We continue to recap sessions from this year’s SecTalks virtual conference by sharing insights from our panel of pentesters. In this session, we invited top members of the Cobalt Core—our community of highly-skilled pentesters from around the world—in order to showcase the talent that we work with and bring forward key learnings from their expertise.
Meet the Pentesters
Who are they?
- Aditya Agrawal, who has over five years of experience in the security industry and has been a member of the Cobalt Core for 2 ½ years.
- Stefan Nicula, a threat researcher and pentester with 5+ years of experience who joined the Cobalt Core in 2018.
- Dan Beavin, who has 8+ years of experience in security operations and red team/offensive security and has been part of the Cobalt Core since 2019.
How did you get into security and pentesting?
Aditya’s fascination with security started back in 2012 when he discovered he could find vulnerabilities to systems “just like we see in the movies.” For Dan, his start in security began at his first job when he volunteered to take on identity and access management work. Stefan began by studying program languages, operating systems—among other things—looking to learn as much as he could about security.
What do you like about being part of the Cobalt Core?
The panelists agreed that having the opportunity to work with other pentesters from around the world—and the diverse and collective knowledge that comes with it—is one of the best things about being a part of the Cobalt Core. They emphasized that their exposure to different skill sets and mindsets has been very beneficial, especially, Stefan adds, when working closely with clients. They also appreciate Cobalt’s overall collaborative culture.
How They Pentest
What are your favorite targets to test?
Every pentester has their favorite vulnerability to chase after. Aditya says that his go-to target is always authorization access control issues because they are consistently vulnerable to human error. Stefan notes that he looks for out-of-bounds expectations and getting to know the data—its applications and how it’s being processed. Dan focuses on the business-logic side by looking for exploits that will have an impact on the business. He says that because vulnerabilities can impact the entire organization, this is a way to get people who are not normally security-minded to think more about security.
How do you combine vulnerabilities to increase impact in your pentest engagements?
Every pentest engagement uncovers new vulnerabilities. Even when the vulnerabilities are not as critical, it’s important to convey the impact to the client. As Dan mentions, four or five low criticality vulnerabilities can actually translate into much higher risk than what they show individually. It’s about chaining the different vulnerabilities together to show their impact as a whole.
What are the biggest roadblocks you come across when pentesting?
For Dan, one of the biggest challenges is getting around access controls, especially when you start breaking those accounts up and doing role-based access control. For Aditya, it’s testing the custom applications, the ones that are developed in an unusual way, that can be a challenge. For Stefan, it’s the complexity of authorization tests.
Advice for Security Teams
How can you increase communication during a pentest engagement?
For security teams to maximize the results of their pentest engagements, one of the most important elements to focus on is communication. The panelists agreed that holding a kickoff meeting a few days prior to the start of the test is key. It’s a valuable time for customers to ask any outstanding questions, ensure that the brief is detailed and well-explained as well as clarify any no-testing windows.
Dan adds that it’s important to provide pentesters with enough information to do their job well. Sometimes security teams are reluctant to share what they have, thinking that in the real world an attacker might not be privy to all that information. However, it’s not just the outside attackers they should worry about. He says you also have to pay attention to malicious insiders who do have that information.
Why is scope important during a pentest?
Another way for security teams to optimize their pentest engagement is to be transparent about the scope of the project. Stefan highlights that transparency about where the target is located is critical, especially with complex applications. The panelists agreed that in order to avoid scope creep throughout the project, security teams should present pentesters with a full view of the applications from the beginning.
Advice for Other Pentesters
How do you stay informed and continue learning?
Because the cybersecurity domain is constantly changing and evolving, it’s important for pentesters to stay up to date on their techniques. Aditya recommends finding your specific area of interest—your “sweet spot”—and honing in on it. In terms of where to look for information, the panelists noted that capitalizing on free online resources—such as academic white papers, journal articles, books and even social media—are good ways to explore new content and the latest testing techniques. Dan notes that if you’re looking for a more standardized classroom-type training, uLearn offers valuable content and training courses.
How can you grow from a junior to a senior pentester?
For those looking to develop their pentesting skills or grow from a beginner to a senior pentester, the panelists suggest finding an area you’re interested in and then learning as much as you can about it. And, as Dan points out, it takes time to learn how to do this; you’re not going to become an expert overnight. Certifications, like the eLearnSecurity Junior Penetration Tester (eJPT), can be one way to enrich your resume, but the most important thing is being able to showcase your knowledge and skills.
Watch the live recording of this discussion and learn more about the event host, Cobalt’s Pentest as a Service (PtaaS) Platform.