13 October 2020
Today, everything is connected to the Internet, from our everyday objects (watches, smartphones, lamps…) to most of the services we use (health, taxes, sales sites, banks, emails…). All these elements must be protected. My job is to put myself in the shoes of a hacker to identify vulnerabilities and enable companies to improve the security of their products and IT systems.
Our framework of intervention is defined by law but also by our clients. We never go beyond that.
A technical audit lasts between one and two weeks. We start with generic tests and evolve towards more and more precise scenarios. Within a limited timeframe, we identify as many vulnerabilities as possible to give the client a concrete idea of the security level of the audited perimeter. At the end of this technical phase, we move on to the writing of the audit report, which is the deliverable that presents our results to the client. It also contains information on how an attacker could take advantage of the identified vulnerabilities, as well as advice on how to protect his company.
It happens that we find nothing, but this is rare because it requires a very high level of maturity on cybersecurity issues.
Customers are actually satisfied when we find vulnerabilities. The audit report allows them to improve the security of their products and information systems.
Team spirit is fundamental. We are rarely alone during a technical audit and most of the time, we work in pairs. The pentest is not an area in which everyone remains isolated. We are constantly exchanging within our team.
Pentest is a constantly evolving field with new technologies and techniques. There is always something to learn, and I like it. On the negative aspects, the limitation of scopes of intervention can be frustrating. Sometimes, we know that we could have gone much further in exploiting vulnerabilities, but we had to stop.
The first reaction is curiosity. People also often ask me if I can hack into a friend’s Facebook account… Overall, it is still quite positive and funny. I also sometimes face the cliché of the pentester in a hoodie; people do not expect a woman.
With experience, we are able to manage audits in their entirety, from pre-sales to the return of the audit to the client. The position then includes a part focused on project management. At Orange Cyberdefense, it is also possible to move on to technical or management expertise positions as well as to other professions, in a more cross-functional way, in the field of cybersecurity.
When you start, you may tend to rely too much on automatic vulnerabilities finding software. This gives the impression that the tools do all the work, which is far from being the case. They must be used wisely and supplemented with targeted manual tests.
Never, thank god! Contrary to what one might imagine, we do not have these temptations at all. Our customers entrust us with extremely valuable and sensitive data, we cannot allow any doubt about our integrity.
*The first name has been changed.
We are always looking for talent! Choose from a wide range of exciting jobs across our many topics and regions.
You find a number of these job opportunities on our Careers page. Have a look and maybe we'll meet in the team of security heros, building a safer digital society soon!Check job opportunities