Ask HN: How to get a job at cybersecurity?
Hey , I am graduated computer science student, I have experience developing android apps and some google appengine backends ,lately i am interested in cybersecurity , it sounds like a really interesting domain , and i want to know what learning paths should i take to get a job in this domain , since i assume my computer science background is different than pen testing ??
can you provide me resources (Books ,CTFs , Advices ) ?
Thank You
25 comments
[ 2.4 ms ] story [ 46.6 ms ] threadThe good ones may look askance at it and wonder whatever motivated you to get one.
https://news.ycombinator.com/item?id=8823260
Also from Matasano: cryptopals.com and microcorruption.com
Offensive security lectures:
http://www.cs.fsu.edu/~redwood/OffensiveSecurity
Other resources:
http://www.binary-auditing.com
http://www.enigmagroup.org
https://www.hackthissite.org
https://www.vulnhub.com
"Cybersecurity" is vague. What domains are you mostly interested? Crypto? Network protocols? Applications {Web, Mobile, Desktop, Client/Server}?
That said, I don't think you do. Your question is somewhat like asking if you need to study every medical specialty to the bleeding edge of research to become a general practitioner.
No, but any of them you master will definitely be a boon. :)
There's two things that would be helpful to know before providing advice, and they might not be things that you even know the answer to yet; but it's worth considering.
First, what are your reasons for being interested in security. Is it because it's a good job market? Or because you think it sounds cool? Or, god forbid because you think of it as a higher calling? There's nothing inherently good or bad about any of those three choices (except people who believe the third one I find unbelievably tedious to be around), but it definitely effects what advice I'd give. I'm going to assume it's the second one (based on the way you worded your question).
Secondly, security is an ever-expanding field, and in particular, the domain knowledge for each piece of it is starting to take up all available volume in any person's individual skill-bag.
At the risk of somewhat oversimplifying, you can pretty much carve out a full and successful career in infosec in any of the four fields: network security, application security, incident response, general-purpose security practitioner.
Each of those requires skills that are very different than the other 3, and each can be a totally fulfilling choice to make (most of us have wound up in a specific specialty and probably don't enjoy working in one of the other 3, but don't let my or anyone else's distaste for one of them sway you).
Network security is what it sounds like. It's basically the people who do penetration tests. At the bottom end of that field, it's the people who click "run" on a Nessus scan. At the higher end, it's the people who come up with interesting research around protocol vulnerabilities and exploits. Like any field, the vast majority of people aren't at the high end. Without passing judgement, Network security was the first piece of infosec to start to become commoditized, thereby making it probably the least desirable from a financial perspective. This isn't true at the high end, but then again, it's never true at the high end.
It's probably where the majority of people start out, regardless of where they end up. You can thank the mid-90's era of terrible system security and compliance audit requirements for that.
Application security is probably the most applicable for people who have a development background (although again, at the higher end of network security, you are writing code, and exploiting other people's code). It started as a field in pretty much the late 90's. My company saw the writing on the wall that network security was going to become more and more commoditized and we shifted our focus to application security. For most of my career, that has predominantly been web application security. Other places do work on "native-applications", embedded systems, etc. It really depends on the firm. Application security has become more and more important as more and more of people's lives have shifted to include doing things online. Again, not trying to make a value judgement (although as someone who has worked mostly in AppSec, I'm definitely biased), but it's where I would place my bets for at least the foreseeable future career-relavence wise.
Incident Response has only really come into the limelight the past 5 or 6 years. It's been a thing since the 80's, but it was mostly ignored while people tried to convince themselves that they could build secure systems that would actually keep attackers out. The thinking around that has started to change (although in some cases just as an excuse by security people to absolve themselves of responsibility for doing a shitty job). Incident Response will probably never go away, because it's sort of the existential reality of doing business with machines that have to trust one another. Currently, it also c...