
Ask HN: Is security consulting a good market/career path? - anewuser
I've always been interested in security consulting (for instance, working for a company like Matasano). I'm curious what the market is like for security consultants/penetration testers. Is it profitable? Easy to find jobs (assuming you're decent at what you do)?
======
patio11
_Is it profitable?_

It's difficult to not be profitable in a services business. Is the question
"Is it lucrative?" Application security is a lucrative specialization when one
is doing it towards the high end. There also exist a bunch of folks who
specialize in running off-the-shelf software and emailing the PDFed reports
that software produces. Consultants who charge peanuts exist, but they're
monkeys. Don't be a monkey; don't work for peanuts. (If you need a rough
indication of rates I'd say "Similar to Rails development at the medium-to-
high end of sophistication; similar to white-hot specialties like e.g. iOS
developers with a strong portfolio or marketing engineers at the very high
specialized end where one is doing e.g. cryptosystem review, embedded devices,
etc." If you need further color on the weekly rates implied by that sentence:
$8k is a fairly standard Rails journeyman weekly rate; there exist consultants
in those white-hot specialities who charge north of $20k a week.)

_Easy to find jobs (assuming you're decent at what you do)?_

Contingent on one having the inclination and execution ability required to run
a consultancy, which is something which comes much more easily to some
technologists than to others, it is straightforward to get gigs as an appsec
consultant. You go to people with applications and convince them to buy
application security assessments and remediation from you. If this strikes you
as being a straightforward problem, you will not experience difficulty finding
work. If you're mystified as to how one would go about identifying software
companies and finding someone inside them who can purchase application
security assessments, it will be harder. (This is not directed at you
personally but rather at a portion of the would-be consultants I've met over
the years.)

As to career path: I would strongly, strongly suggest that application
security consultants should have and maintain strong coding chops. If one does
this -- and, incredibly to me, there appears to be a large swathe of the
security industry which does not feel like they need to be able to actually
write software -- one will never lack for professional opportunities.

~~~
nullundefined
What about a non-business owner? How about an application security consultant
working with a business such as Matasano? How do those salaries compare?

