Location: NYC
Remote: Preferred, but I'm willing to commute anywhere within a few hours if hybrid, less for always on-site.
Willing to relocate: No.
Technologies:
- penetration testing, architecture review, and code review of web and mobile applications across hundreds of projects and dozens of companies (from startups to FAANG and other Big Tech)
- various programming languages
- project and account management
Résumé/CV: (removed address and phone as this is a public forum) - https://hn-resume.nyc3.digitaloceanspaces.com/hn_resume.pdf
Email: hn_resume@blacksheepwall.com
I have ~8.5 years of experience as a security consultant and I would prefer to do more defensive/blue team work, but I'm fine doing offensive work or more consulting again. I'd also prefer to manage people because I enjoy it and I think I'm pretty good at it, but I don't mind being a pure IC. While I am interested in being hired, I'm also very interested if anyone has constructive feedback for me about why they wouldn't hire me (no need to be gentle). I've only applied to a handful of jobs so far, and none have given me interviews or feedback, so I'm not sure why I don't appear appealing for roles I think I'm more than qualified for like Senior Security Engineer (Manager).
This really rings true. Just think of all the nonsense you have to deal with in the name of "security." Mandatory password change intervals. Insane rules for constructing passwords. Completely undocumented password requirements that you just have to figure out by trial and error. Complicated error messages full of security jargon. "Secret Questions" that you can't remember the answers to. And on the other side of the coin, the security of these systems themselves is like a sieve. So many data breaches, information disclosures, they are in the news almost daily. I often wonder how they get away with it all.
Well, the good news is that everything you listed is known as a bad idea to both end users and people who understand security (which is, sadly, not most people who implement security policies).
Using 4 or more dictionary words provides excellent password security and you can do the same for all of your security answers too. There's a variety of free and paid-for password managers that solve the issue of trying to remember all your secrets (great for backing up 2FA secrets too).
I'm not sure what you mean by "complicated error messages" but I assume it's errors that they expect the user to fix themselves, otherwise they could return a generic nonspecific error and a unique ID for you to provide when you contact support to get help. While it sucks to get jargon spammed, I feel like it's pretty standard human ineptitude at explaining an error rather than anything specific to security. I also think it's how many people feel about any error message that contains computer jargon (PC LOAD LETTER!?!?).
> I often wonder how they get away with it all.
My thinking (and experience...) is that most organizations are failing at a lot of things at any given time, even if the business overall is successful. Security is just one of those things. I wouldn't be surprised at a small elite organization not following that trend, but any sufficiently large organization is going to have incompetent people doing incompetent things.