Professional Soldier

Wed, 23 Jul 2008 15:44:48 GMT
by pdp

I would like to draw a simple analogy between professional soldiers and professional penetration testers. I find a lot in common between them, and I believe that this exercise may help some members of the audience clarify their understanding of our industry.

We will drill into several categories where both professions will be compared to each other:

Skills

Both professional soldiers and penetration testers have a professional set of skills built over years of experience. Although the soldier/pentester can be a specialist in several areas of combat, s/he is extremely capable in a few areas of interest. That could be foreign weaponry, tactics, vehicles, etc. when it comes to soldiers, or information gathering, infrastructure testing, application testing, etc. when it comes to penetration testers.

Nobody is good at everything. This is why both professions are based around the idea of working in teams.

Weapons

Professional soldiers use professional tools. They can probably wipe out a small army with a knife, à la Chuck Norris and Steven Seagal, but that is beside the point. Professional soldiers can afford the toys. This is what makes them professionals and this is what differentiates them from the rest.

If you are a professional penetration tester, you should stick to the same principle. Very few of us can afford to have a range of the best penetration testing tools, which usually cost too much money. We say that if you are a good hacker then you can hack with just telnet, but that is beside the point. If you want to be treated as a professional, you have to project an image of professionalism.

You have to learn that no tool will make you redundant. The nuke did not make soldiers redundant. However, you have to equip yourself with the best tools if you want to play the game, and having Nessus and Backtrack won't cut it.

Professionalism

If you screw up then it is very hard to pick yourself up. This applies mostly to professional soldiers. I guess they have more at stake than us. However, penetration testers should not feel like an exception to this principle. This is a rudimentary ideal which all of us should follow.

If you want to become a professional penetration tester, then learn how to build and encourage professionalism in yourself and your clients. This means that you have to pay attention to all details but, most of all, strive to provide a quality service.

Archived Comments

Mike
If price was no object, what are some of the tools a professional pen-tester ought to be using?
CG
I see where you are going with the post but you are missing some important points. Assuming professional soldiers are not mercenaries but rather are part of some sort of military of a country or nation state, there are several things in place that try to ensure a certain "quality of service" with soldiers that doesn't exist within the security or professional penetration testing community. These "things" include ENFORCEABLE standards of behavior, rules and regulations (also enforceable--usually at a more severe level than that of civilian law), oversight, governing body or chain of command, and required mandatory training to become a soldier. You could argue both ways about training...that hackers can be self taught, don't need certs, yadda yadda. For the sake of brevity I'll just say there are no currently AGREED UPON or formal training paths that guarantee a minimal level of competence for penetration testing like military basic training and occupational specialty training. Lastly, I don't know of any army or military that works "for profit", meaning they always operate at a loss in business terms. That in itself allows for much more money and time to be spent on creating professional soldiers, where that business model won't work for any type of for-profit pen-testing consultancy. Your comments in italics are right on. We as a community should start policing ourselves, possibly starting with defeating this notion that someone can pass an exam and go to work penetration testing. Just because you passed your hacking certification of the month doesn't make you ready to go out there and actually do it. Which goes right back to having some sort of governing body, enforceable standards of conduct and behavior, and required training (lasting longer than some IT Cert bootcamp).
Adrian 'pagvac' Pastor
Hey pdp, you know I love this topic of conversation; it is one of my faves :). We should also talk about the similarities between hacker/researchers and the masters who used to build samurai swords (as opposed to the warriors who use them in battles).
warrior/soldier -> pentester/cracker
military scientist/weapon crafter -> hacker/security researcher
M Dundas
I agree with your "Nessus and Backtrack won't cut it" comment ... I think .... are you saying that in order to be a 'professional' penetration tester you have to have commercial versions of penetration testing software and that open source is not adequate enough, or just that other tools besides "Nessus and Backtrack" are required?
pdp
yes, this is exactly what I mean...