Re: Starting a Pen-Testing Career
2) What is an average day of work like for you?

As someone on the end of reading security audit reports, can you:

1 - write high-level management reports, with scare stories to generate more
work?

2 - can you write down all the issues their own tech team tell you are
issues, and present this as your own work?

3 - can you state the bleeding obvious in an important-looking document -
'you need to patch your systems, have firewalls & IDS, do more monitoring,
QA your software, run up-to-date AV, limit admin accts, enforce password
policy, limit physical access, review security logs....'. (Since every firm
is always just one step behind in some area, you will always find an 'in'.)
If they are fully up-to-date and compliant, can you scare them with 0-day
exploits and more consultancy costs?

4 - can you steer someone else's cleverly written vulnerability scanner, and
produce reams of PDF reports which justify your pointless exercise and
substantial contract fee?

If so, go work for a big audit firm and keep reselling the above and keep
creaming the profits, whilst knowing in your heart you've never written a
line of exploit code or had an original idea on security yourself.

erewhon
alt.hacker