The Journey from Pentesting to Security Code Review

I think the hardest part for pentesters transitioning into security code review is going back to the low level of confidence they had when they started as blackbox testers, and starting all over again. A big part of becoming a good blackbox tester is learning to be uncomfortable until, eventually, you become comfortable: you know more, and you know you can figure things out with a high degree of confidence. Security code review is exactly the same.

Here's the honest truth about this transition:

  • It’s Hard: There’s no sugar-coating this. It's a challenging journey that demands patience and perseverance.
  • It Takes Time: Just as it did with pentesting, mastering code review is a gradual process.
  • Be Prepared to Feel Dumb Again: This is part of the learning curve.

Key Tips for the Transition

# Stay Focused

Commit to spending substantial time on one codebase. Don’t switch targets every few hours just because you haven’t found a zero-day vulnerability. A chaotic approach won't help you grow as a code reviewer.

# Find Good Targets

Selecting the right codebases is crucial. You don't want something too hard or something too simple: you need to be able to grow. For guidance on this, check out our other blog post, How to start reviewing code?

# Measure Success Differently

Stop measuring your success by the number of vulnerabilities you discover. Instead, look at your improvement in understanding code, navigating codebases, and deciphering complex code structures. These metrics are far more indicative of your progress as a reviewer.

# Understand That What You Read/See Is Not the Reality

You have probably come across a few blog posts or conference talks and assumed that what you read or saw is how code review actually happens. What those show is the happy path: a shortcut that explains the issue. They rarely show the struggle, the real path the reviewer took to find the bug, or the thousands of detours along the way. They also don't mention the hundred times the reviewer wanted to give up.

# You’re Not Wasting Your Time

Even if you feel like you're not making significant progress, remember that all the time spent will at least help you become a better pentester. It's never wasted effort.


So, take a deep breath, embrace the suck, and dive into the world of code review with a positive mindset. You'll find that with time, persistence, and perseverance, you'll get there!

Written by Louis Nyffenegger
Founder and CEO @PentesterLab