Starting Your Own Company…

    • #7953
      S3curityM0nkey
      Participant

      As anyone who has been hanging around on this forum for a while will know one of the most common questions is “How do I get into the industry?” and as always the users on the forum will go out of their way to give helpful advice.

      I have a slightly different question.

      It seems to me that a few of the guys (and girls) on forum work for themselves or as consultants in the industry.

      I want to hear from a few of you as to the challenges you faced while starting up your company.

      How did you get your first client? I imagine it’s hard to convince someone to let you perform a pentest on their network when you have no rep in the industry.

      Has it been worth it?

      What advice would you give to someone on the forum who is thinking of starting up their own company or working as a consultant?

    • #50434
      dynamik
      Participant

      @SecurityMonkey wrote:

      I imagine it’s hard to convince someone to let you perform a pentest on their network when you have no rep in the industry.

      That scenario should never come up. You shouldn’t start a business (at least in this industry) unless you have extensive subject-matter expertise.

      If this is something you’re considering in the future, I highly recommend you read these two books:
      http://www.amazon.com/Million-Dollar-Consulting-Alan-Weiss/dp/0071622101/ref=sr_1_1?ie=UTF8&qid=1349907953&sr=8-1&keywords=million+dollar+consulting
      http://www.amazon.com/Start-Your-Business-Fifth-Edition/dp/1599183870/ref=sr_1_1?ie=UTF8&qid=1349907966&sr=8-1&keywords=small+business

      Something else to keep in mind is that if you run your own business, you will probably spend more time on business activities than whatever services you provide. Legal work, accounting, marketing, sales, etc. are going to take a significant amount of time. Don’t start a business unless you want to run a business or have the resources to contract all those services out.

      Disclaimer: I’m currently employed elsewhere, but I’ve run my own business for a stint and have done consulting on the side during some of my previous positions.

    • #50435
      S3curityM0nkey
      Participant

      Good advice ajohnson. I have run a company as well and know how much work is involved in getting it off the ground and then keeping it going!

    • #50436
      rattis
      Participant

      I read this one back in the day (after being let go from a large telco company).
      http://www.amazon.com/From-Serf-Surfer-Becoming-Consultant/dp/0782126618

      There was another one, even older, that I read. I don’t remember what it was called. It was written by an electrical engineer who went into photography consulting, if I remember right.

    • #50437
      Seen
      Participant

      I actually decided to start my own web pentesting company last month.  For the past 2 years, I’ve been doing consulting work for various start-ups while looking for a full-time job.  2 months ago I did a pentest on my friend’s website and got a nice amount of money for it (despite the fact that I offered to do it for free).  As a result, I decided to try and see if I could make any money doing pentesting for other sites.  However, I’m having trouble finding that second client.

      Besides using word-of-mouth with my friends, for the past 3 weeks I’ve been looking for sites that have obvious security holes (like a login system without HTTPS) and sending out e-mails.  I’ve gotten responses from 2 websites, both of which basically said, “We know and we don’t care.”

      This past week, in addition to searching for those kinds of sites, I’ve been attempting to find freelance security jobs, but I haven’t found anything useful.  If anyone has any advice, please let me know.

      On the bright side, most of my interviews involve me going through 3-5 phone interviews, then flying out to the company before getting rejected.  So not finding clients is a lot less frustrating, and a lot less work, than not finding a job!

    • #50438
      sternone
      Participant

      Starting your own business is a great thing to do.

      You have basically 2 types of entrepreneurs:

      The ones that start a business to make a living
      The ones that start a business to become the next billionaire (so they think)

      I assure you, being a pentester will at most be the first one.

      The second ones usually blow up within a year or 2, 3 max. I’m not investing in those businesses anymore; I have lost too much money so far with several failures.

      The first type of business is still a good business. The book recommended above, Million Dollar Consulting, is a good book.

      I actually have a friend who is a very senior consultant in IT, call it a top Java specialist, who used to be with Sun but has been on his own for the last 4 years, and he is invoicing his personal consulting services for more than $1 million a year. We don’t see him very often. He’s all over the world. So it is possible. I would never want his life. Never. He’s actually not living. He’s consulting.

      I would say, if possible, start small with a minimum of investment. If possible, do it as a side job. The best consultants who work on payroll and who want to become independent can usually still work for their previous boss. That’s my experience.

      Good luck. You will need it. Just remember my words: start small, low cost and invoice your customers quickly.  ;D

    • #50439
      prats84
      Participant

      @SecurityMonkey wrote:

      What advice would you give to someone on the forum who is thinking of starting up their own company or working as a consultant?

      Apart from being good at the skills you are offering, one major thing is marketing. Security being a highly competitive field, with many skilled people offering their services, marketing is a Big Must. There must be something that makes you stand out shining from the competition.
      I would spend the majority of my capital ‘initially’ on marketing, because only when you sell do you earn and learn.

      Start with ‘FREE’; we all love it when it’s free. Look at everything around you as a case study:

      Metasploit: started as free (the community version is still free) but then added certain Pro products which make a ‘buck’.

      SecurityTube: started by providing infosec education at no cost and still provides a huge set of topics for free. Once successful, started infosec certifications at a low price, again making a buck.

      All those guys might not have started the project to make money initially, but we all know how, over the years, some free products have developed into industry must-haves.

      Always plan long term and always innovate.

      Just my 2cents.

    • #50440
      dynamik
      Participant

      @Seen wrote:

      If anyone has any advice, please let me know.

      What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don’t just knock on doors and ask for work.

      @prats84 wrote:

      Security being a highly competitive field, with many skilled people offering their services, marketing is a Big Must. There must be something that makes you stand out shining from the competition.

      Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There’s an abundance of charlatans passing off copy-pasted Nessus reports as “penetration tests.” I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan by accident.

      A lot of organizations are having these services performed to satisfy a compliance check box. How are you going to position your quality services against others’ that cost a fraction of what you charge when the customer doesn’t care about quality? I think there’s a huge gap between the amount of work available and the amount of legitimately skilled practitioners.

    • #50441
      Seen
      Participant

      @ajohnson wrote:

      What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don’t just knock on doors and ask for work.

      I’m not actually trying to be part of the security community. I’m trying to go after small businesses and start-ups that have no idea they need security. Sites that don’t use HTTPS and send credit card numbers in plaintext, for example. There’s definitely a market for that, but I’m trying to figure out how to market to people who don’t have any idea of the security risks.

    • #50442
      dynamik
      Participant

      @Seen wrote:

      @ajohnson wrote:

      What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don’t just knock on doors and ask for work.

      I’m not actually trying to be part of the security community. I’m trying to go after small businesses and start-ups that have no idea they need security. Sites that don’t use HTTPS and send credit card numbers in plaintext, for example. There’s definitely a market for that, but I’m trying to figure out how to market to people who don’t have any idea of the security risks.

      The same concept applies. Join the local Chamber of Commerce and/or find other events where you can interact with local business owners.

    • #50443
      rattis
      Participant

      @Seen wrote:

      @ajohnson wrote:

      What are you doing to get your name out there? Are there any local ISSA, ISACA, OWASP, etc. meetings you could speak at? Focus on establishing a solid reputation; don’t just knock on doors and ask for work.

      I’m not actually trying to be part of the security community. I’m trying to go after small businesses and start-ups that have no idea they need security. Sites that don’t use HTTPS and send credit card numbers in plaintext, for example. There’s definitely a market for that, but I’m trying to figure out how to market to people who don’t have any idea of the security risks.

      You need to think of it from their perspective. How many people do you think contact them on a regular basis for these “services”?

      If they’re doing anything with PII (HIPAA, credit card, banking, etc.) and not doing HTTPS, and you can show it without “being evil” (BE ETHICAL), then you might want to let the agency that is concerned with that know (the ones you report violations to).

      As for ISACA, ISSA, etc., you’re gutting yourself from the word go. Not everyone that goes to them knows everything, and some are looking for help from other people. #misec is made up of several skilled people (100 or so of us), and we all have our specialties. We also leverage the others in the community for help. You may meet someone that needs or wants a web app pen test but doesn’t have the skill in house and is willing to hire you if you have the references to back you up.

    • #50444
      sternone
      Participant

      This is a fun niche in the IT industry.

      What many don’t understand is that it’s absolutely not easy to find a job. I think it’s easier to make a buck to provide training to people than to actually make a living doing pentesting on a daily basis.

      I have customers who need pentesters. I do this because of my customers’ questions.

      There is no way my customers are going to trust somebody else to sneak around and provide some report about it. That’s the whole thing in this industry. TRUST is everything. That’s where the power is.

    • #50445
      S3curityM0nkey
      Participant

      @sternone wrote:

      What many don’t understand is that it’s absolutely not easy to find a job.

      I agree! It’s so hard….  :'(

    • #50446
      prats84
      Participant

      @ajohnson wrote:

      Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There’s an abundance of charlatans passing off copy-pasted Nessus reports as “penetration tests.” I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan by accident.

      Strongly agree with you. It’s not just limited to Penetration Testing but also to the Infosec education being offered.

    • #50447
      S3curityM0nkey
      Participant

      @prats84 wrote:

      @ajohnson wrote:

      Actually, one of the most significant problems is the amount of unskilled people that are offering these services. There’s an abundance of charlatans passing off copy-pasted Nessus reports as “penetration tests.” I even saw one assessment where the consultants made a huge deal out of two systems that were in fact their own systems that they included in the scan by accident.

      Strongly agree with you. It’s not just limited to Penetration Testing but also to the Infosec education being offered.

      I would not limit this to just Infosec… I have found that a lot of the IT guys I have worked with claim to have this cert and that training, but in the real world they don’t have a clue! Training in Infosec and IT has become such a HUGE money spinner that every man and his dog wants a part of it.

    • #50448
      sh4d0wmanPP
      Participant

      If you live in a non-English-speaking country, it might be worth setting up pentest or other infosec training sessions (for a fee) in the native language. I notice many people, in both my home country and the country I live in now, prefer to have study material in their native language.

      If your classes are decent, students might even want to try to obtain formal certifications later on (e.g. Offensive Security / eLearnSecurity). Those are all very hands-on and easier to accomplish for non-native speakers than multiple-choice exams.

      Personally, I think that English communication skills are mandatory in the IT industry. So much software and documentation is written in it. Trying to troubleshoot an issue with localized software can be a pain in the …  😉

      The problem I am currently facing is a total lack of interest in infosec where I reside right now. I will try to set up a small training facility and try to give free awareness classes at government, educational institutes and businesses. Hopefully over time this will lead to training demand and finally pentesting demand. It is a long way to go … The positive thing is: I am the only company dedicated to infosec, haha.

    • #50449
      jjwinter
      Participant

      I plan to shoe-horn pentesting into services I already offer, once I have the knowledge. I’ve been running my own one-man computer networking and repair business for ten years, so the clients are there, well, sort of.

      As has been mentioned before, the problem is that most customers don’t care about real security. They just want to check the box to be in compliance with all those “annoying computer laws”. They think there is no obvious benefit to spending the money; it’s just a cost.

    • #50450
      sternone
      Participant

      @sh4d0wmanPP wrote:

      The problem I am currently facing is a total lack of interest in infosec where I reside right now. I will try to set up a small training facility and try to give free awareness classes at government, educational institutes and businesses. Hopefully over time this will lead to training demand and finally pentesting demand. It is a long way to go … The positive thing is: I am the only company dedicated to infosec, haha.

      And once it is important for them, they will just ask their normal IT people to add it as an ‘extra’ task, or they will just ask their current IT outsourcing companies to provide them this service.

      As I posted in other threads, in the future programmers will be programming much more ‘securely’, and operating systems will catch the problems with the installed applications, same for the web server software. It’s not going to be a fix in 6 months, but in a couple of years I see this happening. I already see much bigger awareness among programmers than a couple of years ago.

      Which is a good thing. But the funny thing is, when we try to spread the word to be more infosec oriented, we’re killing our own industry 🙂 So I would absolutely put infosec as an ‘extra’ skill. Just don’t make it your ‘only’ skill.

    • #50451
      dynamik
      Participant

      @sternone wrote:

      And once it is important for them, they will just ask their normal IT people to add it as an ‘extra’ task, or they will just ask their current IT outsourcing companies to provide them this service.

      As I posted in other threads, in the future programmers will be programming much more ‘securely’, and operating systems will catch the problems with the installed applications, same for the web server software. It’s not going to be a fix in 6 months, but in a couple of years I see this happening. I already see much bigger awareness among programmers than a couple of years ago.

      Which is a good thing. But the funny thing is, when we try to spread the word to be more infosec oriented, we’re killing our own industry 🙂 So I would absolutely put infosec as an ‘extra’ skill. Just don’t make it your ‘only’ skill.

      I disagree with the latter points entirely. What OS/programming protection mechanisms are you referring to?

      Compiler buffer overflow protection? That’s been in GCC since 1997 and Visual Studio since 2003. Even in VS2012, this only detects some buffer overflow conditions: http://msdn.microsoft.com/en-us/library/8dbf701c.aspx and there are always people that disable these safeguards.

      DEP and ASLR? Check out the Corelan tutorials and course and/or the OffSec CTP and AWE courses. These make things more difficult, but they aren’t complete solutions. There are utilities (e.g. mona.py) that automate a lot of the tedious, time-consuming work involved.

      UAC? Users disable it because it’s annoying, and there are various ways to circumvent it already. I saw a new technique was released just a few days ago, and it’s still on the front page of Exploit-DB.

      AV? Not even worth discussing.

      And that’s only “traditional” exploitation. From Windows 3.1, it’s taken 20+ years to get to a point where things can be described as “not completely broken” (at best). Do you follow Exploit-DB or lists such as Bugtraq? Vulnerabilities and exploits are hardly slowing down. Look at the recent Java problems, and there are regularly issues with Acrobat Reader and Flash, as well as a plethora of other third-party software.

      There are also many other attack vectors that aren’t even close to being remedied. Few organizations have controls such as NAC or DAI/DHCP Snooping that will prevent basic ARP Poisoning attacks. Windows hashes are still thoroughly broken: http://passing-the-hash.blogspot.com/ And now it looks like the password hints can be grabbed along with the hashes, so Windows 8 actually makes cracking hashes easier: http://blog.spiderlabs.com/2012/08/all-your-password-hints-are-belong-to-us.html The list goes on and on.

      Additionally, those protections don’t do anything for logic flaws. Say a program runs as root/administrator and can issue system commands. If I find a way to execute arbitrary commands, none of those controls are going to prevent me from doing something like adding a new admin user. Blank SA and xp_cmdshell is a perfect example of this, and I’ve seen that on about a quarter of my engagements this year. The same thing goes with obtaining Tomcat Manager access (roughly the same frequency too).

      You are also completely disregarding legacy systems and applications. These aren’t going to be off of anyone’s network in a couple years. I believe every internal penetration test I’ve done this year has had Windows 2000, and about a third of them have still had Windows NT4. Any issue that is present today could linger on for another 5, 10, 15, or more years. I’ve also seen instances where critical applications are stuck on unsupported OSes because the source code has been lost, and there’s no way to move on unless they recode from scratch. Ouch.

      I think mobile and web applications are exploding and vastly outpacing security oversight. These are also introducing new vulnerabilities and attack vectors that aren’t nearly as well understood as traditional operating systems and thick-client applications.

      The barrier to entry for those technologies is now lower than ever too. Pretty much anyone can get a web or mobile application going with minimal effort. Even if some novice developers have an interest in security, it’ll take them years before they understand it thoroughly. Most won’t care at all and will just focus on getting their app to work the way they want it to.

      In general, the developers I’ve worked with (well into the triple-digits) are far from what you’re describing. I meet many that can’t even have a high-level conversation about buffer overflows, SQLi, XSS, etc. That’s not to say they’re not good at what they do. They could run circles around me when it comes to enterprise software architecture, algorithms, etc.; they just don’t intrinsically care about security.

      Oh, and those blank SA and Tomcat manager systems? Usually developers. Thanks for not standing up an isolated/host-only VM to test on. I also love the fact that you have to run as administrator in order to code, and by “code,” I mean install unapproved software with weak configurations. Secure code aside, I regularly see developers weaken the internal security posture.

      The security-conscious developers that have the knowledge and resources to code in a secure manner are a ridiculously small minority. The best applications I’ve seen are from small teams that have a very focused niche. They do one thing, and they do it well. On the other hand, I still regularly find SQLi, XSS, LFI, etc. in large, complex applications.

      However, simply having “awareness” of vulnerabilities and exploitation is far from sufficient. Unless developers are willing to train, educate themselves, and stay current, it’s not ultimately going to be effective. That’s a lot of work for something that rarely factors into their annual performance reviews.

      More importantly, getting developers on board isn’t even the primary hurdle. Management still dictates the process. If they’re given deadlines that do not allow them to follow a proper SDLC or incorporate secure coding practices, security functional testing, etc., it’s simply not going to happen. I’ve seen places with huge development teams that couldn’t even run a quarterly Fortify scan, let alone analyze it and actually correct the deficiencies. Until there’s an organizational/management shift in priorities and perspective, this situation just isn’t going to improve.

      In conclusion, there’s simply no way everything is going to be magically secure in a couple years. Or 5. Or 10. Or the foreseeable future. If such magic bullet technologies were on the horizon, there would be a mass exodus of infosec professionals. No one would be willing to invest the time and money into increasing their knowledge and skills if they were going to be worthless in the near future. Instead, there is an insatiable demand for qualified workers, and many organizations are having a great deal of difficulty filling just one or two open positions. Everyone I know and have worked with feels like they’re scrambling to keep up, and there is no end in sight.
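
An added illustration of the logic-flaw point made in the post above (example code written for this page, not code from any poster, from Exploit-DB or from the courses mentioned): a hypothetical privileged helper that restarts a named service on behalf of an unprivileged caller. The unsafe builder splices the caller's string into a shell command line; nothing overflows, so stack cookies, DEP and ASLR never come into play and the flaw is purely logical. The hardened version allowlists the name and hands it to execvp as a single argv element, so no shell ever parses it. The service names, the `service` command, the function names and the constructed input `sshd; id` are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical privileged helper (assumption): restarts a named service.
   The name arrives from an unprivileged caller and is not trusted. */

/* Vulnerable form: interpolates the caller's string into a shell command.
   No memory is corrupted, so compiler cookies, DEP and ASLR never trigger;
   the shell will happily honour any metacharacters in the name.
   Returns the number of bytes written, or -1 if the buffer is too small. */
int build_shell_command_unsafe(char *out, size_t outlen, const char *name) {
    int n = snprintf(out, outlen, "service %s restart", name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Hardened form, step 1: accept only names from a fixed allowlist.
   The three names below are constructed for the example. */
static const char *const kAllowedServices[] = { "sshd", "nginx", "cron" };

bool service_name_allowed(const char *name) {
    size_t count = sizeof kAllowedServices / sizeof kAllowedServices[0];
    for (size_t i = 0; i < count; i++)
        if (strcmp(name, kAllowedServices[i]) == 0) return true;
    return false;
}

/* Hardened form, step 2: never go through a shell. Build an argv for execvp
   so the name is always exactly one argument, whatever characters it holds.
   Returns the argv element count (3) or 0 if the name was rejected. */
int build_argv_safe(const char *name, const char *argv[4]) {
    if (!service_name_allowed(name)) return 0;
    argv[0] = "service";
    argv[1] = name;
    argv[2] = "restart";
    argv[3] = NULL;
    return 3;
}

/* What the privileged helper would actually call (not invoked below):
   returns -1 on rejected input or if exec fails; never returns on success. */
int restart_service(const char *name) {
    const char *argv[4];
    if (build_argv_safe(name, argv) == 0) return -1;
    execvp(argv[0], (char *const *)argv);
    return -1;
}

int main(void) {
    char cmd[128];
    /* Constructed input: a "name" that smuggles a second command. */
    const char *hostile = "sshd; id";
    build_shell_command_unsafe(cmd, sizeof cmd, hostile);
    printf("unsafe helper would hand the shell: %s\n", cmd);
    printf("allowlist accepts \"%s\": %s\n", hostile,
           service_name_allowed(hostile) ? "yes" : "no");
    printf("allowlist accepts \"sshd\": %s\n",
           service_name_allowed("sshd") ? "yes" : "no");
    return 0;
}
```

The allowlist is what makes the difference, not the absence of a shell alone: execvp already stops the `;` from being interpreted, but without the allowlist an attacker could still restart any service the helper's privileges allow. Run it as-is to see the string the unsafe path would have handed to `/bin/sh` and the two allowlist verdicts.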

    • #50452
      hayabusa
      Participant

      ^^what he said^^

      I think ajohnson put it perfectly, and his last paragraph rings true with my clientele and coworkers as well.

    • #50453
      jjwinter
      Participant

      Yup. What he said he said.

Copyright ©2020 Caendra, Inc.