RE: Penetration Testing Side work?

From: Paul Melson (pmelson@gmail.com)
Date: Fri Aug 17 2007 - 10:21:36 EDT


> So it doesn't stipulate in my contract that I can't do other penetration
> testing jobs on the side for extra cash. In fact I have been contacted once
> in the past for penetration testing weekend night work. I turned them down
> because it required some travel towards the end of the contract and the pay
> wasn't there.

If the company you work for sells pen-test services (even if you don't
perform them), you should seek written permission from at least your manager
before going any further. Many companies - especially consultants & service
providers - view side work as theft, especially if it's work they could have
charged for. Contract or no, you risk being fired from your day job if this
is the case. And in this day and age, it's unusual (and sloppy) for a
consulting company to not include a non-compete of some kind, and depending
on your locality, these can hold up quite well in court leaving you
unemployed AND in serious debt to your now-former employer.

If the company you work for does not provide services like these, you may
still want to obtain permission, especially if you are using tools that your
employer purchased for you to use on their behalf in order to perform your
side work. Bottom line, any moonlighting you do should be with your
employer's blessing.

> So has anyone else done this on the side of a normal job, done penetration
> testing for short contracts? Please penetrate xyz systems or web
> application, whatever?
> How did you find the work?

There are certain verticals where full time security staff and/or expensive
consultants just don't make good business sense, but security is still
crucial. There are lots of opportunities there, you just have to make the
contacts and build a reputation.

> What did you do about the contract and the legal situation it presents?

It depends on the situation. If you are working directly for the client,
then it is a good idea to put together a statement of work with scope,
pricing, and delivery time frame as well as a non-disclosure agreement. I'm
happy to say that I've never had to provide any of these to a judge in order
to defend my actions or get payment. So far so good.

If you're subcontracting, then the company billing the customer should
handle all of this, but you may want to double-check, especially the NDA.

> Was it worth your time?

Sure, but more important than was it worth my time is can you figure out
before you start whether or not it will be worth your time? Figure out what
your time is worth to you (but be realistic - you're probably not worth
$500/hr to anybody) and then use that to scope and price your projects. You
have the luxury of a full-time job that pays the bills, and so you should be
ready to turn away work that's not going to be rewarding both personally and
financially.

> Main question is how can you get your hands on tests like this on a
> regular basis?
>
> I would love to start my own Pen test company but I have no clue how to go
> about finding clients and getting enough clients to present a decent income.

That's a whole separate issue, right? Growing a business out of
moonlighting work will probably take a while, and will be based heavily on
your reputation and your ability to network and make contacts
person-to-person.

> I mean I have seen a lot of contracts and based on host count whatever for
> pricing. Also based on Engineer's experience you know whatever 250 an hour
> for this test. Scheduled for 40 hours of work or as low as 90 an hour for
> 120 hours of work. Whatever but any ideas, suggestions, or work that allows
> me to work from home doing pen testing is appreciated from anyone else who
> has experience here.

Also, never discuss bill rates publicly. Once you discuss what you charge
publicly, you can count on your customers wanting to pay you less than that
all the time.

Good luck!

PaulM

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:02 EDT