Monday, 14 May 2012

Hiring pentesters... from the other side

Someone suggested that I should write from the other side of the hiring process... and I think it's a pretty cool idea :)

Just as a side note before starting, I was really interested and surprised by the Hungry Academy. If someone wants to start something similar, I will be really happy to help ;)

Now back to our subject...

Every time I run an interview, there is the moment when you ask people if they have any questions...
Maybe it's because interviewees already know the company really well (meh...), talked with someone else beforehand, or just don't want to give a bad impression, but I'm often surprised by the lack of interesting or important questions.

In the current market (especially in Australia), good pentesters can now choose who they work for (compared to a few years ago)... IT security is currently starving for (good) pentesters...

These are some of the questions that in my opinion are really important and that most interviewees should ask:
  • How many engagements have you rejected in the last six months? And why did you reject them?
  • How long is the average engagement? What is the longest? What is the shortest?
  • How much research time will be provided? Will this research time be included in a written agreement?
  • Which OS do you run? (I'm old now and have really bad habits: Linux + wmii)
  • How many/which conferences are allowed?
  • How much/what training can be done or followed? Do you run internal training sessions?
  • What is the main programming language used for internal tools? And why?
  • What do you use for reporting? (I used to write reports with OpenOffice...)
  • What's your biggest weakness? (for once this question can be asked to interviewers)
  • What's your biggest strength? (for once this question can be asked to interviewers)
Some of these questions may seem silly, but as you get older there are some conditions you just don't want to work under...

As a second side note, I started working on another project: PNTSTR... an easy way to run the first interview round without wasting too much time.