Topic: Penetration Testing – Demand Continues To Outweigh Supply
Data_Raid (Full Member, 165 posts)
« on: January 21, 2011, 03:14:34 AM »

Barclay Simpson has released a market report for 2011 which mentions that the demand for pentesters outweighs the supply. The report also mentions various roles and the salaries associated with those roles. The PDF can be downloaded from:

http://www.barclaysimpson.com/document_uploaded/BS_InfoSec_2011.pdf

Quote
In 2010 the demand for penetration testers further outweighed the supply of available practitioners. The shortage was highest for CHECK Team Leaders followed by CHECK Team Members, and then unqualified but highly skilled penetration testers.

With the introduction of the CREST scheme in 2008 it was anticipated that the gap between supply and demand for CHECK Team Leaders would reduce. It did not.


All men by nature desire knowledge.

Aristotle
H1t M0nk3y (Hero Member, 865 posts)
« Reply #1 on: January 21, 2011, 08:26:22 AM »

What is this CHECK thing? Is this a UK certification of some sort? I tried to Google it but only found Check Point and irrelevant stuff...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
H1t M0nk3y (Hero Member, 865 posts)
« Reply #2 on: January 21, 2011, 08:28:42 AM »

Ok, I just found it at http://www.cesg.gov.uk/products_services/iacs/check/index.shtml

Quote
The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG. Therefore, HMG and CNI customers can be assured that they will receive a high quality service if the work is carried out under the Terms & Conditions of CHECK.

Related to CREST...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Andrew Waite (Hero Member, 928 posts)
« Reply #3 on: January 21, 2011, 08:32:41 AM »

H1t M0nk3y,

If you're looking for more info, @digininja just sat, passed and reviewed the CHECK Team Member exam here

tturner (Sr. Member, 432 posts)
« Reply #4 on: January 21, 2011, 12:32:47 PM »

Check out http://nbise.org/ in the US. They are finishing a beta round of testing for CREST.

Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, OPSE, CSWAE, CSTP, VCP

WIP: OSWP, GSSP-JAVA, GXPN

Udacity on hold, again. I suck.

http://sentinel24.com/blog  @tonylturner http://bsidesorlando.org
Lubinski (Newbie, 26 posts)
« Reply #5 on: January 23, 2011, 08:57:28 AM »

I think the demand for "actual" pentesters is high. There are tons of companies and people out there touting pentesting abilities, but they are nothing more than "audit" pentesters and they just check the box.
ajohnson, aka dynamik (Recruiters, Hero Member, 1057 posts)
« Reply #6 on: March 11, 2011, 10:15:07 PM »

Quote from: Lubinski
I think the demand for "actual" pentesters is high. There are tons of companies and people out there touting pentesting abilities, but they are nothing more than "audit" pentesters and they just check the box.

Or worse, repacking automated vuln scans into a pretty report and labeling it a pen test. Not only does that create confusion amongst prospective customers with regard to what a pen test actually is, but it makes skilled penetration testers' prices seem obscene by comparison.
« Last Edit: March 12, 2011, 09:07:34 AM by dynamik »

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
hayabusa (Hero Member, 1633 posts)
« Reply #7 on: March 12, 2011, 06:44:00 AM »

I fully agree. Had a LARGE customer, yesterday, call me to ask a question, because their employer hired a yahoo (not associated with Yahoo, just the slang term he used) firm to 'audit / scan' them. The results and remediation recommendations were so out of line, based solely on some automated test tool, that my contact was in tears from laughing so hard! He then begged me to have a detailed look at the remaining findings for him, just to offer friendly advice and weed out the garbage. Fortunately for him, I do want to build some referral business, so this time I took a look, free of charge and 'off the record.'

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
WCNA (Full Member, 187 posts)
« Reply #8 on: March 13, 2011, 02:21:33 PM »

Quote from: ajohnson
repacking automated vuln scans into a pretty report

I saw PCI compliance going for $45 the other day. Needless to say, that had to be an automated scan.

ISC2 Associate, WCNA, CWNA, OSCP, Network+
ajohnson, aka dynamik (Recruiters, Hero Member, 1057 posts)
« Reply #9 on: March 13, 2011, 03:04:06 PM »

At the company I previously worked for, one of our customers would have an external penetration test done every month. They alternated between us and another company each month. The customer became LIVID that he could not schedule his tests with us at the drop of a hat and have the results a day or two later. We tried to explain that the manual testing may take a day or two in itself, and then there's the report writing, QA reviews, etc. He responded with, "They can do. Why it can't you?"

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
WCNA (Full Member, 187 posts)
« Reply #10 on: March 13, 2011, 09:40:44 PM »

People are funny. Some companies won't bat an eye at dropping 30k for a pentest, usually because the results of a failure would be so damaging (look what happened to HBGary). But to someone whose livelihood doesn't depend on the web, our services seem vastly overpriced; they think 1k is too much. Now we have pentesting companies racing to the bottom to deliver automated tests as cheaply as possible, giving people a false sense of security.

I was watching a video from one of the links I saw on this site talking about how, given the hundreds of vulnerabilities coming out every day, it's only a matter of time before you get hacked (the video was focusing on mitigating damages, monitoring outbound connections, running browsers and email in VMs, etc.).

A cheap, automated pentest only scratches the surface and doesn't even begin to deal with the big-picture view or how to focus on the things that matter most in securing your company.

BTW, the video was the "Special Webcast: How to Avoid Being Compromised? Featuring Dr. Eric Cole" at SANS.
« Last Edit: March 13, 2011, 09:52:11 PM by WCNA »

ISC2 Associate, WCNA, CWNA, OSCP, Network+
chrisj (Hero Member, 1163 posts)
« Reply #11 on: March 14, 2011, 09:30:01 AM »

Quote from: WCNA
Now we have pentesting companies racing to the bottom to deliver automated tests as cheaply as possible, giving people a false sense of security.

(...)

A cheap, automated pentest only scratches the surface and doesn't even begin to deal with the big-picture view or how to focus on the things that matter most in securing your company.

On one of the LinkedIn lists I'm on there is a thread about "a job posting on Colorado's Division of Labor website for a 'Senior Security Engineer I,' BS + 4 yr exp. $8 hr."

I've seen things like that in Michigan too, on the Michigan Talent Bank (the state-run unemployment center's site). Not security, but for Network Engineers and the like.

OSWP, Sec+
WCNA (Full Member, 187 posts)
« Reply #12 on: March 14, 2011, 10:19:57 AM »

That's bound to make all those recent college grads furious as they look at their 40k student loans. $8/hr is ridiculous and downright insulting.

ISC2 Associate, WCNA, CWNA, OSCP, Network+