Interview With A Senior Penetration Tester

I am currently a Senior Penetration Tester for AppSec Consulting and I was recently asked to conduct initial phone interviews for a new Senior Penetration Tester position we are trying to fill. It’s been a while since I’ve done interviews so I wasn’t thrilled about it but I took some time to think through a few interview questions and began the process. The more I thought about the interview process the more I thought it would be helpful to share the questions I ask and the answers I would expect to receive from a Senior Penetration Tester.

Do you have any publicly available resources that I can review to better understand your skill set?

I want you to say yes and then provide me with a list of those resources. Got a blog, Twitter/Github/Bugcrowd/Hacker1 account, any CVEs? I’m looking for anything that will show me that you are passionate about Information Security and giving back to the community. If you don’t have any bugs under your belt, I’m not really worried about that. I want to see that you are doing some type of research, tool writing, teaching, etc.

Why am I looking for this? Often on a penetration test it is necessary to take a working proof-of-concept and turn it into a useful tool/exploit. In addition, it will often be necessary to supervise Junior testers and guide them down the path they need to take, blogs are a good way for me to determine if you have the communication skills necessary to do this.

Give me an overview of how you would conduct a blackbox external network test or a greybox web application assessment.

I want to hear a detailed list of steps you would take to perform these tests. I don’t care if you pause, say umm, whatever but I don’t want to hear, I guess I would do this or that. If you do not know your test plan off the top of your head or can not articulate it to me then you are not ready to be a Senior Penetration Tester. I realize that every test is different and that some steps will change depending on what you run into but there are certain actions you will always perform and you should be able to express those clearly.

If you are looking at these questions and wondering where all the technical questions are, there are none. I don’t care if you have all of the Nmap flags memorized or know all of the Metasploit modules by heart. What I need to know is if you can size up the situation you are in an make a plan of attack. Reading your blog, looking at your code, or reviewing bugs you have researched will tell me all I need to know on that front.

As I write this post, I realize that the primary difference between a Junior Penetration Tester and a Senior Penetration Tester can be boiled down to autonomy and ownership. For example in my role as a Senior Penetration Tester, I’m typically given a Scope of Work and the client Points of Contact. It is my job to contact the client and verify the scope, make sure they understand the testing I’m doing, and make sure that testing is what they expect. There are times when the Scope of Work and the client expectations don’t match or times when expectations will need to be adjusted mid project. I am responsible for helping the client understand why their expectations need to be adjusted and what their expectations should be.

In addition, when I submit a report, I’m expected to take ownership of that report, I am essentially saying, I performed this test to the best of my abilities and I stand behind the findings, or lack of findings. When a client pushes back on the severity of a finding or asks for justification for my finding, I have to be ready with an answer and I have own that answer.

Am I saying that technical prowess doesn’t play a role in whether a candidate is a Junior or a Senior, absolutely not but technical prowess comes with time and exposure to various networks and systems. I am saying that no matter how much technical prowess you have, if you can not be autonomous and take ownership of your work, you can not be a Senior Penetration Tester in my book.