Lowering the Bar – Still Looking for Bugfinders w/ IT Experience

From 5,000 down to 3,000.

I have been given a handful of leads in my quest to find bugfinders who publicly disclose vulnerabilities in mailing lists or public notices and also have operational experience (either present or previous) and responsibility for patching more than 5,000 desktops or laptops. The most promising so far has come from Security Curve. I suspect this one will turn out to be accurate, so we have at least one. All other leads so far appear to have misunderstood my criteria, which I will restate below. In addition, I am lowering the bar to 3,000 desktops in the hopes of finding a few more people.

Requirements:

1) Currently or in the past has publicly announced, posted, or otherwise made available information about specific vulnerabilities.

2) Prior to or concurrent with any vulnerability announcement, the person must have had some direct level of responsibility for protecting systems, including patching them.

Note: you don’t qualify if you simply worked in a company with greater than 3,000 desktops/laptops – you must actually have had to apply the patches or coordinate the patch process.

One commenter in my previous post appears to be in crisis about this exercise. I take no offense to his obvious superiority complex, because people in his position tend to get emotional in times like these. I am surprised he feels like we have no right to understand the backgrounds of the people who are providing this information.

While I thought this was a fairly simple request in the hopes of learning more about the backgrounds of bugfinders, it might be more significant than I originally thought.

Update: We have two (probably)! After reviewing the information provided to me in emails, I realized that there is one other person who likely qualifies. I had previously neglected him because the other candidates offered do not appear to qualify.

10 comments for “Lowering the Bar – Still Looking for Bugfinders w/ IT Experience”

  1. January 20, 2007 at 10:00 pm

    This “lowering the bar” stuff is also disingenuous. You already know that you don’t need to “lower the bar”; you’ve said this only to convey the impression that it’s hard to find vulnerability researchers in operational security positions, even though you know this not to be true.

    I’d like to ask your readers: what attracts you to posts overtly designed to mislead you?

  2. Pete
    January 20, 2007 at 10:25 pm

    @Thomas -

    No, it’s not disingenuous at all. I have been given leads that don’t satisfy my requirements and I am trying to make them easier. To date, I know of one person who likely satisfies the criteria.

    I actually expect this to be very hard to do, especially given that the leads I was given completely misconstrued what I was looking for.

    Given the difficulty, I haven’t really spent much time on it. My request is still a fairly recent one, and I was not expecting to update folks so soon. You seemed to want a speedy conclusion, so I made the reqts lighter.

    There is too much smoke and mirrors in the security world, and I don’t like pseudo-security through obscurity. I think we should all come clean about our interests here and let the data go where it may.

    I want to be clear, though – simply having worked for a company with greater than 3,000 endpoints does not qualify someone for this recognition.

  3. January 20, 2007 at 11:51 pm

    You’ve already conceded the names, employers, and roles of multiple people fitting these qualifications, based on a single email exchange, and yet you persist in implying that these people are “hard to find”. When challenged, you play semantic games and beg the question, implying that there’s confusion about the type of person you’re asking about.

    Just saying that you’re not being disingenuous doesn’t make it so.

  4. Pete
    January 21, 2007 at 7:14 pm

    @Thomas -

    You are right that I had one addition. Other than that, it might be useful for you to consult with friends who have operational experience to understand what I mean.

    If you have specific information about researchers, please let me know. Other than that, you are simply trolling my blog.

  5. January 22, 2007 at 12:11 am

    So, how many people are there who fit the criteria at 3,000 and 5,000 PCs for which they’re responsible? How many people are responsible for patching, say, 300 or 500 PCs?

    I suspect you’re taking the very narrow end of a power distribution.

  6. January 22, 2007 at 12:16 am

    In stark contrast to yours, every comment I’ve made so far (save this one, hopefully my last) has added information to this thread.

    You still haven’t corrected your original post, where you assert that you believe no enterprise operational vulnerability researchers exist, despite the fact that you know that not to be true. And, obviously, you persist in implying that these people are hard to find, despite the fact that there is no evidence to suggest that they are.

  7. Pete
    January 22, 2007 at 1:24 am

    @Adam -

    This is an interesting point. The Bureau of Labor & Statistics here (http://www.bls.gov/news.release/cewfs.nr0.htm) says that companies w/ 1k or more employees make up 37.4% of total employment. I would take a swag that 3k and above might make up 20% of total. Assuming that the ratio of admins per desktops is similar regardless of whether the companies are small or large means that we can carry across that 20%.

    I have two so far. How many researchers do you think there are? I really haven’t thought much about this proportion and what it might mean.

    What do you think?

  8. January 22, 2007 at 5:44 pm

    The ratio of support staff to desktops is pretty clearly not the same regardless of the gross number of desktops. It’s common in the SMB space for that support number to be “zero” (outsourced) or “one” (common to all IT infrastructure). In heterogeneous small businesses the next common tier of staffing is one person dedicated to each functional area, such as Unix, Telecom, or Database.

    Fully built-out teams for functional areas are an enterprise-ism (1000+ employees). Dedicated security staff is an enterprise-ism; dedicated security *teams* are a large-enterprise-ism.

    You’ve done enough “thinking” about this topic to assert that there are no such people as operational vulnerability researchers in the Fortune 500, but perhaps not enough to look past BLS stats to find any report on how enterprises staff IT.

  9. Pete
    January 22, 2007 at 8:26 pm

    @Thomas -

    The desktops per admin are consistent enough to be useful in this regard. That leaves the percentage of employees as the determining factor. (Though Adam brought up in a private email that I assume a 1:1 relationship between desktops and employees, and this may be erroneous.) The BLS is the most reliable source of information I know of to get this number.

    Your attempt at describing IT organizations is admirable albeit weak. The department/job title doesn’t matter – functional responsibility does. (Btw, security folks rarely actually patch systems – that’s why I am fairly liberal with my qualifications).

    I said zero and we are at five. You said “hundreds” and we are at five. You are off by at least 195; I am off by 5 so far. Come see me when I have 101. It should really be easy, given that you think there are so many.

  10. February 11, 2007 at 5:55 pm

    I fit your request. Before going to work in the ISS Xforce I had 6 years in operational roles ranging from a few hundred Solaris and Windows machines to being responsible for security of 60,000 plus machines on a large college campus in the southeast. In addition to my operational roles as sysadmin and security admin I was pitched by every security vendor several times and can recite most of their sales pitches for you after 5 beers.

    I also find vulnerabilities.
