Facebook is hiring an Offensive Security Engineer, and not the sort inclined to disparage the length of your keys or your choice of encryption algorithm.
"Facebook's Security team is looking for an offensive security engineer that can deliver technical leadership for our offensive security team and execute tactical, offensive assessments across our environments," a recent company job posting says.
Facebook isn't looking join the dark side, subverting systems and launching denial of service attacks through a botnet. Nor is it aiming to retaliate against attackers, a model pursued and abandoned a decade ago by Blue Security.
Rather, it's looking for an individual versed in attack techniques: a penetration tester.
While this isn't a new development at Facebook – the social network has had a "red team" tasked with penetration testing for years – it appears to be at Microsoft, at least in its Windows and Devices group.
Microsoft in September posted a job "seeking top-notch talent to lead a new team focused on offensive security research in the Windows and Devices group at Microsoft."
Facebook and Microsoft declined to comment.
Apple is also looking to fill at least three positions that involve penetration testing.
Joyce Brocaglia, CEO of cybersecurity recruiting firm Alta Associates, in a phone interview with The Register, said her firm has recently been retained to perform multiple personnel searches for companies looking to hire senior security executives and to build security operations centers. She said that there's growing interest in hiring security engineers versed in penetration testing.
"We absolutely see that happening more often," Brocaglia said. "A lot of companies in the past had been outsourcing that function and are now bringing it inside." Brocaglia said not only are companies looking for security engineers capable of penetration testing, but they want people skilled enough to build their own tools.
Asked about possible reasons for the interest in staff hackers, Brocaglia suggested that some of it is cyclical and that outsourcing is just less appealing at the moment.
Alan Paller, founder and director of research for the SANS Institute, in an email to The Register said that the initial surge in internal penetration testing began about ten years ago and was focused on testing applications for internal and external use, to minimize flaws.
Firms complemented internal efforts with external application testers, Paller said, noting that most of the time, systems and network penetration testing was handled by outside firms and represented a source of business for security consulting companies.
"But the confidence that people had in the completeness of outside system and network penetration testing has been lessened," Paller said. "Part of that is due to the increased skill set that many companies are developing for their internal staff, recognizing that to do good defense you have to understand offense."
Another reason to hire security personnel with an affinity for offense, Paller suggested, is that putting security staff through hacking courses isn't worth the money. "Both for cost savings and for privacy, [companies] like doing internal penetration testing," he said, adding that the exception is when senior leadership or auditors require security testing conducted by outsiders. ®