United Airlines earned some press last week when it announced a new bug bounty program that will offer free airline miles to white hat hackers who find bugs in the airline's website and mobile apps. While this will-hack-for-airline-miles program is cute, it also highlights a trend we're seeing in security work.
A shortage in qualified InfoSec personnel and an abundance of mobile apps and systems that need pen-testing means that IT professionals can capitalize on this growing market.
Looking for New Sources of Revenue? Get into InfoSec and Pen Testing
Software and pen testing can be a nice source of revenue for IT consultants because a single person can often do the work. Given how many IT consultants run one-person operations, security work could be a practical way for you to add new revenue.
If you're not already in the InfoSec game, don't worry – there are some easy ways to catch up. In response to the lack of software and pen testers, there's been an explosion of training and courses for IT professionals looking to add this skill. Here are a few helpful resources:
- Stack Exchange has this helpful comment thread discussing how to get into web app testing, where to start, and which courses are helpful.
- If you're looking to jump into pen testing, the InfoSec Institute offers a 10-day penetration testing course.
- You can also check out SANS Institute's pen testing syllabus to learn more about its course offerings.
A Word of Warning for IT Pros: Don't Hack on the Tarmac
Let's go back to the new bug bounty program that United Airlines is offering. There's a funny story behind it.
Forbes reports that a well-intentioned white hacker was sitting on his flight when he logged onto the plane's WiFi and found that it had vulnerabilities. Naturally, he thought he should tweet this information to United Airlines.
The airline freaked out a little bit. Well, that's an understatement:
- United freaked out a lot.
- After the flight landed, the IT guy was escorted from plane and his laptop was seized.
- United was concerned that hackers would be able to break into the airplane's network and potentially cause planes to crash.
The story is amusing, but it also highlights some of the tricky situations ethical hackers can find themselves in. United Airline's new program only pays bounties for bugs that hackers discover in its web apps and website, not its in-flight WiFi.
Risk Management Tips: Before You Begin InfoSec Work
This story highlights two things you should know before you rush into InfoSec work:
- Your clients may set limits on which services they allow you to test. If you go beyond the scope of your work, you could find yourself in a messy situation. While you might not be detained by airport security, you could aggravate a client and lose their business.
- Any time you offer a new service, check with your IT Errors and Omissions Insurance agent. Your Professional Liability Insurance may need to be updated to cover these new services. If you don't have E&O, now would be a good time to get covered for lawsuits over problems with your security testing work.
Follow our blog for more posts with IT sales tips and new opportunities for IT consultants.
