Re: Starting a Pen-Testing Career

> Perhaps my perceptions of the business are a bit naive, I suppose. And
> perhaps I was too quick to judge by your own response.
>
> So this is one of those rare occasions on the 'net that anyone will see
> an apology in these types of discussions -- Sorry for jumping to my own
> assumptions. I suppose we all know where they lead.
>
> So. Perhaps a corporate pen-tester is not the job I'd like to go into,
> and I have been misled.
Not necessarily - I paint a picture based on corporate requirements, and
their need for audit reports and legal compliance. My concern was that as
someone such as yourself with a deeper interest in the subject matter, with
a talent for coding and understanding of the nature of code exploits, that
this type of job would not provide the type of challenge and interest you
appear to be looking for.
As an 'in' to the security market, perhaps it would not be such a bad thing
to go thro this exercise of working for such an audit firm. This would give
you access to a wide range of IT environments, allow you to develop your
management report writing and board presentation skills, and give you access
to IT professionals with a range of backgrounds and skills, and see how good
firms do it well, and how bad ones fuck it up.
As with all jobs, the job you hope it will be is not necessarily the one it
actually is.
Get some training. Get certified. Apply for the jobs.
Then when you get to the interview, ask the questions - what will the job
entail, how much training is provided to keep abreast of technologies and
their vulnerabilities, how do you perform the audits, what reports do you
produce, who is your client base. This will give you a clear picture of what
you are getting yourself into.
Don't be surprised if the corporate audit firms are closer to how I describe
them than you may hope.
> I suppose then, I would rephrase my question.
> I like security; I like breaking into networks, and also finding out
> how others have broken into mine. I'm a pretty damn good programmer,
> and understand low level languages. What _would_ be the career that
> would best facilitate that? Perhaps a network forensics consultant?
> Something along those lines? Perhaps a vulnerability researcher?
Very possibly. As a coder, you could also advertise your skills reviewing
other people's code to ensure it is not susceptible to exploit - a very
important QA function.
You could work for a firm which writes anti-virus, anti-malware, or content
filtering software - or at their sharp end of exploit / virus analysis and
patch management.
All vendors need QA and security patches.
> Any direction here would be wonderful.
Take on board a range of perspectives. You may have to take a leap of faith
and learn the pros and cons of each career prospect. At worst your CV
looks stronger for the experience.
> Thanks, and again, my apologies.
No apologies required. I offer merely one perspective (that of my own).
Opinions are like ass-holes. Everyone's got one :)
erewhon
alt.hacker