by publicprivacy 898 days ago
Thank you all for your perspective, and suggestions.

I was on a bad psychedelic trip, accompanied by some other issues at the time, and ended up making threatening statements to a very high-level official, but no battery occurred whatsoever. Thank goodness, or I would probably not be writing this message.


The challenge here is your choice of specialism. Security is fundamentally a trust-based business and the industry is pretty wary of anyone with a perceived black mark against them. The reasons for this are mainly liability ("if this guy does something wrong and he already has a record, how will we look?") and reputation ("what will our government customers think about us if we hire this person?").

Could/would you consider a sideways step to something less directly security based? For instance there might be data engineering roles that might suit.

My experience is different. I'm not a felon but I come across them in the workplace fairly often as an internal investigator. We have infosec personnel working for us with nonviolent sex offender convictions who also maintain security clearances (defense contractor). Life does not end with a conviction; don't wear a sandwich board broadcasting it but honesty goes a long way. It's the lies that I'll eventually hang you with.

Go west if you can. If you're on the east coast it's hell. The "liability" concerns are (IME) a pervasive east-coast racist myth from the 60s, but it's a real threat. The same justification was used to expand routine drug screening from forklift operators and truck drivers to keyboard jockeys. Equifax did drug testing of white-collar employees and did not hire criminals; so much for their liability and reputation following the worst data breach in history. It's all bullshit; both justifications are veiled cause to not hire blacks.

Mind your co-workers inclined to cyberstalk everyone around them and to use your skeletons to raise PR hell to advance their own career. We've unfortunately thrown employees under the bus due to public outcry. Social "justice" in action! (What was the prison sentence for, if not justice...?)

There's some decent but counterintuitive advice in here, OP: have you tried applying to a job with a clearance requirement? That way your past gets (should get) evaluated within a defined decision making framework, instead of by a spooked recruiter using their lizard brain.
The point of security is to remove trust as a requirement.

Poster could say, “you don’t need to trust me, that’s the point of {insert product or service}”.

OP is doing "SecOps" which is incident response and security automation. The service includes him as a moving part.
You could also consider working as a consultant or external pen tester. When we hired our pen testers, we did not run background checks on them, not least because they have no access to customer data so it's much less of a concern.
If the people you're paying to find weaknesses in the security system are assuredly never going to find a way to access internal data then how did you conclude you needed a pen tester in the first place? I mean, it's probably the right conclusion but only precisely because they'd find a way to access things they shouldn't be able to.
It's relatively common to have pen testers attack a cloned environment w/ sanitized data. This is especially true in cases where your policies (or those you've agreed to from customers) require you to present evidence that you are having a pen test done every X years.
Access to live data for testing is also a compliance question -- as in, don't do it, and why are you doing it?

Why are you not using cloned or dummy data?

We spin up a clone of prod and point them at that.

Certainly if a weakness is found in the clone it's also present in prod, but that's what contracts are for. And we also review logs to make sure.

edit: a clone of prod w/ only test data in it, not prod data.

How do you know what you are looking for in the logs?

If you have the foresight to be able to recognize a malicious action from the logs, why not have the software block those actions from the start?

We log all accesses and flows. So eg if our pentesters found a vulnerability in an endpoint, we can retrieve every post against that endpoint and (1) verify the pentesters didn't exploit it against prod, and (2) verify that it hasn't been exploited by anyone else.
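The retrieval this comment describes, written out as an added example (not code from the thread or from the commenter's company): pull every POST against the reported endpoint out of an access log and split the hits into traffic from the pentest firm's declared source range during the engagement window, pentest-range traffic outside the window, and everything else, which is the bucket a reviewer has to chase. The JSON-lines log format, the field names, the 203.0.113.0/24 source range and the engagement dates are all assumptions constructed for the example.

```python
"""Triage access-log records for one endpoint after a pentest finding.

Added example, not from the thread. Assumes a JSON-lines access log with the
fields ts/src/method/path/status, a source range the pentest firm declared in
the rules of engagement, and an agreed engagement window (UTC).
"""
import ipaddress
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample log, one JSON object per line. Addresses are RFC 5737
# documentation ranges, not real hosts; the last line simulates a corrupt record.
SAMPLE_LOG = """\
{"ts": "2023-03-06T10:02:11Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v1/export?format=csv", "status": 200}
{"ts": "2023-03-06T10:02:15Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v1/export", "status": 500}
{"ts": "2023-03-06T10:05:00Z", "src": "198.51.100.23", "method": "GET", "path": "/api/v1/export", "status": 200}
{"ts": "2023-03-07T23:41:09Z", "src": "198.51.100.23", "method": "POST", "path": "/api/v1/export", "status": 200}
{"ts": "2023-03-09T08:00:00Z", "src": "203.0.113.9", "method": "POST", "path": "/api/v1/export", "status": 200}
{"ts": "2023-03-06T11:00:00Z", "src": "203.0.113.8", "method": "POST", "path": "/api/v1/login", "status": 302}
not json at all
"""

# Assumed rules-of-engagement values: declared pentest source range and window.
PENTEST_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
ENGAGEMENT_START = datetime(2023, 3, 6, tzinfo=timezone.utc)
ENGAGEMENT_END = datetime(2023, 3, 8, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one JSON-lines record; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["src"] = ipaddress.ip_address(rec["src"])
        return rec
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def requests_to_endpoint(log_text, endpoint, method="POST"):
    """Every record with the given method whose path (query string dropped) matches."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != method:
            continue
        # Compare the path component only, so /api/v1/export?format=csv still matches.
        if urlsplit(rec["path"]).path == endpoint:
            hits.append(rec)
    return hits


def triage(log_text, endpoint, sources=PENTEST_SOURCES,
           start=ENGAGEMENT_START, end=ENGAGEMENT_END):
    """Bucket hits by whether they are attributable to the declared pentest."""
    buckets = {"pentest_in_window": [], "pentest_out_of_window": [], "unattributed": []}
    for rec in requests_to_endpoint(log_text, endpoint):
        from_pentest = any(rec["src"] in net for net in sources)
        if not from_pentest:
            buckets["unattributed"].append(rec)
        elif start <= rec["ts"] <= end:
            buckets["pentest_in_window"].append(rec)
        else:
            buckets["pentest_out_of_window"].append(rec)
    return buckets


def summary(log_text, endpoint):
    """Counts per bucket; anything non-zero outside pentest_in_window needs a look."""
    return {name: len(recs) for name, recs in triage(log_text, endpoint).items()}


if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_LOG, "/api/v1/export").items():
        print(bucket)
        for r in recs:
            print(f"  {r['ts'].isoformat()} {r['src']} status={r['status']}")
```

On the constructed log this yields two in-window pentest hits, one pentest-range hit after the engagement ended, and one unattributed POST from 198.51.100.23 on the evening of the 7th; the last two are the records that would need to be explained before the finding is closed out. The query string is stripped before matching so variants of the same endpoint are not missed, and malformed lines are skipped rather than aborting the sweep.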
Of course, that only works if the vulnerability is reported. There is no reason for the malicious actor to report the vulnerability they have chosen to exploit.

What percentage of the vulnerabilities discovered are independently discovered by multiple pen testers?

It could have been for a service that was not in production yet, and in an isolated environment.
You said in your post it was not drug-related, but here you say it was a bad psychedelic trip. Which is true?
I meant drug sales, thank you, I updated.
“Gotcha! No hire!”
You should try to petition your state governor's office to get the felony removed. It is a long, time-consuming process and will likely need help from a lawyer, but I have friends that have successfully gotten their felony removed after several years of diligently trying again, and of course good behavior in the meantime. It may never happen, but might as well give it a shot; it can't hurt.