I’ve seen following questions pop up very often, so decided to write some brief blogpost about it from my POV.
For how long will the security testers’ work be required?
What is the future of IT security industry and penetration testing?
So pentesting is dead right? Only Bug Bounties and Red Teaming is good now?
This is my bio which adds some context to the whole article
I started my ‘adventure’ in the IT world from the very lowest positions. I’ve worked as a computer technician, network admin, web programmer, system administrator and after many years I started delving into the security related matters
Still working as a programmer, I started educating myself on an offensive security and enjoyed reporting security issues to variety of companies. It’s been over a hundred different companies – both popular, foreign giants as well as large Polish firms. It was all in times when Bug Bounty programs were not a thing yet and just a couple of the biggest corporations had some tiny researcher reward systems.
Even though it took some years before I finally started working in the security industry, I do not regret the time spent in my previous positions. Going through such a long way provided me with a lot of priceless experiences, thanks to which my perspective is now much wider. I understand the problems which employees on different positions have to deal with and by taking them into consideration, I can make more beneficial decisions for the companies and teams I cooperate with.
The long way gives not only more context, but also teaches us humbleness and all about the hardships of work in different roles.
Seeing how complicated the software production and maintenance processes are, we can distance ourselves from the problems and tone down our comments about the found bugs.
The security industry needs patient professionals, who can keep in mind the context specific for each company and cooperate with others without harsh comments more than ever. We need leaders, who can build and promote the security culture in their companies.
I spent a couple of years as a pro pentester, but I was constantly bothered with my constant search for higher purpose. I just felt that the value we as pentesters bring to the world and that although we’re working our asses off, not that much changes on a scale. Each few months I found the same errors appearing as regressions, I kept finding exactly the same vulnerabilities in new pieces of code and the world was not becoming any safer. Up to this day, trivial XSS bugs are being found in applications produced by companies such as Microsoft, Apple and other tech giants who have all the money in the world to harden their software engineering practices.
After having had reported close to two thousands security bugs, I came to the existentially painful conclusion. Pentesting and bug hunting just do not scale. It’s cool, it’s needed, it pays the bills, but no matter how many vulnerabilities I discover, the impact I make still doesn’t make any difference.
Even though pentesting is an important occupation and penetration tests are a critical element of all security programs themselves, for me, it was a questionable career path, if I wanted to change the global status quo. And the status quo was a very slow progress in appsec improvements among global companies and wasting tons of money on low ROI investments.
I decided to join some solid Silicon Valley based corporation as an internal security engineer tasked with building security systems and programs. I wanted to do stuff that matters and have impact on the whole business. My main goal was to focus not only on finding vulnerabilities, but most importantly, to prevent them from appearing in the future. Which was exactly what I was missing in the external pentesting roles, where most of the time you have 0 chances to influence internal software engineering practices of a company you’re working with. In the meantime, I also kept helping other companies and infosec fellows to build more robust security programs, increase their pentests’ and Bug Bounties’ ROI and just tried to scale myself by sharing my knowledge that can be used to optimize business processes at other places.
After a few years, I slowed down for a while and it was one of the most disappointing experiences of my life.
It’s been over 5 years since I decided to move on from pentesting alone and focus on something “bigger”. On a daily basis, you’ve got so much work and energy that you just push it all in and squeeze every last drop of your time to deliver great work. You learn, consume knowledge and apply it. You develop stuff, improve it, do other bigger things, because there are so many things to be done!
Until you eventually slow down a bit and look around. I was so busy doing stuff, that I went out of sync with the reality around me, and altho I was learning a ton and staying current with what’s up in the industry, I wasn’t keeping an eye on how are others really doing. And when I started looking at others I realized how badly I overestimated our lovely world. How much I overestimated the companies’ ability to implement pragmatic, comprehensive security processes and their ability to think and plan long-term.
Those 5 years ago I was 100% positive that trivial OWASP TOP10 bugs would soon be relicts from the past so I decided to focus on something greater, believing that many companies would follow and most of them would reach a sensible level of security soon. Because how much time can humanity waste on all those dull activities that can be effectively mitigated and automated?
It appeared however, that the sector I had just left, had its best years ahead.
Pentests, bug bounty programs and everything related to the offensive approach to security became more popular than ever before. Despite the huge industry’s investments in aforementioned activities, enormous amount of companies still can’t get the basics right and pentesters(+ malicious hackers obviously) keep discovering identical errors over and over again. We have a lot of shiny and pretty toys, however many of the initiatives undertaken by companies are not as effective, as they can and should be.
Most of these bugs can be so easily avoided in programmatic way that they simply should not have a right to exist in 2018. You can still see many companies wasting hundreds of thousands of dollars on incompetently managed external pentests and bug bounty programs. Also we as an industry are very myopic and happy to spend tens/hundreds of millions of dollars on short-term offensive initiatives that don’t really contribute to the bigger picture. Because the offensive side of ‘hacking’ is so fancy and praised everywhere, there are very few incentives for blue teamers to spend their lives on building things the world would not appreciate anyways. Altho the obsession about offensive side of security is great – especially for companies and peeps who make easy cash offering those services – we’re moved far away from playing the right game.
It seems like the security industry forgotten what our goal was and they have it completely mixed up. Our goal and mission was to make world a safer place, and hacking was meant to be just a tool to improve the defenses which contributes to the long-term strategy. Yet along the way, most of security PROs got distracted by money, hype, fun and dopamine shots, which caused our mission to be burried way below our core values, ethics and missions. The noble virtues have been mixed up with trivial tactics and strategies. That’s how online privacy ceased to exist. Not because of some evil companies that are after our personal data – FYI, those evil companies are nothing but a group of people, you know that, right? – but by lack of strong people who should’ve been guardians of things that matter.
But that’s a whole different story so let’s leave it for another sleepless night.
And for most folks what I’m saying above is some different level philosophical ranting, and maybe that’s what it is. But if you want to be a pentester and what you’ve read above put you in low energy state, then it absolutely shouldn’t! For you, an aspiring pentester, the whole shit-show in the security industry means that you’ve got a really entertaining and high paying job for the next decade or so! Hurra!
It’s not to say things aren’t getting better, because they absolutely are. But that’s not the pace we’d expect it to be and if world made a progress of this magnitude over the past 5 years, we can be pretty sure that there are still many years of frustration ahead of us.
So if you’re worrying if the pentesting career is still fine, then stop worrying and start doing what you feel is right for you. Pentesting, or even primitive vuln assessments are here to stay for the next decade or so. I wish world moved as fast as we want it to, but the reality is that we’re often blindfolded by watching only the biggest brands.
But that’s not who’s going to pay your bills really. There is a per mille of companies – those huge brands everyone uses on daily basis – that have effective security right and are moving fast. But that’s it. >90% of companies still have ugly software engineering processes, let alone security assurance, so trust me – you’ll have a lot of work for a very long time.
That’s it. Now go and change the world for better.