I will start a new topic, where you can share with others problems and the eventual solutions you encounter during your work.

I will start with something very recent. I am working as an analyst, and one of my responsibilities (initiated by myself) is to do vulnerabilities scans, and eventually penetration testing.

It has been few month now since I am asking for permission to install Backtrack, on a VM, in the internal network. This it will help me to do other scans than Nessus, I can use Metasploit, Dradis... you get it.

My boss didn't want to take the responsibility to approve it, so it forwarded my request to a senior architect. Every week I kept asking for an answer.
Yesterday he told me that they will not approve it because Backtrack is not supported. 
I told him that there is no need to support, because being a VM on my laptop, if it breaks, I will restore it or I will install another version.
But, he explained that they don't want to approve because I will be the only one in the company that will know how to use it, and if I will leave they will not be able to continue my work.

Imagine my frustration. I studied for so long, I am even doing OSCP paid by them, and now they do not accept it.

I know that there are other options. They will be happy with a commercial distribution, even if it isn't as good as Backtrack. They want something based on Red Hat, but I don’t like the idea.
I prefer Backtrack because it is very easy to use, you have all the tools in one place, and it is very easy to update.

Unfortunately this isn't the only initiative denied by him (them) so I am becoming very unhappy at work. I even started to think about leaving.

I don't know which the best solution is, but I am tired to try to be creative and to be denied because he doesn't have an open mind.

 

Reality is... Get over it And I don't mean this in a spiteful/mean manner. You have to take a different approach to the way you're looking at this.
 Their concerns (managers_ are valid although they may not seem to make sense to you. You asked for an application suite (bunch of tools bundled in one) that you would be the only one capable of running. Even though the tools may be free to use for the most part, there still is the cost of them having to train someone else on using them if you leave.

So while you will see it as: "everything is open source so its easy to use" they will see it from a cost benefit perspective. "What would it cost me to train existing individuals to use this... What would it cost for support when you need someone on the phone RIGHT NOW..."

You were wrong to go over your bosses head 1) because of the chain of command (and no I'm not in the military) and 2) your approach is wrong

When approaching management, you ALWAYS need to remember that business comes first and even though you may have an alternative solution, your presentation was non-existent. To overcome this, you should have shown them some financial benefits to choosing Backtrack versus a pay for play model.

Now what *I WOULD HAVE DONE* is gone out and done the research on say 5 enterprise tools. Put together your own RFI/RFP using those tools and show them the cost benefit of training existing and or new staff to use Backtrack versus the other options.

E.g.

GFI Languard cost benefit versus Backtrack(Open Source Tools)
Core Impact cost benefit versus Backtrack(Open Source Tools)
Immunity Canvas cost benefit versus Backtrack(Open Source Tools)

Each commercial tool has a cost which dwarf the cost of training say 3 employees via OSCP + using Backtrack and other open source tools. Make it a business case for them and be factual with your information. Not biased by "I want to use this.... Well you won't give it to me, I'll ask someone else"

You need to remember that your manager also answers to someone and if you think about this from his perspective, why would he want the headache of trying to understand something - which may be simple to you - or not being able to call a support line and have them fix the issues.

Right now, I love FOSS, I love BSD, Linux, etc., but the reality is, I'd prefer say SAP or MS Office since I can always call and bitch and moan at 3AM without having to spend say 3-4 hours digging out via Google, jumping on IRC, etc.


You need to always remember that a business' objective is to make money. This is their first and primary goal. What you've done is nothing more than offer an opinion without allowing them to understand anything associated with what you want to do. You also confuse creativity and innovations. Your bosses don't need to be creative, they need to meet the goals set for them by THEIR managers. Present it to you boss from a business perspective. What are the costs, what are the risks and what are the benefits.

I've done this for years on end and almost always end up getting my way at the end of the day. HOWEVER (big however here...), I ALWAYS, ALWAYS, ALWAYS put together a good fight. This includes prices, research, what the herd says, etc., this way no one can call it a biased opinion:

Research indicates other similar companies have done X and saved Y amount of money.

I'm not coming down at all, giving you constructive criticism here... All you've done is complained about not getting what you wanted, but you haven't actually fought for what you want now have you

Hi,

I can understand your frustration. I have been through that phase as well. The way I approached the situation was to break all your work into phases. Start with the simplest thing that you know they cannot say no to. Get it working, document it well enough so that they get the confidence that there is now a process where the tool fits in and there is enough documentation for someone else to start using it. Generate reports and show the benefits from the tools/processes you implement.

It takes time and you need to have patience. Eventually you may either get your tools or you may get the budget to buy commercial versions with the support.

Cheers,
Salil

I've been going through the same frustrations as you, alucian.  I just recently realized what sil mentioned, about making it a business case.  I'm still working through the best way to go about doing this with the people I work with - finding what information works best to persuade them in a certain direction (sort of like social engineering a bit, eh? ) - and I'm very appreciative to sil for sharing his experiences in all this!

Hello,

They paid for it because I asked for it, I made a business case, and, most important, because the company has a budget for training and nobody uses it (Peter's principle at it's best).

Now, after months of fighting, we will introduce Backtrack in the internal network, in order to identify the false positives in the Nessus reports.

But I am so fed up with this fighting, I am so upset that I have to beg to do my work, that I am looking for another job. My boss knows it (the HR found my resume on monster) and I told him the real reasons for leaving. He didn't care very much, and he said that I am wrong, and they are right

I will even have an interview for a vulnerability analyst position. Even if I will not be accepted (they are asking more security experience than I have), the good news is that I have the confirmation that I am on the right path, and working my ass and doing a lot of sacrifices to study will pay back.
For example, now is Sunday 2.20 pm, and I am at the office because I want to study. I sacrificed a Sunday afternoon with my wife and kids, but I know that someday I will be rewarded for this. (even if my boss tells my that technical skills are not enough, I need to have a positive attitude and to integrate in the company's culture )

Good luck with your fight!