Usually good consulting companies would hire former SWEs who want to switch to security. During interviews, basic security questions are asked; most are covered under the Security+ certification. But companies might skip asking them and instead ask SWE code-related security questions, such as how to prevent OWASP Top 10 vulnerabilities. Most of the major ones are covered here: https://cheatsheetseries.owasp.org/Glossary.html
A code review job would involve running a commercial tool such as Checkmarx or Fortify and then reporting on the issues that the tool finds.
Companies give you 24-48 hours to test a vulnerable web app. After you send them a report with findings, if they like it they have a final interview round.
Some of the better companies are NCC Group, Bishop Fox, Nettitude, Google-certified security companies and others. You can find them as sponsors at security meetups like BSides.
As for pay, it's decent but the ceiling is lower than SWE. Entry-level positions usually make below 100, senior low 100s, manager mid 100s and more senior positions are around 200. After that it's harder to move up.
Lastly, the job itself can get pretty boring at times. Code review is something most people try to avoid. It's useful when combined with web app testing to perform greybox testing.
Web app testing can be boring as well, when testing multiple web apps in a row that were tested multiple times before and not finding anything decent.
What makes up for all of that is the excitement of testing newly developed or older web apps with lots of vulns, performing network pentesting and developing new tools for different projects.
It's a great feeling when you publish a new tool and lots of people start using it and appreciate your work.
Could you please talk a little more about the ease of hiring for these positions? For example, it looks like Bishop Fox has around 400 employees, and on their careers page at https://bishopfox.com/careers they're hiring basic "Penetration Testers" in Mexico and "Senior Penetration Testers" in the U.S. Nettitude has fewer employees and at https://www.nettitude.com/us/careers/ has a posting for "Junior Penetration Tester / Security Consultant" with a start date of September 2023 and a 7-month training course.
I'm sure these are great jobs, but they don't really strike me as fallback options, meaning places where developers who are struggling elsewhere could apply and count on finding something. How many entry-level testers in the U.S. do they hire each year, would you say?