Today in our Interview With A Pentester blog series, we deep dive into the mind of White Oak Security’s cyber security mentor. In this post, it is evident that Tib3rius loves sharing his knowledge and passion through education and mentoring. Learn how he became a penetration testing expert, his experience in the field, and how he helps tons of pentesters across the world.
This post will be formatted in an interview-type style and all opinions are those of the interviewee.
How To Become A Penetration Tester
Tell us about yourself! How long have you been penetration testing for, what types of certifications do you have, and what do you like to do outside of work?
I’ve been pentesting since 2012, which makes it 11 years now. I had several certifications throughout the years, but right now I currently have my OSCP cert. I really love my job – so in my downtime, I enjoy mentoring and educating people in cyber security. I like to stream, create, and write courses, as well as play board games with friends and solve puzzles and non-standard sudokus. When the weather is right, I like to snowboard and mountain bike too.
How did you get into pentesting, what sparked your interest in cybersecurity?
I have always liked computers and technology, but in college when I was searching for something to major in, a few of my friends were in cyber security and told me to check it out. I got hooked because hacking was a lot of fun and quite the adventure!
How To Learn Cyber Security
What are 3 pieces of advice you’d give a new pentester?
I speak with a lot of new penetration testers or interested people trying to get into the field. The 3 top things I would say are:
- Ask Questions!
  - Ask your team, senior mentors, the community, etc. We do not mind helping, answering questions, or going through things with you.
- You Will Miss Something
  - Don’t feel bad if you miss something because it happens to everyone (and will happen to you). When it happens, don’t kick yourself too hard or get discouraged.
- Never Stop Learning
  - In this career, you can’t sit back, relax, and autopilot it. You have to keep learning as new stuff comes out – whether it’s through training, blogs, Reddit, etc.
What are some of the most helpful resources or certifications for penetration testers?
There are a lot of resources in the infosec community! There are free ones like PortSwigger, Hack Tricks, and content creators (YouTube, Twitch, etc.). Some really great ones to check out are:
- TCM Security Academy
- InfoSec Streams
- Tib3rius Institute For Cybersecurity Courses
- Twitch – I stream Mondays (Cyber Mentorship Mondays are beginner-friendly), Wednesdays, and Fridays on various topics
- Hackers Academy and Udemy are great too!
What was your biggest hurdle of becoming the competent and experienced pentester you are today?
A big hurdle (that I’m not really sure you ever get over) is imposter syndrome. I think everyone experiences this to some degree. In web application security, you can have a bunch of well-coded web apps in a row and you go weeks or months without finding anything critical. You might start to think “oh, maybe I’m not very good at this”. Even though it’s still a lot of fun, you don’t find remote code execution or privilege escalation as much compared to network pentesting. Then you find 50 SQL injections in 3 days and a sneaky privilege escalation the next. It’s a whirlwind.
What helps/helped you overcome some of the challenges of the cybersec industry?
Early on in my career, I learned that you can try to do everything and be mediocre at it… or you can specialize in ONE specific area since InfoSec is such a huge realm.
In my second year, I started to exclusively do web apps. I did web applications in the past and had a good understanding of how they worked. I found that they were more fun in general. If you’ve tested a Windows network once, then you’ve seen a lot of Windows networks. BUT for web apps, there are hundreds of differences between each one. They’re a big top seller in terms of pentesting – which makes sense since the web has just exploded in the early 2000s and everyone has web apps nowadays. It’s made it easier for everyone since they all use a web browser versus when everything needed a thick-client. However, there are a plethora of vulnerabilities! So, I’ve dedicated most of my career to this one area of expertise.
I’d also like to say that communication and intuition can really set you apart. Communication is important so you can properly talk to customers or explain what you’re doing. When you first start out it’s really hard. Same with intuition, it’s difficult to answer “what’s your web app methodology?” because it’s unexplainable. It’s my second nature at this point. I’ll just go into an environment and start looking at certain things, things will pop out to me, or I will have a feeling to try certain things. It’s why two different pentesters can go into the same new environment but find different things. Nothing or no one will find everything.
Time and experience help solidify these things.
How do you stay current with the ever-changing penetration testing landscape, products, and tactics?
I use social media platforms. Twitter has a huge infosec community and if you subscribe to the right people you will get the news you need. Reddit also has a ton of subreddits you can follow, like r/infosec for example. I recommend following content creators on YouTube who release infosec/cybersec content on new things, like John Hammond – I really like him. Lastly, the PortSwigger blog is pretty good too.
What is your biggest pentesting pet-peeve or most frustrating “hacking” misconception?
The public view of hacking is frustrating because there’s confusion of how “hacking” can be an entire industry. A lot of people associate hacking with bad actors only, which is understandable, but if you’ve ever messed around with an application at home (even if you own it), then you have done some hacking!
It’s not a bad thing. It’s a way of engaging with applications, services, computers, etc. and definitely a lot more than malicious acts or what the public sees.
I also have a crusade against the SQL injection blogs and resources teaching to inject OR 1=1 for SQL injections without teaching the risks involved.
How do you see the future of pentesting changing in the next 10-20 years from now?
10 years ago in web apps, we had command injections and it was easy to exploit those. Then developers mostly fixed them, but started using templates, which led to template injections, and now we still get remote execution, just in weird and wonderful ways – but tech is always evolving.
People are designing new technology with security in the back of their minds (if at all) and as new tech emerges people adapt very quickly… more new tech means more new vulnerabilities, and they just do not have the protection they need. Security is always an afterthought, rather than a first thought of “how will this be abused?” The new vulnerabilities are discovered, they are slowly fixed, and then it happens all over again. The cycle of technology and pentesting.
Another piece of change we see a lot of these days in pentesting, and just tech in general, is automation. A lot of it may be automated in the future, especially with the emergence of AI. I think that AI will struggle with red teaming and internal network pentesting; it just won’t be able to do what humans can do.
Penetration testers will not be at risk of losing their jobs over AI or automation though. It really requires human creativity to exploit vulnerabilities.
Working With White Oak Security Penetration Testing Experts
What’s your favorite part of pentesting?
My favorite part of pentesting is finding complex vulnerabilities – the things that people have missed or are not very obvious to exploit or took a lot of thinking and time to “break it”… it gives you a huge sense of accomplishment.
What is your favorite service to provide?
Web applications 😏
How can clients prepare for White Oak Security / penetration testing services to help set them up for success or best utilize the testing?
I’d say the best way to prepare for security testing services is to have a kick-off call 2 weeks before the pentest and hopefully we can get all the details/info we need. The biggest pain for pentesters is when customers say they will get us their credentials, URLs, etc. beforehand, but the day before the test we are still requesting all those items. The reason we ask for them early is so we can make sure we have access or troubleshoot access. Customers sort of shoot themselves in the foot when they waste the test time, so be sure to get things ready the week prior – just pretend your test is a week earlier than it’s scheduled.
Also, please work with us the entire way and don’t see us as an adversary. It’s our job to act like the bad guys – but you can trust us and we are here to help YOU. Work with us every step of the way, give us the info we need, and trust us… and we can best serve you!
What is something that many clients miss or don’t understand about penetration testing?
Organizations need to be proactive and hire/train their developers in SECURE CODING. There have been many times where you get the pentest reports back and we explain how to remediate things with a list of techniques – however, it’s ultimately up to your team and the developers to provide a fix. If they have never done that before, then it will be really hard or time-consuming. So make sure your developers understand security. A great resource they can use is Veracode Security Labs for security training.
What is something that makes you love working with a client?
I love working with organized clients with lots of passion about security and finding vulnerabilities. I like when they are happy we found something, rather than annoyed. If we don’t find things, it doesn’t mean it is not there… but if we do find things, it means they can be fixed! So a good attitude about that makes all the difference.