Saturday, July 19, 2014

Heading back to Bahrain for my 3rd Trip

Heading out Monday July 21st to Bahrain for another 45 days of excitement in Bahrain. My company was renting an apartment since last year, but they let the lease lapse, so I will be staying in the Marriott for the stays. Which is fine with me, I like getting the points, and plus it has free breakfast. I guess they are expecting me to look for another apartment to rent, not sure why the last person who was there did not do this, since he works on the project full time (or is supposed to).
Not sure what I will be working on this time around, since I have not been involved with this project since last year when I was there. Have had little information given to me from the director of this project, and the employees assigned to the director of this project have been little help giving me information.
Did not really want to head back, but my boss sort of gave me a "you do not really have an option" speech. I was supposed to be heading to Defcon during this time frame and told him I would prefer to do that than go to Bahrain. I was then told that was not a good reason to not go on the trip, and something like "I cannot justify you going to training instead of this trip" or something similar to that. This did not really make me happy, and they originally wanted me to go for 90 days, but I had to do military duty so I could only squeeze in the 45 days to go (well that is what I told them). Not like they could really argue about me not being able to go, since it is the federal government and all.
I was surprised that they were expecting me to cover this time frame for the project, but it seems that one of the two people they hired does not want to go back over there anymore. I was a little pissed about that, and think they need to fire him since he was specifically hired to do this project. Sure that will not happen, since they have him doing training for AlienVault software occasionally.
This is partly one reason I started researching penetration testing companies. Have found a few I like, but not sure if I will be looking for a new place to work just yet. Need to see if they are expecting me to make more trips back to Bahrain. I already told my director that I would not be heading back over, so to not even ask me about it.

Tuesday, July 1, 2014

Pentesting Companies - Praetorian

I have been researching a few pentesting companies over the past few months, just to compare my current employer to others. I am happy at my current employer, I enjoy what I do, and most of the people I work with. I am just curious what other companies do for their employees, and what they require from them.
Through my research I noticed that many of them give fairly good benefits, and seem to have a relaxed work environment.
I was surprised that several require their employees to speak at conferences, write white-papers, and do research. While I am not against any of this, I am wondering how they would have time to accomplish any of this. I am booked solid usually weeks on end, with maybe a day or less of down time a month. Many also require 25% or more travel, which I am not opposed to either, but I generally do most of my assessments remotely. I have complained to my boss that we do not travel to customers enough. I prefer to do some face-to-face conversations with my customers to get a better understanding of their needs. Plus it makes it easier to social engineer information from someone.
I was fairly impressed with Praetorian, whose headquarters are in Austin, TX. They seem to have some very skilled and knowledgeable consultants, who are involved in the security community and open-source projects. They seem to be involved with the local college (University of Texas), having career expos at UT. They also have some small puzzles that you can try to work. I will have to try these when I get some spare time.
A Job Posting for a "Senior Security Consultant (Software)"
Qualifications: Successful candidates should have:
  1. 2-5 years of information security experience
  2. 1-2 years of consulting experience
  3. Strong understanding of software and application security
  4. Experience with languages such as C, C++, Java, .NET, Ruby, and Python
  5. Strong oral and written communication skills
  6. Involvement in software community via OWASP, WASC, and/or open source development highly desirable
  7. Track record speaking at major security conferences such as OWASP Appsec, SANS Appsec, and Blackhat highly desirable
  8. Ability to travel 10% of the time
  9. Minimum 4-Year Bachelor of Science Degree in Computer Science, Engineering, or equivalent from a "top ten" institution.
While the travel is a lot less than many of the other companies, they require a person who is good at public speaking at large conferences and is involved in the security community.
Well I guess if I wanted to go and work for them, I need to start speaking at conferences and get more involved in the security community. Not really going back to college to get a degree from a "Top Ten" institution unless someone else is willing to pay for it.