Dailydave mailing list archives
Consulting companies are not recruiting companies
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 25 Feb 2004 22:35:20 -0500
    def getcwd(self):
        """
        documentation goes here
        """
        # Compile the embedded MOSDEF C snippet into native code for the remote node
        request = self.compile("""
        #import "local","sendint" as "sendint"
        //start of code
        void main()
        {
          int i;
          i=1;
          sendint(i);
        }
        """)
        # Send the compiled code to the node and read back the integer it returns
        self.sendrequest(request)
        fd = self.readint()
        return fd

That's just a mock-up of the real thing, but it compiles and works. MOSDEF is about a year behind schedule, but as various parts of it come together, it becomes more and more useful. If you're new to this list, you probably won't understand why having a C compiler written in Python is so cool, but just go with us here for a sec.

***

Lately I've been thinking a lot about how consulting companies work, and why people hire them.

1. It's hard to find people for certain jobs. Sometimes the job is boring, but still requires a highly experienced and skilled worker. Sometimes the job is in a boring location, and no one with skills wants to move there full time.

2. It's good to have workforce flexibility. It's easy to fire consultants.

3. Sometimes you only need people for a short period of time (project-based consulting).

4. Sometimes what you need is something that is only offered by a consulting firm (certification, a wide view of your industry, etc.)

I think something we're seeing in the industry is that large companies - basically all large companies - have realized they are in the software business, and that software security is not something they have to outsource. They need the workers there full-time, and they have no plans to fire them. Alternatively, one of the price pressures on "penetration-testing" is largely that people have teams in-house now, running Nessus/Foundstone/Qualys full time. However, people with actual skill at doing software security (and I don't think you can train someone to have security skills - no developer ever got good at software security. It's just never happened. You either have it or you don't.) are very hard to find.
This leaves management with two options:

1. Hire below-skilled people and hope they clue up

2. Hire consultants

So there is a high pressure on consulting firms to become expensive recruitment firms. On the other end, consulting firms are finding it very hard to meet their margins:

1. Consulting doing software security QA is a bursty kind of income. You appear only at the end of a project and it's hard to drag that out into an upsell.

2. Consulting with a "product" to back you up (say, specialized CANVAS training) eventually becomes something that people want to resell and do for themselves. I would say that right now, no one has a good "how to write exploits" class other than Immunity, just because only Immunity can give away copies of CANVAS for people to learn to write exploits with. But eventually, this is going to change. Likewise, when you build a code-assessment product, people want to just buy that from you and use it themselves.

It's basically impossible for a security consulting company to differentiate themselves based on product or "processes". So consulting companies eye the long-term, easy-to-sell, body-filler jobs with envy. They want to inject themselves into a big company's environment as a one-stop shop for software security, even at the cost of having their best people be hired away from them.

***

My solution, for Immunity, is that I want Immunity to bring something other than a warm body who can do the job. I want Immunity consultants to have that wider view of the industry - to never need training because Immunity trains them internally, and to have experience that may not exactly be relevant today, but will become relevant as our clients change their business. This means having people billing only three weeks instead of four, but I think it makes more money in the long run.

What do you guys think?
-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Consulting companies are not recruiting companies Dave Aitel (Feb 25)
- Re: Consulting companies are not recruiting companies Rodney Thayer (Feb 25)
- Re: Consulting companies are not recruiting companies Dave Aitel (Feb 25)
- Re: Consulting companies are not recruiting companies Rodney Thayer (Feb 26)
- Re[2]: Consulting companies are not recruiting companies Halvar Flake (Feb 26)
- Re: Consulting companies are not recruiting companies Dave Aitel (Feb 25)
- Re: Consulting companies are not recruiting companies Matt Hargett (Feb 25)
- RE: Consulting companies are not recruiting companies Mike Bailey (Feb 25)
- Re: Consulting companies are not recruiting companies Daniele Muscetta (Feb 26)
- Re: Consulting companies are not recruiting companies ken_i_m (Feb 26)
- Re: Consulting companies are not recruiting companies Daniele Muscetta (Feb 26)
- Re: Consulting companies are not recruiting companies Matt Hargett (Feb 26)
- Re: Consulting companies are not recruiting companies ken_i_m (Feb 26)
- Re: Consulting companies are not recruiting companies Rodney Thayer (Feb 25)