Dailydave mailing list archives
Re: Consulting companies are not recruiting companies
From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 25 Feb 2004 19:47:26 -0800
At 10:35 PM 2/25/2004 -0500, Dave Aitel wrote:
> no developer ever got good at software security. It's just never happened.
If you feel like "insulting" me (I mean that in a gentle hypothetical manner, sir) you should consider the implications of your statement. I suspect some of your customers are developers, or former developers.
> I would say that right now, no one has a good "how to write exploits" class other than Immunity just because only Immunity can give away copies of CANVAS for people to learn to write exploits with.
Regardless of the quality of your exploits, your training, or your tools, this doesn't scale. It's not like all exploits come from students of yours or else are beamed in by aliens. There have to be other training sources that work. For example, I suspect there are good exploit writer training facilities in the northeast suburbs of Beirut.
> So consulting companies eye the long-term, easy to sell, body-filler jobs with envy. They want to inject themselves into a big company's environment as a one-stop-shop for software security, even at the cost of having their best people be hired away from them.
You need to define your terms. If you mean the quasi-hacker whore-houses, perhaps, yes, but there are other "consulting companies" and "consultants" who don't work that way.
> My solution, for Immunity, is that I want Immunity to bring something other than a warm body who can do the job. I want Immunity consultants to have that wider view of the industry - to never need training because Immunity trains them internally, and to have experience that may not exactly be relevant today, but will become relevant as our clients change their business. This means having people billing only three weeks instead of four, but I think it makes more money in the long run. What do you guys think?
I think your strategy is sound and is in fact equivalent to strategies other folks use.
...rodney (pissing away a week this month at RSA, on his own nickel, because it's useful in developing a wider view of the industry.)