Suckless project management

It is with great sadness that I announce that I am back. This time, I would like to take a moment to talk about a topic I only recently realized is not talked about enough: Project management in penetration testing and the approach some companies take.

Preamble

I would like to first note that if you look up this topic now, you may find one video from the ISC2 Seattle chapter:

Working with a Pentest Project Manager & Tips for Being Your Own PM

I must extend a huge thanks to Tory Fisher; without you, I would never have known that it’s not just me being weird!

What project management entails

If you know what a penetration test is, you can probably imagine how a project goes: First, a project manager sets up the environment. Accounts are created, a timeline is agreed upon, access is provided and goals are set. Without these steps, a project cannot start. The project manager then passes all the necessary information to the pentest team, who use this information to start. After the team performs all necessary tests, the project manager can then pass the report to the client, schedule a report review and any potential retests.

I always valued project managers; without them, I could never have done my job to the level I wanted to. They took so much weight off me, but until recently, I never realized how much.

PMs are weird

A good project manager has the exact qualities I could never understand:

  • They are outgoing
  • They talk to people (and enjoy it, sometimes)
  • They can keep track of many tasks at once

All these are qualities I don’t have and don’t know how to develop properly. For me, talking to clients, even via e-mail, is a pain. I will procrastinate and spend an afternoon writing one e-mail. I am an introvert, and that may be why I enjoy pentesting: I like dealing with tech, not people. PMs, especially good PMs, enjoy working with people and can keep track of time. I often forget to have lunch unless someone tells me. I cannot juggle many tasks at once!

And who do you think the managers put into this position? Someone who would spend half a day preparing the whole year’s worth of pentests?

No. It’s yours truly.

How much I suck at PM’ing

When you’re an internal pentest lead, many things may be overlooked. One you may hear or think is “Why give these guys a PM? They know people in the company, talking to colleagues is easy!”

Well, it’s not. I don’t care how long your pentesters have been employed at your company; they probably don’t know the inner workings well enough, or just don’t care. Would you give an external company the name of your application owner and tell them “Good luck”? Probably not. So why is it that when you’re testing applications your own company is developing, all this “extra service” is suddenly not provided? Why?

All the service you would provide to a contractor should ideally be afforded to your internal team as well.

How much did I manage?

Surprisingly, I managed a bit: I performed one internal webapp pentest, sent off e-mails asking for kick-offs, and even managed to argue for some training for my team. On the other hand, I only managed one pentest in two months. Why?

At the start of the year, I asked what I would have to do to get my work done. The conversation went something like this:

Who do I have to get in touch with to schedule pentests? The application owners. Okay, where do I find those? In the spreadsheet. What spreadsheet? The one John has. Who is John?

This went on for around 30 minutes. After 30 minutes, I had a list of names and after a few days, I mustered up the courage to e-mail them. The answers, I was not surprised to see, were quite similar.

We’re here to test your shit. Sure! Do you have the accounts? Nope, where do I get them? Just submit a ticket. Okay, for which team? The one that creates accounts.

This is my experience every step of the way. This is why every pentest team needs a project manager. At this point, I am starting to almost hate my job, and why? I am forced to jump through hoops talking to people and navigate corporate bullshit. And lastly, I am told I may be “too expensive” to do pentests. Of course I am bloody expensive; I’m dying, one spreadsheet at a time.

If you are a manager

If you manage any team, any sort of team, I implore you: Spare your technical people. They will be happier and more capable/willing to focus on the things that make them grow. Do not force them to perform actions which another person can do ten times better.

If you are a pentester

If you have been tasked with project management for your team and you’re a technical person, please refer your boss to this blog post or the ISC2 video. You may get time to focus more on what you’re actually good at!

What I am going to do

I am probably going to hold out for the foreseeable future and see if my pleas gain any ground. We shall see what the future brings, but I can honestly say I am not good at project management. If you or anyone you know is a project manager, please tell them I appreciate them.