Pen Tester Candidates: What to Expect in the Interview
Dice
Over the past several years, penetration tester jobs have become some of the most sought-after positions in cybersecurity, as attacks against organizations continue to increase and security and risk management remain front-line concerns for corporate leaders.
On the security job board CyberSeek, a joint initiative of the National Institute of Standards and Technology’s NICE program, Lightcast and CompTIA, more than 16,400 pen tester positions remain open. This mid-level position is also lucrative for candidates with the right qualifications; the average salary is pegged at $124,400, according to CyberSeek. (The Dice Tech Salary Report, however, has the annual compensation listed slightly lower at $111,348.)
The job of pen testers, also called vulnerability testers or ethical hackers, is to simulate the same kinds of malicious activity attackers would use to penetrate a network. By studying how these simulated attacks unfold, security teams can find weaknesses and vulnerabilities in applications, platforms and other parts of the infrastructure and fix them before a real attack, ransomware or otherwise, occurs.
While much of the cybersecurity conversation over the last year has focused on automating processes and using technology such as artificial intelligence to detect the threats networks face every day, pen testers add a much-needed human element to security, noted Dave Gerry, CEO at Bugcrowd.
“For years, pen testing has played an important role in regulatory compliance and audit requirements for security organizations. In simple terms, adding human-intelligence-led testing provides more comprehensive and in-depth testing versus automated scanners,” Gerry recently told Dice. “Additionally, it allows organizations to target specific focus areas for testing to ensure scope coverage is met.”
For tech professionals interested in pursuing a pen tester career, either as a starting point or as the next career stepping stone, the interview process for these jobs is critical. It likely includes sit-downs with human resources and recruiters, followed by meetings with potential colleagues and the hiring manager, where candidates must demonstrate the security and technical skills the role requires.
To help prepare candidates for the interview process and to help anticipate questions that may come up, several security experts offered their advice about what to expect beyond having the right background and certifications needed for a pen tester position.
What Pen Testers Should Expect
As with other job interviews (whether a technical position or not), pen tester candidates are likely to go through multiple rounds of interviews, starting with the HR department to discuss goals, skills, specifics of the position, desired salary and available start date.
From that point, candidates will have a technical interview with experienced pen testers within the organization. This part of the interview process helps assess a candidate’s ability to conduct tests and determine if their technical skills are an appropriate match for an open job, said Billy Giles, attack and penetration leader at security firm Optiv.
“Candidates should be prepared to discuss penetration testing methodology and commonly used tools,” Giles told Dice. “Candidates may also be asked to describe how they would approach a particular scenario, like enumerating a web application or scanning a large network.”
The final interview will include the hiring manager. While the purpose can vary, Giles noted that the interviewer will typically want to assess a candidate’s interpersonal skills and gain additional insights into their ability to communicate while describing technical subjects to non-technical audiences.
When interviewing candidates, Warren Kopp, a senior manager at security consulting firm Coalfire, favors asking applicants to go deep on a particular cybersecurity topic or technical subject.
“We can help build security and testing experience, so long as the candidate can articulate complete thoughts,” Kopp told Dice. “I love to ask about their specific hobbies or experiences with a certain technology or business, then have them describe something very detailed. This teaches me about their communication style. Does the candidate push back for more explanation, or do they launch into a nuanced description of their favorite project?”
For others, the interview is about showing practical expertise. John Bambenek, president at Bambenek Consulting, said he may craft a capture-the-flag exercise or ask the candidate to complete a technical task to gauge their abilities. “Lots of people can talk pretty … this role needs doers,” he added.
Pen Tester Candidates: What to Keep in Mind
For tech pros preparing to interview for a pen testing position, Bugcrowd’s Gerry offers a checklist that candidates should keep in mind in the runup to these meetings:
- Technology experience: What types of applications, infrastructure, hardware, APIs, etc. has the candidate tested previously?
- Role experience: What types of roles has a candidate been in previously? Has he or she done pen testing before?
- Vertical experience: Does the candidate have specific talent testing in a particular industry? For example, has she or he done a lot of work in financial services or insurance, and do they have a good understanding of potential business risks that exist within that vertical?
- Curiosity: Pen testers should be curious (i.e., “have a breaker mindset”) and be able to articulate complex concepts and questions.
- Experience with reporting: A large part of the job is reporting back to the client or the organization about what they have found. Pen testers need to be able to articulate that in both technical and non-technical terms, such as business risk.
- Customer-facing experience: Does the candidate have experience interfacing with clients?
In many cases, the interview questions will come in two flavors: technical and non-technical, with the latter covering everything from personal skills to communication abilities.
On the technical side, candidates should be prepared to demonstrate broad knowledge across a wide range of topics, said Patrick Tiquet, vice president for security and architecture at Keeper Security.
“On the technical side, the hiring team is looking for foundational knowledge in networking, operating systems and security protocols,” Tiquet told Dice. “Candidates may be asked about their understanding of network security, including topics such as zero-day exploits, ransomware, supply-chain attacks and social engineering techniques. Questions about wireless security could cover WPA3, rogue access points and the risks associated with open WiFi networks. Familiarity with operating systems, exploitation tools and incident response procedures is also crucial.”
On the non-technical side, candidates can expect to be evaluated on their communication skills, problem-solving abilities and teamwork.
“Questions might explore how they prioritize vulnerabilities, incident response and procedures to communicate findings or handle ethical considerations,” Tiquet noted. “Certifications and training are often used to gauge a candidate's overall suitability for the role.”