Why it sucks to be a Security Researcher
Egor Homakov

A “security researcher” isn’t really a career. It’s an avocation in which you can get money via bug bounties and write up interesting findings so you can give talks in conferences and get your name out there. Very few people manage to do that full time as their only employment, rather it’s something they do to get noticed or build up a resume. No wonder that it becomes boring after a time. Doing coding challenges full time would get equally boring. Unless you are a rock star (like Homakov!) you don’t assume that this will pay the bills, it is just something you do to prove your chops.

A career would be something like product security engineer, where you play a role in the design and approval of features. Here you can drive some coding standards and care about almost exploitable things. You can also drive the SDLC, train QA champions to use security tools and catch simple things, as well as coordinate third party reviews in addition to your own reviews. Many different things you can work on here. But you have to sit in a lot of meetings with product owners and deal with the messy nature of development. Also expect to spend time on code reviews and sign off work. Some people don’t like auditing someone else’s code, other’s love it.

Alternately you can work as a penetration tester for one of the consulting firms, and issue long assessment reports for compliance purposes or the occasional client who really is worried about security. In this case, they usually don’t care about almost exploitable things, they care about the assessment report. Some people get really tired of this because it is repetitive but others like the challenge of bug finding and constantly working on different code bases.

Or you can work for a government or company that has a real red team and try to hack into your employer’s (or others’) infrastructure, in which case you don’t care all that much about things like XSS or CSRF, you care about getting a shell somehow. Almost exploitable isn’t an issue here, either. Not many jobs here, but they can be elite.

Or you can go on the vendor side and sell products. Most of them are awful but some are cool. It can be very rewarding and fun to build things.

Good luck to all of the above — just know your endgame.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.