Presentation of the Pentest Team
In any case, this blogpost will hopefully enlighten you about key aspects of what we do and how we work.
TL;DR
- 60 people in the team
- 5 technical team leaders
- Offices in 5 French cities: Paris, Rennes, Lyon, Toulouse and Lille
- Full remote (in France) possible
- Security assessments carried out in pairs
- Dedicated red team within the pentest team
- 10 trainings publicly available
The team
The team is currently led by five people: Julien Legras, Damien Picard, Lena David, Jérémy Luyé-Tanet, and Matthieu Barjole, who handles red team assessments more specifically. Among other things, they manage the team members day-to-day and serve as an interface between them and Synacktiv's board as well as the sales team. Because we want the team to be able to discuss technical matters with their managers, all of them were themselves pentesters for several years before they switched to a management position.
Some team members are also eager to take on tasks beyond their security assessments alone, which we are completely open to. For instance, some of them are involved in the hiring process, and some are in charge of handling specific kinds of assessments (e.g. regulatory-constrained certifications) or the assessments performed for specific clients. This is done on a voluntary basis: some people prefer focusing only on technical tasks and do not feel like taking on new responsibilities, which is totally fine with us.
Projects and day-to-day work
Depending on the needs of the client, this generally means performing intrusion tests or a security audit on these assets. Sometimes, regulatory constraints require following specific frameworks - for instance, that is the case for PASSI audits, CSPN evaluations and ANJ-related assessments.
Most of the time, the approach that will be taken for a given security assessment is discussed beforehand by the client and the member of the sales team who initially handles the project. Sometimes, a pentester is also involved in the discussion - for the most part, that happens when the topic at hand has a specificity of some kind and requires in-depth knowledge.
Some general steps are involved regardless of the project at hand. Roughly, when the sales team hands off a project to the pentest team, one team leader takes charge of it: among other things, they select the auditors who will work on it, schedule it, and reach out to the client to organize a kick-off meeting, during which the auditors and the client's team have the opportunity to discuss the upcoming security assessment. The kick-off meeting typically occurs a few weeks prior to the beginning of the tests, which leaves enough time for the client to gather the needed prerequisites.
Pentest projects are for the most part performed by a pair of auditors. In our experience, it is an effective way to support the overall growth in skills and knowledge of the team and to encourage people to learn from one another, which in turn allows for a more homogeneous skillset in the long run.
Most times, the tests are performed remotely, but some projects require on-site presence, which led pentesters to travel to Tahiti, Colombia, Mexico and Austria over the last few years, among other destinations.
When the tests are over, the auditors still have to write a report. This is an additional reason to have people work in pairs: each auditor writes a bit less, and the pair can proofread each other's work, although the report is also proofread by someone else in the team before actually being delivered to the client.
Overall, our projects can last from a few days to a few weeks, and sometimes span several months for things like red team engagements. Excluding the latter, the mean load for our projects is 16 man-days, which amounts to 8 business days because we work in pairs. This mean load includes both the actual tests and the writing of the report.
So, even though things can vary, in a typical week a pentester works with another on their assigned security assessment, either on the tests, on the writing of the report, or a bit of both. They will likely also attend one, maybe two kick-off meetings for upcoming assessments, as well as a weekly one-hour team meeting on Friday morning. Apart from being an occasion to discuss news pertaining to the company as a whole or to the team more specifically, this meeting also creates a weekly opportunity for all team members to highlight interesting resources, knowledge or tools they may have come across during the week, to describe their progress on R&D topics, and to share ideas on how to overcome technical hurdles encountered by others. An additional half-hour slot on Friday mornings, for which attendance is entirely optional, serves as a means for everyone in the company to give short talks on topics either technical or not.
As we value the opportunity for the team to work on scopes as diverse as possible, we are always eager to tackle varied client projects. Of course, a substantial part of the projects are scoped to usual targets such as websites, Internet-facing services or internal networks, but we also encounter less common targets on a regular basis. Here are a few examples of somewhat uncommon targets we've encountered:
- an automaton for analyzing blood samples
- a facial recognition solution
- a badge reading system
- a demonstrator for a fiber optics-based plane infotainment network
This diversity in projects benefits all team members, not only those with a certain level of seniority or experience: everyone can work on every kind of assessment. Of course, this does not mean that people are assigned to projects at random: a team member without much practical experience on a given topic is always paired with someone who can work autonomously on that topic. This also means that on some occasions, a project is carried out by a pair consisting of one pentester and one member of another team, e.g. a reverser. This is something we encourage whenever relevant, as it allows both people in the pair to diversify their skills.
Within the pentest team, we have no subteams specializing in specific kinds of targets or assessments, with the notable exception of red team engagements. More specifically, to make handling and conducting the latter more effective, a few members of the pentest team take care of the ongoing red teams at a given time. This makes it possible for them to spread their work on a given scope over an extended time period while monitoring different targets at all times, which allows for more realistic engagements. For example, if they are spotted by a blue team at some point, this leaves them some time to be forgotten and to attempt something else later on. In the meantime, they can focus on a different target, or work on more internal topics, for instance by enhancing the existing tooling or methodology. In practice, this red team subteam consists of a few permanent members from the pentest team, as well as several rolling members who spend a few months within it before leaving their seat to someone else.
Apart from working on security assessments, team members also sometimes spend time looking into other security-relevant topics, either by researching a topic of their choice or by skilling up, whether by attending an existing training or by studying its content autonomously.
R&D
In any case, once a team member has decided on a topic to tackle, they can ask for some time to actually do so. They are generally granted a few days, and more afterward if need be. A team member can work alone on their chosen topic; it can also be an occasion to team up with people from either the pentest team or a different team.
- around 20 blogposts
- around 25 security advisories
- about 15 talks in conferences
Internships
More specifically, our interns work on a predefined topic for their whole internship. These topics are published yearly in early fall and are intended to be of actual use to the team. As such, many of them result from someone in the team realizing that additional tooling to do something, or an enhancement of an existing tool, would be beneficial and help make the team more efficient. For instance, over the last few years, internship offers covered improvements to our post-exploitation tooling for Windows systems, to our configuration analysis solution, and to our Wi-Fi attack automation platform.
Other internships may consist of studying software components commonly encountered during intrusion tests, e.g. Active Directory or web frameworks. For that kind of subject, the aim is generally to analyze mechanisms that could be of use during security assessments and for which little or no documentation is publicly available, and to create (or enrich) a structured knowledge base and methodology that the team can use afterward. Publishing one or several related articles on Synacktiv's website is also strongly encouraged in that case.
This is actually quite similar to the origin of certain R&D topics; the main difference is that the latter are intended to be handled in a few days or weeks, whereas an internship subject should keep the intern busy for 5 to 6 months.
Because Synacktiv's aim is to hire interns as security experts when their internship is over, we also want them to be able to grasp as accurately as possible what a security assessment practically consists of. This is why, throughout their internship, they are given the opportunity to take part in a few intrusion tests alongside seasoned team members who can provide them with relevant advice, both technically and methodology-wise. Whenever possible, we have them contribute to assessments where what they are otherwise working on can be put to use: for instance, a security assessment comprising Wi-Fi tests if they are tasked with improving our platform for Wi-Fi attack automation, or a whitebox intrusion test on a website relying on a common web framework if their subject involves producing documentation about that framework's internals.
Just like the rest of the team, interns participate in the weekly meeting, during which they can describe the progress they have made on their assigned topic and the issues they encounter or foresee in the near future. They are also welcome to share their thoughts about the topics brought up by others, and more generally to contribute to the meeting just like everyone else.
Trainings
More specifically, Synacktiv offers trainings intended for an external audience, on topics such as Active Directory or cloud environment pentesting. When a team member is interested in learning more about the topic covered by a training, they can ask to attend a session otherwise intended for people external to the company. We also schedule internal sessions of some of our trainings at least once a year to ensure everyone eventually gets to attend them.
Additionally, when someone needs to learn more about a subject that is not tackled in one of Synacktiv's trainings, they can ask to attend an external training matching that subject.
Working remotely
Apart from these full remote cases, everyone can also work from home from time to time or on a more regular basis. We have no thresholds such as a minimum or maximum number of in-office days per week, and prefer to let everyone decide for themselves what works best for them.
Whom are we looking for?
At the moment, the whole team is francophone. French is the language we use for most of our resources (e.g. processes, methodologies and documentation) as well as for our day-to-day internal communication; therefore, you will need to be fluent in French in order to join. Because communication with our clients also occurs in English on a regular basis, you will also have to be fluent in English.
Something noteworthy is that there are open positions for permanent contracts year-round; there is no such thing as a job-opening season for such positions. This means that if you want to apply, you do not have to wait for a job opening: you can simply send an email with your CV to apply+pentest@synacktiv.com whenever suits you best. Our hiring process is described here (in French).
We are also open to applications for apprenticeships, with some restrictions regarding the duration of the periods spent in the company. More specifically, given the nature of our work, we consider that apprentices should spend at least a few weeks at a time working with us between two periods at school.