BSides Bristol 2024

Operationally Struggling Corporate Pentesters (OSCP): Building good processes as a junior tester, Track 2

This talk dissects the disillusionment of junior testers expecting a corporate world CTF. We discuss training hackers vs testers, the culture of discussing tests, and unspoken expectations in corporate. While it's self-therapy for the anxious junior tester, it offers insights for providing training.


The talk dives into the initial misconceptions and subsequent disillusionment often experienced by junior testers in the corporate world. Many enter the field with expectations of it being a continuous CTF exercise only to find that reality differs. While being a good hacker will definitely make it easy to be a good pentester, the skillset is not entirely overlapping. To steal a good analogy I saw: "Hacking is to pentesting, as improvisation is to acting".

This talk aims to dissect those feelings and the above theme, breaking them down into some key areas. Firstly, addressing one of the main methods of training new testers: introducing them to online lab providers. While learning the technical skills of hacking is important, it's not a substitute for a good training program which not only covers the technical aspects of hacking but also builds the practices of being a pentester. Labs and CTF-heavy training also breed a mentality where a tester may expect to find a high severity exploit on every test, which may not be realistic, or perpetuate the "get root" mindset of a person who mainly does CTFs.

Additionally, part of peeling back the cover of corporate is also the unsaid work behind the scenes, not brought to recruiting talks in universities and schools. The reality is that scoping engagements and reporting often cover as much time as the active testing periods. Pentesters also have a lot of unsexy stuff to contend with like risk and business context. However, training in firms often neglects these areas of development for junior testers.

Being careful that this talk doesn't turn into a laundry list of training shortcomings, the talk also aims to cover the good practices junior testers can build: the benefits of good reconnaissance, helpful tips for documenting process and reporting, as well as building your own methodology based on your testing style.

Using some potentially good memes, some scuffed MS Paint illustrations, the promise of the overused "breaking into a house" analogy and perhaps a Venn diagram, this talk will definitely be a little bit of self-therapy for myself but hopefully not just provide some advice to those entering or prospective junior testers, but also provide some insights to those who run training programs or enjoy some mentoring. (And hopefully not do this discussion to death.)

Despite also being a Malaysian, now based in the UK, self-proclaimed comedian, and a fried rice enthusiast named Nigel Ng, I unfortunately do not own the Uncle Roger persona though I will claim I've made half his jokes before he blew up.

Since 'retiring' from esports, I'm now a junior pentester at KPMG UK.

https://www.linkedin.com/in/nigel-ng-1a4206241/