Dailydave mailing list archives

Re: Career Progression


From: Andrew Simmons <andrews () mis-cds com>
Date: Thu, 25 Mar 2004 19:40:12 +0000


rick_list () darwinsweb net wrote:

Once we got funding at work I started taking any class that they'd pay
for.  A few Hacking Exposed classes by Foundstone, a CSI Application
Assessment blah blah blah class (which really sucked) and a secure
application class put on by @stake.  Now, at work, we've had overall
funding cut (all pen test/app assessments to be outsourced) and our
training budget is $0.  So I won't be getting anymore training classes
this year.


Training? I've heard of that... (c) The Reg. I even remember working somewhere that paid for me to go on soul crushing Oracle App training courses, waaay back in the mid 90s. They seemed to think they were doing me a favour - which is when I decided I had to get the hell out of Logica :)

Having said that I now work for a security firm and, well, let's just say I haven't had any training.


this IDS crap that I got involved in by accident.  Plus the fact that
we're paying 20G for two guys for 1 week, per application, to do what I
used to do for my crappy annual salary.  I could use 10k a week and work
7 or 8 weeks out of the year.  I'm OK with that.  ;)



Hell, me too! But I'd make a lousy sales droid (what with looking like Shaggy on a bad day & not liking the idea of pretending to be friends with people for money) and without someone to bring me bits of paper with networks to attack, I'd be back on the street pretty fast.

Granted I'm at the lower end of the professional pentesting pay scale for the UK, but I wouldn't see $10K in a month let alone week. Which is not to say that I don't envy those of you in small boutique setups or who have profit-sharing or whatnot... but I got into this so I wouldn't feel like going postal every morning, not for the money.


Oh yeah, back to my question:  Any suggestions, comments, quips on what I
should be focusing on now and how to get where I want to be?  I just


Sounds like you're in a similar place to me - I know what I need to know next - C and systems programming (got Perl, got tons of experience with OSes, apps, servers, networks, firewalls et al.) The next step I aspire to is being able to do some original research & publish something useful - i.e., not XSS or '../' in some sourceforge webserver.

I think a CS background is what you and I both miss, and my impression is that most if not all the well-known exploit developer/researcher types DO have a formal CS background.


\a

--
Andrew Simmons
Penetration Tester | Security Consultant
MIS Corporate Defence Solutions, Ltd.
Hermitage Court, Hermitage Lane, Maidstone, Kent ME16 9NT
Tel: 01622 723432 / Mobile: 07739 834833
