Dailydave mailing list archives
Re: Consulting companies are not recruiting companies
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 25 Feb 2004 22:59:31 -0500
Rodney Thayer wrote:
| At 10:35 PM 2/25/2004 -0500, Dave Aitel wrote:
|
|> no developer ever got good at software security. It's just never
|> happened.
|
| If you feel like "insulting" me (I mean that in a gentle
| hypothetical manner, sir) you should consider the implications of
| your statement. I suspect some of your customers are developers,
| or former developers.
|

Of course - that's why they hired a consultant! :>

I still think the people you have developing your code are not the same kind of people you want reviewing it. I've seen maybe one developer make the switch in mindset that it takes to get good at finding bugs.

|> I would say that right now, no one has a good "how to write
|> exploits" class other than Immunity just because only Immunity
|> can give away copies of CANVAS for people to learn to write
|> exploits with.
|
| Regardless of the quality of your exploits, your training, or your
| tools, this doesn't scale. It's not like all exploits come from
| students of yours or else are beamed in by aliens. There have to
| be other training sources that work. For example, I suspect there
| are good exploit writer training facilities in the northeast
| suburbs of Beirut.

As far as most beginners feel, they are, in fact, beamed in by aliens. We're not talking an advanced exploit development class taught by Horizon, Noir, and LSD (etc etc) here. We're just talking something that gets someone with very little programming experience into writing basic Windows stack overflows. It's that first one that's the hardest. To do this, you need a pure-python framework that lets students concentrate on one aspect of the job at a time. What doesn't scale are the instructors...

|> So consulting companies eye the long-term, easy to sell,
|> body-filler jobs with envy. They want to inject themselves into a
|> big company's environment as a one-stop-shop for software
|> security, even at the cost of having their best people be hired
|> away from them.
|
| You need to define your terms. If you mean the quasi-hacker
| whore-houses, perhaps, yes, but there are other "consulting
| companies" and "consultants" who don't work that way.
|

Right - I'm talking the information security space. I think that people once wanted to outsource all of IT security, and the trend is now the other way.

|> My solution, for Immunity, is that I want Immunity to bring
|> something other than a warm body who can do the job. I want
|> Immunity consultants to have that wider view of the industry - to
|> never need training because Immunity trains them internally, and
|> to have experience that may not exactly be relevant today, but
|> will become relevant as our clients change their business. This
|> means having people billing only three weeks instead of four, but
|> I think it makes more money in the long run.
|>
|> What do you guys think?
|
| (pissing away a week this month at RSA, on his own nickel, because
| it's useful in developing a wider view of the industry.)

Why isn't your (and everyone else's) company paying for this? I find the reluctance of companies to pay for conferences weird. It's not like they really cost that much. They'll happily buy software that's 50K per seat, but then not spend 5K to train their person on why they bought it in the first place. I keep seeing people going to BlackHat on their own dollar - it's odd.

-dave