Penetration Testing mailing list archives

Re: Evaluating Pen Testers


From: van van <pentester () gmail com>
Date: Tue, 20 Apr 2010 16:17:54 -0700

Pen-testers fall into two categories, and it's a big difference.
One is to find published issues in a product/website. The other is
to find unknown issues (0-day bugs). The latter is even more
difficult.

More and more companies love to hire the latter kind to do a final
product review to find the potential problems. To interview this kind
of pen-tester, you don't need to ask him about security knowledge at all.
Just ask him some Assembly/C language and TCP/IP questions, and you will
know whether he is good or not. With a solid Assembly/C and TCP/IP background,
one could easily understand lots of pen-tester knowledge after short
training. On the other hand, if one could not understand Assembly/C
and TCP/IP, who believes he could find a 0-day bug (a script kiddie?)?

Also, the interviewee's background in code review is very
important. Just give him some pieces of code with security bugs, and
ask him what the problem is.

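The code-review exercise the poster describes, as an added example that is not part of the post or the list archive: a small C record parser with a length-handling bug, placed beside the version a candidate should propose. The wire format (2-byte big-endian length plus payload), the function names and the sample messages are assumptions constructed for the exercise; the "flawed" function is the snippet under review and is never fed untrusted data here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for the exercise: a 2-byte big-endian length
   followed by that many payload bytes, copied into a fixed-size record. */
#define PAYLOAD_MAX 16

struct record {
    uint8_t payload[PAYLOAD_MAX];
    size_t len;
};

/* Exercise snippet handed to the candidate. It trusts the length field
   read off the wire, so a peer can make memcpy() write past payload[]
   and read past the end of buf. Kept here only as the code under review;
   it is not called on any input in this program. */
int parse_record_flawed(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 2)
        return -1;
    uint16_t declared = (uint16_t)((buf[0] << 8) | buf[1]);
    memcpy(out->payload, buf + 2, declared);  /* BUG: no bound on declared */
    out->len = declared;
    return 0;
}

/* Model answer: the declared length must be checked against both the
   destination capacity and the bytes actually received. Return codes:
   0 ok, -1 header missing or bad pointer, -2 exceeds destination,
   -3 exceeds input. */
int parse_record_checked(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;
    uint16_t declared = (uint16_t)((buf[0] << 8) | buf[1]);
    if (declared > PAYLOAD_MAX)
        return -2;                  /* would overflow payload[] */
    if ((size_t)declared > buflen - 2)
        return -3;                  /* would read past the received bytes */
    memcpy(out->payload, buf + 2, declared);
    out->len = declared;
    return 0;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t msg_ok[]        = {0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t msg_oversize[]  = {0x10, 0x00, 'x'};        /* declares 4096 bytes */
static const uint8_t msg_truncated[] = {0x00, 0x08, 'a', 'b'};   /* declares 8, carries 2 */

/* Runs the checked parser over the samples; returns the number of
   results that differ from what the model answer should produce. */
int review_checks(void)
{
    struct record r;
    int failures = 0;

    if (parse_record_checked(msg_ok, sizeof msg_ok, &r) != 0 || r.len != 3 || r.payload[2] != 'c')
        failures++;
    if (parse_record_checked(msg_oversize, sizeof msg_oversize, &r) != -2)
        failures++;
    if (parse_record_checked(msg_truncated, sizeof msg_truncated, &r) != -3)
        failures++;
    if (parse_record_checked(msg_ok, 1, &r) != -1)
        failures++;
    return failures;
}

int main(void)
{
    printf("checked parser: %d unexpected results\n", review_checks());
    return 0;
}
```

A candidate who spots only the destination-capacity check misses the second bug: the oversized and truncated samples fail for different reasons, and a reviewer would expect both checks to be named.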