Since you now have the perfect resume, you will probably land some interviews! We decided to put together some advice on how to handle these interviews.
First, the obvious: look professional. Wear a suit (or at least smart casual), clean shoes, and a clean, ironed shirt.
The first question your future employer will ask himself after seeing you is “Can I send this guy to my clients?”
If you make a good impression, your future employer/manager knows that you will make the same good impression on their clients. That’s why you should always avoid swearing too.
You need to learn about the company (visit the company website, know the key people, when it was created, recent talks?).
I used to run interviews with someone in charge of the “non-technical” aspect of the interview; his first question was always: “Why do you want to work for/with us?”, quickly followed by: “Who are the key people in the company?”.
Far too often, people had no idea who was working in the company or even what the name of the CEO was… way too many awkward silences during that part of the interview. You cannot afford this kind of mistake; it just makes you look unprofessional and unprepared. And someone less talented than you could get the job just by looking more prepared.
You think you’re smart and you are going to work something out the day you need it (using Google?) like you probably did for all your previous jobs? A good interviewer will ask you in-depth questions and won’t let you go with half-baked answers or bullshit… You need to know your stuff and you need to be able to show that you know your stuff. Don’t forget that people on the other side are pretty smart as well. They shouldn’t be the average managers you used to b*****it before with random buzzwords. They actually know what you are talking about and may even be better than you at it…
If you don’t know or you’re not sure: say it. When you work as a security professional, you will sometimes say to your clients: “I will need to look it up and come back to you”. It’s the same in an interview. People want to know that you’re not a bullshit artist. Accept that you won’t know everything people will ask you. Use sentences like: “I’m not sure but I think this is how it works”. It will make a great difference.
I put together some of the questions you may get asked (based on the ones I like to ask):
After realising that there was a huge gap between being able to explain a concept and actually being able to apply it, more and more companies moved from a tech interview to a tech interview followed by a hands-on interview. The goal is pretty simple here: you have a target and you need to show how you will test/attack it.
After the technical interview, another interview is set up with a hands-on test (only if the person did well enough, obviously); some companies even use PentesterLab Free Exercises.
Interviewers running hands-on interviews want to see the following:
As an interviewee, I think it’s important to keep calm and know what the interviewers are after. They don’t want you to be able to do everything in half an hour or write a crazy exploit. They want to see how you think, how you work, how you debug, if you take notes…
Obviously, you need to practice for this. Make sure you know how to find bugs and exploit them.
One of my favourite parts of the interview is the “pub” interview. If things go well, it’s common to go to the pub with the interviewee to share a few drinks. That’s a really good way for the interviewer to get the interviewee to drop his line of defence and see how he/she behaves in everyday life.
The obvious advice is to behave nicely to other people in the bar (if you are not already doing that every day… you should):
Another piece of advice is not to drink too much and not to start talking as if it’s off the record. It’s obviously not. Trust me on this, whatever people say, it’s not off the record. Be more relaxed, enjoy the drinks, talk more freely, but don’t start talking about illegal stuff and know when to call it a night.
Hopefully, this post gave you some insight into what to expect during an interview and will help you land a job as a penetration tester.