Security consulting - who the heck would pay for it?


Re: Security consulting - who the heck would pay for it?

Postby social_experiment » Thu Sep 29, 2011 5:36 pm

JeremyG wrote: I don't see anything ethically wrong with either spamming (whether it's effective is another question) or unauthorized pentesting as long as you are scrupulous about not using any information so acquired. (Might want to look into any legal aspects first, of course.) It's ballsy and it's arguably rude, but it's not the same as criminal hacking because the intent is entirely different.

Most laws regarding computer crimes don't seem to care about the intent; the more pertinent issue is that illegal access was made.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
 
Posts: 2768
Joined: Sun Feb 15, 2009 12:08 pm
Location: .za

Re: Security consulting - who the heck would pay for it?

Postby Mordred » Fri Sep 30, 2011 1:58 am

social_experiment wrote: Most laws regarding computer crimes don't seem to care about the intent; the more pertinent issue is that illegal access was made.

I think this is true for my local laws as well.
On the other hand there are cases where it's so painfully obvious that the site has a vulnerability, one could email them:
"Hi, I am Patrick O' UNION SELECT username, password FROM login, from the old and traditional Irish clan UNION SELECT username, password FROM login. I noticed a problem with your site... "

I *have* disclosed problems to some site owners and so far two things happen: full on ignore or "thanks, we'll fix it".
Things need not have happened to be true. Tales and dreams are the shadow-truths that will endure when mere facts are dust and ashes, and forgot.
My security blog. (not updated lately)
The Unexpected SQL Injection (article) (.txt, cause the .html version is broken)
Password hashing howto (and how not to) (article)
Salt strengths (article)
Mordred
DevNet Resident
 
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria
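Mordred's joke surname above is a complete injection payload in one line. As an added example (not code from the thread or from any poster), the block below feeds that surname to two SQLite lookups: one pastes it into the statement text, the other binds it as a parameter. The table names, the sample rows and the trailing `--` (appended so that the closing quote the application adds after the name is treated as a comment and the statement still parses) are assumptions of this example.

```python
import sqlite3

# Constructed sample data for this example; nothing here comes from the thread.
LOGIN_ROWS = [("alice", "$2y$10$hash-for-alice"), ("bob", "$2y$10$hash-for-bob")]

# The surname from the post, with "--" appended so the quote the application
# puts after the name becomes a comment and the statement parses.
JOKE_SURNAME = "O' UNION SELECT username, password FROM login --"


def make_db():
    """In-memory SQLite database with a login table and a customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE customers (surname TEXT, email TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", LOGIN_ROWS)
    # The clan member really is on file, so a correct lookup has exactly one hit.
    conn.execute(
        "INSERT INTO customers VALUES (?, ?)", (JOKE_SURNAME, "patrick@example.com")
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, surname):
    """Builds the statement by concatenation: whatever is in the surname becomes SQL.

    With JOKE_SURNAME the customers table is never matched; instead the UNION
    returns every row of the login table.
    """
    sql = "SELECT surname, email FROM customers WHERE surname = '" + surname + "'"
    return sorted(conn.execute(sql).fetchall())


def lookup_safe(conn, surname):
    """Binds the surname as a parameter: it can only ever match as data.

    The same input now finds the one customer whose surname literally is the
    payload string, and the login table is never touched.
    """
    sql = "SELECT surname, email FROM customers WHERE surname = ?"
    return sorted(conn.execute(sql, (surname,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    print("concatenated:  ", lookup_vulnerable(db, JOKE_SURNAME))
    print("parameterised: ", lookup_safe(db, JOKE_SURNAME))
```

The two functions run the same logical query; the only difference is whether the driver or the application decides where the data ends and the SQL begins, which is the whole of the fix.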

Re: Security consulting - who the heck would pay for it?

Postby social_experiment » Fri Sep 30, 2011 4:39 am

Mordred wrote: I *have* disclosed problems to some site owners and so far two things happen: full on ignore or "thanks, we'll fix it".

I think the email route is the safest option, but it looks like site owners rarely appreciate it enough to properly thank you. If history is anything to go by, you'd probably have to compromise their site, get access to some data, and maybe somewhere down the line they will employ you.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
 
Posts: 2768
Joined: Sun Feb 15, 2009 12:08 pm
Location: .za

Re: Security consulting - who the heck would pay for it?

Postby Eric! » Fri Sep 30, 2011 7:13 pm

Most companies don't hire unknown security consultants. They are paranoid that way; in fact, they are a little wary of a programmer who knows the "black arts" coming in and "fixing" their problems, especially if you are working remotely and not attached to any "brick-and-mortar" company.

I would suggest you start by going to a consulting house and doing some work through them. Once they get to know you and you get some big names/jobs on your resume then you can go solo.

On the other hand, I get SEO spam almost constantly, so I would assume this approach must generate some business. Unfortunately, most security is done in-house, and even in small companies they just rely on the designers, who always say, "Sure it's secure. Tight as a drum. No one can get past my code." I once did a job for a friend's company just as a favor. He asked me to double check their site, as everyone in house was telling him how good it was. They had no SSL, no throttling on their login, exposed session data, etc. etc. Of course they didn't want to pay me to fix it though (and I don't normally do any security type stuff anyway). They were embarrassed and fixed it themselves.

Oh, and I HIGHLY recommend you don't PEN-TEST a site without permission just to get a job from them. This will automatically ruin their trust, your reputation and could get you into legal trouble. Sometimes companies are open to discussion about allowing you to test their site, but I would make sure you have some kind of arrangement that they pay you something for the results otherwise they will say thanks and pass it off to their software guys to fix.
Eric!
DevNet Resident
 
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Security consulting - who the heck would pay for it?

Postby Eric! » Sun Oct 02, 2011 6:42 pm

I had another thought that I know has worked for people. You could give talks at conventions about certain security problems and demonstrate how devastating a simple and common weak programming technique can be. Now, you don't want to go to hacker conventions, but to general business conventions about e-commerce or on-line sales, where they don't normally hear about this kind of stuff; after seeing an impressive dog-and-pony show they might take you up on auditing their systems or refer you to other people in their company about doing work.

Having a published book also helps, especially in getting in the door as a presenter.

(BTW - Your database insertion = classic).
Eric!
DevNet Resident
 
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Security consulting - who the heck would pay for it?

Postby greyhoundcode » Mon Oct 10, 2011 10:24 am

Eric! wrote: You could give talks at conventions ... Now you don't want to go to hacker conventions, but general business conventions about e-commerce or on-line sales where they don't normally hear about this kind of stuff

This approach has generated business for me - not in the context of security work, I hasten to add - and I've found joining Chambers of Commerce and similar bodies is a good way to deliver these kinds of talks. Much of the horse work of promoting and organizing the talk itself (making a room available, emailing members and all that stuff) is then taken care of.
greyhoundcode
Forum Regular
 
Posts: 611
Joined: Mon Feb 11, 2008 5:22 am
