Hiring pentesters - http://blog.pentesterlab.com

Hiring the right people is becoming harder and harder. I decided to share some tips and feedback based on few years of reading resumes and interviewing people.

I don't think you can really have an equation to rate the right person, I think it's more like a list of things I like or dislike in a resume.

In my opinion, the best hiring process follows the following steps (for the technical side of it):

• Review resume.
• Technical interview.
• Hands-on interview.
• Drinks.

In this first post, I'm going to provide more details on how I review a resume and what affect my decision.

Pre-processing:

• Resume looks ugly: -1
• Obvious spelling mistakes in the resume: -3 (native speakers), -1 (others)
• Resume sent by a recruiter: +/- 5, some recruiters can take a resume and make it looks terrible or can make it look better...
• Buzzwords in the resume: -3
• Hotmail address: -3 ("Excuse me, are you from the past?")
• Own domain name: +2, with own SMTP server: +3
• Number of occurrence of the word "hack" in the resume: -1 per occurrence
• No internet presence: +/-10, can indicate the best and the worst

Formation:

• Developer formation: +2 someone who can write code will often be more useful than someone who can't
• Learn different things at school: +3, with special points for Maths, Cryptography, Data Mining, Signal processing, Electronic, ...
• Didn't go to high school: +/-0, some really really smart people didn't spend much time at school.

Job experiences:

• Job hopper: -5, training people takes time (especially if you're not using our exercises), you cannot afford to hire someone who is going to leave after a year (with your company's knowledge).
• More than 7 years working for one big company/big 4 and bragging about it: -2, if someone is not happy, he should move on, and not stay at the same place for that long
• Worked as a developer: +2, someone who can write code will often be more useful than someone that can't.
• Web site developer: +3, a big part of our job is web-based, knowing how to develop for the web gives people a lot of knowledge needed for penetration testing (common mistakes, ability to review code, ...).

Certifications:

• CEH: -2, too often I have been disappointed during technical interview by CEH. Most of them just want to hack stuff and don't learn properly how things work.
• CISSP: -3, CISSP is in my opinion a good certification for people who want to show general knowledge in security... not really the kind of people a pentest company is after in my opinion.
• ISO-2700*: -4, same as CISSP with even less technical knowledge
• PCI-DSS: -2, not really technical but some really good people are certified.
• All of these certifications together: -3
• Special points for "Firstname Lastname CISSP": -4

IT knowledge:

• List tool instead of Technic: -3, sqlmap" instead of "sql injection"
• List really old security tools: -3
• Obvious lack of security knowledge: -10, Non-sense in the resume for example

Code:

• github profile: +5
• github profile with projects: +5, +3 if really good code, +4 if code in different languages
• github profile with patches for opensource projects: +5 (-3 if advisory published for silly vulnerabilities)

Vulnerabilities:

• published a vulnerability in some project in version 0.1: -3, +3 if it's a full code review and they found "all" the bugs and report them prior to the disclosure.
• published a stack-overflow in some Russian mp3 player: -3 (typical CEH profile)

Others:

• References from someone: +10
• Twitter account: +1, -1 if only chitchat, -3 if security circus, +2 if real information on vulnerabilities
• Blog with interesting articles: +5
• Play CTF: +5
• Available on IRC: +2
• Talk during conferences: +5, unless talk on SCADA: -3
• Read Phrack: +5
• Wrote in Phrack: +20 (Phrack is the *BIG* deal, writing in phrack shows both a lot of skills and the good attitude)

Hobbies:

• Any achievement: +3, black belt in some martial arts, won something, ...
• Did/do some team sports: +/- 0. to be honest I don't think most good pentesters are team players, they are more like traders, sharing information/tools with people they know/like/respect or people who share with them.

I know a lot of people won't agree with this rating, mostly because it's really subjective (and part of it is a bit trollish I guess). However, most of the time it provides a good overview of a resume... Obviously, if I get a resume that matches all these points, I will be really suspicious now :p 

 

==============================================================

 

After the first post on hiring pentesters I thought I had to keep going... A lot of people read it and apparently liked it... If you are really interested by the interview process, matasano's one is pretty impressive...

Before the interview (or even before you read the resume), it's good to have a basic opinion on someone's skills... I wrote a simple website with 20 questions to get a quick feeling of who I'm talking to.

The questions are simple but allow to detect people with no security knowledge. Below are 2 of the 20 questions so you can see what I'm talking about:

• unmd5 is the PHP function used to retrieve the clear text of a md5 ? True/False
• Windows passwords are stored in C:\Windows\System32\drivers\etc\shadow ? True/False

If someone passes this test, the real technical interview can start.

As always, you will have the normal security questions (I guarantee most security companies ask for these):

• explain a tcp handshake
• how Windows passwords are stored?
• what is a cookie?
• opinion on disclosure?

From my experience, I think it's better to ask people to explain things than just to ask them what it's. You can really see what level of understanding people have of a problem...

For example, with Cross Site Scripting, you can have the following responses:

• "it's a problem of filtering and it allows an attacker to inject script in the page"
• "it's a problem of filtering and an attacker can display/run arbitrary code in victims' browser"
• "it's a problem of output encoding and can be used to inject Javascript or HTML in the page sent back to victims"
• ...

That way, you're able to see if the person really understands what's going on and how he will be able to explain it to someone else.

You need to have 2 types of questions:

• questions based on memory: "what port is used by X", "what nmap options do you used"
• questions based on reflection: "how will you solve that problem"

I also have my favorite set of questions:

• "You're going to PentesterLab's website, explain what happens...", that way you can see someone's knowledge of TCP/IP, DNS, HTTP, SSL, ...
• "What is the last cool thing you learned/read", that way you can see what people are interested by and where they at

After this test, another interview is setup with hands-on test (only if the person did good enough obviously), it's currently the web application of the exercise "From SQL injection to shell" and it's used to see how people think and behave with a computer.

You can see a lot of different things:

• what people use for desktop
• how fast someone is with his computer
• how people solve a problem
• if people bring a working laptop (yes it happened, someone came to an interview with a broken gentoo...)
• learn from people: sometime people show you cool tricks you didn't think of
• ...

Obviously, not everyone (actually only one person did it without any help so far) knows how to exploit a SQL injection manually (why do you think I created PentesterLab). But during the test, we help people and show how things work to see how they can learn new things and incorporate information into their way of thinking.

 

What is heap and stack?

The stack is a place in the computer memory where all the variables that are declared and initialized before runtime are stored. The heap is the section of computer memory where all the variables created or initialized at runtime are stored.

What are the memory segments?

The distinction between stack and heap relates to programming. When you look at your computer memory, it is organized into three segments:

• text (code) segment
• stack segment
• heap segment

The text segment (often called code segment) is where the compiled code of the program itself resides. When you open some EXE file in Notepad, you can see that it includes a lot of "Gibberish" language, something that is not readable to human. It is the machine code, the computer representation of the program instructions. This includes all user defined as well as system functions.

Now let's get to some details.

What is stack?

The two sections other from the code segment in the memory are used for data. The stack is the section of memory that is allocated for automatic variables within functions.
Data is stored in stack using the Last In First Out (LIFO) method. This means that storage in the memory is allocated and deallocated at only one end of the memory called the top of the stack. Stack is a section of memory and its associated registers that is used for temporary storage of information in which the most recently stored item is the first to be retrieved.

What is heap?

On the other hand, heap is an area of memory used for dynamic memory allocation. Blocks of memory are allocated and freed in this case in an arbitrary order. The pattern of allocation and size of blocks is not known until run time. Heap is usually being used by a program for many different purposes.
The stack is much faster than the heap but also smaller and more expensive.

Heap and stack from programming perspective

Most object-oriented languages have some defined structure, and some come with so-called main() function. When a program begins running, the system calls the function main() which marks the entry point of the program. For example every C, C++, or C# program must have one function named main(). No other function in the program can be called main(). Before we start explaining, let's take a look at the following example:

int x;                           /* static stack storage */
void main() {
   int y;                        /* dynamic stack storage */
   char str;                    /* dynamic stack storage */
   str = malloc(50);        /* allocates 50 bytes of dynamic heap storage */
   size = calcSize(10);       /* dynamic heap storage */

When a program begins executing in the main() function, all variables declared within main() will be stored on the stack.
If the main() function calls another function in the program, for example calcSize(), additional storage will be allocated for the variables in calcSize(). This storage will be allocated in the heap memory segment.
Notice that the parameters passed by main() to calcSize() are also stored on the stack. If the calcSize() function calls to any additional functions, more space would be allocated at the heap again.
When the calcSize() function returns the value, the space for its local variables at heap is then deallocated and heap clears to be available for other functions.
The memory allocated in the heap area is used and reused during program execution.
It should be noted that memory allocated in heap will contain garbage values left over from previous usage.
Memory space for objects is always allocated in heap. Objects are placed on the heap.
Built-in datatypes like int, double, float and parameters to methods are allocated on the stack.
Even though objects are held on heap, references to them are also variables and they are placed on stack.
The stack segment provides more stable storage of data for a program. The memory allocated in the stack remains in existence for the duration of a program. This is good for global and static variables. Therefore, global variables and static variables are allocated on the stack.

Why is stack and heap important?

When a program is loaded into memory, it takes some memory management to organize the process. If memory management was not present in your computer memory, programs would clash with each other leaving the computer non-functional.

Heap and stack in Java

When you create an object using the new operator, for example myobj = new Object();, it allocates memory for the myobj object on the heap. The stack memory space is used when you declare automatic variables.
Note, when you do a string initialization, for example String myString;, it is a reference to an object so it will be created using new and hence it will be placed on the heap.

===========================================

The stack is the memory set aside as scratch space for a thread of execution. When a function is called, a block is reserved on the top of the stack for local variables and some bookkeeping data. When that function returns, the block becomes unused and can be used the next time a function is called. The stack is always reserved in a LIFO order; the most recently reserved block is always the next block to be freed. This makes it really simple to keep track of the stack; freeing a block from the stack is nothing more than adjusting one pointer.
The heap is memory set aside for dynamic allocation. Unlike the stack, there's no enforced pattern to the allocation and deallocation of blocks from the heap; you can allocate a block at any time and free it at any time. This makes it much more complex to keep track of which parts of the heap are allocated or free at any given time; there are many custom heap allocators available to tune heap performance for different usage patterns.

Stack:

• Stored in computer RAM like the heap.
• Variables created on the stack will go out of scope and automatically deallocate.
• Much faster to allocate in comparison to variables on the heap.
• Implemented with an actual stack data structure.
• Stores local data, return addresses, used for parameter passing
• Can have a stack overflow when too much of the stack is used. (mostly from inifinite (or too much) recursion, very large allocations)
• Data created on the stack can be used without pointers.
• You would use the stack if you know exactly how much data you need to allocate before compile time and it is not too big.
• Usually has a maximum size already determined when your program starts

Heap:

• Stored in computer RAM like the stack.
• Variables on the heap must be destroyed manually and never fall out of scope. The data is freed with delete, delete[] or free
• Slower to allocate in comparison to variables on the stack.
• Used on demand to allocate a block of data for use by the program.
• Can have fragmentation when there are a lot of allocations and deallocations
• In C++ data created on the heap will be pointed to by pointers and allocated with new or malloc
• Can have allocation failures if too big of a buffer is requested to be allocated.
• You would use the heap if you don't know exactly how much data you will need at runtime or if you need to allocate a lot of data.
• Responsible for memory leaks

Each thread gets a stack, while there's typically only one heap for the application (although it isn't uncommon to have multiple heaps for different types of allocation).

• The OS allocates the stack for each system-level thread when the thread is created. Typically the OS is called by the language runtime to allocate the heap for the application.
• The stack is attached to a thread, so when the thread exits the stack is reclaimed. The heap is typically allocated at application startup by the runtime, and is reclaimed when the application (technically process) exits.
• The size of the stack is set when a thread is created. The size of the heap is set on application startup, but can grow as space is needed (the allocator requests more memory from the operating system).
• The stack is faster because the access pattern makes it trivial to allocate and deallocate memory from it (a pointer/integer is simply incremented or decremented), while the heap has much more complex bookkeeping involved in an allocation or free. Also, each byte in the stack tends to be reused very frequently which means it tends to be mapped to the processor's cache, making it very fast.