Location: NYC
Remote: Preferred, but I'm willing to commute anywhere within a few hours if hybrid, less for always on-site.
Willing to relocate: No.
Technologies:
- penetration testing, architecture review, and code review of web and mobile applications across hundreds of projects and dozens of companies (from startups to FAANG and other Big Tech)
- various programming languages
- project and account management
Résumé/CV: (removed address and phone as this is a public forum) - https://hn-resume.nyc3.digitaloceanspaces.com/hn_resume.pdf
Email: [email protected]
I have ~8.5 years of experience as a security consultant and I would prefer to do more defensive/blue team work, but I'm fine doing offensive work or more consulting again. I'd also prefer to manage people because I enjoy it and I think I'm pretty good at it, but I don't mind being a pure IC.
Well, the good news is that everything you listed is known as a bad idea to both end users and people who understand security (which is, sadly, not most people who implement security policies).
Using 4 or more dictionary words provides excellent password security and you can do the same for all of your security answers too. There's a variety of free and paid for password managers that solve the issue of trying to remember all your secrets (great for backing up 2FA secrets too).
I'm not sure what you mean by "complicated error messages" but I assume it's errors that they expect the user to fix themselves, otherwise they could return a generic nonspecific error and a unique ID for you to provide when you contact support to get help. While it sucks to get jargon spammed, I feel like pretty standard human ineptitude at explaining an error rather than anything specific to security. I also think it's how many people feel about any error message that contains computer jargon (PC LOAD LETTER!?!?).
> I often wonder how they get away with it all.
My thinking (and experience...) is that most organizations are failing at a lot of things at any given time, even if the business overall is successful. Security is just one of those things. I wouldn't be surprised at a small elite organization not following that trend, but any sufficiently large organization is going to have incompetent people doing incompetent things.