Penetration Testing is a Bad Word

As a female penetration tester, I have had a fair deal of jokes thrown at me.

People outside the IT industry get shocked and confused.

People inside the industry try to quench their nervous laughs.

It’s gone to the point where I have formulated a number of scripted comebacks to common reactions. Most people are polite enough not to verbally say what they think, and get very relieved when I myself crack a stupid joke about the word.


Awkward situations

So far, most reactions have been benign and the worst-case situations I have braced myself for have been avoided. Unfortunately, I think the biggest reason they have been avoided is that I change my behavior beforehand. Talking one on one, or within a team with predictable group dynamics, is one thing. In these situations it’s much easier to feel comfortable.

I would think twice, or a dozen times, before standing on a stage talking about security testing with this word included. The fear of some loud person without fingerspitzgefühl who will shout out loud or grab the microphone during Q&A… I think it’s important for you, the reader, to know that stories of people behaving like that have a deterring effect on public speakers of all genders.

Ironically, this blog post is actually a part of a pre-study for a conference talk I will do this fall: Why Penetration Testing Sucks, and What You Want Instead. Yes, pun intended – see above.

It’s non-descriptive

The “penetration” part of penetration tester actually refers to vulnerability exploitation. Is that a more comprehensive word? Maybe not. It still wouldn’t help my elevator pitch with the business people of a company, but at least it would describe to other IT professionals what is included.


To sum up, the word penetration tester thus has quite a few problems:

  • It doesn’t communicate to the casual listener what it actually means
  • It doesn’t convey the right information even to an IT professional
  • It worsens an already huge problem with female representation
  • From what I hear, male hackers also avoid the word if they can

What to call it instead?

I’m trying to find a better word than this. I see the world of penetration testing being full of other, better concepts. Companies work with concepts like Hack Yourself First, Offensive Security, White Hat Hacking. These are some ways that I talk about it instead:

I am an exploratory tester with a special interest in security bugs.

I’m a security tester with emphasis on cost efficiency.

I’m a hacker.


This blog post is a part of a series of observations about traditional penetration testing. I try to be constructive, so if you feel attacked by me, please keep up a constructive conversation with me.