
While freelance software developers can show their work to potential clients by building personal projects or by showing a previous client's project, how can a pentester do the same?

A pentester can't provide audit reports of previous clients, as they are confidential. If he is new, he may work for free for a few clients and show his work, but again, how would he show his work to potential clients without showing the actual reports?

schroeder
Ron
  • Work for a reputable company for a few years. Find some CVEs. Get a reputation doing bug bounties, especially if you find something on Facebook or another reputable website. Publish in academic journals on the latest 0day you have found. Find one of those amazing side-channel attacks such as Spectre and also publish it in a journal. – user5623335 Jan 11 '20 at 01:13
  • This would be a better fit for Workplace. The answer is no different than for any other career. As a software engineer I can't show off any of my code and no one cares about my side projects. How do I show that I am good at my job? By having work experience and going through their interview process. Each company has its own method for gauging talent, and you just do your best to show your experience. – Conor Mancone Jan 11 '20 at 02:53
  • "As a software engineer I can't show off any of my code and no one cares about my side projects." Are you serious? I am talking about freelance software developers. I have seen countless people on freelancing platforms who refer to their previous projects. There are some web apps which they worked on that are live; they provide links to them and pictures in their profile. – Ron Jan 11 '20 at 11:28
  • @Ron sure, but that doesn't mean that people who hire them care. I have a few side projects with lots of stars on GitHub, and have pointed them out prominently in my job applications and resumes. However, my potential employers have never looked at them or cared. Side projects are only helpful if the person looking to hire you cares, which is exactly my point. You get a job or gig by demonstrating the skills the person wants in whatever way they want it done. – Conor Mancone Jan 11 '20 at 11:33
  • This is in a specific industry (and only one person's story) but it is related: https://towardsdatascience.com/sorry-projects-dont-get-you-jobs-3e5d8e74bfdc – Conor Mancone Jan 11 '20 at 11:37
  • Thanks @ConorMancone, I will keep that in mind. A quick question: I have reported flaws to open source projects and lots of bug bounty programs (including Google). Should I include them in my resume and also while bidding, or not? What do you think? – Ron Jan 11 '20 at 12:12
  • Anything public is good to include in your resume (that's what I do) because it at least demonstrates experience, even if no one actually looks at it. To be clear though, don't literally include them in your resume; include a link somewhere that shows them off (blog, website, etc.). The main suggestion I would give is to look at lots of job postings in your field and figure out what people *do* look for. – Conor Mancone Jan 11 '20 at 12:45
  • For instance, it is actually common in my "niche" for job applications to request links to GitHub. However, there has only ever once been a case where my past work was actually mentioned in an interview, which is why I don't think anyone actually looks at it. Instead, people just do whatever it is they think helps them evaluate candidates, and you just have to do your best to keep up. – Conor Mancone Jan 11 '20 at 12:48
  • Thanks a lot for the advice @ConorMancone. After you said "I have a few side projects with lots of stars in GitHub" I was curious to check your GitHub, but I couldn't find any repo on your GitHub profile with lots of stars (I believe you are talking about another account of yours). And yeah, don't think of me as a stalker. I was genuinely curious to know about repos which gained lots of stars. – Ron Jan 11 '20 at 12:51
  • :) "lots" is relative. I'm not claiming to be in competition with *any* popular open source systems. – Conor Mancone Jan 11 '20 at 14:54
  • While following everyone's advice, keep your employment and other contracts such as NDAs in mind! – skrap3e Jan 12 '20 at 05:08

2 Answers


What you are talking about is "work product" (the pentest reports). There are lots of industries where someone cannot show their work product to another person to show their expertise. A cashier cannot show another employer their work product, because there is nothing to show.

What you are trying to figure out is what to show instead of your work product. That's actually quite easy.

  • Referrals
  • Testimonials from previous clients
  • Testimonials from co-workers/employers
  • Certifications (some people will flay me for this suggestion, but it helps support actual work you've done - certifications should confirm your expertise and not be the sum total of your expertise)
  • Performance in competitions
  • Work product in adjacent areas (CVEs, bug bounties, things you've coded, books, etc.)

You want to show, not your main work product, but your skills in adjacent areas that reflect your skill and expertise in your main work.

The easy way to do this? Get more public with your technical work (CVEs, competitions, CTFs, etc.) and create materials to help potential clients, whether they hire you or not. Books, a blog, anything to reach out to customers to help them but not sell to them. If you can help as a hired pentester, then you can help as a provider of general advice. Do that, and you develop trust. When you reach out to prospective clients, you can give them your free material, whether they hire you or not.

When you can't show work product, you need to have trust and reputation.

schroeder

A pentester can't provide audit reports of previous clients as they are confidential

I don't truly agree with this. Reports can be edited, sanitized and anonymized. For example, if you just replace or black out the IP addresses, it's already much harder to identify the client. Just omit the info that is too revealing.

Actually, as a customer I would love to see report samples, because some security testers/auditors have a box-ticking attitude and do little more than follow a template and copy-paste. The reports actually tell it all about your skills, and they're the most important deliverable.

It's not just your technical prowess on display but also your ability to convey complicated geeky stuff in simple terms to a non-technical audience.

When you think of it, plenty of employees are in a similar situation: they cannot easily prove how much money they brought in while working at some company, because obviously the financials are confidential too, but they can nonetheless explain their work process and should be able to provide testimonials. After all, there is no reason why every single one of your customers would decline to provide references.

Kate