This is yet another guest post from our good friend Matt Gardenghi! If you enjoy this one, don’t forget to check his last one: Trusting the Browser (a ckeditor short story).
Often, I hear arguments that go like this: real hackers write code and exploits; everyone else is a script-kiddie.
That is a dumb argument from all sorts of levels. For starters, those who make this observation are usually those who can write code. Therefore, everyone who can’t meet their personal standards/abilities as a coder are “skiddies” who demean the profession.
I find it intriguing that everyone defines the basis for a good pentester by their own capabilities. Clearly you think that you are good and it’s normal to think that everyone will want to be good just like you. Consequently, they should all do as you do, right? Wrong. We need diversity of backgrounds, skills, and opinions. It’s healthy not to inbreed (intellectually or otherwise). Arrogance is the assumption that I set the standard. So, let’s not be arrogant. None of us are so good that we objectively define the standard for all other pentesters.
We are all in a process of growing and developing. We all started as “skiddies” and we all progressed from there. Instead of drawing people onward in the profession, to many practitioners discourage those coming behind. The “experienced” testers set the bar equal to their own skills and years of experience or to their skill set when they walked into their first pentesting job. (Doubt me? Go look at forums where someone asks what skills are necessary to be a pentester. Every single answer is different and is based on the author’s personal skill set and experiences.) I may not have a tool in my toolkit that you have. That doesn’t mean I can’t get the job done, I just might have to think differently and creatively to solve it in another way.
I took GWAPT from Kevin Johnson and Seth Misenar. Anyone care to call them skiddies? They both walked into the field from other professions and lacked the ability to read much code or write much code. They still don’t consider themselves coders; they say that they hack code. And yet they developed into experienced and qualified testers. So why would you tell newcomers that they need a CS degree and the ability to read/write shellcode or else they aren’t capable of being “good?” You could be pushing away the next best security guy by telling him that he’s not qualified to start.
We don’t want everyone to be an expert in the same field. That leads to a lopsided inbred situation. Since no one person can be an expert in every field, we need people who specialize in shellcode and exploit writing. We need others who are experts in working through website security including the process of abusing assumptions. We need some who have the skillsets to combine and apply the multitude of tools created by others in new and creative ways. We need to interact and support each other and recognize that we actually need each other and the diverse talents that others bring.
I do think that all users should seek to understand what’s going on in an exploit. No one should fire off an exploit until they know A) it’s not backdoored and B) whether it will hurt anything if it goes off badly.
As to those who wear their exploit writing skills on their sleeve? Go for it. It gives you a competitive advantage and you earned that. Just recognize that you aren’t the standard for the industry. Other guys can often do the job competently and may meet the specific needs of the clients more effectively. There is nothing wrong with that. (For the record, I don’t support people who call VA scans pentests. That’s a different issue.)
I just think that we as an industry, need to recognize that people with differing skill-sets might be better suited to a particular job than we are. That and everyone has to start somewhere. So please, how about we stop defining skiddies as anyone missing a piece of our personal toolkit?