Ask HN: How to be an independent security consultant?

[notastartup]

So I've been wanting to switch from software development into pen testing and security consulting. I want to get some practical skillset enough to consult local tech companies. In general, need some materials which I can follow and learn as well as some guidance.

To become a software developer the path is pretty clear, you learn the language, build some stuff on your own, and take on real world projects. I find that this is a bit of a different path.

[tptacek]

Going from zero to independent consultant in appsec is going to be difficult. There's a lot of work that needs to be done, more than all the serious firms can handle, but every good project has multiple bidders. For any project you'd actually want to work on, you're not going to be competitive as a fledgeling indie consultant going up against Accuvant, NCC, IOA, and Leviathan.

My advice is, take a job with a consulting firm to learn the ropes. Then decide whether you want to sink several years of your life getting a new consultancy off the ground. I didn't reliably match my FT salary after starting Matasano for several years.

In any case, if you're looking for things you can do to make yourself marketable as a security consultant:

* (Easiest, but least-bang-for-buck): file bugs, particularly for companies with bug bounties that will credit you. Don't look for bugs in companies that don't offer public permission to test, though.

* Go looking for a vulnerability in a framework, programming language, or major library. By the time you find one, you'll have expertise in that technology, which you can (a) add to your bio and (b) use as lead-gen for work.

* Find a pattern of vulnerabilities. If those vulnerabilities aren't novel, design some countermeasure that fixes them all. If they are novel, you can stop there. Now put together a talk and submit at security conferences. In rough order of prestige, and certainly having left several out: Black Hat USA, CanSec, CCC, Black Hat Anywhere But USA, DefCon, Recon, Toorcon, RSA, Derbycon, OWASP.

[dpeck]

I'll echo/amplify that last point, not that tptacek needs echoing here or in the infosec community. If you're able to do some real research and put together a paper then do it. It just gets better with age.

Its very nice to hear people say that something you put out years before has influenced their work, or given them a good starting point. I'd wager that if you've spoken at a couple of those top conferences you'll have little trouble finding any work you'd want.