Penetration Tester

Gandhar: Hey, my name in Gandhar and I’m a penetration tester at ZX Security.

So the official job title is penetration tester, also known as ethical hacker. Sort of the good guys. A penetration tester finds issues and vulnerabilities in client infrastructure. That could be in the form of a web app, mobile app and cloud infrastructure. Finds those vulnerabilities, creates a report and sends that off to our client.

Essentially I look to break stuff. I’m trying to break a web application or mobile app down to its bare bones and see if it still can run properly. I try to get the application to do unexpected things and take advantage of the unexpected response. If the application exposes itself I can pick up on there and cascade down into bigger attacks.

So the end goal is basically just to secure our clients' systems. So me working as a good hacker can try to hack these applications legally and find the vulnerabilities that the bad guys would find, and if I can find it and notify those to our client, they can mitigate those risks of a bad guy doing the exact same thing, stealing their data, crashing down servers and breaking down web applications.

The thing I like the most about this job is the learning aspect, so you’re always learning something new. We have projects that run for three to five days, and each project would be different. My project manager manages all my projects and makes sure that I have enough time for the project. I would have client meetings as well. Making sure everyone’s on the same page and that we have all the requirements that we need to start testing.

Week one I might be doing a mobile app. Week two I’ll probably do a cloud app or a web app, and each project introduces a different system, different software, different tools, and you’re basically just learning on the go. It’s a huge learning curve. That’s how it varies. You’re always doing something different per project.

I would definitely say a qualification would help your application, because you’ve got that basic understanding of tech itself. But if you can program a small application, if you can read code and you would definitely need to have a basic understanding of the networking protocols, so TCP/IP, ARP, and have a basic understanding of the vulnerabilities. Simple vulnerabilities like XSS, SQLI, REC, LFI, RIF. You would definitely need to have a bit of knowledge about that.

This job can get quite fatiguing and quite exhaustive. It’s a lot of grunt work. It’s a lot of long hours behind the computer, so it’s very important to look after your body and your mind.

I would say the most important attribute in this job would be curiosity. You have to have the inclination to be curious about stuff. Curious about how things work, curious about how to turn things and how to break things. That will really go a long way into the career.

The biggest challenge I face is the technical challenges itself. When you’re trying to break something there’s always going to be defences, there’s always going to be things that stop you, so you sort of need to have the grit to just keep going.

As a hacker when you penetrate a web application or when you get through the firewalls it sort of gives you a hit of dopamine. It gives you a surge of excitement or satisfaction. That’s sort of where my passion comes from. It’s quite rewarding as well at the same time.

I would recommend a role in cybersecurity because you’re always on your toes. You’re always learning something new. Like any tech job, you can jump between different disciplines. There’s a lot of opportunity, there’s a lot of growth. That and the fact that they do come with perks. Competitive pay salary and just a chill work environment as well.

Honestly it just never gets boring.