A Day In The Life Of A Female Pentester | Corisande Evans

Written by

Corisande Evans

Published on

10 Aug 2020


To celebrate International Women’s Day, we held a Women in Cybersecurity Roundtable discussion, where some of the brilliant women forging cybersecurity careers with SureCloud talked about female representation in the industry and what we can do to encourage more women to join this fascinating sector.

In this blog, we speak to one of the speakers from our Cybersecurity Roundtable event about her own experiences of building a career in cybersecurity.

Corisande spends her days undertaking penetration tests for our clients. To continue the conversation and to celebrate women in cybersecurity, we’re taking a closer look at how she ended up working in this area, what a typical day looks like and why more women should be looking to follow in her footsteps.

To find out all of this and more, SureCloud’s Marketing Communications Manager, Lucy Montague, sat down with her to run through a quick Q and A.

Hello Cori, thanks for taking the time to talk to us, so let’s start at the beginning…

How did you get into penetration testing?

“I don’t have a computing background; my first degree was in Biology, and I originally intended to continue my studies in Forensic Science. However, I switched to Digital Forensics following a fascinating talk at the open day.”

“From there, I worked as a Cyber Analyst for a law firm, where I was able to shadow penetration testers for the first time, and that led me to my first role focused specifically on penetration testing, where I spent two years.”

“People came from a real variety of backgrounds – some were computer science graduates, but others from very different roles. That blend of backgrounds is actually really important for identifying vulnerabilities and thinking like bad actors, as hackers also have a wide variety of backgrounds and experiences.”

You joined the SureCloud team as a Cyber Security Consultant in November 2019. What does a typical day look like for you?

“We have a brilliant scheduler, Sarah, who also featured in our roundtable. She gives us all of our jobs and allocates resources across different tests. So the first thing I do is check the schedule and see which tests I’m in.”

“Previously, we will have got all the prerequisites, setting out the particular application we’re testing, or the IP address, for example. I set up the platform we use to track each test and ensure the correct scope is set out.”


From there, let’s get into the nuts and bolts of penetration testing itself. What does this involve?

“Imagine I’m testing a web application like Instagram. The first step is light touch testing to understand what the app is and what technology was used to build it. This might involve imitating a user journey, profile creation, posting, and deleting photos, and so on.”

“The next step is to think more like a malicious user, understanding their motivations and goals. Here, this might mean accessing other users’ profiles or manipulating their photos. We have tools that allow us to manipulate requests from applications to the internet.”

“Another element of malicious activity is targeting the company itself, rather than other users, so those are scenarios we have to work through also.”

Much of this side of penetration testing is highly contextualised, working through different scenarios in relation to that particular test subject. However, it is also important to ensure those common vulnerabilities are strategically assessed. How do you ensure you don’t miss anything?

“We have a framework – a directional methodology called the OWASP Top Ten, which sets out some of the most common groups of vulnerabilities which people report on applications – things like injection flaws, broken authentication, and SQL injections.”

“Once the obvious questions are covered, I might do some research on the specific technologies identified. Are there any common vulnerabilities within those technologies or ready-made proof of concepts or exploit codes that someone might download?”

What’s the average duration for a penetration test?

“Timescales vary enormously. There are times where the authentication, for example, is so terrible that I can spend three days on it. Likewise, I might be the only pen tester working on a job, or there might be several of us.”

“I always share my findings with the wider team and vice versa. If we find something unusual, it’s always useful to have that direct, on-the-job learning.”

How would you best summarise your job?

“It’s like a big puzzle. That’s actually what sparked my interest in the first place; that’s why I liked biology and forensics. Imagine that there’s a vulnerability you’ve never seen. The proof of concept looks like it should work but doesn’t. You have to be prepared to troubleshoot to work through the puzzle. That’s your day-to-day.”

There is no denying that it is still unusual to find women in penetration testing. What would you say to women who are interested in getting into this male-dominated industry?

“I went into every single one of my degrees, thinking there was one job at the end of it. From Biology, I thought I was going to be working in a research lab. From Forensics I thought I was going to be working in a forensics lab. It was always ‘this degree gets me this one job at the end,’” she says.

“But actually, I had picked up so many transferable skills, and to be successful as a penetration tester, you don’t need to be that ‘hacker-esque’ programmer who does everything in a hoodie! I absolutely love it. It’s a place in the industry that is constantly changing. It’s so interesting.”

If you think a career in penetration testing could enthuse and interest you as much as it does Corisande, get in touch with SureCloud today at careers@surecloud.com or head over to our careers page here.

We look forward to hearing from you.

Missed our original webinar roundtable with the Security Senoritas? Watch it here.


About SureCloud

SureCloud provides Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization will benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products, enabling seamless integration of information, taking your risk programs to the next level.