Penetration testing

Checklist for Hiring a Good Web Penetration Tester or Web App Security Consultant

October 14, 2015 by

The task of a web security tester or penetration tester is of course to audit the security of the web applications, web services, and web servers in a company. How would you hire a good web app security professional instead of a charlatan? Here are some qualities, skills, and guidelines you may want to consider:

Has an Average Developer Background (Knows How to Code)

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

You don't want to hire a script kiddie who shoots out his licensed web application vulnerability scanners like firing a cannon or laser.

Seriously, it won't just do!

The main advantages of training a developer over an individual who merely knows the ins and outs of a web vulnerability scanner include:

  • Knowledge of vulnerabilities and flaws in their developed applications and have learned how to secure, patch, or test it.
  • Automation or development of their own security tools in an assessment
  • It is easier for them to adapt to testing a web application if trained properly – This is based on my experience wherein I was hired in a software development company to train a group of developers who has little background in vulnerability assessment and security. Well, it turned out to be fine and it was easier for me to train these kind of people than training a non-developer group of individuals.
  • Has a good idea and understanding of the business logic and program flow of an application.
  • Can write a PoC (Proof of Concept) in a simple script.

Of course, I wouldn't hire someone who doesn't even know how to code HTML. The position is web app security tester right? Also, imagine hiring a static source code auditor who hasn't worked as a programmer or developer before. False positive tags could possibly be the main problem for that employee.

Know Thy OWASP (Open Web Application Security Project)

Familiarity with the Open Web Application Security Project Top 10, which is the flagship document of OWASP, is highly recommended because it gives an awareness about web application security.

The OWASP Top Ten covers the details about the most critical web application flaws namely A1 - Injection, A2 - Broken Authentication and Session Management, A3 - Cross-Site Scripting (XSS), A4 - Insecure Direct Object References, A5 - Security Misconfiguration, A6 - Sensitive Data Exposure, A7 - Missing Function Level Access Control, A8 - Cross-Site Request Forgery (CSRF), A9 -Using Components with Known Vulnerabilities, and A10 - Unvalidated Redirects and Forwards.

If he could summarize the OWASP Top 10 Project, then he or she should be fit for the job especially if he could demonstrate some attacks in his very own vulnerable labs or machine.

Aside from said project, if he or she is also familiar with some of the projects initiated by OWASP like Mutillidae or has an OWASP Broken Web Applications Project setup then he or she is really an OWASP lover and enthusiast plus the motivation to hack web applications.

Participated in Bug Bounty Programs

First of all, what is a bug bounty program? It is a program initiated by a company that rewards hackers if ever they found a security flaw in their applications and then have reported it through responsible disclosure. Cool right?

Is the applicant a bug bounty hunter too? If he or she is then he or she must have encountered and reported unusual bugs aside from SQL Injection, Cross-Site Scripting, RCE, etc. (the usual ones) which are usually duplicates. This is a good thing because he or she can find some good flaws in your company.

If you can see his or her name in some of the White Hat Hall of Fames of Google, Facebook, Twitter, Microsoft and other major web sites that offers bug bounties, then he or she is an exceptional talent especially if he or she has also received rewards for reporting vulnerabilities in Chrome, Mozilla or Internet Explorer. Who wouldn't hire a good bug bounty hunter who has names on major platforms?

However, be careful on hiring bug bounty hunters. Some bug bounty hunters rely on the shotgun method - finding and submitting bugs, even if the issues found end up being flagged as invalid bugs for the sake of being in the leaderboards in crowdsourcing platforms. Make sure you interview him or her then ask him or her about the bugs he or she has submitted.

Has published exploits or disclosures in Exploit-DB, Packet Storm, or other Vulnerability Databases

Exploit Developers, vulnerability researchers and bug hunters who have publicly disclosed their security findings on open source software and enterprise products – are also one of the good applicants you may want to consider especially if their bugs landed a CVE (Common Vulnerabilities and Exposures) ID or OSVD (Open Source Vulnerability Database) ID.

These kind of applicants can easily replicate, remediate and triage discovered vulnerabilities in a security scanner. Because most of these individuals are also developers who are adept in security then it is easier for them to develop proof of concept (PoC) codes for selected vulnerabilities.

Most of these kinds of applicants are also skilled reverse engineers and static source code auditors so yeah you shouldn't have some problem with them unless if they are not that motivated. Hire them right away! If they have contributed exploit and auxiliary modules to the Metasploit Framework then the better.

Curiosity and Passion for Security a.k.a The Hacker Mindset

You just can't train someone to be a good security tester if they don't have passion for security. They need to be motivated and must always be hungry for knowledge – that is the hacker mindset. Always exploring for new possibilities.

You can't just hire someone just because they know the OWASP methodology by the book and through the documents they have read. They must also know how to think outside the box and have applied it or tested it, like setting up their own security labs where they can hack their own vulnerable web applications that they can practice on what they have learned.

They need to think like a hacker because a hacker is someone who innovates and does things out of curiosity. It is better to hire someone who is always hungry for knowledge and willing to learn than a person who has many security certifications and has a lot of experience in the information security field but have not applied what they have learned from the trainings.

Let's admit it, certification doesn't make one a hacker – its motivation and passion but that doesn't mean that security certifications are bad at all. We will discuss about security certifications at the later part of this article on why it is also an advantage.

Knowledgeable in UNIX or GNU/Linux

Although most enterprise web application vulnerability scanners like HP Webinspect, IBM Security Appscan, Netsparker Web Scanner and Acunetix Web Vulnerability Scanner run on Windows there are also free and open source tools that can be used for web penetration testing and auditing that runs on *nix.

Being adept to GNU/Linux and UNIX gives you an edge over Windows users because it is easier for you to utilize penetration-testing distros like Kali Linux and Backbox Linux, which have bundled toolkits for penetration testing. Using command-line tools won't be a problem if you have a background in GNU/Linux and UNIX.

It is also most noteworthy that most of the websites are hosted on GNU/Linux servers because of stability and total cost of ownership.

Security certification is also a plus

Of course it is a plus! Passing an exam to be CEH / CHFI / ECSA / CISSP, etc. is an investment. Yes, you invested your time to have a proof that you want to have a foundation on ethical hacking and penetration testing. Attending a boot camp for a certain security certification like CEH allows you access to good resources for you to read, learn and practice.

Passing a certain certification will not guarantee you that you are already a hacker; it is still the beginning and a good foundation unless you just took it for a compliance in your company and then you already have the right skills.

However, this is not a requirement in hiring a web security tester because it still depends on the applicant's knowledge about web security and security testing. Knowledge + skills + certification is always an edge.

Has attended a security conference or a local hacker space

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Investing a good time in attending a hacker convention or conference like DEFCON, BlackHat, ROOTCON, Derbycon, etc. proves how an applicant is passionate he or she is about security and the hacker culture. Hacker cons have a variety of topics and contests, which will surely give a dose of good information and new stuff for the attendees.


aurelius is the creator of n00bs CTF Labs, bug bounty hunter, security researcher at Infosec Institute and an application security analyst. He loves playing games and watching movies aside from hacking.