Penetration Testing mailing list archives
RE: Penetration Testing Side work?
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 17 Aug 2007 10:21:36 -0400
> So it doesn't stipulate in my contract that I can't do other penetration testing jobs on the side for extra cash. In fact I have been contacted once in the past for penetration testing weekend night work. I turned them down because it required some travel towards the end of the contract and the pay wasn't there.

If the company you work for sells pen-test services (even if you don't perform them), you should seek written permission from at least your manager before going any further. Many companies - especially consultants & service providers - view side work as theft, especially if it's work they could have charged for. Contract or no, you risk being fired from your day job if this is the case. And in this day and age, it's unusual (and sloppy) for a consulting company to not include a non-compete of some kind, and depending on your locality, these can hold up quite well in court, leaving you unemployed AND in serious debt to your now-former employer. If the company you work for does not provide services like these, you may still want to obtain permission, especially if you are using tools that your employer purchased for you to use on their behalf in order to perform your side work. Bottom line, any moonlighting you do should be with your employer's blessing.
> So has anyone else done this on the side of a normal job: done penetration testing for short contracts, "please penetrate xyz systems or web application", whatever? How did you find the work?
There are certain verticals where full time security staff and/or expensive consultants just don't make good business sense, but security is still crucial. There are lots of opportunities there, you just have to make the contacts and build a reputation.
> What did you do about the contract and the legal situation it presents?
It depends on the situation. If you are working directly for the client, then it is a good idea to put together a statement of work with scope, pricing, and delivery time frame as well as a non-disclosure agreement. I'm happy to say that I've never had to provide any of these to a judge in order to defend my actions or get payment. So far so good. If you're subcontracting, then the company billing the customer should handle all of this, but you may want to double-check, especially the NDA.
> Was it worth your time?
Sure, but more important than was it worth my time is can you figure out before you start whether or not it will be worth your time? Figure out what your time is worth to you (but be realistic - you're probably not worth $500/hr to anybody) and then use that to scope and price your projects. You have the luxury of a full-time job that pays the bills, and so you should be ready to turn away work that's not going to be rewarding both personally and financially.
> Main question is how can you get your hands on tests like this on a regular basis? I would love to start my own pen test company but I have no clue how to go about finding clients and getting enough clients to present a decent income.
That's a whole separate issue, right? Growing a business out of moonlighting work will probably take a while, and will be based heavily on your reputation and your ability to network and make contacts person-to-person.
> I mean I have seen a lot of contracts, and based on host count, whatever, for pricing. Also based on engineer's experience, you know, whatever, 250 an hour for this test, scheduled for 40 hours of work, or as low as 90 an hour for 120 hours of work. Whatever, but any ideas, suggestions, or work that allows me to work from home doing pen testing is appreciated from anyone else who has experience here.
Also, never discuss bill rates publicly. Once you discuss what you charge publicly, you can count on your customers wanting to pay you less than that all the time.

Good luck!

PaulM
Current thread:
- Penetration Testing Side work? tenbatsui (Aug 16)
- RE: Penetration Testing Side work? Paul Melson (Aug 17)