Shortly after qualifying as an OSCP and entering the pentesting workforce, one thing quickly became clear to me: pentesting is not really a single profession but actually several; all related to a greater or lesser degree but requiring somewhat distinct skillsets.

Of course, they all share a requirement for a certain type of mentality: one that asks the question “what if I do this, will it break it? Or if not, what will happen anyway and will it be interesting?” But in terms of specific technical skills and knowledge, the branches of pentesting can be quite different.

The main two branches, at least for now, are probably network infrastructure and web application pentesting (with mobile app testing also arguably being a contender). These really are quite dissimilar in terms of skills: web app testing is essentially about capturing and observing HTTP traffic and amending it or analysing it in one way or another to see if anything interesting results. While that sentence (perhaps unfairly) glosses over a huge amount of potential work and knowledge, that is essentially what web application pentesting is.

With web application pentesting large amounts of information are known (or inferable) about the target:

  1. What is the nature of the target? It’s a web application(!)
  2. What technologies does it use? It will be using a handful of languages/technologies.
  3. What is its purpose? It serves as an interface for people to do something with data with the end goal of achieving something: purchasing a product, booking a holiday, etcetera.

Contrast this with network infrastructure testing, where the pentester usually starts off with far less knowledge of the targets. IP addresses are fine, but what’s on them? The web app tester knows that a web app is the target of the test – the infra tester usually knows nothing about the services that will be found – will it be a single service per IP address, or 10, or 20? What will they be? The network infra tester needs to know about far more completely different services and technologies than does the web app tester. Thus, the web app tester can focus studies a little bit more while the knowledge of the network tester must be more diverse.

So should testers specialise?

Commercially, it’s difficult to say that you’re a “network tester” or a “web app tester” as clients usually expect you to be able to do both. So maintaining a working knowledge of both these main branches of pentesting is probably wise. But paradoxically, given the vast amount of knowledge needed for any type of pentesting, skill-wise it may be worthwhile to focus on a single branch of testing as a “specialisation” while retaining this basic knowledge of the other branch. Being honest about which is your specialisation and which is not is the key: communication, as always, is the best option.

Which type of testing is “better”?

Well, neither of course, but the pentester’s own temperament might give an idea of which may be more appropriate for them to specialise in – if they choose to specialise at all. Network infrastructure testing involves a (usually) large amount of target machines which may have almost anything on them in terms of services. If this type of discovery and surprise (and dispersed targets) is something a tester enjoys, perhaps network infra is for them. If this sounds like a nightmare and the concept of fewer targets with services whose purpose and nature are already understood sounds better, web app (and perhaps the closely-related API) testing may be better for a tester. I myself am firmly in the “web app” camp: I don’t really like multi-target engagements and I like to (at least vaguely) know what I’m up against before a test begins. I also like to be able to study web app technologies with the knowledge that they are likely to soon be useful, rather than reading about a network service I may not encounter for weeks! But it’s purely a personality thing.

So in conclusion: I do think that specialisation in pentesting is generally a good idea as there is simply too much to know, and at least specialising allows focus on a single area. But in reality, the market doesn’t really understand that, so if a specialisation is chosen it’s wise to at least somewhat keep up to date with developments in the other area(s) of pentesting! And I must say that I do recognise how annoying this contradictory advice is!

PS: I’m aware of other areas of pentesting beyond the main two, such as IoT, mobile app, cloud account testing, wifi testing, etc – these are definitely specialised. It may be possible to entirely focus on these branches of pentesting but I would not advise it – if a tester is interested in one of these fields I’d suggest also keeping up-to-date with one of the main two branches as well, just in case!

Matthew Bowers – Senior Penetration Tester – iSTORM®

(Images are the consultants own)