by sillysaurus3 3217 days ago
Just to clarify for everyone: Be careful switching your career to netsec/pentesting. If that's your thing, great. But you're likely to be a "lifer" because no one will want to hire you anymore for webdev.

It's not quite as clear-cut as that, but if you're out of the game for N years, it's really hard to get back into it. Especially when you're not younger than 30. Ageism is a real thing.


As someone who has tried a couple times to jump the other way I can attest to this. Completely stonewalled for full stack developer positions.

I have found exploits by knowing the quirks of all sorts of libraries and I have to be able to understand how things work on a deep level. But because a lot of the job is tracing other people's work and finding gaps in their logic, you don't have as much 'dev' time in the traditional sense. Most of your coding turns into ways to prep your exploit. Your life gets wrapped up chasing obscure malloc bugs or strange Chrome behavior rather than contributing in normal developer ways, and companies don't recognize this as transferable. I'm only a little bit bitter about it, but I love my work. I just hope the pay stays solid and I don't end up in a dead end job later in life.

Also it's really hard to be good in this industry. It is almost entirely driven by the top 1% of people and as someone who is not in that demographic it feels like a constant struggle to keep up.

By your text, you're a random senior developer. It shouldn't be too hard to get a position, as long as you live in one of the active tech locations.

It looks like you and the parent poster are facing the usual company that is looking to hire a cheap 20 year old web dev with little experience. Not a good fit for you.

I've heard a lot of managers complaining that it was hard to find security people who could code well, so while getting a generic web dev job may be hard due to bias, it should be relatively easy to get a security engineering position where you write security-related code, as long as you're good at the writing code part.
Sure, but that still makes you a security lifer.
To echo a sibling - that's not a bad thing. But let's add some context.

Security is one of the few fields that can truly benefit from a holistic approach. Really good QA people who can code and work directly with both marketing and engineering can lay the same claim to their field.

Once you have enough experience in development AND security, it's easy to add product life-cycle[0] considerations into the mix. When you get that far, you're expanding into architecture and workflow engineering. And this is where it gets interesting...

If you end up being responsible for security matters as part of engineering workflow, you will find yourself also deeply involved in compliance. People who have solid background in development, work on architecture or product life-cycle, focus on practical security, care about engineering workflow -- and can tie all this together to satisfy compliance requirements are rare. Very rare.

Not to mention employable.

The ability to meet ever-changing compliance requirements WHILE maintaining sanity, engineering workflow and development velocity is already in high demand. It can be very satisfying too, because you end up covering architecture, production systems, development and business needs, all together. The approach has to be holistic, because nothing else works.

The common wisdom is that security is a process. It's also a mindset. And a mindset can be taught...

0: Magic acronym is "PDLC" - Product Development Life Cycle

I didn't really find it that difficult to move from security consulting/research/code audits => dev/researcher at security vendors => machine learning engineer.

So I don't know how we decide whose anecdote wins here :p

Simple. If you value your career as a dev, you won't become a pentester. :) There's no upside except intellectually. Being a dev pays more and gives you more options going forward.

That's a harsh way to frame it, but it's also accurate. (I'm speaking from experience FWIW.)

In other words, you could have become an ML engineer anyway. No reason to risk it by becoming a pentester.

One thing to note is Dev paying more than security is a bit geographically dependent.

I know dev salaries in the US are very high, but in other countries (e.g. the UK) security posts can pay pretty well relative to many development posts.

In terms of options, there's a fair number of options available after pentesting, although most of them revolve around security in one guise or another. On top of the obvious moves into IT/Infosec management, there are new fields in security which open up alongside tech.

Recently there's been an expansion with fields like malware analysis, blue teaming, incident response and red teaming showing quite good expansion.

Within "pentesting" there's areas like IoT, Automotive, maritime etc which can offer moves for people wanting to move on from more trad. pentest roles.

I found security to be more financially rewarding than dev work (in the US) by asking developers at places I worked how much they were paid.

I wouldn't really recommend being a pentester either, but there is plenty of need for people who understand security and can code to write software.

It seems like you're having a tough time, and maybe ageism is a factor here, but none of what you're saying really meshes with my experience.

You say that like it's a bad thing!
I don't think I agree with this, at all. It depends on what you do in security.

If you work as a pentester or network security staff, then you might be trading a career in software development for a career in operations. In that career, it's more likely that you will be challenged to _use_ tools, build processes, or fight political battles for consensus, rather than build software.

On the other hand, there are many firms that hire primarily for security engineering and focus on building software. Any skills you have in software development will stay current, and your work in security would make you a better, and more desirable, software engineer.

Anecdotally, I can name many people who have made the jump from security engineering to positions like VP of Engineering, CTO, or simply software engineering.

See the sibling comment. Both stories are common, but I think my story is far more common. We don't have data so it's impossible to know, but of course you'd see a lot of people go from security engineering to VP or CTO -- those are the winners. Survivorship bias is a nasty beast.
I've only seen people make poor choices and limit their own careers. It's nothing inherent in the field of security that forces people to let their dev skills atrophy while turning into script kiddies or non-technical managers. You should be aware of what you are doing when entering ANY new field.

Obviously, if you enter a job where you have to "fight for dev time" as the sibling comment you refer to mentions, then your skills as a dev will suffer. That's not a good career path if you think you might want to return to software development one day. Find a job in security engineering, of which there are many, where you have to fight to take breaks from coding instead.

I think people have a confirmation bias that the security industry is made entirely of "netsec/pentesting" jobs since the news cycle is driven by hype from bug hunters, consultants, and vendor FUD. There are enormous numbers of people working on designing and building new security tools, capabilities, and research. Do that.

Finally, I'd like to say that if my own company wound down tomorrow, I am confident that every single one of my ~30 engineers could find a job in software engineering in an instant.

Coming from someone who holds your company in high regard and loved your company's work in the CGC, I really have to disagree. You can be neither a script kiddie nor a non-technical manager and still have webdev shops view you with suspicion, for much the same reason node shops might see someone who has a lot of Java on their resume as someone who may not be a good fit because of 'technical baggage.' We can say that someone just needs to 'git gud', but I do think it's important to acknowledge that many times there are biases that get placed which are not always 100% rational.

Edit: Also I do believe your claim about all 30 of your engineers being able to find work elsewhere. You have to admit the average employee you have probably isn't reflective of anywhere near the average of the industry or even the enthusiast community.

That sucks, and I'm sorry to hear that. I guess we can both agree that firms with such immature views probably don't deserve your resume to begin with.
Happens, and I won't pass judgement. The IoT explosion has been the best thing to happen for me in years career-wise, and now I get to combine the best of both worlds.