I attended a computing industry conference recently and got a free copy of Phillip Wylie’s “The Pentester Blueprint”. In my opinion, “pentester” isn’t so much a job description as it is an Additional Duty As Assigned to somebody already working on a project or at an existing job. It’s nevertheless important, so I grabbed the gratis copy. The first four chapters were so basic I assumed that the target audience of the book was management, since the tools used were only mentioned and very little procedure or strategy was discussed. A few points were important in legalistic senses, such as the absolute need for preparation if challenged during break-in attempts, virtual or real. One needs immediate contact information for customer authorities and admins, plus written permission to engage in penetration testing. But most of these first four chapters related to definitions and background issues. Chapter 4, Education Resources, was helpful in that it contained descriptions of organizations (like OWASP) with which I was familiar, but told of aspects of those groups I’d not known. Prior to chapter 5, though, I was losing hope regarding a new experience of any kind.
Chapter 5 provided quite a surprise. Its title, “Building A Pentesting Lab”, had me expecting a cooking recipe sort of approach, relying on hardware and software recommendation lists like many other books have done. But the chapter didn’t take that route, instead containing interviews with working admins and testers who described how and why they put together their specific systems (revealing as much as possible without violating confidences). Rationales were provided for what tools and hardware were included. And they varied considerably. If you’re doing web application security, you may need only a couple of laptops. But if you’re looking at industrial control systems, a whole virtualized network or three would be a good idea – and constructed with the specific type of PLC host (programmable logic controller) you’d be trying to research, defeat and then protect. This interview-based discussion method by Wylie is one I’ve not seen used in the computer books I’ve read, but I’ve seen it used in first-person accounts in 2600 Magazine. AND Wylie mentions that magazine in a resource section of his book, making this the first time I’ve ever seen that happen. If you know, you know.
I could go on, but this middle-of-the-book switcheroo by Wylie totally fooled me. I didn’t think he would deliver the goods for quite a while, but I continued plodding along. It paid off. Consider “The Pentester Blueprint” if you see it, since it informs those of many other job descriptions than just the one of the title.