Ask HN: How to get a job at cybersecurity?

14 points by abdelhadikhiati ↗ HN
Hey , I am graduated computer science student, I have experience developing android apps and some google appengine backends ,lately i am interested in cybersecurity , it sounds like a really interesting domain , and i want to know what learning paths should i take to get a job in this domain , since i assume my computer science background is different than pen testing ?? can you provide me resources (Books ,CTFs , Advices ) ? Thank You

25 comments

[ 2.4 ms ] story [ 46.6 ms ] thread
Google for CISSP.
I know CISSP and i don't think studying for the certificate will give me the skills needed to be a good security researcher
Possessing that certificate is an entry requirement for many security jobs. But from what you are saying you have already conducted your research.
I know many people in the security industry who are willing to waive the CISSP requirement if you have a CVE on your resume.
Oh that sounds interesting, haven't come accross myself - thanks!
They don't advertise this fact too much. CISSPs are a joke.
That was my thought too , i don't think CISSP has big weight in this industry .
But not the good ones.

The good ones may look askance at it and wonder whatever motivated you to get one.

Why not give Matasano a call? Rumor has it they'll give you great book(s) just for applying.

https://news.ycombinator.com/item?id=8823260

Also from Matasano: cryptopals.com and microcorruption.com

Offensive security lectures:

http://www.cs.fsu.edu/~redwood/OffensiveSecurity

Other resources:

http://www.binary-auditing.com

http://www.enigmagroup.org

https://www.hackthissite.org

https://www.vulnhub.com

"Cybersecurity" is vague. What domains are you mostly interested? Crypto? Network protocols? Applications {Web, Mobile, Desktop, Client/Server}?

As co-head of recruiting for Matasano/NCC US, I endorse this approach! Bear in mind that we are pretty heavily focused on appsec, but of course for us appsec includes kernel work, sandboxes, firmware, etc, as well as web, mobile, custom protocols, desktop, client-server, etc.
am I required to study all these to be considered for a job at Matasano ? That seems a lot of things ?
I should probably have specified: I don't represent Matasano / NCC Group in any way shape or form.

That said, I don't think you do. Your question is somewhat like asking if you need to study every medical specialty to the bleeding edge of research to become a general practitioner.

No, but any of them you master will definitely be a boon. :)

Thank you ,actually i was addressing the one from Matasano who responded on your comment , Your advice is very helpful sir , thanks again .
Certainly not required! To get a job in application security (at Matasano/NCC or anywhere, really) you should be demonstrably okay at web application, and have interests beyond webapps.
Do you give rejections to people who apply? I emailed careers@matasano.com asking about an internship in October and never heard back. I took that as a sign that you weren't interested, but I'm now thinking I should double check on that in case you missed the email.
We are literally drowning in intern applications. Either we haven't gotten to yours yet (likely), or we accidentally dropped it on the floor (also, sadly, possible, given the number of applications we've received this year). If there are any keywords in your email that might help me find it, I'd be happy to follow up.
That'd be great! If you search for "sophomore studying computer science at UW Madison", you should find my email.
For years I've tried to figure out good advice to this question, but I've never been able to successfully articulate it. Here's attempt++.

There's two things that would be helpful to know before providing advice, and they might not be things that you even know the answer to yet; but it's worth considering.

First, what are your reasons for being interested in security. Is it because it's a good job market? Or because you think it sounds cool? Or, god forbid because you think of it as a higher calling? There's nothing inherently good or bad about any of those three choices (except people who believe the third one I find unbelievably tedious to be around), but it definitely effects what advice I'd give. I'm going to assume it's the second one (based on the way you worded your question).

Secondly, security is an ever-expanding field, and in particular, the domain knowledge for each piece of it is starting to take up all available volume in any person's individual skill-bag.

At the risk of somewhat oversimplifying, you can pretty much carve out a full and successful career in infosec in any of the four fields: network security, application security, incident response, general-purpose security practitioner.

Each of those requires skills that are very different than the other 3, and each can be a totally fulfilling choice to make (most of us have wound up in a specific specialty and probably don't enjoy working in one of the other 3, but don't let my or anyone else's distaste for one of them sway you).

Network security is what it sounds like. It's basically the people who do penetration tests. At the bottom end of that field, it's the people who click "run" on a Nessus scan. At the higher end, it's the people who come up with interesting research around protocol vulnerabilities and exploits. Like any field, the vast majority of people aren't at the high end. Without passing judgement, Network security was the first piece of infosec to start to become commoditized, thereby making it probably the least desirable from a financial perspective. This isn't true at the high end, but then again, it's never true at the high end.

It's probably where the majority of people start out, regardless of where they end up. You can thank the mid-90's era of terrible system security and compliance audit requirements for that.

Application security is probably the most applicable for people who have a development background (although again, at the higher end of network security, you are writing code, and exploiting other people's code). It started as a field in pretty much the late 90's. My company saw the writing on the wall that network security was going to become more and more commoditized and we shifted our focus to application security. For most of my career, that has predominantly been web application security. Other places do work on "native-applications", embedded systems, etc. It really depends on the firm. Application security has become more and more important as more and more of people's lives have shifted to include doing things online. Again, not trying to make a value judgement (although as someone who has worked mostly in AppSec, I'm definitely biased), but it's where I would place my bets for at least the foreseeable future career-relavence wise.

Incident Response has only really come into the limelight the past 5 or 6 years. It's been a thing since the 80's, but it was mostly ignored while people tried to convince themselves that they could build secure systems that would actually keep attackers out. The thinking around that has started to change (although in some cases just as an excuse by security people to absolve themselves of responsibility for doing a shitty job). Incident Response will probably never go away, because it's sort of the existential reality of doing business with machines that have to trust one another. Currently, it also c...

I’m not in the field but this looks like a good overview to me. Thank you for sharing this!
I work in security incident response and I can say this is all quite accurate. Though usually the 3 AM call just involves a quick drive rather than a plane trip, unless you work for a MSSP.
This is the most complete answer i have received in my life , thank you for your help , so much appreciated .
+1 but I do want to add: there is a growing overlap between the crypto community and appsec. :)
(comment deleted)