|
Have we got any software security peeps around? I’ve always been interested in it (decompiling, pen testing, etc) and I’m considering making a pivot to it because I’d like to get involved in more meaningful things. I’d be grateful to hear any takes on the topic, required reading, learning resources etc.
|
#
?
Jul 21, 2023 11:00
|
|
|
|
| # ? May 27, 2024 23:01 |
|
|
Actions also has some bizzarre and annoying inconsistencies when you get to trying to make things reusable, and the write/test loop sucks (as do most ci). Things like the allowed types for parameters of Actions are slightly different to those of sub-actions or whatever they’re called and how they’re invoked is badly documented. Secrets and Environments are super fiddly with sub-actions for reasons that make sense for public repos but just completely suck when you’re entirely inside a locked org account.
|
|
#
?
Jul 21, 2023 11:19
|
|
|
We're using GitHub actions to build firmware in a docker and deploy it to a bunch of local Raspis where it gets loaded into actual hardware and tested. The tests are all functional now but we're adding in power tests very soon. We're also doing the more standard stuff like running unit tests on code, generating releases, pushing libraries to pypi. I don't know where all that falls on the spectrum of devops work, but it's been super handy to us, and chat gpt is great at translating a sequence into yml.
|
|
#
?
Jul 21, 2023 11:37
|
|
|
Artemis J Brassnuts posted:Have we got any software security peeps around? I’ve always been interested in it (decompiling, pen testing, etc) and I’m considering making a pivot to it because I’d like to get involved in more meaningful things. I’d be grateful to hear any takes on the topic, required reading, learning resources etc. I did some blue team stuff for a while. I found it exhausting because I would repeatedly spend my time working with the worst teams who would say things like "well do we have to encrypt that (SSNs)? It will take too long to make that change." And they'd spend weeks ignoring me and trying to get an exception and complain we're making them late. From talking to various pen testers it takes a very specific mindset to do that. Since you try 10000 things with the expectation that 9999 of them will fail.
|
|
#
?
Jul 21, 2023 11:40
|
|
|
Sign posted:From talking to various pen testers it takes a very specific mindset to do that. Since you try 10000 things with the expectation that 9999 of them will fail.
|
|
#
?
Jul 21, 2023 12:12
|
|
|
Sign posted:you try 10000 things with the expectation that 9999 of them will fail. Stop talking about my dating life
|
|
#
?
Jul 21, 2023 12:27
|
|
|
Artemis J Brassnuts posted:Have we got any software security peeps around? I’ve always been interested in it (decompiling, pen testing, etc) and I’m considering making a pivot to it because I’d like to get involved in more meaningful things. I’d be grateful to hear any takes on the topic, required reading, learning resources etc. Sign posted:I did some blue team stuff for a while. I found it exhausting because I would repeatedly spend my time working with the worst teams who would say things like "well do we have to encrypt that (SSNs)? It will take too long to make that change." And they'd spend weeks ignoring me and trying to get an exception and complain we're making them late. InfoSec is certainly interesting. There's innovative technology & techniques, lots of drama, many war stories. But from a job-satisfaction POV it can be disheartening because InfoSec groups are constantly having to cajole unwilling users who just see them as irritating friction. And it's worse in a company where InfoSec have no real teeth to enforce recommendations.
|
|
#
?
Jul 21, 2023 15:30
|
|
|
minato posted:it can be disheartening because InfoSec groups are constantly having to cajole unwilling users who just see them as irritating friction. And it's worse in a company where InfoSec have no real teeth to enforce recommendations.
|
|
#
?
Jul 21, 2023 15:38
|
|
|
Artemis J Brassnuts posted:Have we got any software security peeps around? I’ve always been interested in it (decompiling, pen testing, etc) and I’m considering making a pivot to it because I’d like to get involved in more meaningful things. I’d be grateful to hear any takes on the topic, required reading, learning resources etc. I spent a lot of time studying compilers, disassembled binaries, device drivers, OS/kernel implementation and theory, and static analysis techniques being used in linters like clang-tidy. I used tools like IDA Pro (though Ghidra is what everyone is using now) and the Firmware Analysis Toolkit. I instrumented QEMU to provide more information about software being run under emulation so that I could "taint" (mark) data originating from untrusted sources and track it as it propagated throughout the system. I combined QEMU and the AFL fuzzer to find new vulnerabilities. I researched commercial products, downloaded their firmware updates, unpacked them, and examined library versions and directory structure. You really need to be a fan of this sort of thing to do it for a living. Some people are real fanboys of this stuff and came in to work all excited about the newest CVE they read about the night before. Those people will be your "annoying" co-workers. I focused less on that and more on reading the papers being published at security research conferences (which I enjoyed, since these were often new approaches to the problem). If you're trying to find new vulnerabilities, you'll spend a lot of time banging your head against the wall trying different techniques in an attempt to find something that may not even be there. If you're trying to pentest, then much of your day-to-day is learning the tools and techniques and running through a scripted suite of them one-by-one using something like Metasploit. Overall, I would recommend against this line of work. It isn't as meaningful as you would think, and it is often a ton of work for what you get out of it. Even if you find something, real-world budget and schedule issues can cause your recommendations to be ignored. Try picking up a book on Ghidra or Metasploit to get a feel for the topic area.
|
|
#
?
Jul 21, 2023 17:23
|
|
|
Artemis J Brassnuts posted:Yeah, the places to at I’m currently looking at are AI places that are focused on selling ai that is branded as safe / responsible so hopefully they’ll have some sway. That’s a fair warning if I can’t land a job in one of those places, though. Added to make accurate to what I've seen so far in the space. Lots of places really really wanting to LOOK safe/ responsible, want to have that reputation to help close deals... but God help you if you find any fundamental problem in something the c suite wants done. Ie, make sure the role is what you think, and not: "your job is to tell us all the reasons why this predetermined path we have planned is safe and responsible now go get us plausible deniability for when it blows up on us."
|
|
#
?
Jul 21, 2023 18:03
|
|
|
That’s lots of good stuff to think about, thanks!
|
|
#
?
Jul 21, 2023 22:26
|
|
|
jemand posted:Added to make accurate to what I've seen so far in the space. Lots of places really really wanting to LOOK safe/ responsible, want to have that reputation to help close deals... but God help you if you find any fundamental problem in something the c suite wants done. This just gives me flashbacks to a decade of incident management, and that was at companies that actually mostly gave a poo poo about it.
|
|
#
?
Jul 22, 2023 01:30
|
|
|
ryanrs posted:I advance to the next round, the full day of interviews. I did 5 interviews on Tuesday, and received this update from the recruiter today: the recruiter posted:Happy Friday! I wanted to give you a quick update before the weekend is out - feedback is coming back somewhat positive. So that's good, I guess? But lol at "somewhat positive".
|
|
#
?
Jul 22, 2023 03:03
|
|
|
Always take what the recruiter says with a grain of salt. On one occasion after speaking to a startups cofounders, a recruiter told me they “couldn’t have been more impressed with me” and I still didn’t get the job. What’s more important (imo, I am not a recruiter) is how fast they say it. If they respond slow, they’re either not interested or disorganized, and neither are a good sign.
|
|
#
?
Jul 22, 2023 10:06
|
|
|
I have 0 insight here but if it was me I'd take "somewhat positive" to mean you're in the running but not their first choice candidate.
|
|
#
?
Jul 22, 2023 20:28
|
|
|
Yeah, I'm kinda wondering if they're just stringing me along for 2 weeks in case the other guy falls through while waiting for the big boss to show up.
|
|
#
?
Jul 22, 2023 22:16
|
|
|
Artemis J Brassnuts posted:Always take what the recruiter says with a grain of salt. On one occasion after speaking to a startups cofounders, a recruiter told me they “couldn’t have been more impressed with me” and I still didn’t get the job. I once had an internal recruiter tell me that they really liked me but the team was dealing with some deadlines so they didn't have time to do a debrief yet. I didn't get the job in the end, I assume they were waiting for another candidate that they liked more than me to sign and they were just keeping me in reserve.
|
|
#
?
Jul 22, 2023 22:53
|
|
|
I've found trying to divine the truth behind recruiter statements to be both unproductive and bad for my mental health. Just keep applying to new positions until you have an offer you want to accept. Worst case, you get two great offers and can leverage them against each other to get an even better compensation package.
|
|
#
?
Jul 22, 2023 22:58
|
|
|
Yeah, getting emotionally invested in a particular opening is a bad idea, especially right now. Way too much competition for jobs, the odds are against any specific one panning out.
|
|
#
?
Jul 22, 2023 23:10
|
|
|
Ensign Expendable posted:I once had an internal recruiter tell me that they really liked me but the team was dealing with some deadlines so they didn't have time to do a debrief yet. I didn't get the job in the end, I assume they were waiting for another candidate that they liked more than me to sign and they were just keeping me in reserve.
|
|
#
?
Jul 22, 2023 23:47
|
|
|
FMguru posted:Yeah, whenever you start getting delays and mixed signals after a seemingly successful interview, it's because you aren't the first choice. They're currently offering/negotiating with their first choice, and they're stringing you along as a backup in case they can't come to terms with their first choice. Just shrug and keep on applying and interviewing. The one that's annoying is after a coding test. Because either they don't like you for it, or the person they have reviewing it just keeps pushing it off.
|
|
#
?
Jul 23, 2023 01:15
|
|
|
There is enough to hiring beyond "are you the best person for the job" that you really shouldn't put any weight on one job. How is the company's internal budget and strategy? Does the posting match what they really want? Can the people in the hiring chain make a decision? I just had a phone screen get pushed by 1.5 weeks due to a conflict and vacation, which is sure, maybe. If the reschedule gets pushed off its definitely a no thanks.
|
|
#
?
Jul 23, 2023 01:21
|
|
|
Hello, The company I'm working for (mortgage/finance industry) has offered buyouts for everyone/all avenues of business not just engineers. I'd get ~20 weeks of pay, PTO, stock RSUs accelerated, keep health insurance for a bit, and have my last day in August. Reasons I'd want to take it.
Reasons I wouldn't.
I'm not looking for anyone to decide for me, just if anyone has a better idea of the market or has experienced a buyout before. Argh.
|
|
#
?
Jul 24, 2023 13:39
|
|
|
moctopus posted:Hello, What guarantee of continued employment or favorable terms of leaving do you have if you don't take the buyout? The job market is still sorting itself out since the layoffs a bit ago. It's not impossible to get a job, but it isn't as easy as it was 2-3 years ago.
|
|
#
?
Jul 24, 2023 14:08
|
|
|
leper khan posted:What guarantee of continued employment or favorable terms of leaving do you have if you don't take the buyout? None. And they aren't saying what percentage of workforce they want gone or specifics about positions. They have said this is the most generous package they will offer though. Getting the package isn't even a guarantee, you have to apply.
|
|
#
?
Jul 24, 2023 14:18
|
|
|
Sounds like you’re gonna be job hunting no matter what.
|
|
#
?
Jul 24, 2023 14:22
|
|
|
Can you maybe get an offer from somewhere else before you decide?
|
|
#
?
Jul 24, 2023 14:23
|
|
|
I can try, but the decision to apply is due Wednesday.
|
|
#
?
Jul 24, 2023 14:24
|
|
|
20 weeks of pay plus the RSUs getting accelerated and you'll probably be fine, maybe even get to double dip that with the new salary. The job market isn't what it was back in 2021, but it isn't impossible. It sounds as others said you might want to be looking regardless.moctopus posted:Getting the package isn't even a guarantee, you have to apply. This would make me antsy to be honest. If it isn't a total bullshit trap where nobody gets the buyout, you'd think an engineer with 10 years at the company would meet whatever qualifications they want for the buyout, but you never know unless they publish that stuff. Personally I'd apply for it and start looking for a new job. As for your skill set C# and Angular is a very common skill set, there's plenty of jobs with that exact combination as the primary requirements. You could also easily branch to Java since they are very similar languages. Don't be afraid to jump stacks when looking at jobs, in fact it's nice to have at least one switch on there imo. Remote is the only more difficult part, if you've been remote since prior to COVID I'd say it's actually still better than it was back then, but you still face the problem that decent remote jobs tend to get a very large pool of applicants compared to others.
|
|
#
?
Jul 24, 2023 14:40
|
|
|
moctopus posted:Reasons I wouldn't. Look at your financial picture and figure out how long your savings + buyout + any unemployment will last. I'd also suggest reaching out to local people in your network and asking if you can get a cup of coffee to talk about your job search. Practicing talking about yourself and getting feedback on how you're presenting your job history and projects will help your interviewing skills in a way posting will not. Plus, putting yourself as a job seeker front and center in their minds will help them think of you if they run across any opportunities.
|
|
#
?
Jul 24, 2023 15:00
|
|
|
20 weeks is a very generous package, C#/Angular is a marketable skillset, and since RSU's are involved, I'm going to assume it's a known company where 10 years in place is not going to be a drag. 10 years also means that you're probably underpaid from market rate by a good bit. There's no guarantees, but most devs I've talked to with my 2 open positions (mobile), have been on the market for < 4 weeks and have multiple interviews/offers on the table. Won out in one multiple-offer scenario, find out today if we win the other. IC market is still churning pretty well for 5+ YOE. Biggest risk is if you're on the older side for a goon. Age is a protected class, yes, but that doesn't make it any easier for someone 50+ to land an IC role.
|
|
#
?
Jul 24, 2023 15:19
|
|
|
Not gonna lie, I kinda like the thought of working in C#.
|
|
#
?
Jul 24, 2023 15:35
|
|
|
When I interviewed with a name-brand fintech a few years back, I ended up doing my interview in C# even though I hadn't programmed in it for a solid 7-8 years by that point. It's just really good at concisely dealing with certain kinds of problems The company I work for now also does a lot of C#, and I haven't touched it once here 
|
|
#
?
Jul 24, 2023 15:49
|
|
|
C# is my favorite language. I work in Go now and I miss C# constantly when I run into dumb Go BS.
|
|
#
?
Jul 24, 2023 16:08
|
|
|
Thank you everyone for responding. Just typing it out and reading the responses kind of makes me feel better I think. I'm beginning to lean towards taking the offer.wilderthanmild posted:This would make me antsy to be honest. If it isn't a total bullshit trap where nobody gets the buyout, you'd think an engineer with 10 years at the company would meet whatever qualifications they want for the buyout, but you never know unless they publish that stuff. Personally I'd apply for it and start looking for a new job. I think this has more to do with them not wanting to lose absolutely-mission-critical-can't-be-replaced type people. Although it would still be crummy to deny anyone for any reason. Coco13 posted:Look at your financial picture and figure out how long your savings + buyout + any unemployment will last. I'd also suggest reaching out to local people in your network and asking if you can get a cup of coffee to talk about your job search. Practicing talking about yourself and getting feedback on how you're presenting your job history and projects will help your interviewing skills in a way posting will not. Plus, putting yourself as a job seeker front and center in their minds will help them think of you if they run across any opportunities. They are also including covering the cost of 3 months of cost for "career transition services" which is supposed to help you with things like interviews/resumes. I could probably survive comfortably for 6+ months. kayakyakr posted:20 weeks is a very generous package, C#/Angular is a marketable skillset, and since RSU's are involved, I'm going to assume it's a known company where 10 years in place is not going to be a drag. 10 years also means that you're probably underpaid from market rate by a good bit. I'm pretty sure I am. Last time I posted in here was about that and it was pretty eye opening. kayakyakr posted:Biggest risk is if you're on the older side for a goon. Age is a protected class, yes, but that doesn't make it any easier for someone 50+ to land an IC role. I'm 37 which I think isn't too bad. Pollyanna posted:Not gonna lie, I kinda like the thought of working in C#. It's a dream. The only language I like more is F#.
|
|
#
?
Jul 24, 2023 16:08
|
|
|
moctopus posted:I'm pretty sure I am. Last time I posted in here was about that and it was pretty eye opening. FWIW I looked at your previous post and yes. I am in a very similar market(Cleveland) and I'm pretty sure you can get at least a 20% bump with minimal effort, more if you're willing to look hard and maybe as much as a 100% bump if you get a job with an out of state employer who doesn't care to adjust salaries regionally. That last one is pretty rare though, especially lately.
|
|
#
?
Jul 24, 2023 16:27
|
|
|
20% minimum effort, doubleish if you move to even a marginal figgieland, 2.5x if you move and try hard actually getting the job is kinda bad compared to 2 years ago where they were handing out jobs at the job tree for any toucher, but its also not as bad as 6 months ago even bob dobbs is dead fucked around with this message at 16:37 on Jul 24, 2023 |
|
#
?
Jul 24, 2023 16:31
|
|
|
Pollyanna posted:Not gonna lie, I kinda like the thought of working thats hosed up pollyanna
|
|
#
?
Jul 24, 2023 18:04
|
|
|
Pollyanna posted:Not gonna lie, I kinda like the thought of working in C#. As a Python dev there's some parts I like a lot better, but boy there's some parts I miss about C#; I'd have zero concerns about working with it again.
|
|
#
?
Jul 24, 2023 18:27
|
|
|
|
| # ? May 27, 2024 23:01 |
|
|
Achmed Jones posted:thats hosed up pollyanna Oh gently caress you’re right 
|
|
#
?
Jul 24, 2023 18:40
|
|