Penetration Testing – Demand Continues To Outweigh Supply

This topic contains 12 replies, has 9 voices, and was last updated by WCNA 8 years, 5 months ago.

  • #5990
     Data_Raid 
    Participant

    Barclay Simpson has released a market report for 2011 which mentions that the demand for pentesters outweighs the supply. The report also mentions various roles and the salaries associated with those roles. The PDF can be downloaded from:

    http://www.barclaysimpson.com/document_uploaded/BS_InfoSec_2011.pdf

    In 2010 the demand for penetration testers further outweighed the supply of available practitioners. The shortage was highest for CHECK Team Leaders followed by CHECK Team Members, and then unqualified but highly skilled penetration testers.

    With the introduction of the CREST scheme in 2008 it was anticipated that the gap between supply and demand for CHECK Team Leaders would reduce. It did not.

  • #37475
     caissyd 
    Participant

What is this CHECK thing? Is this a UK certification of some sort? I tried to Google it but only find Check Point and irrelevant stuff…

  • #37476
     caissyd 
    Participant

    Ok, I just found it at http://www.cesg.gov.uk/products_services/iacs/check/index.shtml

    The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG. Therefore, HMG and CNI customers can be assured that they will receive a high quality service if the work is carried out under the Terms & Conditions of CHECK.

    Related to CREST…

  • #37477
     RoleReversal 
    Participant

    H1t M0nk3y,

    If you’re looking for more info; @digininja just sat, passed and reviewed the Check Team Member exam here

  • #37478
     tturner 
    Participant

    Check out http://nbise.org/ in the US. They are finishing a beta round of testing for Crest.

  • #37479
     Lubinski 
    Participant

I think the demand for “actual” pentesters is high; there are tons of companies and people out there touting pentesting abilities, but they are nothing more than “audit” pentesters and they just check the box.

  • #37480
     dynamik 
    Participant

    @lubinski wrote:

I think the demand for “actual” pentesters is high; there are tons of companies and people out there touting pentesting abilities, but they are nothing more than “audit” pentesters and they just check the box.

    Or worse, repacking automated vuln scans into a pretty report and labeling it a pen test. Not only does that create confusion amongst prospective customers in regards to what a pen test actually is, but it makes skilled penetration testers’ prices seem obscene by comparison.

  • #37481
     hayabusa 
    Participant

I fully agree. Had a LARGE customer, yesterday, call me to ask a question, because their employer hired a yahoo (not associated with Yahoo, just the slang term he used) firm to ‘audit / scan’ them. The results and remediation recommendations were so out of line, based solely on some automated test tool, that my contact was in tears, from laughing so hard! He then begged me to have a detailed look at the remaining findings for him, just to offer friendly advice, and weed out the garbage. Fortunately for him, I do want to build some referral business, so this time I took a look, free of charge, and ‘off the record.’

  • #37482
     WCNA 
    Participant

    repacking automated vuln scans into a pretty report

    😀

    I saw PCI compliance going for $45 the other day. Needless to say that had to be an automated scan.

  • #37483
     dynamik 
    Participant

    At the company I previously worked for, one of our customers would have an external penetration test done every month. They alternated between us and another company each month. The customer became LIVID that he could not schedule his tests with us at the drop of a hat and have the results a day or two later. We tried to explain that the manual testing may take a day or two in itself, and then there’s the report writing, QA reviews, etc. He responded with, “They can do. Why it can’t you?”

  • #37484
     WCNA 
    Participant

    People are funny. Some companies won’t bat an eye at dropping 30k for a pentest, usually because the results of a failure would be so damaging (look what happened to HBGary). But to someone whose livelihood doesn’t depend on the web, they think our services are vastly overpriced, they think 1k is too much. Now we have pentesting companies racing to the bottom to deliver automated tests as cheaply as possible, giving people a false sense of security.

    I was watching a video from one of the links I saw on this site talking about, given the hundreds of vulnerabilities coming out everyday, it’s only a matter of time before you get hacked (the video was focusing on mitigating damages, monitoring outbound connections, running browsers and email in VMs, etc.).

    A cheap, automated pentest only scratches the surface and doesn’t even begin to deal with the big picture view or how to focus on the things that matter most in securing your company.

    BTW, the video was the “Special Webcast: How to Avoid Being Compromised? Featuring Dr. Eric Cole” at SANS.

  • #37485
     rattis 
    Participant

    @wcna wrote:

    Now we have pentesting companies racing to the bottom to deliver automated tests as cheaply as possible, giving people a false sense of security.

    (…)

    A cheap, automated pentest only scratches the surface and doesn’t even begin to deal with the big picture view or how to focus on the things that matter most in securing your company.

    One of the LinkedIn lists I’m on there is a thread about “a job posting in Colorado’s Division of Labor website for a “senior Security Engineer I,” BS + 4 yr exp. $8 hr.”

I’ve seen things like that in Michigan too, on the Michigan Talent Bank (the state-run unemployment center’s site). Not security, but for Network Engineers and the like.

  • #37486
     WCNA 
    Participant

    That’s bound to make all those recent college grads furious as they look at their 40k student loan. $8/hr is ridiculous and downright insulting.


Copyright ©2019 Caendra, Inc.
