Penetration Testing – Demand Continues To Outweigh Supply

Data_Raid

Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Fri Jan 21, 2011 4:14 am

Penetration Testing – Demand Continues To Outweigh Supply

Barclay Simpson has released a market report for 2011 which mentions that the demand for pentesters outweighs the supply. The report also mentions various roles and the salaries associated with those roles. The PDF can be downloaded from:

http://www.barclaysimpson.com/document_ ... c_2011.pdf

In 2010 the demand for penetration testers further outweighed the supply of available practitioners. The shortage was highest for CHECK Team Leaders followed by CHECK Team Members, and then unqualified but highly skilled penetration testers.

With the introduction of the CREST scheme in 2008 it was anticipated that the gap between supply and demand for CHECK Team Leaders would reduce. It did not.
All men by nature desire knowledge.

Aristotle

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Jan 21, 2011 9:26 am

Re: Penetration Testing – Demand Continues To Outweigh Supply

What is this CHECK thing? Is this a UK certification of some sort? I tried to Google it but only found Check Point and irrelevant stuff...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Jan 21, 2011 9:28 am

Re: Penetration Testing – Demand Continues To Outweigh Supply

Ok, I just found it at http://www.cesg.gov.uk/products_services/iacs/check/index.shtml

The IT Health Check Service, or CHECK, was developed to enhance the availability and quality of the IT health check services that are provided to government in line with HMG policy. Companies belonging to CHECK are measured against high standards set by CESG. Therefore, HMG and CNI customers can be assured that they will receive a high quality service if the work is carried out under the Terms & Conditions of CHECK.


Related to CREST...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Jan 21, 2011 9:32 am

Re: Penetration Testing – Demand Continues To Outweigh Supply

H1t M0nk3y,

If you're looking for more info; @digininja just sat, passed and reviewed the Check Team Member exam here

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Jan 21, 2011 1:32 pm

Re: Penetration Testing – Demand Continues To Outweigh Supply

Check out http://nbise.org/ in the US. They are finishing a beta round of testing for Crest.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

Lubinski

Newbie

Posts: 26

Joined: Fri Dec 03, 2010 1:34 pm

Post Sun Jan 23, 2011 9:57 am

Re: Penetration Testing – Demand Continues To Outweigh Supply

I think the demand for "actual" pentesters is high; there are tons of companies and people out there touting pentesting abilities, but they are nothing more than "audit" pentesters and they just check the box.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Mar 11, 2011 11:15 pm

Re: Penetration Testing – Demand Continues To Outweigh Supply

Lubinski wrote:
I think the demand for "actual" pentesters is high; there are tons of companies and people out there touting pentesting abilities, but they are nothing more than "audit" pentesters and they just check the box.

Or worse, repackaging automated vuln scans into a pretty report and labeling it a pen test. Not only does that create confusion amongst prospective customers in regards to what a pen test actually is, but it makes skilled penetration testers' prices seem obscene by comparison.
Last edited by dynamik on Sat Mar 12, 2011 10:07 am, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Mar 12, 2011 7:44 am

Re: Penetration Testing – Demand Continues To Outweigh Supply

I fully agree. Had a LARGE customer, yesterday, call me to ask a question, because their employer hired a yahoo (not associated with Yahoo, just the slang term he used) firm to 'audit / scan' them. The results and remediation recommendations were so out of line, based solely on some automated test tool, that my contact was in tears, from laughing so hard! He then begged me to have a detailed look at the remaining findings for him, just to offer friendly advice, and weed out the garbage. Fortunately for him, I do want to build some referral business, so this time I took a look, free of charge, and 'off the record.'
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Sun Mar 13, 2011 2:21 pm

Re: Penetration Testing – Demand Continues To Outweigh Supply

repackaging automated vuln scans into a pretty report

:D

I saw PCI compliance going for $45 the other day. Needless to say that had to be an automated scan.
ISC2 Associate, WCNA, CWNA, OSCP, Network+

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Mar 13, 2011 3:04 pm

Re: Penetration Testing – Demand Continues To Outweigh Supply

At the company I previously worked for, one of our customers would have an external penetration test done every month. They alternated between us and another company each month. The customer became LIVID that he could not schedule his tests with us at the drop of a hat and have the results a day or two later. We tried to explain that the manual testing may take a day or two in itself, and then there's the report writing, QA reviews, etc. He responded with, "They can do. Why it can't you?"
The day you stop learning is the day you start becoming obsolete.

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Sun Mar 13, 2011 9:40 pm

Re: Penetration Testing – Demand Continues To Outweigh Supply

People are funny. Some companies won't bat an eye at dropping 30k for a pentest, usually because the results of a failure would be so damaging (look what happened to HBGary). But someone whose livelihood doesn't depend on the web thinks our services are vastly overpriced; they think 1k is too much. Now we have pentesting companies racing to the bottom to deliver automated tests as cheaply as possible, giving people a false sense of security.

I was watching a video from one of the links I saw on this site, which talked about how, given the hundreds of vulnerabilities coming out every day, it's only a matter of time before you get hacked (the video was focusing on mitigating damages, monitoring outbound connections, running browsers and email in VMs, etc.).

A cheap, automated pentest only scratches the surface and doesn't even begin to deal with the big picture view or how to focus on the things that matter most in securing your company.


BTW, the video was the "Special Webcast: How to Avoid Being Compromised? Featuring Dr. Eric Cole" at SANS.
Last edited by WCNA on Sun Mar 13, 2011 9:52 pm, edited 1 time in total.
ISC2 Associate, WCNA, CWNA, OSCP, Network+

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Mar 14, 2011 9:30 am

Re: Penetration Testing – Demand Continues To Outweigh Supply

WCNA wrote:
Now we have pentesting companies racing to the bottom to deliver automated tests as cheaply as possible, giving people a false sense of security.

(...)

A cheap, automated pentest only scratches the surface and doesn't even begin to deal with the big picture view or how to focus on the things that matter most in securing your company.

One of the LinkedIn lists I'm on there is a thread about "a job posting in Colorado's Division of Labor website for a "senior Security Engineer I," BS + 4 yr exp. $8 hr."

I've seen things like that in Michigan too, on the Michigan Talent Bank (the state-run unemployment center's site). Not security, but for Network Engineers and the like.
OSWP, Sec+

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon Mar 14, 2011 10:19 am

Re: Penetration Testing – Demand Continues To Outweigh Supply

That's bound to make all those recent college grads furious as they look at their 40k student loan. $8/hr is ridiculous and downright insulting.
ISC2 Associate, WCNA, CWNA, OSCP, Network+