on a regular basis.
If you’re going to be in Vancouver, I’d love to see you there.
As a sneak preview… If you want an idea about what kind of content will be involved, we recorded a webinar last year on the topic:




Everything you say, Mike, I have wanted to say a thousand times to a hundred different geeks. There was a lot of head bobbing and shouting of ‘amen’ and ‘preach it brother’ on this end of the webinar.