August 29, 2011

Personality Traits for Pen-Testers

Posted in Pen-Testing, Psychology at 16:40 by Alex McGeorge

I recently had occasion to think about some personality traits that can make good pen-testers.

This post isn’t going to address what kind of knowledge one needs to succeed in this field; that’s largely determined by who you’re working for and what you’re doing for them. The offense-oriented security industry is becoming increasingly specialized as the tools to build (and break) software become more complex and interconnected. Acquiring domain-specific knowledge is straightforward compared to altering some of the key pieces of what makes you, you. Therefore I think it’s important to consider more about a person than just their knowledge of the field.

Ultimately I decided on two main traits:

Curiosity is so important because it can be a powerful motivator. Curiosity often compels discovery; discovery of the unknown is the fundamental goal of any penetration test. The uncovered issue may even be known to the client but rarely are all the implications. Curiosity is the catalyst for the breakthrough ‘what if?’

Persistence is the other side of this coin. When viewed beside curiosity, persistence is the enabler of continued curiosity. Finding esoteric bugs is often monotonous work; persistence enables curiosity to remain even after you’ve explored 90% of the seemingly identical paths available to you. It is a difficult trait to cultivate and that makes the people who have it very valuable, but only in conjunction with curiosity can you harness it effectively. Computers are very good at being persistent, less so at being curious and imaginative.

Back in my heady undergraduate days I had a research professor who stated that “obsession is not a character flaw in a scientist”. I think that statement is largely true and even somewhat applicable to penetration testing; this industry obviously makes very good use of the scientific method and logic.

The problem with obsession, and where it crosses from character flaw into illness, is when you can’t turn it off. Using obsession to fuel persistence can be dangerous. I have to think many of us have ridden that wave until the small hours of the night or across days, chasing and finally hitting the crest, only to be followed by a sort of postpartum depression. This pattern is addictive; such is the nature of obsession. So much of offense work has to be done on a very strict time budget that being able to disengage and look for something new is absolutely essential; obsession makes that difficult.

Each team has different members that play different roles; similar traits may drive two people towards two different roles. Certainly there are many possible combinations of players on a winning team. I think curiosity paired with persistence is general enough, yet simultaneously central enough, to what I consider the proper mindset of a good player. Food for thought next time you’re involved in an interview.

This post is brought to you by: White Zombie – Blood, Milk and Sky
