Jr Pentester Job Research
I saw and pulled info from a Jr Pentester job posting on LinkedIn.
The role has a long list of criteria.
It is a pretty good sample of what I will need to be proficient in if I want such a role.
About the role: The Junior Pentester's primary responsibility is to support the senior engineering staff in the execution of penetration tests and vulnerability assessments for internal and external systems and applications.
Essential Functions
Assess web applications, medical devices, hardware devices, and third-party software for security vulnerabilities.
- Ok so web, CVE, research prep.
Provide initial research into applications and devices prior to security testing.
- Ok, initial recon into vulnerabilities and note scraping.
Responsible for compiling the findings of their testing into formal reports that will be provided to the system and application stakeholders.
- Report compiling.
Interact with the stakeholders during all assessment phases to coordinate access, resolve issues during testing, and help address security concerns, working with teams to provide possible remediation options.
- Soft touch with Customers, troubleshooting, and implementation based on findings.
Build relationships with other departments to better understand business needs.
Ability to meet established deadlines and communicate potential blockers.
- Basic PM skills.
Provide support to the senior security engineers by assisting in the management of security technologies (e.g. web proxy, IDS, EDR, WAF).
- Advising on implementations.
Assist in proof-of-concept initiatives for business applications.
- Build PoCs for whatever dumb C-level initiatives, i.e. "Do a demo showing that the new firewall JUST WORKS."
Respond to employee inquiries regarding potential phishing emails and general security topics.
- Research/Screen/Validate incoming reported phishes.
Maintain an understanding of new vulnerabilities and attack techniques.
- Keep researching indefinitely, stay current.
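As an added example for the "screen and validate reported phishes" duty (this is not code from the post or the job posting), here is a small Python triage helper that parses a user-forwarded message and surfaces the things a reviewer checks first: Reply-To and Return-Path domains that differ from the From domain, SPF/DKIM/DMARC verdicts from the Authentication-Results header, and links whose host is not under the sender's domain. Both sample messages are constructed; the domains, hostnames and header values are placeholders, and the Authentication-Results parse is a simplified regex rather than a full RFC 8601 parser.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample of a user-reported message (placeholder domains, not a real email).
SUSPICIOUS_EML = """From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: reset-team@mail-reset.example.net
Return-Path: <bounce@mail-reset.example.net>
To: employee@example.com
Subject: Password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-reset.example.net; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Reset it now:
http://example.com.mail-reset.example.net/login
"""

# Constructed benign message from the same (placeholder) sender, for comparison.
CLEAN_EML = """From: "IT Helpdesk" <helpdesk@example.com>
Return-Path: <helpdesk@example.com>
To: employee@example.com
Subject: Scheduled maintenance
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Details: https://intranet.example.com/maintenance
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
FAIL_VERDICTS = {"fail", "softfail", "permerror", "temperror"}


def domain_of(header_value):
    """Lowercase domain of the first address in a header value, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results (simplified parse)."""
    hdr = str(msg.get("Authentication-Results", "")).lower()
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", hdr)
        verdicts[mech] = m.group(1) if m else "missing"
    return verdicts


def host_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw):
    """Return a dict of extracted facts plus a list of human-readable findings."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # 1. Envelope / reply routing that points somewhere other than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        d = domain_of(msg.get(hdr))
        if d and d != from_dom:
            findings.append(f"{hdr} domain {d} differs from From domain {from_dom}")

    # 2. Authentication verdicts recorded by the receiving MTA.
    auth = auth_results(msg)
    for mech, verdict in auth.items():
        if verdict in FAIL_VERDICTS:
            findings.append(f"authentication: {mech}={verdict}")

    # 3. Links whose host is outside the sender's domain (lookalikes flagged separately).
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    urls = URL_RE.findall(body)
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if from_dom and not host_under(host, from_dom):
            note = f"link host {host} is not under sender domain {from_dom}"
            if from_dom in host:
                note += " (lookalike: sender domain embedded in hostname)"
            findings.append(note)

    return {"from_domain": from_dom, "auth": auth, "urls": urls, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw)["findings"])
```

The output is a list of reasons, not a verdict: a reviewer still has to look at the message, but the script gets the header and link mismatches in front of them in seconds and in a form that can be pasted into a ticket.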
Job Requirements
Bachelor’s degree in a related field is desired, not required.
OSCP, CEH, Security+, or other security related certifications are desired, not required.
2+ years’ experience in information technology, preference to those with development, network, or systems administration experience.
0+ Years of Penetration Testing Experience preferred.
Experience with at least one automation/scripting language (e.g. PowerShell, BASH, Python).
- Know scripting.
Experience and understanding of HIPAA, HITECH, and PCI preferred.
Some experience with web app or systems testing is desired.
Preferred Experience
Basic knowledge and understanding of at least one computer programming language (e.g. JavaScript, .NET, AngularJS, Java).
- Know coding demonstrably.
Effective verbal and written communication skills. Should be able to adapt communication style to suit different audiences.
- Have actual soft skills.
Familiarity with testing tools such as Burp, ZAP, OpenVAS, Wireshark, HackRF, or Metasploit.
- Hmm need to learn HackRF.
Ability to set up a virtual environment using VMware, VirtualBox, or similar technology.
Compensation is between $70,000 and $80,000 annually.
- All of the above for 80k/yr.
Findings:
Ok so web, CVE, research prep. Need to keep practicing in HTB.
Ok, initial recon into vulnerabilities and note scraping. Need to learn a solid research process.
Report compiling. Need to learn how to write reports.
Soft touch with Customers, troubleshooting for seniors when X tool is dropping shells, and implementation based on findings. Need to become very familiar with a pentesting tool troubleshooting process.
Need to practice closing vulnerabilities with various products and services.
Basic PM skills. Need to keep learning from internal Cisco PM resources.
Advising on implementations. Closing vulnerabilities will help acquaint me with the common issues in implementations that I don't already know.
Build PoCs for whatever dumb C-level initiatives, i.e. "Do a demo showing that the new firewall JUST WORKS." Need to work on recording handholding videos.
Research/Screen/Validate incoming reported phishes. Need to keep practicing here.
Keep researching indefinitely, stay current. Ok so keep up on that. Maybe build a digest of RSS feeds.
Know scripting. Need to become more familiar with PowerShell and at least script out some bash for HTB.
Should keep CEH active until I get OSCP.
Know coding demonstrably. So I need to write an app, I guess. And get into reversing BEFORE I try to get into a Jr role.
Have actual soft skills. Just keep up on them.
Hmm need to learn HackRF. This is the only one I haven't played with at length.
All of the above for 80k/yr. So for more than 80k I should expect to be PROFICIENT with everything above. If I don't put in the work then expect 80k or less.
Let me know what you think of this article on Twitter @cpardue09 or leave a comment below!