I'm no expert on antivirus software, but figuring whether something is a threat by its _folder name_??? With all the money going into the industry? That has to be some sort of April Fools' prank gone really bad.
AV software is written to pass the tests of AV software reviewers. This is subtly but importantly different from "written to accurately detect and block malware"; in particular, it's extremely difficult for a reviewer to test an AV's ability to block completely novel malware (unless they're a malware author themselves or connected with someone who is). So, people tend to set the AV software to scanning a folder full of known samples and judging the software on how many it detected (this is a nice, easy metric: you can make bar graphs out of it!) - in this situation, if chucking in a signature for C:\windows\SL gives you an easy extra malware detection at the cost of a false positive (that no reviewer's going to spot anyway), it's a no-brainer.
Not everything is useless. Code auditing is not necessarily useless; looking at the physical security of smart cards is not necessarily useless (but it looks like they could use some tougher certifications); pentesting/social engineering can have its uses.
Everyone I've met who's been working in the "IT Security Industry" has been exceptionally coy about what they test for and how. After a few drinks I've managed to get out that they're testing for "XSS, and SQL injection, you know things like that".
It stinks of proprietary crap and I wonder what it would look like if they took a more OSS approach? When you can't even talk about XSS testing without a bit of prodding, as if it's something exceptional, it really makes me wonder what on earth these guys are selling.
I've never done anything with them, but e.g. http://www.rootlabs.com/engineer-job.html sounded a lot more interesting than what you describe. On the open-source front, you find stuff like Metasploit, nmap, Snort, previously Nessus (forked as OpenVAS), web stuff like Nikto, etc.
Don't forget that lots of "programmers" are barely-skilled and working on VBA macros - one label can cover a wide range of skill.
I've met some guys who were pretty fit in encryption topics / key management etc. on whole corporations. And it actually works, so you rarely hear about that. Quite some skills are needed to master that actually.