Everyone I've met who's been working in the "IT Security Industry" have been exceptionally coy about what they test for and how. After a few drinks I've managed to get out that they're testing for "XSS, and SQL injection, you know things like that".
It stinks of proprietary crap and I wonder what it would look like if they took a more OSS approach? When you can't even talk about XSS testing without a bit of prodding as if it's something exceptional it really makes me wonder what on earth these guys are selling.
I've never done anything with them, but e.g. http://www.rootlabs.com/engineer-job.html sounded a lot more interesting than what you describe. On the open-source front, you find stuff like Metasploit, nmap, Snort, previously Nessus (forked as OpenVAS), web stuff like Nikto, etc.
Don't forget that lots of "programmers" are barely-skilled and working on VBA macros - one label can cover a wide range of skill.
I've met some guys who were pretty fit in encryption topics / key management etc on whole corporations. And it actually works, so you rarely hear about that. Quite some skills are needed to master that actually.
It stinks of proprietary crap and I wonder what it would look like if they took a more OSS approach? When you can't even talk about XSS testing without a bit of prodding as if it's something exceptional it really makes me wonder what on earth these guys are selling.