Being a pentester in France
The profession of ethical hacker still suffers from many clichés. To paint a realistic picture of the daily life of a technical auditor, we interviewed Nadia*, a pentester for 3 years at Orange Cyberdefense.
If you had to explain your job to your grandparents, what would you say?
Today, everything is connected to the Internet, from our everyday objects (watches, smartphones, lamps…) to most of the services we use (health, taxes, sales sites, banks, emails…). All these elements must be protected. My job is to put myself in the shoes of a hacker to identify vulnerabilities and enable companies to improve the security of their products and IT systems.
To remain ethical, what are the limits not to cross?
Our framework of intervention is defined by law but also by our clients. We never go beyond that.
What does your daily life look like?
A technical audit lasts between one and two weeks. We start with generic tests and evolve towards more and more precise scenarios. Within a limited timeframe, we identify as many vulnerabilities as possible to give the client a concrete idea of the security level of the audited perimeter. At the end of this technical phase, we move on to writing the audit report, which is the deliverable that presents our results to the client. It also contains information on how an attacker could take advantage of the identified vulnerabilities, as well as advice on how to protect their company.
Are you always able to find vulnerabilities?
It does happen that we find nothing, but this is rare because it requires a very high level of maturity on cybersecurity issues.
Telling a client that you have successfully found gaps in the audited perimeter can be tricky. How do you manage this part of the work?
Customers are actually satisfied when we find vulnerabilities. The audit report allows them to improve the security of their products and information systems.
Is team spirit important in your job?
Team spirit is fundamental. We are rarely alone during a technical audit and, most of the time, we work in pairs. Pentesting is not a field in which everyone remains isolated. We are constantly exchanging within our team.
What do you like best about your job? What is the most difficult part?
Pentesting is a constantly evolving field with new technologies and techniques. There is always something to learn, and I like that. On the negative side, the limits of the scope of intervention can be frustrating. Sometimes we know that we could have gone much further in exploiting vulnerabilities, but we had to stop.
How do people react when they find out you are a hacker?
The first reaction is curiosity. People also often ask me if I can hack into a friend’s Facebook account… Overall, it is still quite positive and funny. I also sometimes face the cliché of the pentester in a hoodie; people do not expect a woman.
What can be the career developments for a technical auditor?
With experience, we are able to manage audits in their entirety, from pre-sales to the return of the audit to the client. The position then includes a part focused on project management. At Orange Cyberdefense, it is also possible to move on to technical or management expertise positions as well as to other professions, in a more cross-functional way, in the field of cybersecurity.
What “stupid” mistakes can be made at the beginning of a career?
When you start, you may tend to rely too much on automated vulnerability-scanning software. This gives the impression that the tools do all the work, which is far from being the case. They must be used wisely and supplemented with targeted manual tests.
Have you ever been asked to switch to the “dark side of the Force”?
Never, thank God! Contrary to what one might imagine, we do not have these temptations at all. Our customers entrust us with extremely valuable and sensitive data; we cannot allow any doubt about our integrity.
*The first name has been changed.