by mkhpalm 3217 days ago
I got started for personal entertainment in darker corners of the internet. That ultimately evolved into me writing some of the tools people used in the industry. Eventually that developed into some SaaS products and 2 companies that we ended up selling.

My advice to you if you are just getting started in the infosec world is... don't do it! Short of the increased attention to encryption and various better authz/authn standards... the newer crowd doesn't want to hear anything about the vulnerabilities in their code. 9 times out of 10 the only reason they'll resort to testing anything is to cross off a corp checkbox somewhere. Keep in mind that nobody likes policy and you'll be associated with their hatred for it.

1 comment

> 9 times out of 10 the only reason they'll resort to testing anything is to cross off a corp checkbox somewhere

Can confirm.

The way it usually works is that Company X has N dollars allocated for security. Company X (or rather, a person or a team at Company X, with his/her/their own internal and external priorities and motivations) buys a service - recurring automated tests/assessments/pentests &c. This is where the usual corporate bullsh*t kicks in. If they want to show that they've done a good job in securing something, they buy a pentest over a short duration for a minor thing and then they claim "<trusted security vendor Y> said we were secure". If they want more money, they obtain data to show that. The infosec companies have a "customer is always right" mind-set. It's business.

You can probably get good cash just for telling people to use TLS. Green padlocks and all that.

EDIT: also, to differentiate infosec from regular security, don't forget to prepend "cyber" to everything.