Recap: Elite Pentesters Tell All in a Live Q&A
Three elite HackerOne pentesters, Peter M. (@pmnh), Pranit G. (@rootsploit), Erfan F. (@mico02), and HackerOne’s own Juan L. recently shared their stories in a live AMA session that looked at the impact and results of community-driven pentesting, broadcasted back in December, 2023.
The participants answered live as well as carefully curated questions from popular community platforms such as Quora, Reddit, and LinkedIn. Below is a quick look into the question categories:
- Pentesting Insights, Experiences, and Technical Aspects
- Differences between pentesters and bug bounty researchers
- Pros and cons of community-driven security testing solutions
- Communicating the importance of pentest results
- Bug bounty competitiveness vs. pentest collaboration
- Manual vs. automated processes in pentesting
- Industry Trends and Future of Pentesting
- What’s ahead
- Impact of generative AI and Machine Learning on hacking and pentesting
If you’re weighing the benefits of community-driven pentesting against traditional models, or simply curious to learn more about the evolving trends in pentesting, check out some of the insights from our expert pentesters in the original Q&A format below, or watch the on-demand recording to hear their in-depth discussions and professional advice.
Meet the HackerOne Pentesters
Peter M. (@pmnh)
Peter is a full-time ethical hacker/pentester with over three years of experience in the security field and more than 20 years as a lead developer/architect in software and engineering leadership roles. At HackerOne, Peter has conducted numerous successful penetration tests and source code reviews, consistently identifying high/critical vulnerabilities in flagship programs.
Pranit G. (@rootsploit)
Pranit Garud is an experienced Security Engineer and Bug Bounty Hunter with over seven years of dedicated experience in various domains of offensive security, including pentesting, red teaming, application security, vulnerability research, and attack surface management. With a proven track record, Pranit has collaborated with industry-leading organizations, including Fortune 500 companies, significantly enhancing the security posture of these enterprises.
Erfan F. (@mico02)
Erfan is a seasoned Security Consultant with an extensive track record in partnering with organizations across finance, healthcare, transportation, and technology sectors in the United States and the United Kingdom. Outside of his professional sphere, Erfan is an avid bug hunter, enhancing his pentesting skills through this rigorous practice.
Juan L.
Juan has been in the infosec industry for over ten years while holding various positions. He started off in the industry as a tester and, over time, moved over to customer support. After a few years of customer support, Juan made his move to Project Management, becoming a Technical Project Manager before arriving at HackerOne, where he is a Technical Engagement Manager.
Pentesting Insights, Experiences, and Technical Aspects
Q: What is the most important skill a pentester can have?
Erfan: “I'd say the attitude to be a lifelong learner. The cybersecurity field evolves very fast. New techniques, bugs, methods of exploitation — it all develops quite quickly. You should take the responsibility of educating yourself and be a student of the industry. This process of learning never ends. And, if you don't keep yourself updated, you basically go out of fashion, since your skills won't be able to pick up the latest and the greatest bugs.”
Q: What are the differences between the ways pentesters and bug bounty researchers work?
Peter: “They are typically solving similar but different problems. With a pentest, you’ll get more rigor. Most pentesters have a fairly formal checklist that they go through to make sure that they're covering the many different categories of vulnerabilities. With bug bounty, typically, it's more open-ended. You can go after what you like within the scope of the program.
The other major difference that I've observed is that pentests will have more or deeper access to the application being tested than you would in an open bug bounty program. You'll be testing internal applications or authenticated apps. I recently did a white box pentest for HackerOne, in which we were given the source code of the application to audit, something you would very rarely find in bug bounty except for open-source-type research. As a customer, you'll get different results from these modes of testing.”
Q: What are the pros and cons of using crowdsourced solutions to cybersecurity, as opposed to more traditional solutions?
Pranit: In the case of a traditional pentest, you hire a vendor, you vet the vendor, you see that the vendor has the specific skill set or the talent pool, and then you engage them for a specific scope. every time the scope changes, the budget for the pentest might change. If you want to add another web app or mobile app, it changes. It can be pretty heavy on the pocket from the financial point of view.
In the case of crowdsourced solutions, once you have a vendor, they'll get the talent pool, and they'll assign the people. If you say that you want only the experienced hackers in your particular bug bounty program, the vendor will vet the hackers with specific metrics and assign them. With crowdsourced, you'll have diverse skillsets, it’s cost-effective, and you can cover a broader scope.”
Q: How do you communicate the importance of web application security to executives and board members?
Peter: You have to realize that the people who are consuming your reports are managers and executives, who might not have the deep technical experience that you do. The technical details of how you did what you did are important for remediation purposes, but you also need to be able to explain the business impact of a vulnerability. What could an attacker do? How easy is it for an attacker to have an impact on the business? Being able to communicate the impact of a vulnerability is going to get the engineering dollars to fix it.
Q: Wouldn't bug bounty be more competitive than pentesting, with hunters trying to be the first to get the bounty without sharing useful information with fellow researchers?
Peter: With bug bounty, yes, a lot of what you do will be solo. But one of the things that I love about bug bounty is that there's a great community. There are Discord servers, Twitter/X, and a lot of other ways to make connections within the community and collaborate with others. I can ask, ‘I'm working on this program. Is anybody familiar with it? Do you want to collaborate on this issue that I found?’ There are many people out there who have the same questions you do and are more than happy to help.
Erfan: Pentests have a place, and bug bounties have a place. What I've seen work is doing a pentest on a particular application to find all the low-hanging fruit. Then after pushing it to the outside world, you use bug bounty methodologies to come along and find the cracks between the pieces of the puzzle. Regarding sharing tools and techniques, we try to share more in pentests, and yes, bug bounty may be more competitive, but they serve each other.
Q: How much manual vs. automated work do you do in pentesting?
Peter: I'm mostly manual, given my background, and given the subpar results that I've seen from typical out-of-the-box automated scanning. The value of having a human pentester is applying that human knowledge to the pentest — really digging deep into the business functionality and obscure test cases that an automated tool isn't going to be able to intuit. And that's where you find the really impactful, hard-to-get bugs.
Q: What are the most effective ways to report pentest results? And what's the significance of following a recognized methodology?
Erfan: The most effective way to report results: debriefs. Having a meeting with customers after a test is conducted is the most effective way to communicate what's going on. They receive a lot of reports from a lot of different teams; to them, everything looks like it's on fire. So, you have to make a case around what you found to help the team who requested the pentest get the right dollars behind it.
Unfortunately, in my experience, a lot of clients don't ask for debriefs. It's free. It's offered. Please go for it. It's going to help you make a good case and it's going to help you understand the pentest.
Why is it important to follow penetration test methodology? We need to have a way to standardize and have consistency. And that's why we have to have a methodology. We have a checklist that every pentester follows at a bare minimum. Finally, there are legal and compliance aspects. Certain standards require pentests to be done a specific way.
Industry Trends and the Future of Pentesting
Q: What does the future of pentesting look like? Where is the sector headed over the next few years?
Pranit: In terms of pentesting, it really depends on the development teams. If there is a new product or new technology that is coming out, there is a requirement to secure that domain. For example, blockchain was not very well known when Bitcoin first launched, but recently, there have been many projects on the blockchain as the need for security has accelerated. As a result, pentesters always need to learn different things.
Q: How has generative AI changed hacking? Can artificial intelligence and machine learning be used for penetration testing?
Pranit: AI and ML are no strangers to the cybersecurity domain. The only question is how we can utilize it better in pentest. There are a lot of companies coming out with their own ML models. The way AI and ML work is you first train the models based on the preset data. So, if you deploy your own instance, you can learn more about how to utilize AI and ML for security purposes and pentesting.
Peter: These technologies have their own classes of vulnerabilities, but they're also integrated with your other internal APIs and data sources. It’s very common for vulnerabilities and those underlying APIs to be exposed through an ML or chatbot-type interaction. They're part of a bigger ecosystem, and you need to make sure you're looking at the whole ecosystem and the security profile, not just each bespoke technology.
Complete Your Security Program With HackerOne Pentesting
Interested in discovering how HackerOne Pentest is safeguarding businesses by tapping into top-tier security and pentesting expertise and merging it with a platform that offers real-time insights into ongoing pentests, enabling you to monitor essential metrics from initiation to remediation?
For a deeper understanding of how pentesting can be tailored to meet your organization’s specific needs and objectives, view our on-demand product demo or contact HackerOne's pentesting experts today!
The 8th Annual Hacker-Powered Security Report