[tptacek]

What you're doing now is re-answering a question I posed upthread without addressing the question I just asked.

Yes, of course, every enterprise product company in the world --- in security, disaster response, configuration management, issue tracking, document management, what-have-you, every single one --- sells to FedGov. They all have special teams to do it. And FedGov has special requirements; for instance, Common Criteria certification.

Now: can you answer my actual question? How on earth did you feel you'd be able to defend your statement that most commercial security work is thinly-veiled NSA work? That's not just not true, it's almost literally the opposite of true.

Is your answer "there's this East Coast sector of the security industry that sees itself as the whole security industry that is almost entirely thinly-veiled NSA work"? If so: can you name 3 companies in that East Coast security sector? I've worked in security for just about 20 years now and can name many, many East Coast companies, and very few of them have ever done work for NSA, or, for that matter, done work that would be interesting to NSA.

[Kalium]

"Most" was never my contention. I used "much", which implies a significant amount (dollar-wise, true) without contending a majority.

[tptacek]

And I said virtually none of it is, rebutting your claim, which I think is farcical. Can you defend it with specifics?

[Kalium]

Leidos, ManTech, and Endgame (provided you're willing to allow Atlanta) come to mind. All do substantial amounts of security work. Mandiant, too, though they're now owned by FireEye.

[tptacek]

Two giant government contractors that happen to have small security teams, and one tiny boutique firm. The funny thing is you didn't mention Raytheon or Lockheed, both of which have teams that I suspect are larger than the three teams you mentioned put together. All of them are dwarfed by the commercial security industry. Most of them are backwaters nobody in the field thinks about when they think about security.

[Kalium]

This is an embarrassing admission: I couldn't remember how to spell Raytheon.

I do know that the people in those fields tend to think of themselves as "the security industry". They also don't generally work on material that the more private-sector-focused industry cares about or gets exposed to, like how to secure a network when you have brain-damaged political network policies.

I'll have to keep a tally at the next DEFCON.

[tptacek]

I think you need to be more careful about how you word this.

It is a true but very uninteresting statement to say that "most government contracting work is thinly veiled government work".

Obviously, you don't feel like that's what you're saying. But to defend the statement that much of security in general is thinly veiled USG work, you cite SAIC, ManTech, and (now) Raytheon. Giant government contractors.

The security industry as a whole is enormous. It includes big chunks of Cisco, IBM, EMC, Symantec, Intel, and HP, and literally hundreds of companies the likes of Duo, Cloudflare, Accuvant, and Lookout.

The clear implication of your comment upthread is that most commercial security work is not only done for the USG, but is offensive work done for NSA. That's why you compared it to HackerOne and called their rates a "sick joke". Not only would that statement still not be true if most commercial offensive work was done by NSA (government rates on vulnerabilities are not as lucrative as extragovernmental rates are), but it is itself not true at all. Ironically, the numbers get even worse for your argument when we narrow the security industry down to offensive work.

I might lose an argument about how much bogus "defensive" security product stuff gets sold through GSA teams to NSA and DoD in general. But most of my experience --- apart from the four years I spent working for what was at the time Sandvine's biggest competitor, where we never once had a discussion about selling to NSA --- is on the offensive side. Virtually none of the commercial offensive security work that is done is done to benefit NSA.