Best Way to Start Your Own Security Consulting/ Penetration Testing Company

[morganlefay]

Thanks Galdron your comments are always a pleasure.

Yeah...hes a pretty funny guy....we do like to joke around a bit here

I am interested for those Taco flavoured kisses myself

Mr NetSecExpert...you are taking things way to personally.....and you cannot do that in business

A couple of years ago I was pitted against our new VP in a heated board meeting...how he wanted to bring in an external consulting team to take over the network operations...he was a misogynist......some how thought that there was no way that a women could run a business network

He didnt do his home work...he was arrogant and uniformed.......while these consultants spouted off all the documentation and great things they would do for our company....every thing they presented ...I provided documentation for the existing setup, procedures AUPs, existing security measures etc.

Everything he\they were proposing was already in place...and had been since I was called in to fix the network...4 years prior......because...get this...the company he brought in was replaced by me....they had set it up and badly at that.

All the big guys already knew that.....but the new VP just assumed that I was incompetent because of my gender.

He had no idea about what he was spouting off about.........he knew the buzz words.....

I didnt take it personally.....I stood my ground, provided the documentation......and won.

That VP is no longer here..............

My point is...do your homework, dont take things so personally........and by all means...if you think you can compete out there.......best of luck to you.


MLF

[Lv4]

Originally posted here by NetSecExpert
Obviously I must know what I'm talking about if I can use buzzwords in the right context. correct. Who's to say that you or anyone else have anymore knowledge than I have. I'm not saying I know everything, but I know I have a good grasp on the security industry.

marketing people can use buzzwords too, but the hell if I would hire one to protect my network. Just because you (not saying /you/ specifically) can read a trade rag and pick up the gist of what is being said doesn't make you a security engineer or pentester.

Honestly, 5 years of experience in this field isn't enough to make me want to hire you. I'm going to want to see some pedigree, and some honest to god security research done on your side.

I can hire a monkey to run automated security tests, what I pay top dollar for is someone that can prove they don't /need/ those automated tests to find and exploit a vulnerability. Also you had better be able to find 0-day and unknown exploits if you want people to pay that much money for you.

Now I have a question on your code review side of things. How, exactly, are you going to review my code for buffer overflows, sql injections, etc if you are not a programmer? You going to run an automated code checker? I can do that myself (and I do already). You better have some good coders on your team that are familiar with the stuff I code in... besides you code checker won't run against my RPG stuff to begin with so it is going to be all manual

I'm not trying to come down hard on you and I really don't think the other members are either, but you do need to realize that this isn't a small undertaking. You also need to learn to take criticism better and stop lashing out. I attack my vendors on a regular basis, especially if they don't live up to expectations. If you attack me back then you had better believe I'm going to spread the word that you aren't a good company and have bad customer service... and this is a small industry.


The easiest way to success in this business is to get a job as a pentester for another company. Do that for a couple or three years to learn the business, then start freelancing. After that hire some more pentesters/coders, contract out some more that do niche work (like RPG), and then start building a customer base.

But, that's just the way I see things working in this security world


Oh on the cert thing. I research EVERY cert someone claims to have when I'm shopping for pentesters. They had better be current and legit. If not I spread the word on that too. Just a heads up. Yes, certs /do/ matter to the hiring companies.