There is value in becoming a fully-integrated tester…

...pentester should strive to move from 'vulnerability' to 'risk'.


What’s integration? Here’s one (very rough, high-level and extremely simplified) example from the FMCG (Fast Moving Consumer Goods) industry.

Every finished product depends on some raw materials. Raw materials are bought (from other suppliers), processed, packaged as a product, and then sold.
When a business starts producing those raw materials itself, you can say that it is integrated.

Now onto testing (security assessment).

Here are the various activities that happen around (and including) the assessment:

  1. marketing assessment services
  2. meeting potential customers, pitching assessment services
  3. preparing and submitting proposals (to potential customers who ask for one)
  4. plan for the assessment (scope, number of resources, who will do what, etc.)
  5. execute the assessment
  6. write the report
  7. present the report, highlight major risks to customer infra, app, and data; answer any questions that the customer may have, defend your findings
  8. project closure steps (store all assessment data into a secure location, remove customer information, add test cases to your repository, plan for a blog post on company portal, etc.).

Have you noticed (if you are still with me, that is) that assessment is only 1 among many activities done for a successful project?

Here’s another breakdown of the assessment activity.

  1. identify vulnerabilities
  2. prepare exploit(s)
  3. exploit
  4. assess the risk (what’s the impact when the vulnerability is exploited in the current environment, not just any environment).
  5. document the risk appropriately.
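To make step 4 concrete (risk in the current environment, not just any environment), here is an added example that is not part of the original post. It is a deliberately simplified, hypothetical risk model: the weights, the two environments and the finding are constructed for illustration, not taken from any standard or from the author. The point it shows is that one and the same technical finding produces very different risk statements depending on exposure, data sensitivity and compensating controls, and that the output is a sentence management can act on.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical, simplified model (constructed for this example):
# technical severity is context-free; risk is that severity re-weighted
# by the environment the finding actually lives in.


@dataclass
class Finding:
    title: str
    base_severity: float  # 0.0-10.0, context-free technical severity


@dataclass
class Environment:
    asset: str
    internet_exposed: bool
    data_sensitivity: str  # "public", "internal" or "regulated"
    compensating_controls: List[str] = field(default_factory=list)


# Constructed weights; a real engagement would agree these with the customer.
IMPACT_WEIGHT = {"public": 0.3, "internal": 0.6, "regulated": 1.0}
CONTROL_DISCOUNT = 0.15   # likelihood reduction per compensating control
LIKELIHOOD_FLOOR = 0.1    # a reachable finding is never "impossible" to exploit


def assess_risk(finding: Finding, env: Environment) -> Tuple[float, str]:
    """Return (risk_score, rating) for this finding in this environment."""
    likelihood = finding.base_severity / 10.0
    if not env.internet_exposed:
        likelihood *= 0.5            # internal-only reachability halves likelihood
    likelihood -= CONTROL_DISCOUNT * len(env.compensating_controls)
    likelihood = max(LIKELIHOOD_FLOOR, likelihood)
    impact = IMPACT_WEIGHT[env.data_sensitivity]
    score = round(10.0 * likelihood * impact, 1)
    if score >= 7.0:
        rating = "Critical"
    elif score >= 4.0:
        rating = "High"
    elif score >= 2.0:
        rating = "Medium"
    else:
        rating = "Low"
    return score, rating


def document_risk(finding: Finding, env: Environment) -> str:
    """Step 5: one line a manager can read without a vulnerability lecture."""
    score, rating = assess_risk(finding, env)
    controls = ", ".join(env.compensating_controls) or "none"
    exposure = "internet" if env.internet_exposed else "internal only"
    return (f"{rating} risk ({score}/10): {finding.title} on {env.asset}; "
            f"exposure={exposure}, data={env.data_sensitivity}, "
            f"compensating controls={controls}")


# Constructed sample: the same finding in two different environments.
FINDING = Finding("SQL injection in product search parameter", base_severity=8.0)
EXPOSED_ENV = Environment("public web shop", internet_exposed=True,
                          data_sensitivity="regulated")
INTERNAL_ENV = Environment("staff intranet portal", internet_exposed=False,
                           data_sensitivity="internal",
                           compensating_controls=["WAF", "network segmentation"])

if __name__ == "__main__":
    print(document_risk(FINDING, EXPOSED_ENV))   # Critical risk (8.0/10) ...
    print(document_risk(FINDING, INTERNAL_ENV))  # Low risk (0.6/10) ...
```

The identical finding rates Critical on the exposed, regulated-data system and Low on the segmented internal one. That gap is exactly what a report that stops at "vulnerability" never communicates.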

What does it mean? Customers don’t pay to know about vulnerabilities that lurk in their infrastructure or app. They want to know about the risk that is inherent in their infrastructure or app.

Most testers don’t want to assess risk. Reasons range from 'don’t know how to do so' to 'expectations must align with payment'.

There is huge value in knowing how to do all activities. 

  1. It makes you more aware of how each step affects those before and after it, which will bring more nuance to your delivery, and
  2. The skill will affect the outcome (from ‘vulnerability’ to ‘risk’). Discussion of ‘vulnerability’ needs lots of explanation to management. In contrast, management understands ‘risk’ (hint: risk management is what business is all about).
  3. Eventually, all this results in a satisfied customer, which usually results in more money down the line.

Happy customer, repeat customer, more business, good referral, etc.

Strive to be a fully-integrated security assessor, not just a tester.

At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.
