Penetration Testing mailing list archives
Re: Contract Rates??
From: Paul Melson <pmelson () gmail com>
Date: Mon, 5 Oct 2009 07:35:24 -0400
On Fri, Oct 2, 2009 at 3:07 PM, Richard Lee <richard () snowshoefox com> wrote:
> 1. Economic state of US
> 2. China outpaces all other countries in network attacks that target both client-side and perimeter. That means they have much more real world experience across the board. (Brief article: http://features.csmonitor.com/innovation/2009/10/01/state-of-the-internet-most-attacks-from-china-s-korea-is-fastest/)
To Richard, Despite the rough US (and global) economy, PCI has injected a pen-testing requirement into industry to the point that it's becoming part of the contracting and business validation landscape even where it's not actually mandated. We've seen a 20-50% increase in the cost of pen-testing services across the board since 2005 with no dip in 2009. So I think this is unrelated. Additionally, the Akamai report doesn't mean China the people or China the government, it means China the IP address ranges. There is a huge problem with attribution in this space. I don't think anyone can say with certainty that China is the brains behind most of the network attacks and malware that we see on the Internet today. In fact, as far as the malware goes, the forensics continue to point to much of the malware infrastructure (exploits, dropper packs, bots/C&C) being written by English-speaking people.
> 3. Larger number of foreign, well educated and skilled computer scientists are entering an already crowded software market.
I think this probably is true, but I don't think, even now, that security is the crowded end of the pool.
> 4. The few US trained network security specialists lost the monopoly on network penetration years ago and the economic slowdown makes it obvious.
There are multiple points of regulation in the US that restrict the use of foreign-based service providers and consultants, especially in the area of security. If anything, the recent increase in cybersecurity spending in the defense sector has created very high demand for US-based consultants that can pass background checks and achieve clearance.
> 5. Chinese experience in network penetration has put their penetration systems through more iterations. My guess is that the level of their penetration software and skill sets are advanced enough to cut costs immensely.
Microsoft's own research indicates that China and the former Soviet Union have some of the highest malware infection rates (victim, not attacker) in the world. That seems to indicate that their IT security practices and capabilities are relatively immature, though it doesn't address pen-testing capabilities directly.
> A year ago, both pen tester and architect contract rates were in the $75 to $150 per hour range, and some pen tester rates were even higher. Can anyone explain what is going on here? The one observation I will add is that most of the low rates seem to be coming from either off-shore companies, or the on-shore face of an off-shore company. Are they simply bidding on and winning a bunch of contracts by low-balling the rate, and then struggling to find people to staff the jobs?
To Jon, I suspect this is exactly the case. Which is probably why you're seeing the large volume of contacts made, because they're not finding many takers.
> Finally, I will add that there are still organizations looking for contractors at reasonable rates, but they seem to have become a small minority.
That's contrary to what I'm hearing. Though right now, federal government is the hot sector for security. There's something of a bubble in the private sector from the PCI compliance deadline a year ago, but it doesn't seem to be a very big one. Combined with the economic downturn in the US, there's not a lot of new hiring in this space. I've talked to a number of colleagues that have had to choose this year between the security consulting they want to do and the services PCI has forced them to outsource because of budget constraints. Once their money comes back online, I think we'll see more growth in private sector security consulting. Based on my own experience, though, senior security engineers aren't falling from the sky. You still have to recruit them. There's just not enough unemployment among US-based security pros to make $40/hr a sustainable contract rate, except maybe for a little extra side work.

PaulM