Your Boss Wants You to Write Pentest Blog Posts... Now What?
Oh dear, what have I gotten myself into?
I recently started at White Oak Security and I’m getting a different set of pentesting experiences under my belt. Life has been great, many things have been hacked, I thanked the Academy, but one of the challenges that has been rather unexpected is being asked to write a pentest blog.
I have no idea what I’m doing.
I am one of the strange aliens on this planet that loves to create processes and write documentation. However, blog posts are uncharted territory for this fairly introverted person. I’d like to share my home-built process on how to create a blog post, along with the difficulties I encountered along the way. Feel free to use it for your own purposes or for ridicule of my future blog posts.
Pick A Topic:
This may be the most difficult part of this entire process. What do you want to write about? One of the great things about working in pentesting is either the topic has been covered in a super concise manner (so there is no need to write a blog post), or you are chartering an unknown course and have some information to share back to the security community.
Here are some topic ideas to get you started:
Did you recently exploit something in a pentest that you find interesting?
Did you find a cool tool that helped you achieve a goal but it did not have great documentation on how to use it?
Did you build a tool and want to give back to the security community?
Did you have a personal triumph or process improvement (security, technology, or productivity) that would be worth sharing?
Just Start Writing:
Do Your Research:
Once you have your topic selected, spend some time researching your topic on the Internet and any written references. Here’s a handful of ideas to help you along:
Are there any web articles or cool stuff you can link to?
Are there existing tools or newly built tools you used to create your topic?
If you are working on something newly created or undocumented, take lots of pictures/screenshots/notes to show your work
As great as it would be to publish anything, there are a few things that you need to worry about.
Has your topic been written about before? No plagiarism! Hackers like their recognition. If you want to include something in your research, check with the author or the license of the work.
Does your workplace have any particular requirements for writing a blog? Self-publishing may look different in comparison to writing on the behalf of a company. Do they want you to ‘sell the brand’ in addition to writing cool?
If this exploitation was found as part of a client assessment, are you allowed to share what you did? If not, is it possible to anonymize it to be more generic?
Does the company behind the application finding or exploitation have a responsible disclosure policy? Part of our goal is to ensure the world’s cyber security problems are resolved, but it does no good to out a company before they have a chance to fix it.
What publishing platform will your blog post be written on?
Can your blog post lead to litigation against you or your company?
For example, my searches led to the following articles…
… oh dear.
Writing Your Post:
This part of your writing is completely up for your writing style. Feel free to fit what works best for your blog post, but here is the simple, unscientific writing style that gets me going.
Beginning – Start with a short paragraph on what your post is about, the inspiration behind the post, and maybe some funny things if you are into that.
Body – Here’s where the content goes. Make it clear, concise, and remember who your target audience is. Don’t worry about formatting at first. Just get your ideas in there, and you can edit them later.
Ending – This would be the end of your post. Make sure you summarize what you have written about, any lessons learned, and maybe some recommendations on how to improve or provide call to action for your audience.
If you’re sharing code, make use of writing in a code block or a different font like Courier New to separate out your text. If someone is going to copy a code snippet, make it easy for them…
When you’ve finished writing your first draft, tidy it up (use your writing skills from school), format your text, and give it a good spell and grammar check.
It’s important to complete a peer review process. Sometimes you may have a great idea, but staring at your writeup won’t reveal the mistakes you have made. Try to find two different people to help you out.
The first person should review from a technical ideas perspective to see if the basic plot of your post is great and your technical information was correct. Can they recreate the steps of a technical post, such as downloading the files, running the software, and executing the content?
The second person should be your editor. How was the writing? Are there any spelling and grammar errors? Are you a writing a blog that is not in your native language and do you need help in translating some sentences?
Now that you have completed the writing and peer review processes, you’ll need somewhere to publish it. Look for the following things:
What website are you going to publish on? Most blog applications support text, screenshots, and potentially video, but does that platform support it all? Would it be able to support code blocks or different formatting for your code?
Do you need to host any files for download? Is there anywhere else reputable that you can host a file, such as GitHub?
When you preview your post, make sure your text is formatted correctly. Copy/pasting from a word processor/favorite text editor may not get you the results you need.
Hit publish and make sure everything works as it should! You will probably notice one more typos, so give it a once over and quick edit any changes.
Keep at it! Do not worry about your first pentest blog post being a great success as far as how many people view it and what impact it makes. Repeated efforts and continual improvement will get you the writing practice and public attention you need to be successful.
This is meant to be a humorous take of how to start technical writing for a public audience from my point of view. I’m not that terrified of blogging, and neither should you be. If you find something that is helpful or willing to add to these articles, please let me know! I’m sure this blog post will evolve over time.