Dailydave mailing list archives

Re: Consulting companies are not recruiting companies


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 25 Feb 2004 22:59:31 -0500


Rodney Thayer wrote:

| At 10:35 PM 2/25/2004 -0500, Dave Aitel wrote:
|
|> no developer ever got good at software security. It's just never
|> happened.
|
|
| If you feel like "insulting" me (I mean that in a gentle
| hypothetical manner, sir) you should consider the implications of
| your statement.  I suspect some of your customers are developers,
| or former developers.
|
Of course - that's why they hired a consultant! :> I still think the
people you have developing your code are not the same kind of people
you want reviewing it. I've seen maybe one developer make the switch
in mindset that it takes to get good at finding bugs.

|> I would say that right now, no one has a good "how to write
|> exploits" class other than Immunity just because only Immunity
|> can give away copies of CANVAS for people to learn to write
|> exploits with.
|
|
| Regardless of the quality of your exploits, your training, or your
| tools, this doesn't scale.  It's not like all exploits come from
| students of yours or else are beamed in by aliens.  There have to
| be other training sources that work.  For example, I suspect there
| are good exploit writer training facilities in the northeast
| suburbs of Beirut.

As far as most beginners feel, they are in fact beamed in by aliens.
We're not talking an advanced exploit development class taught by
Horizon, Noir, and LSD (etc etc) here. We're just talking something
that gets someone with very little programming experience into writing
basic Windows stack overflows. It's that first one that's the hardest.
To do this, you need a pure-python framework that lets students
concentrate on one aspect of the job at a time. What doesn't scale are
the instructors...


|
|> So consulting companies eye the long-term, easy to sell,
|> body-filler jobs with envy. They want to inject themselves into a
|> big company's environment as a one-stop-shop for software
|> security, even at the cost of having their best people be hired
|> away from them.
|
|
| You need to define your terms.  If you mean the quasi-hacker
| whore-houses, perhaps, yes, but there are other "consulting
| companies" and "consultants" who don't work that way.
|
Right - I'm talking the information security space. I think that
people once wanted to outsource all of IT security, and the trend is
now the other way.

|> My solution, for Immunity, is that I want Immunity to bring
|> something other than a warm body who can do the job. I want
|> Immunity consultants to have that wider view of the industry - to
|> never need training because Immunity trains them internally, and
|> to have experience that may not exactly be relevant today, but
|> will become relevant as our clients change their business. This
|> means having people billing only three weeks instead of four, but
|> I think it makes more money in the long run.
|>
|> What do you guys think?
|
|
|
| (pissing away a week this month at RSA, on his own nickel, because
| it's useful in developing a wider view of the industry.)


Why isn't your (and everyone else's) company paying for this? I find
the reluctance of companies to pay for conferences weird. It's not
like they really cost that much. They'll happily buy software that's
50K per seat, but then not spend 5K to train their person on why they
bought it in the first place. I keep seeing people going to BlackHat
on their own dollar - it's odd.

- -dave

