From: IRM (irm@iinet.net.au)
Date: Wed Aug 29 2007 - 05:12:54 EDT
Hi all,
I had a thought and want to share with you all especially looking for
feedback and suggestion. What do you guys think about penetration tester
market?
Most of you would be agreed that penetration testing market has became
commodity. Moreover as a penetration tester, I agree that automated
penetration testing tools like Core IMPACT, etc can never replace us as we
still need to verify all the findings and identify false positive. Nothing
wrong with those automated tools, I think really it's a great tool!
A decent penetration tester would typically have a broad range of IT skills
from Operating System, Network to Programming. I also need to mention that
these broad range of skills are not something that you could gain by working
for 2-3 years, I believe that a good penetration tester could gain these
broad ranges of skill in at least 5 years? Maybe more or less depending the
person I guess. So I would expect for a company to hire these kind of
penetration testers they need to spend a little bit of cash for their wages.
To sum up, I think a penetration tester or ethical hacker has highly
technical skills.
At the end of the day, Business is business. Who cares if you possess highly
technical skills? The business and its people especially the C-executive
level are only interested
Whether your highly technical skill can bring more revenue or money to them?
Right?
It is interesting that the top major reason why business now days
considering pen testing on its agenda is because of compliance and as part
of risk management agenda rather than security wise they need it or fear of
someone can break in. So I strongly believe COMPLIANCE is still the main
reason for any vulnerability testing activities in the company.
Now the question, I really want to know what is your thought on where the
penetration testing market is going? Will the penetration tester job
description will change over time because of the evolution of automated
tools?
Do you think it's worth the effort to train and keep people in the company
for doing pen testing? What I mean by this is say
- an average skill penetration testing costs say 60k/year + 20k of automated
tools = 80k/year -> can deliver quality say 70%
VS
- someone with highly skilled that cost to the organization 150k whilst can
deliver quality say 90%
If at the end COMPLIANCE is still the main driving for penetration testing.
Should we say Quality is the 2nd priority?
The reason why I asked this question is because I notice that Virus Analyst
position only available if you are working in the Anti-virus Vendor such as
Mcafee, Symantec, etc While Big organization usually employ Anti-virus
administrators as opposed to Virus Analyst? I strongly believe the reason
for this is because Anti-virus market has matured and people are more and
more relying on Anti-virus Software. Has anti-virus software solved the
problem? No of course, since there still many new viruses coming out every
second. I am not sure this is the correct analogy or not but I hope you get
the point.
Please advise and suggestions are all welcome.
Cheers,
Paul
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:04 EDT