A Day In The Life Of A Female Pentester | Corisande Evans
To celebrate International Women’s Day, we held a Women in Cybersecurity Roundtable discussion, where some of the brilliant women forging cybersecurity careers with SureCloud talked about female representation in the industry and what we can do to encourage more women to join this fascinating sector.
In this blog, we speak to one of the speakers from our Cybersecurity Roundtable event about her own experience of building a career in cybersecurity.
Corisande spends her days undertaking penetration tests for our clients. To continue the conversation and to celebrate women in cybersecurity, we’re taking a closer look at how she ended up working in this area, what a typical day looks like and why more women should be looking to follow in her footsteps.
To find out all of this and more, SureCloud’s Marketing Communications Manager, Lucy Montague, sat down with her to run through a quick Q and A.
Hello Cori, thanks for taking the time to talk to us, so let’s start at the beginning…
How did you get into penetration testing?
“I don’t have a computing background; my first degree was in Biology, and I originally intended to continue my studies in Forensic Science. However, I switched to Digital Forensics following a fascinating talk at the open day.”
“From there, I worked as a Cyber Analyst for a law firm, where I was able to shadow penetration testers for the first time, and that led me to my first role focused specifically on penetration testing, where I spent two years.”
“People came from a real variety of backgrounds – some were computer science graduates, but others from very different roles. That blend of backgrounds is actually really important for identifying vulnerabilities and thinking like bad actors, as hackers also have a wide variety of backgrounds and experiences.”
You joined the SureCloud team as a Cyber Security Consultant in November 2019. What does a typical day look like for you?
“We have a brilliant scheduler, Sarah, who also featured in our roundtable. She gives us all of our jobs and allocates resources across different tests. So the first thing I do is check the schedule and see which tests I’m on.”
“Previously, we will have got all the prerequisites, setting out the particular application we’re testing, or the IP address, for example. I set up the platform we use to track each test and ensure the correct scope is set out.”
From there, let’s get into the nuts and bolts of penetration testing itself. What does this involve?
“Imagine I’m testing a web application like Instagram. The first step is light touch testing to understand what the app is and what technology was used to build it. This might involve imitating a user journey, profile creation, posting, and deleting photos, and so on.”
“The next step is to think more like a malicious user, understanding their motivations and goals. Here, this might mean accessing other users’ profiles or manipulating their photos. We have tools that allow us to manipulate requests from applications to the internet.”
“Another element of malicious activity is targeting the company itself, rather than other users, so those are scenarios we have to work through also.”
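The access-control scenario Cori describes (one logged-in user reaching another user’s profile by editing the request) is easy to probe systematically. The script below is an added example, not SureCloud’s tooling or anything from the original interview: it stands in a constructed in-memory profile API for the real web application, with made-up users and session tokens, so it runs offline. A real engagement would send the same replayed requests through an intercepting proxy rather than calling Python functions.

```python
# Added example (not SureCloud's own tooling): replaying a captured profile
# request as a different user to detect an insecure direct object reference
# (IDOR), a classic broken-access-control finding. The "API" below is a
# constructed in-memory stand-in for a web application so the script runs
# offline; the data and tokens are invented for the example.

# Constructed sample data: profile ids are sequential, so an attacker who
# sees id=2 in their own traffic can simply try 1, 3, 4, ...
PROFILES = {
    1: {"owner": "alice", "email": "alice@example.test"},
    2: {"owner": "bob",   "email": "bob@example.test"},
    3: {"owner": "carol", "email": "carol@example.test"},
}
# Constructed session table: bearer token -> logged-in username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def vulnerable_get_profile(request):
    """Checks that the caller is logged in, but never that the requested
    profile belongs to them: any authenticated user can read any profile."""
    user = SESSIONS.get(request["headers"].get("Authorization"))
    if user is None:
        return 401, None
    profile = PROFILES.get(request["params"]["id"])
    if profile is None:
        return 404, None
    return 200, profile


def fixed_get_profile(request):
    """Same endpoint with the missing ownership check added. It answers 404
    rather than 403 so that a valid-but-foreign id is not confirmed to the
    attacker by a different status code."""
    user = SESSIONS.get(request["headers"].get("Authorization"))
    if user is None:
        return 401, None
    profile = PROFILES.get(request["params"]["id"])
    if profile is None or profile["owner"] != user:
        return 404, None
    return 200, profile


def tamper(request, param, value):
    """Return a copy of a captured request with one parameter changed, the
    way a proxy's repeater lets a tester edit a request before resending."""
    edited = {"headers": dict(request["headers"]), "params": dict(request["params"])}
    edited["params"][param] = value
    return edited


def probe_idor(endpoint, token, candidate_ids):
    """Replay the legitimate request with every candidate id while keeping the
    attacker's own session. Returns the ids that came back 200 with data owned
    by someone else; each one is an access-control failure to report."""
    me = SESSIONS[token]
    baseline = {"headers": {"Authorization": token}, "params": {"id": None}}
    leaked = []
    for candidate in candidate_ids:
        status, body = endpoint(tamper(baseline, "id", candidate))
        if status == 200 and body["owner"] != me:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    # Bob, a legitimate user, tries ids 1..5 against both versions.
    print("vulnerable:", probe_idor(vulnerable_get_profile, "tok-bob", range(1, 6)))
    print("fixed:     ", probe_idor(fixed_get_profile, "tok-bob", range(1, 6)))
```

Run as Bob, the vulnerable endpoint hands over Alice’s and Carol’s profiles while the fixed one returns nothing foreign; Bob’s own profile is correctly excluded from the findings in both cases. The probe deliberately compares the returned record’s owner against the attacking session rather than trusting status codes alone, which is what separates a real IDOR from an endpoint that merely answers 200 with an error body.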
Much of this side of penetration testing is highly contextualised, working through different scenarios in relation to that particular test subject. However, it is also important to ensure that common vulnerability classes are assessed systematically. How do you ensure you don’t miss anything?
“We have a framework – a directional methodology called the OWASP Top Ten, which sets out some of the most common groups of vulnerabilities which people report on applications – things like injection flaws, broken authentication, and SQL injections.”
“Once the obvious questions are covered, I might do some research on the specific technologies identified. Are there any common vulnerabilities within those technologies or ready-made proof of concepts or exploit codes that someone might download?”
What’s the average duration for a penetration test?
“Timescales vary enormously. There are times where the authentication, for example, is so terrible that I can spend three days on it. Likewise, I might be the only pen tester working on a job, or there might be several of us.”
“I always share my findings with the wider team and vice versa. If we find something unusual, it’s always useful to have that direct, on-the-job learning.”
How would you best summarise your job?
“It’s like a big puzzle. That’s actually what sparked my interest in the first place; that’s why I liked biology and forensics. Imagine that there’s a vulnerability you’ve never seen. The proof of concept looks like it should work but doesn’t. You have to be prepared to troubleshoot to work through the puzzle. That’s your day-to-day.”
There is no denying that it is still unusual to find women in penetration testing. What would you say to women who are interested in getting into this male-dominated industry?
“I went into every single one of my degrees, thinking there was one job at the end of it. From Biology, I thought I was going to be working in a research lab. From Forensics I thought I was going to be working in a forensics lab. It was always ‘this degree gets me this one job at the end,’” she says.
“But actually, I had picked up so many transferable skills, and to be successful as a penetration tester, you don’t need to be that ‘hacker-esque’ programmer who does everything in a hoodie! I absolutely love it. It’s a place in the industry that is constantly changing. It’s so interesting.”
If you think a career in penetration testing could enthuse and interest you as much as it does Corisande, get in touch with SureCloud today at careers@surecloud.com or head over to our careers page here.
We look forward to hearing from you.
Missed our original webinar roundtable with the Security Senoritas? Watch it here.
About SureCloud
SureCloud provides Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization will benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products, enabling seamless integration of information, taking your risk programs to the next level.