
Show HN: Building a Market for Penetration Testing

66 points by kenbaylor, over 9 years ago

15 comments

fmavituna, over 9 years ago
Hey Ken, wishing you guys the best, good project.

As a seasoned (although retired) pen-tester I wanted to say you'll have some serious problems with rating when it comes to results.

When a company hires pen-testers and the pen-testers do or do not find stuff, the company has no idea about the coverage. So the pen-test team might have missed a lot of stuff or identified all of it. I'm sure you've seen in the real world that even the same members of the same pen-test team might find different issues for the same test.

Therefore one of the biggest problems is actually knowing whether they are good or not at what they do. It's easy to rate communication skills, responsiveness, attitude, report quality etc. But it is very hard to rate the quality of the results (which is the real reason for carrying out a pen-test).

When they don't find something, maybe there really is nothing there. When they find something, maybe there is more there. The customer has no idea at that point. It'll only be a fair amount of time later that they'll figure out the coverage / vulnerability-finding quality.

I'm sure in the long run the market will stabilize (assuming you can change your rating for a pen-tester even after a year) but this is something to consider.

Update: BTW, personally I don't like the idea of logging in via LinkedIn (for finding security talent); it feels too intrusive. Besides personal preference, my experience showed me that the security industry especially doesn't like SSO-style things.
kagamine, over 9 years ago
This may be slightly off-topic, but how do you get started in pen-testing? I read a book about it and the book, with a focus on white-hat hacking, was very clear about making sure you have a green-lit target to test on, but even the company I work for isn't going to let me randomly hack away and test security without an agreement in place (they would want to know I was doing it so as to filter out false-positive attacks, for example).

So without doing anything either illegal or unethical, things that could lose me my current job, how does one build up the skills and experience?
tptacek, over 9 years ago
The best, most successful software pentesting teams barely market at all. NCC is one of the largest in the US, and nobody is finding them through Google ads, or, really, ads anywhere. The same is true of firms like Bishop Fox, Leviathan, and IOActive.

Which is to say, at least in the app pentesting market, I'm a little skeptical of the premise.
rsobers, over 9 years ago
I like the idea of a marketplace, but I don't think background checks and references are the way to build a credible list of the world's best pentesters.

I think what patio11 is doing with Starfighters.io is orders of magnitude better. Run developers through a gambit of supremely difficult tests via a fun CTF-type game and pair the best hackers with the highest enterprise bidder. Works not just for pentesters, but all devs really.

Also, I know where to get the best pentesters because they're listed on all the top companies' bug bounty pages. It's proof of skill I'm after, not some Gartner-esque gatekeeper telling me who's best because they've "background checked" them.

Give me a system more like StackOverflow or Starfighters where I can see the work. Not something subjective like eBay or Yelp, which can be easily gamed.
chasemiller, over 9 years ago
Hey @kenbaylor! I think that this is an awesome approach to addressing the issue of the infosec employee shortage. I've actually been kicking around the idea of building something similar for a while now, so it's exciting to see someone making progress in the area!

I saw the StealthWorker table at Shmoocon and wanted to swing by and ask some questions, but I got distracted by some of the other goings-on. Anyways, I finally got around to signing up a few days ago.

One issue that I have from the pentester's point of view is the lack of transparency after sign up. I haven't seen any confirmation that my application was received and is under review. However, I understand that StealthWorker is still in its infancy so this is understandable.

Excited to see what the future of StealthWorker holds!
Mandatum, over 9 years ago
How does the requirements NDA thingy work? Does every single tester/bidder need to sign an NDA? At what point of the process does the NDA need to be signed?

I feel a little uncomfortable signing an NDA unless the work has been outlined and the work is about to begin.

Also I think you're really cutting out a significant portion of the market with the LinkedIn requirements. I understand it's probably needed to filter the plebs, but you should probably allow for an alternative sign-up approach (i.e. a combination of phone verification, requiring a business email, etc.).

Altogether very cool! I'm trying to get into InfoSec myself. Good to see innovation in the industry!
jchung, over 9 years ago
Aside from an announcement that you've begun, is there anything specific you're looking for from the HN community? For example, are you looking for beta testers or pre-signups? I'm certainly interested in following your progress, but there is no call to action on this blog post.
rocky1138, over 9 years ago
Am I the only one unable to click on the hyperlink in the text? It seems like some sort of weird JS intercept is happening. The HTML shows it as a plain anchor; I'm not sure why JS is involved at all.

Here's the error I get in my Chrome console:

Mixed Content: The page at 'https://www.stealthworker.com/blog/rewarding-pen-testers-on-merit-not-marketing' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.stealthworker.com/'. This request has been blocked; the content must be served over HTTPS.
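The console error above is the browser's mixed-content rule in action: an HTTPS page may not issue an XMLHttpRequest to a plain-http endpoint. The script below is an added example (not code from the thread or from StealthWorker) that classifies sub-resource requests the way browsers do, going a little beyond the reported case to cover passive content and the loopback exemption; the page URL is the one quoted in the error, while the other requests and the kind labels are constructed for illustration.

```javascript
// Added example (not code from the thread or from StealthWorker): classify
// sub-resource requests the way browsers apply the Mixed Content rules, with
// the page and endpoint from the console error above as constructed input.

// Simplified "potentially trustworthy" check: https/wss or a loopback host (the spec also covers 127.0.0.0/8).
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const h = u.hostname;
  return h === 'localhost' || h.endsWith('.localhost') || h === '127.0.0.1' || h === '[::1]';
}

// Verdict for one request issued from pageUrl:
//   'allowed'              page is not HTTPS, or the target is trustworthy
//   'blockable'            active content (xhr, fetch, script, iframe): blocked outright
//   'optionally-blockable' passive content (img, audio, video): warned or auto-upgraded
function classifyRequest(pageUrl, requestUrl, kind) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl); // relative URLs inherit the page's scheme
  if (page.protocol !== 'https:') return 'allowed';
  if (isPotentiallyTrustworthy(req.href)) return 'allowed';
  const passive = new Set(['img', 'audio', 'video']);
  return passive.has(kind) ? 'optionally-blockable' : 'blockable';
}

// The fix the site needed: call the same host over https instead of http.
function upgradeToHttps(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.href;
}

// Report every request with its verdict and the upgraded URL where one is needed.
function auditPage(pageUrl, requests) {
  return requests.map((r) => {
    const verdict = classifyRequest(pageUrl, r.url, r.kind);
    const fix = verdict === 'allowed' ? r.url : upgradeToHttps(new URL(r.url, pageUrl).href);
    return { url: r.url, kind: r.kind, verdict, fix };
  });
}

// Constructed sample: the real page URL from the error plus hypothetical extra requests.
const PAGE = 'https://www.stealthworker.com/blog/rewarding-pen-testers-on-merit-not-marketing';
const REQUESTS = [
  { url: 'http://www.stealthworker.com/', kind: 'xhr' },        // the request Chrome blocked
  { url: '/api/posts', kind: 'xhr' },                            // resolves to https: allowed
  { url: 'http://www.stealthworker.com/logo.png', kind: 'img' }, // passive mixed content
  { url: 'http://localhost:3000/dev', kind: 'xhr' },             // loopback is exempt
];
```

Running `auditPage(PAGE, REQUESTS)` flags only the first request as blockable and reports `https://www.stealthworker.com/` as its fix; a relative URL such as `/api/posts` needs no change because it follows the page's scheme.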
raesene9, over 9 years ago
Interesting idea, a couple of thoughts from a quick read through.

- I'd suggest that customer feedback may not necessarily be the best way to gauge security tester* competence. Many testers report by exception, so if the customer gets a relatively clean report they may be happy with that, but if the report doesn't detail the testing completed, how do they know the tester just didn't miss things from the review? You could enforce a consistent reporting style with tests completed to address that, but I'd guess that some testing companies wouldn't appreciate being asked to re-tool their reporting process.

- The model seems to imply the customer scopes the review. In my experience, for organisations with less experience of security testing, that's one of the hardest parts to get right. More experienced/larger companies would, I'd expect, be less likely to use this kind of service as they already have a panel process/procurement in place. If Stealth Worker are going to participate in the scoping process it would need the right set of people to complete that task (not a massively common skillset in my experience as it needs a good combination of technical experience and business understanding).

- Will the marketplace validate vendor claims of competence/skillset, and if so how will they do that? This could be a good value add, but is expensive to do well (e.g. designing and running assessments for candidate companies to provide a level of assurance of skill in particular areas).

- It'll be challenging to create an international model for this, as the regulatory requirements are different per country, and whilst testing companies might currently have indemnity insurance in their local market, that may well not cover international situations.

- The site could use some fleshing out on the team side. Currently it says "Stealth Worker is a team of CISOs, developers and lawyer" .... To me there's a large omission there, which is that it implies you don't have any testers on staff?!? I'm sure that's not the case, so it'd be worth making sure that was made clear on the site.

*Pet peeve: I prefer the term security testing to pen testing. The term pen testing rarely describes what most organisations actually need and also what is delivered. Pen testing implies a black-box adversarial review that "emulates a malicious attacker". This is only really desirable for mature organisations who have a strong handle on all the basics (which is not, in my experience, the majority). Also, truly emulating attackers is very difficult as they tend not to worry about breaking the law, unlike testing companies (you'd hope!)
r0s, over 9 years ago
I think the arguments against penetration testing are interesting.

As a software test engineer, we do external audits like this, but I wonder: documented or "known" vulnerabilities are not worth testing until there are systems in place that expect to cover them.

It seems that all vulnerabilities that are not intentionally addressed should be considered dangerous. If they are penetration tested but the vulnerability is unknown, the best you could hope for is "Not vulnerable for unknown reasons", which is just as bad as vulnerable in my perspective.

With some admitted trepidation, I assert that all software should be tested this way, with expected behavior being a primary dependency.

Edit: hiring outside penetration testers is still totally valid and desirable, since development and testing are two totally different domains. I'm only pondering methodology.
Sharma, over 9 years ago
This warning ruins the post.

Your connection is not secure

The owner of www.stealthworker.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
kenbaylor, over 9 years ago
This is Ken, who wrote the blog. I am in the thread.
jwcrux, over 9 years ago
How do you feel this will compete with the growing popularity of bug bounties, which are a crowdsourced pay-per-bug model?
Eriselle, over 9 years ago
Site has a pretty hilarious typo... "Have open cybersecurity positions that you are anxious to feel?"
cagey_vet, over 9 years ago
The same 5-7 guys will be showing up every time.