I’ve been fumbling together a list of skills necessary to succeed as a pentester. This was prompted by mapping out my own short-term education and by gathering a list of necessary skills for potential hires.
These are the skills I find necessary and want to promote in my own team. I’m curious whether this list matches what you would expect a penetration tester to know.
This list doesn’t focus on important things like the security mindset and other high-level skills like communication, organization, and discipline. It also stays away from specific technical (attack) tools and techniques. Its main goal is to establish a minimum understanding and capability baseline for a pentesting team.
- General / Overall
  - Project Management – start, maintain and complete a project
  - Toolkit and Exploit Management – maintain a useful set of tools
  - Education – stay up to date, learn new concepts (books, people, training)
  - Teaching – explain new concepts, publish information
  - Research – own a topic or research area
  - Bullshit Management – ability to work in close quarters
- Auditing
  - Law / Regulation Knowledge
    - HIPAA, FISMA, GLBA (high-level regulations)
    - ISO 17799, ISO 27002 (IT standards)
    - PCI, COBIT (lower-level guidelines)
    - CISSP Domains
- Writing
  - Technical writing ability
  - Ability to analyze & correlate information
  - Ability to reconstruct a narrative from technical information
- Social / People Skills
  - Common Sense – finding the quickest, easiest solution to the problem at hand
  - Social Engineering
- Searching / Information Gathering
  - Research Skills
  - Google Hacking
  - Recon Techniques
  - Information Correlation
- Attack Modeling
  - Risk and Threat Modeling
  - Attack Modeling
  - Security Mindset
  - System Decomposition
- Web Application Skills
  - General Development and Testing
  - AJAX
  - Design Patterns (MVC) – Ruby
  - JavaScript Debugging – Venkman, Firebug
  - Web Services – REST, XML-RPC, SOAP, JSON
  - Web-Specific Languages – ASP, PHP, JSP, ColdFusion
  - Web Frameworks and Platforms – ASP.NET, J2EE
  - Database Administration
  - SQL / Data Query
- OS-Specific Skills
  - System Administration
  - OS Theory
  - System Architecture
  - System Security Models
  - Filesystems, Networking, I/O
  - Startup / Shutdown
  - Analysis (dump, debugging, memory, forensic)
  - Management + Maintenance
  - Windows
    - Active Directory
    - Exchange / OWA
    - SQL Server
  - Linux / BSD
    - Apache
    - MySQL
    - Sendmail / Postfix
    - Package Managers
  - OS X
  - AIX / Solaris / Unix
  - Kernel / POSIX
  - System Programming
- Networking
  - Networking Theory
  - Protocol Theory
  - Routing and Switching
  - Cisco & Juniper
  - Firewalls
  - Embedded Devices
- VoIP / Voice Skills
  - PSTN experience
  - Routing + Signaling Protocols
- Scripting Skills
  - Bash, etc.
  - Perl, Python, Ruby
  - PHP, ASP
  - Batch, VBScript, PowerShell
- Hardware Hacking
  - Embedded Devices
  - Electronics Theory
  - Secure Design of a System
- Wireless
  - WEP / WPA / WPA2
  - Packet Injection
  - Hardware / Driver knowledge
  - Basic Encryption
    - Symmetric ciphers
    - Asymmetric ciphers
  - 802.11
  - Antenna Theory
- Mobile Networking
  - CDMA, GSM, Mesh Theory
- Development
  - Coding
    - Regular Expressions
  - Development
    - Design Patterns
    - Development Methodology
    - Version Control
    - Database Design
  - Language
    - C / C++, Java
    - C# / .NET Framework
- Vulnerability Development
  - Reverse Engineering
  - Buffer / Heap Overflows (explain + code + find)
  - Creative Thinking
  - Analytic Thinking
  - Coding / Debugging
- Fuzzing
  - Testing Theory
  - File Fuzzing
  - Protocol Fuzzing
  - SPIKE, Peach, etc.
- Attack Analysis / Forensics
  - IDS / IPS experience
    - Snort / Commercial IDS
    - Honeypots
  - Forensics experience
    - Packet capture and analysis
      - packet dumps, BPF, flows, Wireshark
Great list! I would add that it is very difficult for a single pentester to be an expert in all of these areas (at least I have yet to meet one!). Hence, one of the things that bothers me is when I see a pentest company send one person out to do a two-week penetration test! How could one person be an expert in all of these areas? This is why you should have a diverse pentesting team with experts in most of the ‘major’ areas (web app, OS-specific, networking, scripting/dev) you listed. Other skill sets like vuln development can easily be learned by someone with skills in scripting/development. In general, the more diverse and well-rounded your team is, the better. 🙂
Tom,
Definitely, this was aimed as more of a wish-list for a team.
It would be interesting to put together a maturity model for a pentesting team: what skills are absolutely (day-one) necessary for a generic pentest. I guess it depends on the network / idea of a “generic” pentest.
Surely though, there should be some way to boil down to skills which are more essential:
- networking
- unix / linux
- security mindset
- scripting (debatable, but imo necessary…)
and those that are secondary (again, depending on a lot of factors):
- scripting++
- networking++
- unix-foo
- web-app skillz
etc.
Again, all of this is debatable, and depends on the environment which needs testing.
The goal is to make a list of where anyone interested should focus. The short answer seems to be any of these areas, though some are easier than others…
Thanks
I’m going to print this out.
And learn as many of the things from the list as I can.
For pen-testing and white hat hacking, this’ll be a good goal to set myself.