Like who? I have better than an IT background, I have a degree in software engineering and a couple of years experience and have never been seriously considered for an infosec position.
I'm a "software engineer", but I know a plenty of other "software engineers" who know less about TCP/IP than IT people I know. What about being a SWE makes you feel more suited for the job?
In my experience knowing about TCP/IP is not required depending on the individual's background (say, graphics driver developer). It just turns out most good hackers tend to be curious and either learn it very quickly or already know it.
We like software engineers because they can synthesize complex software architectures, whereas someone with only networking knowledge will be at a much larger knowledge deficit on most software focused assessments.
Infosec has trended toward application focused security for many years now.
This is part of the problem with hiring in InfoSec. I was turned down years ago for a role as a junior because I didn't know enough about some very specific, foundational technology. I joined a consultancy and within a year I was speaking at those same conferences that I met that would-be employer.
In an hour you can go over only a finite amount of knowledge, I was asked about aspects of technology I knew very little about because I hadn't tried anything in that space (FWIW it was a segment of networking). To pass over candidates based on a minuet lack of detailed knowledge - to me is crazy.
It's like interviewing a builder and asking them if they know where the majority of local maple wood comes from. Who cares, and if you need to know - Google it! Great, now you know more than you ever needed about the local maple industry!
If I was a fully funded academic, I'd agree with you. But the reality is I trade my time for money - to maximize the latter, appearing as a "leader" in my field requires I give talks to both technical and business tracks. The former might pay my bills (if they're a successful tech startup), the latter definitely will.
Conferences are great for networking and entertaining. They're not great for learning new stuff, there's much better media out there. I'm not sure what your gripes are with it.
I could pick some random piece of intrinsic tech you know nothing to devalue you quite easily. I work with TCP at a protocol level every. single. day. and I don't doubt that a decent mid-level SWE could pick it up in a less than a week, and be making clever modifications in less than a month. Standards aren't hard. Code isn't hard. Willingness to ask questions is hard. Knowing when you need to stop and think is hard. Dealing with people, in a way that respects their perspective and experience, is hard, and is the primary talent of any engineer, software or otherwise.
This is precisely why we have tuned our hiring process to find people with no infosec experience but a strong technology background. If you come in understanding, fundamentally how computers work (at a systems level) and a genuine interest in information security there limited barriers.
Most organizations are not equipped to hire for one-of roles on dev teams involving information security.
It's hard for me to say why without more information. There is an interesting middle ground you can work as a software engineer for a company working on security products so it might be easier to switch later.
I've found that tech companies have harder interview loops for infosec than in software engineering. For software engineering, know your college algorithms and you'll have a decent shot.
For infosec, the hiring bar is entirely random. Know your algorithms as those questions are all still fair game, know an enormous and entirely random amount of security trivia as infosec has interviewers with incredible ego, be able to solve CTF challenge problems under extreme pressure in 30 minutes, be able to review code in all programming languages for security defects, etc. I recently had an interview for a IoT penetration testing role (requiring C and Python) at a large tech company. The first phone screen was an engineer on an unrelated team asking me Java OWASP Top 10 style questions. What on earth???
Apparently CTFs (which do nothing except teach you how to get better at CTFs) are the new hiring bar. God only knows what's next.
So don't feel bad. Keep interviewing and you'll get lucky. Luck has far more to do with it than anything else at the moment.
If there is any point whatsoever to IT certifications it is to act as a minimum level legitimizer for those willing to acknowledge a lack of experience. Claiming certs have no value is to claim knowledge has no value.
> is to act as a minimum level legitimizer for those willing to acknowledge a lack of experience
True, but there are a lot of bullshit certifications out there that either 1.) vastly over project the actual knowledge people glean from it (CISSP and friends) or 2.) are unrecognized to the point that they're useless.
The certs aren't bullshit, it's how they are used by companies that makes them appear to be bullshit.
What logically follows from my grandparent post is that people who can demonstrate vast experience shouldn't be asked to hold beginner certs. But companies do this all the time. It perpetuates a false impression that a beginner cert is actually aligned with advanced knowledge, which sets up people to complain about "bullshit certs" on internet forums.
> Claiming certs have no value is to claim knowledge has no value.
No it isn’t, because it’s not intended to be literal. Instead, it’s shorthand for saying, “certifications have approximately negligible positive utility compared to learning alternatives, and net negative utility after time and monetary investments are considered compared to alternatives.”
It’s like functions in the local versus global scale: for the most part, a certification is has an imperceptible impact on overall career trajectory. To abuse terminology a bit, of available opportunities with similar time and monetary costs, certifications are not among the those capable of changing the global scale of your career.
I’ve been responsible for making hiring decisions in infosec positions. I consider certifications like CISSP to be a weakly negative signal in an inexperienced candidate and no signal either way in an experienced candidate. It’s useless to say that certain things have value if their value is absolutely dominated by similarly accessible alternatives. I know more than a handful of people who have started successful infosec careers with no certification or degree because they invested in themselves in more meaningful ways that the really well paying companies care about.
SANS certifications are the only ones I think hold any actual water. People tout the CISSP like it teaches you anything but the very basics and use that to call themselves professionals, which is a huge red flag in hiring.
OSCP has practical, hands-on experience in which you get 24 hours to pop a certain amount of boxes. You also write a pentesting report afterwards which contributes a certain number of points. Then they pass/fail you.
They have a lab environment and a curriculum, and I think a forum and video tutorials for you to practice with before you actually pony up for the exam.
It is one of the widely well-regarded certs because it doesn't simply test knowledge, but your ability to do a practical thing that infosec companies are looking for.
From what I've read (I don't have this cert) you need to cover a lot of knowledge bases to actually pass it anyway, chief among those is enumerating networks and vulns.
Some of the other certs are treated like software engineering certs (that is, not really well regarded except in cases of consultancy body shops needing simple qualifications for their clients)
> the excessive profanity is unprofessional and distracting
I strongly disagree. Most security shops I've been in are made up of people who are blunt and speak exactly like that. You absolutely do need to be able to conduct yourself professionally in a professional setting, but when giving advice to folks I tend to use the most informal language I have, which sometimes means this level of profanity.
This...is actually 100% true. One of the biggest struggles I've personally had in security is to not be super jaded and cynical. Helps immensely to not be in an organization that tolerates (or even rewards) shoddy security practices (at least that's how I solved it).
I do agree. That's actually part of why I called out the language: maintaining balance (as well as not cussing in front of the wrong people) are critical skills for security professionals and sorely lacking in many would-be candidates.
His educational advice was good but the attitude he shares via diction is unhelpful at best especially to folks who do not _yet_ have an awesome job in infosec.
This is along the lines of the advice I also give people, it generally boils down to a few things:
- Be hungry - I'm willing to spend hours with someone who's hungry and just lacks knowledge or a mentor
- Be humble - Always underplay what you know, especially in a market where people wildly overestimate their skillset being humble sets you aside
- Do open source stuff - It's a great indicator not only that you're willing to fail publicly and be ok with it, but it's also a great way to show your progression as an engineer. It also shows you can deal with occasional asshats on the internet (hopefully).
- Differentiate yourself somehow - Being knowledgeable about IT is only one of those ways (though probably the best IMO), if you can have security skills and a sense for business, or security skills and hardcore networking experience (think Cisco certification), etc you'll almost automatically shoot to the top of any stack of resumes.
This is overall great advice for anyone on any field. Being hungry, humble, an active member of the community and developing your own niche is great advice.
I'm a EE working in the chip industry who's got an understanding of mostly how everything electronic works. Do you think this industry pays higher than SV?
There's many roles, on average I'd say on average in the US, InfoSec pays higher than Software Engineering roles - however worldwide I'd say there's many more engineering roles, and much more roles that pay higher salaries.
In saying that, the top-tier InfoSec guys get paid buckets, and buckets of money - usually through non-traditional means (ie bug hunters making $2-3M/yr on private bounties). That's 1% of the 1% though.
Can you make your question a little bit more specific?
This reads a bit like a troll from my perspective, but I could be wrong.
First of all, it's 2018. Don't pay for a cert unless you are trying to get into an industry you know nothing about really fast, in which case you will be hired by idiots or abusive exploitative companies (or governments). Studying certs is a good way to identify the processes/requirements of infosec, but paying for one is like paying for a certificate that says you learned how to cook. If someone talks to you about cooking they can tell if you have ever actually done it.
Second, forget working your way up, IT, tic tac toe. There's so much more to know that this really doesn't begin to explain. You want to know how technology is managed in a business, which is IT, but then there's the software dev and product dev and project management and admin, etc. Then you'll want to actually know how to not only develop software, but how to do it so it's secure. And then you'll want to know how to find software that isn't secure, and exploit it. And then you'll want to know how to prevent it. That is a metric shit ton of information. Experience and talking to people who know can help speed this up, and you can skip a lot of it for specific positions, but this certainly is more demanding than becoming a DBA.
Third, 2600 meetings are a great way to waste your time. I should know. I started one when I was 16. Conferences are great ways to network and find people hiring, and cheap if you can get a ticket to a "real" con and not a trade show for people expensing their trip to Vegas. But stay away from unprofessional egotists full of the lore of the elite hacker. And generally just stay off of IRC. There's so many snobby douchebags still holding on to their little cliques, it's generally a soul crushing waste of time to court them. Talk to people who work on teams at real companies, or know people who do.
Infosec is one of those jobs where you basically just have to learn what the processes are and have a firm grasp of all the concepts, and know the latest tools and trends, and you can get a job. (Come to think of it, that's every tech job...) So besides knowing the ins and outs of how businesses interact with technology (regulations, standards & practices) you also need to know how security firms do business (procedures, positions, services, etc).
But, yeah, don't go this route if you want a real career. Learn it from the bottom up by studying it like it was a job maintaining nuclear reactors, but keeping in mind it's basically just monkeys running tools and generating reports.
I'm the author of the blog post. I assure you it's not a troll or satire. Certifications have a stigma; However there are still industry standards that still hold weight. GCIH, GCIA, SANs, OSCP are all well respected.
Second. I am for the most part speaking to how I got into the field. You DO NOT by any stretch of imagination need to know secure coding, how to find exploits in code, etc. Sure if you want to gun straight for a senior role it would help but if you don't have corporate experience it's not going to get you in the door any faster than working your way up.
Third. I'm not even sure what to say to that. You come off as one of those egotistics you speak of. Maybe your 2600 meeting in your area are not good. That's not to say they all are the same. Stay off irc? Again not all channels are the same.
Last paragraph you basically spell out what the certifications I mention literally do for you. Learn the processes, trends, latests tools, etc. I think you're the one trying to troll.
41 comments
[ 1.4 ms ] story [ 101 ms ] threadWe like software engineers because they can synthesize complex software architectures, whereas someone with only networking knowledge will be at a much larger knowledge deficit on most software focused assessments.
Infosec has trended toward application focused security for many years now.
In an hour you can go over only a finite amount of knowledge, I was asked about aspects of technology I knew very little about because I hadn't tried anything in that space (FWIW it was a segment of networking). To pass over candidates based on a minuet lack of detailed knowledge - to me is crazy.
It's like interviewing a builder and asking them if they know where the majority of local maple wood comes from. Who cares, and if you need to know - Google it! Great, now you know more than you ever needed about the local maple industry!
YMMV, sample size 1, etc
Conferences are great for networking and entertaining. They're not great for learning new stuff, there's much better media out there. I'm not sure what your gripes are with it.
Most organizations are not equipped to hire for one-of roles on dev teams involving information security.
For infosec, the hiring bar is entirely random. Know your algorithms as those questions are all still fair game, know an enormous and entirely random amount of security trivia as infosec has interviewers with incredible ego, be able to solve CTF challenge problems under extreme pressure in 30 minutes, be able to review code in all programming languages for security defects, etc. I recently had an interview for a IoT penetration testing role (requiring C and Python) at a large tech company. The first phone screen was an engineer on an unrelated team asking me Java OWASP Top 10 style questions. What on earth???
Apparently CTFs (which do nothing except teach you how to get better at CTFs) are the new hiring bar. God only knows what's next.
So don't feel bad. Keep interviewing and you'll get lucky. Luck has far more to do with it than anything else at the moment.
True, but there are a lot of bullshit certifications out there that either 1.) vastly over project the actual knowledge people glean from it (CISSP and friends) or 2.) are unrecognized to the point that they're useless.
What logically follows from my grandparent post is that people who can demonstrate vast experience shouldn't be asked to hold beginner certs. But companies do this all the time. It perpetuates a false impression that a beginner cert is actually aligned with advanced knowledge, which sets up people to complain about "bullshit certs" on internet forums.
No it isn’t, because it’s not intended to be literal. Instead, it’s shorthand for saying, “certifications have approximately negligible positive utility compared to learning alternatives, and net negative utility after time and monetary investments are considered compared to alternatives.”
It’s like functions in the local versus global scale: for the most part, a certification is has an imperceptible impact on overall career trajectory. To abuse terminology a bit, of available opportunities with similar time and monetary costs, certifications are not among the those capable of changing the global scale of your career.
I’ve been responsible for making hiring decisions in infosec positions. I consider certifications like CISSP to be a weakly negative signal in an inexperienced candidate and no signal either way in an experienced candidate. It’s useless to say that certain things have value if their value is absolutely dominated by similarly accessible alternatives. I know more than a handful of people who have started successful infosec careers with no certification or degree because they invested in themselves in more meaningful ways that the really well paying companies care about.
They have a lab environment and a curriculum, and I think a forum and video tutorials for you to practice with before you actually pony up for the exam.
It is one of the widely well-regarded certs because it doesn't simply test knowledge, but your ability to do a practical thing that infosec companies are looking for.
From what I've read (I don't have this cert) you need to cover a lot of knowledge bases to actually pass it anyway, chief among those is enumerating networks and vulns.
Some of the other certs are treated like software engineering certs (that is, not really well regarded except in cases of consultancy body shops needing simple qualifications for their clients)
> SEC301 Introduction to Cyber Security.
> Dates: Fri, May 11 - Tue, May 15 (5 Days)
> Fee: 5,380 USD
Source: https://www.sans.org/registration/register.php?conferenceid=...
Over 5 grand for a 5 day course for an Intro Level Training? Wut!
It is interesting that he values "SANS" certifications, but not the courses for them.
Besides my own rambling[1] you might find these resources valuable instead:
* https://tisiphone.net/category/security-education/
* https://krebsonsecurity.com/category/how-to-break-into-secur...
* https://s3ctur.wordpress.com/2017/06/19/breaking-into-infose...
[1] http://dfirnotes.net/ etc.
hth,
adric
I strongly disagree. Most security shops I've been in are made up of people who are blunt and speak exactly like that. You absolutely do need to be able to conduct yourself professionally in a professional setting, but when giving advice to folks I tend to use the most informal language I have, which sometimes means this level of profanity.
Not sure how it's distracting.
His educational advice was good but the attitude he shares via diction is unhelpful at best especially to folks who do not _yet_ have an awesome job in infosec.
Thanks, have a great weekend, cheers,
adric
- Be hungry - I'm willing to spend hours with someone who's hungry and just lacks knowledge or a mentor
- Be humble - Always underplay what you know, especially in a market where people wildly overestimate their skillset being humble sets you aside
- Do open source stuff - It's a great indicator not only that you're willing to fail publicly and be ok with it, but it's also a great way to show your progression as an engineer. It also shows you can deal with occasional asshats on the internet (hopefully).
- Differentiate yourself somehow - Being knowledgeable about IT is only one of those ways (though probably the best IMO), if you can have security skills and a sense for business, or security skills and hardcore networking experience (think Cisco certification), etc you'll almost automatically shoot to the top of any stack of resumes.
In saying that, the top-tier InfoSec guys get paid buckets, and buckets of money - usually through non-traditional means (ie bug hunters making $2-3M/yr on private bounties). That's 1% of the 1% though.
Can you make your question a little bit more specific?
First of all, it's 2018. Don't pay for a cert unless you are trying to get into an industry you know nothing about really fast, in which case you will be hired by idiots or abusive exploitative companies (or governments). Studying certs is a good way to identify the processes/requirements of infosec, but paying for one is like paying for a certificate that says you learned how to cook. If someone talks to you about cooking they can tell if you have ever actually done it.
Second, forget working your way up, IT, tic tac toe. There's so much more to know that this really doesn't begin to explain. You want to know how technology is managed in a business, which is IT, but then there's the software dev and product dev and project management and admin, etc. Then you'll want to actually know how to not only develop software, but how to do it so it's secure. And then you'll want to know how to find software that isn't secure, and exploit it. And then you'll want to know how to prevent it. That is a metric shit ton of information. Experience and talking to people who know can help speed this up, and you can skip a lot of it for specific positions, but this certainly is more demanding than becoming a DBA.
Third, 2600 meetings are a great way to waste your time. I should know. I started one when I was 16. Conferences are great ways to network and find people hiring, and cheap if you can get a ticket to a "real" con and not a trade show for people expensing their trip to Vegas. But stay away from unprofessional egotists full of the lore of the elite hacker. And generally just stay off of IRC. There's so many snobby douchebags still holding on to their little cliques, it's generally a soul crushing waste of time to court them. Talk to people who work on teams at real companies, or know people who do.
Infosec is one of those jobs where you basically just have to learn what the processes are and have a firm grasp of all the concepts, and know the latest tools and trends, and you can get a job. (Come to think of it, that's every tech job...) So besides knowing the ins and outs of how businesses interact with technology (regulations, standards & practices) you also need to know how security firms do business (procedures, positions, services, etc).
But, yeah, don't go this route if you want a real career. Learn it from the bottom up by studying it like it was a job maintaining nuclear reactors, but keeping in mind it's basically just monkeys running tools and generating reports.
Second. I am for the most part speaking to how I got into the field. You DO NOT by any stretch of imagination need to know secure coding, how to find exploits in code, etc. Sure if you want to gun straight for a senior role it would help but if you don't have corporate experience it's not going to get you in the door any faster than working your way up.
Third. I'm not even sure what to say to that. You come off as one of those egotistics you speak of. Maybe your 2600 meeting in your area are not good. That's not to say they all are the same. Stay off irc? Again not all channels are the same.
Last paragraph you basically spell out what the certifications I mention literally do for you. Learn the processes, trends, latests tools, etc. I think you're the one trying to troll.