My One-Sentence Summary
It’s quite possible to enter the highly coveted career of penetration testing if you take a methodical approach.
- The book was written by Phillip L. Wylie and Kim Crawley, who are two well-known experts and personalities in the infosec community.
Pentesting requires not only computer technology skill but also practical thinking.
Wylie, Phillip L.; Crawley, Kim. The Pentester BluePrint (p. xix). Wiley. Kindle Edition.
- Structure: What is a Pentester, Required Skills, Education, Building a Lab, Certs and Degrees, Developing a Plan, Gaining Experience, Getting Employed
- I liked the description of “Pentests assess security from an adversarial perspective.”
- I liked the mention of methodology, including PTES, OSSTMM, NIST and OWASP
- I like how they differentiated vulnerability assessment from pentesting, saying they are often done together but are not the same
- I like how they broke down different spaces that people focus on in pentesting
To assess the security of a target and to hack into it, you will need to understand the technology and the security. Deep knowledge of your target is required to be successful at penetrating the target.
Wylie, Phillip L.; Crawley, Kim. The Pentester BluePrint (p. 17). Wiley. Kindle Edition.
- I like that they gave a primer on basic information security concepts
- It seemed a little jarring to move from infosec basics to talking about the dark web to airgapped machines, but I get it—there’s a lot to cover
- I like their blueprint formula of Tech Knowledge + Hacking Knowledge + Hacker Mindset = Results, which reminded me of how I described it in previous talks. I think I said, TECH KNOWLEDGE X HACKER MINDSET, which is very similar. And I see why they added hacking skills to that
- I like how they are mapping the story along the temporal arc of how you’d proceed to enter the field, with book recommendations
- Whoa, I’m in here! Thanks, you two! That’s a fun surprise while doing a review!
- Surprised I didn’t see anything about Pentester Labs? Maybe I missed it?
- I liked the quotes of people talking about their own approaches to tools
- I was a bit confused about the skills plan concept. I feel like there could have been more conversation about, “If you want to head in this direction, here’s a possible path,” vs. “If you want to head into this other area, …” So like skill trees in an RPG or something. Or like Lesley talks about in her blog post on careers. I did like the quotes portion of the chapter though.
- Similar comments on the employment chapter. Would have been cool to see some visual career paths like an RPG. Just an idea
Takeaways, Questions, and Ideas
Ultimately I think this is the best-organized and most-detailed layout of how to go from zero to hero as a pentester.
I think they covered it in a logical flow, and the book provides not just practical “do this” advice, but also a series of references you can come back to later.