Nothing will work unless you do

Nothing will work unless you do - Coach John Wooden

In the previous article we talked about how processes, methods, and actions during an engagement are bets with time. Despite the relentless nature of time itself, it can be a dear friend or a bitter enemy. It is the great equalizer. Learning to master your use of time is, in my not so humble opinion, the greatest tool a professional can develop. By knowing what to do, when to do it, and what not to do, we can build some serious advantages.

Let’s start with the obvious: how much time you have to perform affects everything. In the 10-minute art challenge videos you can see the impact time has on an artist’s ability. The differences going from minutes to seconds are profound. For the professional, how long an engagement is set for represents a deadline of action. In a weeklong engagement, each day you work represents 20% of the overall project. Why is it that we ignore how those realities impact us as testers? Squandering a day on things which don’t provide value is a big deal! But time can also work to our advantage. In bug bounty, a 3k payout for a day’s worth of effort is more valuable than the 3k finding that took you a month. The bug bounty pays out the same regardless. Equally, clients are typically not forgiving of lateness regardless of the reason. In the past 10 years of testing, I can assure you that a project manager’s willingness to shift a due date, even if it is entirely on their end, is very low.

Time is relentless and so are some clients. So how do we improve our use of our time?

The first part is practice (it is also the 3rd and 4th part). In this sense, I learned more from Criss “Mindfreak” Angel about time management than I ever did in my MBA program. I was watching his show (quite randomly) and there was an episode where he was going to be locked up, put in a box, and placed next to explosives that would go off at the same time a car ran over the box. Time management mattered. In a lapse of magician’s etiquette, Criss quipped that the real secret to this trick was that the second you couldn’t see his hands or him, he was already breaking out of his chains, and when he was put into the box as it was carried out he had likely already picked the lock inside, etc. The struggle you saw was not the real struggle at all. The magic happened in the weeks/months/years of prior training that allowed him to do all this.

Practice is about turning “learning” into capacity. It’s about getting your reps in on your own tooling to make sure you don’t waste time on an engagement. If Criss Angel were trying to remember how to pick the lock while performing that trick—it could be deadly. At that moment it was all about performance. Struggling to find that one tool you used that one time, being off by one decimal point, or trying to remember how to exit vim*— all of that eats at your time (and your client’s). This is where investing the time in intentionally practicing core skills beforehand will pay dividends. While I promise to get more into practice later, for now—let’s just leave it at this: you have to do the work, frequently and with purpose.

The second part is all in preparation for the task. If we go back to the timed art challenge video, there are clearly ways you can stack the deck to work to your advantage. Pay close attention to the video. In the 10-minute video, the artist spends nearly 20% of it sketching the outline and only then does he get into details on the eyes. In the 1-minute video, he drops building an outline and goes straight into trying to draw a head, and in the 10-second video… crap. The resulting art is very different. But does it need to be? Let’s say you are a professional Spider-Man drawing expert. Couldn’t you have some pre-traced body placements already set up for your most common poses? He is always swinging on something or on a wall! He is doing whatever a spider can! It is a common practice among tattoo artists to have a library of “go to” work they can reproduce. This saves them time and is still quality work. If you are prepared, you can still deliver something reasonably professional.

Pentesting is no different in this regard. If you are doing a web app test, there are lots of things you can have set up and ready to go before you ever even start. A doctor isn’t ‘just remembering’ she needs a scalpel during surgery; her work area is already set up for it. Don’t have a way to get XSS callbacks? You can fix that before you start. Don’t have a way set up for password cracking? You can set that up before you start. Don’t have a way to launch testing sites locally to check if attacks are working? You can build most of that out before you start. How about a cheat-sheet of already built-out payloads you just need to adjust for the specific client? You can do that before you start too.

This is a huge aspect to the craftsmanship and mastery I am chasing— nor do I think I am alone in this. Coach Wooden (arguably the best basketball coach in history) often recounted that if you wanted to win in the game, you needed to do the work before. Unsurprisingly he was a stickler for detail, proper practice, and preparation. He’d teach his new players how to put on socks and tie their shoes (he didn’t want their feet to blister due to poor shoeing)! No one was above this, no one was below it. Not you, not me, no one.

Stack the deck by taking the time up front to prepare yourself and your studio. Or don’t, time doesn’t care either way.

* this is mostly a joke, no one can escape the awesomeness of vim